Tipping the Scale: Reynolds' Supplier Risk Management Program Creates a Balance between Cost and Risk

Reynolds American: Suzanne Wood, Director, Internal Audit

EY: Patrick Fishburne, Manager, Performance Improvement Services; Jason Parnes, Manager, Advisory Risk Services

www.sig.org/eval

Tipping the Scale - SIG


Tipping the scale: Reynolds' supplier risk management program creates a balance between cost and risk

Reynolds American Inc. & EY

Suzanne Wood, RAI

Patrick Fishburne, EY

Jason Parnes, EY

Introduction

Presenter bios

Name: Jason Parnes

Company: Ernst & Young LLP

Title: Manager, Advisory Risk Services

Background: Jason Parnes is a manager in the Advisory Risk Services practice of Ernst & Young LLP. He graduated from Northern Kentucky University in 2008 and has been involved in a wide variety of professional service activities during his career, which includes tax, audit, operational process assessments and fraud investigation. In the past two years, Jason has been focused on the area of supply chain and has assisted top global manufacturers across multiple industry lines (automotive and consumer products) in the development of a global supply chain finance organization and third-party risk management programs/organizations.

Name: Patrick Fishburne

Company: Ernst & Young LLP

Title: Manager, Performance Improvement Services

Background: Patrick Fishburne is a Manager in the Advisory Services practice of Ernst & Young LLP. He graduated from the University of Notre Dame in 2005. He is a performance improvement supply chain professional with four years of industry experience working in government supply chain and logistics. As a member of the Advisory Service practice, Patrick’s key areas of focus are procurement risk, sourcing and category management. Prior to joining Ernst & Young LLP, Patrick was a Supply Corps Officer in the United States Navy, serving on two ships that deployed to the Middle East and South East Asia. Patrick received his MBA from the University of Notre Dame’s Mendoza College of Business in 2011.

Name: Suzanne Wood

Company: Reynolds American Inc.

Title: Director, Internal Audit

Background: Suzanne Wood is a director in the Internal Audit Department of Reynolds American Inc. She graduated from Appalachian State University in 1985 and received her Masters of Engineering from North Carolina State University in 2004. In addition to her work with Internal Audit, Suzanne has industry experience in IT, supply chain and operations strategy. Suzanne managed supply chain compliance activities and developed models/plans to facilitate and support strategic company initiatives and decisions. In addition to overseeing operational and FDA readiness audits, she has spent the last nine months leading a supplier risk management initiative by collaborating with key business resources, leveraging business knowledge and capitalizing on risks/gaps identified through Internal Audit work.

Reynolds American Inc. (RAI) company background

Reynolds American Inc. (NYSE: RAI) is the parent company of R.J. Reynolds Tobacco Company; American Snuff Company, LLC; Santa Fe Natural Tobacco Company, Inc.; Niconovum USA, Inc.; Niconovum AB; and R. J. Reynolds Vapor Company.

• R.J. Reynolds Tobacco Company is the second-largest US tobacco company. The company's brands include two of the best-selling cigarettes in the US: Camel and Pall Mall. These brands, and the company’s other brands, including Winston, Kool, Doral, Salem, Misty and Capri, are manufactured in a variety of styles and marketed in the US.

• American Snuff Company, LLC is the nation’s second-largest manufacturer of smokeless tobacco products. Its leading brands are Grizzly and Kodiak.

• Santa Fe Natural Tobacco Company, Inc. manufactures and markets Natural American Spirit 100% additive-free natural tobacco products, including styles made with organic tobacco.

• Niconovum USA, Inc. and Niconovum AB market innovative nicotine replacement therapy products in the US and Sweden, respectively, under the Zonnic brand name.

• R.J. Reynolds Vapor Company makes and markets VUSE e-cigarettes, a highly differentiated vapor product.

EY company background

EY is a leading global professional services firm committed to helping our people, our clients and our wider communities achieve their potential. It’s about 175,000 people working together to help each other develop and succeed professionally and personally. It’s about helping clients deliver on their promises to their markets and stakeholders. We help businesses improve performance through a range of services, including tax, advisory, assurance and transactions.

At EY we are committed to building a better working world – one with increased trust and confidence in business, sustainable growth, development of talent in all its forms, and greater collaboration.

150 countries

175k people

$27.4b revenue

Americas: 53,900+ people

EMEIA: 84,200+ people

Asia-Pacific: 29,800+ people

Japan: 6,800+ people

Session objectives

This session is designed to provide an overview of the journey to develop a comprehensive supplier risk management (SRM) program.

You will learn:

• Key aspects of an effective SRM operating/organizational model, including technology platforms

• An approach to scoring and monitoring supplier risks by category

• How to identify, categorize and prioritize risks presented by suppliers

Polling question

How many companies have implemented, or have begun to implement, a comprehensive SRM program?


Agenda

1. Problem statement – Why SRM?

2. Journey to today

3. Current SRM model

4. The path forward

5. Achievements and challenges

6. Wrap-up


Why SRM?

A changing environment requires a comprehensive SRM process

Internal Restructuring

• Outsourcing/subcontracting initiatives

• Supply chain complexities

• Mergers/acquisitions increase the supplier risk universe and demands for efficiency

Cross-Industry leading practices*

• Need for a scalable supplier risk scoring and monitoring tool and associated technology

• Permanent, defined organization to manage integrated risk scoring and monitoring

• Investment toward de-risking products prior to introduction to market

• Development of cross-functional teams to co-develop SRM programs

Regulatory landscape

• Increased regulatory compliance requirements, including FDA

• Growing importance of information, data privacy, anti-bribery, corruption risk management and conflict minerals

• Stringent environmental laws toward investment in greener technologies

*Cross-industry leading practices were benchmarked against nine leading companies.


Our journey

Timeline of SRM activities

2012 2013 2014

SRM consulting engagement initiated

• Identified risk environment pillars

• Partnered with business functions to develop detailed questionnaires

• Created Procurement Compliance group

• Piloted Supplier Vetting Questionnaires (SVQ) for sample suppliers

• Full implementation of SVQ

• Initiated educational sessions

• Created “Total Risk Score” used to inform 2015 audit plans

• In collaboration with an EY team:

  • Developed an integrated SVQ and reporting tool

  • Began development of cost of risk model

2015

• Implement integrated SVQ model

• Collaborate with business functions to refine control activity matrix

• Define system requirements for selecting a tool

• Define operational structure for sustainability

• Continue with development of cost of risk model

Who was involved?

A comprehensive SRM program requires input from all areas across the business.

[Diagram: SRM, with Finance, Legal, IT, Procurement, Executive Leadership, Internal Audit, Corporate Security and Regulatory Oversight]

Diagram legend:

• Responsible for setting “tone at the top” and driving program development

• Provides direct input into program requirements and actively involved in vetting/monitoring activities

SRM program: initial design

The initial SRM program consisted of three disparate processes.

SVQ

• Used to evaluate new and existing suppliers with new scope

• Combination of internal knowledge and external supplier questionnaires

• Risk pillars identified

Quadrant analysis

• Used to evaluate existing suppliers annually

• Completed internally only

• Subjective ratings

Controls activity matrix

• Defined monitoring activities for strategic/critical suppliers

• Driven by quadrant analysis only

• Beginning stages of development*

*Controls activity matrix is still in active development stages

Internal Audit is collaborating with EY to leverage total supplier reliability concepts to enhance SRM model

[Figure: SRM evolution. Axes: Maturity (Low to High) and Performance (Low to High). Stages shown: Reactive, Corrective, Optimized, Proactive, Integrated.]

High-level objectives

• Create an integrated risk scoring and monitoring model where risk area scores drive monitoring activities

• Develop a governance framework to facilitate decision-making processes

• Implement supplier risk management process that aligns technology, governance and organization design

• Optimize cost of risk profile

Six critical areas of supplier risk: Commercial, Execution, Information, Regulatory, Continuity, Sustainability

Risk examples

• Commodity price volatility

• Exchange rate volatility

• Wage inflation

• Contract exposure

• Contract non-compliance

• Suppliers risk

• Delivery

• Performance (SLAs)

• Quality

• Component or service integration

• Intellectual property theft

• Customer data

• Competitive data

• Personal theft data violations

• Corruption (FCPA)

• Customs and duty

• Conflict minerals

• Accountability and transparency (FDA)

• Trade sanctions (OFAC)

• Workplace practices (labor, EHS, etc.)

• Supply availability

• Supply disruption – force majeure

• Supplier failure

• Product/support discontinuation

• External operations capacity (co-manufacturing)

• Environmental

• Social

• Geopolitical

• Ethical

Current SRM model and next steps

Current model: supplier vetting

Integrated SVQ evaluates supplier risk across 9 major categories:

• Spend

• Regulatory/legal & privacy

• Technology

• Business continuity

• Sustainability/reputational

• Physical security

• Operational

• Financial

• FDA compliance

Aggregate and risk area scores, combined with quadrant assigned (critical/strategic, leveraged, routine, bottleneck) drive onboarding decisions, as well as monitoring and audit activities.*

*See appendix for example supplier scorecard/quadrant analysis and SRM process flow

Current model: supplier vetting

Risk area scoring is determined through a combination of activities.

Initial vetting questions + Supplier questionnaires & internal knowledge = Residual risk score

Two distinct scores

• Sector

• Supplier

Determined based on supplier-specific score, for example:

• Financial viability (e.g., credit risk)

• Anti-corruption

• Privacy/information security

Inherent Risk Score


Current model: monitoring

Supplier scores from the SVQ determine the following:

• Monitoring activities required

• Frequency of activities (annually, quarterly, contract renewal)

• Audit frequency, if necessary

Monitoring activities include:

• Annual conflict minerals survey

• Operational audits

• ITGC reviews

• Corporate security audits

• Contingency plan reviews

Current monitoring activities are primarily manual in nature.

Next steps: overview

The path forward involves further developing key aspects of an operating model

Comprehensive SRM operating model

• Oversight and governance

• Technology and analytics

• People and organizational design

• Processes

List of activities to enable the operating model

• Risk scoring model

• Cost of Risk vs. risk exposure

• Risk response strategy

• Risk monitoring model

• Governance structure*

• Organizational design*

• Technology implementation*

Legend: Already in place; 2015 activities

*See appendix for example governance structure/organizational design and technology platforms that currently offer SRM modules.

Achievements and challenges

Achievements and challenges

Things we did well:

• Enhanced existing processes by leveraging leading practice concepts

• Collaboration across the business functions and integration with existing and other in-flight due diligence efforts

• Defined risk environment pillars as foundation

• Integration of due diligence questionnaires

• Leveraged opportunities to educate business

• Implementation of “quick wins”

Challenges faced or things we could have done better:

• Weighting of risk areas/scoring

• Technology

• Subjectivity of information provided by vendor managers in quadrant analysis

• Disparate initial processes

• Education of internal resources

• Competing priorities

• Organizational design – who should own?


Wrap up

Final thoughts

Most organizations actively manage financial risks, but many fall short of managing risks that are external to their organization

9% is the average decrease in stock price associated with companies that announced a supply chain disruption*

*Vinod R. Singhal, Business Briefing: Global Purchasing and Supply Chain Strategies, Dupree College of Management, Georgia Institute of Technology

Traditional SRM is approached in a fragmented fashion, with legal, procurement, finance and operations all working independently. Attempting to manage supplier risk in this fashion can lead to:

• Operational disruptions

• Costly procurement situations

• Damage to brand and reputation

• Inability to adapt to a changing marketplace

• Inability to achieve regulatory compliance requirements

Contact information

Suzanne Wood

Email: [email protected]

Phone: (336) 741-0965

Patrick Fishburne

Email: [email protected]

Phone: (757) 575-6853

Jason Parnes

Email: [email protected]

Phone: (513) 476-2488

Appendix

The following slides represent examples of SRM organizations/processes; however, they do not necessarily reflect the processes and organization in place at Reynolds American Inc.


Detailed SRM process

Monitoring and reporting processes

Scoring processes

Example supplier scorecard

Risk area                      Inherent risk score         Residual risk score
                               Score   Rating              Score   Rating
Aggregate Score                62      Moderate-High       62      Moderate-High
Spend                          60      Moderate            60      Moderate
Regulatory/legal & privacy     55      Moderate            55      Moderate
Technology                     70      Moderate-High       70      Moderate-High
Business continuity            55      Moderate            55      Moderate
Sustainability/reputational    46      Moderate            46      Moderate
Physical security              10      Minimal to None     10      Minimal to None
Operational                    70      Moderate-High       70      Moderate-High
Financial                      70      Moderate-High       70      Moderate-High
FDA compliance                 100     High                100     High

Technology platforms for SRM

SRM technology

• RSA Archer eGRC

• Oracle

• SAP

• MetricStream

• IBM Emptoris

• Ernst & Young LLP

Business intelligence

• Tableau

• Spotfire

• SAP Business Objects

• Ernst & Young LLP

Predictive Analytics

• SAS

ERP System

• SAP

• Ariba

Market intelligence

• LexisNexis

• BriefCase Analytics

• NAVEX Global

• NEO Group

• D&B

• BEROE

• Maplecroft

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

© 2015 Ernst & Young LLP. All Rights Reserved.

1502-1398239

ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey.com


bit.ly/downloadameliaapp

Tweet using: #SIGspring15

Session #1

Tipping the Scale: Reynolds' Supplier Risk Management Program Creates a Balance between Cost and Risk

Speakers:

Reynolds American: Suzanne Wood, [email protected]

EY: Patrick Fishburne, [email protected]

EY: Jason Parnes, [email protected]

www.sig.org/eval