Vendor Management Risk Mitigation · Sun Life Supplier Risk Management Framework The supplier risk...

The Importance of Having a Formalized Methodology Vendor Management Risk Mitigation: Sun Life Financial Laura Williams AVP, Procurement Opus Sam Mele Vice President Sales sig.org/summit


Vendor Management Risk Mitigation: The Importance of Having a Formalized Methodology

Laura Williams, AVP, Procurement, Sun Life Financial

Sam Mele, Vice President Sales, Opus

sig.org/summit


Case Study: Supplier Management and Risk Mitigation


Today’s Speakers

Laura Williams, AVP, Procurement

Sam Mele, Vice President Sales


About Hiperos 3PM

• The leading SaaS platform for managing third parties

• Purpose-built to minimize third party risk and maximize their value

• Manages third parties and third party relationships

• Accelerates / automates / enforces third party…

  • Onboarding

  • Risk Segmentation / Scoring

  • Due Diligence

  • Risk / Performance Monitoring

• Protects against reputational harm, regulatory exposure and revenue loss

• Reduces the cost of third party management


Financial Industry Challenges

• Low Margins from continued lower interest rates

• Increased cyber threat

  • Data Breaches

  • Ransomware

  • Malware etc.

• Increased Regulatory Costs

  • MRA, Board Resolution, Consent Orders, Fines, Censures etc.

• Increased competition from non-traditional players

  • Startups, Fintechs, other established players

• Blurred lines between Vendors, Third Parties, Clients

• Prudent Risk Management practices across all risk domains

How do we manage risk and continue to create value?


SUN LIFE FINANCIAL IN 2016

A $32 billion(1) leading, international financial services provider… operating through a balanced and diversified model… focused on creating shareholder value now and in the future

(1) Market capitalization (C$), as of December 31, 2016

Discussion Outline

• Drivers of Supplier Risk

• Key Challenges

• Supplier Risk & Performance Management Program

• Supplier Management Best Practices

• Leveraging Technology

• Lessons Learned

Drivers of Supplier Risk

• Change in use of technology

• Increased engagement of suppliers for non-traditional services/outsourcing

• Increase in threats to protection of data stored in technology or used by a supplier

• Increased and changing regulatory requirements

• Expectation of Clients / Customers

• Expectation of the Board and Enterprise Risk Committees


Supplier Risk Defined

Risk Description

The risk of financial loss, operations disruption and / or reputation harm as a result of inadequate performance or failure of suppliers.

Supplier risk is a composite of various operational risk elements including privacy, legal/regulatory, business continuity, information security, data/records management, IT currency and reputation.

External Drivers

• Suppliers face similar technology threats (e.g. cyber security) that Sun Life does

• Regulators (OCC, CFPB) have increased their focus and extended ‘bulletins’ to all third parties

• Sun Life customers are extending their focus beyond Sun Life controls to our controls over our suppliers

Internal Drivers

• Nature of supplier relationships is changing / more complex with increased technological inter-dependence

• Sun Life expects its suppliers to have adequate standards and controls, similar to its own to address external factors / threats

• Inconsistent supplier engagement and management practices / unclear supplier relationship management responsibilities

Challenges

• Organizational size and geographies

• Dispersed ownership of supplier risk – Corporate/Operational Risk, Business, Individual SRMs, Legal, Privacy, Information Security, Enterprise Business Continuity, Strategic Sourcing

• Defining the Supplier Risk Landscape – what is in and out of scope

• Understanding who has access to what – both internally and externally


Sun Life Supplier Risk Management Framework

The supplier risk management framework for suppliers and outsourcers includes several inter-related elements including supplier lifecycle guidelines, policies and standards, organization roles and responsibilities, tools and templates. The framework embeds practices throughout the supplier lifecycle targeted to identify and reduce risk.

[Framework diagram; labels in the order they appear:]

• Establishes standards and consistency in supplier governance process throughout the supplier lifecycle; defines relationships to other control processes

• Consistent practices for supplier assessment, engagement and ongoing management and monitoring

• Supporting Infrastructure (People, Process, Tools)

• Sourcing methodology and tools

• Procurement / Buying guidelines

• Supplier Lifecycle Guidelines

• Consistent practices for all supplier sourcing and procurement activity

• Common tools, processes & technology (e.g., P2P, Contract management, supplier information management, PIA)

• Supplier Risk Assessment

• Supplier Segmentation

• Supplier Relationship Management

• Report / Tools / Scorecards

• SLF Supplier Risk & Performance Management Framework

• Enterprise supplier and procurement standards & EOG

• Outsourcing Policy & EOG

• SLF Roles & Responsibilities

SLF Supplier Risk & Performance Management Program

• Program conception in 2014 with a goal to develop a framework to identify and manage supplier relationships throughout their lifecycle

• Objectives

• Define and assess supplier risk in a consistent, sustainable manner

• Incorporate current and emerging regulatory requirements

• Identify and incorporate existing practices (and Policies) – both those that work well and need improvement

• Identify roles and responsibilities throughout the organization

• Build a realistic implementation and transition plan

• Develop policy, standards and guidelines (tools, templates)

• Communicate and Educate


SRPM Implementation and Transition Planning

Sun Life relies on suppliers to support our business process. The SRPM Standard and EOG provide a risk-based approach to consistently assess and manage suppliers with supporting tools and infrastructure.

• Supplier spend reviewed

• Ownership and SRMs confirmed

• Contracts filed and risk assessed

• Missing contract identified

• Supplier tier established

• Right-size management applied

• Contracts missing identified

• Risk-based gap analysis/reporting

[Timeline diagram: 2014, 2015, 2016]

Risk-Based Analysis

Supplier Tiering

Supplier Management Guidance

Sustained Supplier Risk & Performance Management Activities

• Risks identified, assessed & mitigated

• Owners identified

• Suppliers managed

• Grow program support

• Reportable, defensible Supplier information

Understand Supply Base


Setting the Stage for Framework Execution Phase I – Scope and Assess Risk Consistently

1. Define Roles & Responsibilities

2. Find the Right Stakeholders

Accountable Executive

Day to Day Supplier Manager

Procurement & Sourcing Services

SMEs

3. Set a manageable scope & focus measurement on the right subset

4. Allow for ad hoc inclusion

Review with SLF R&C, BUCO

Stakeholder Workshops

5. Prioritize & capture early wins

[Diagram labels, in the order they appear:]

• Total Supplier Base

• Kick Off Review

• High Risk/Outsourcing

• Tier 1 & 2

• Initial SLF Supplier List 18,000+

• Sort by Top 80% Spend

• Business Assess Risk Profile

• Start with Suppliers that have the greatest impact on Business

• Focus on Areas of Greatest Impact

Key Principles

Setting the scope and aligning with current SLF Canada Supplier Management practices in partnership


Framework Execution: Phase II – Supplier Segmentation; Phase III – Full Supplier Risk & Performance Management

Based on the results from the first phase, SLF will have a focused approach to supplier management with suppliers.

• Segmenting the supply base will focus the resources

• Supplier performance management plans including scorecarding, SLA tracking, etc.

• Formalize SLF and Supplier operational and strategic meetings

[Illustrative charts, "Supplier Tiering Process": "Supplier Value vs. Resource Effort" (labels: Value, Resource Effort, Supplier Value) and "Time vs. Supplier Risks" (labels: Supplier Risks, Time)]

Supplier and resource value is maximized through the application of consistent supplier management tools and processes.

Supplier Risk Management Best Practices

• Know your universe – what is the starting point and focus on areas of greatest impact

• Define the Risk – both the risk drivers and the risk impact, what is considered a high risk supplier and why

• Consistency in assessment and terminology is Key – critical, material, not-material, key, important, significant….

• Find the WIIFM for the business and make it easy to do business with you – from resource capacity to risk mitigation

• Have a plan and spell it out with clear roles and accountabilities

• Integrate with processes that already work – don’t try to fix what isn’t broken as a starting point

• Build upon processes that work well and continuously improve

Leveraging Technology

• Technology will be your hero

• Consistency in data capture means consistency in reporting

• Technology as ‘evidence’ – both direct and indirect, directly embed in technology and the technology itself is a form of evidence

• Phased and integrated approach to technology – it does not have to launch with full functionality all at once and can integrate with existing platforms

• Regulators love technology


Supplier Life Cycle and Technology


Lessons Learned

• Find your supporters early and consider a pilot

• Make it easy to comply

• Leverage existing risk committees and subject matter experts

• Tap into existing controls and technology processes

• Establish and document realistic and measurable targets

• Cast a wide net - talk to industry experts, colleagues and consultants

• Report often and don’t get discouraged


Wrap-up

• Third party management/Supplier Risk Management is about good business practices enforcing good business results.

• The only constant is change – flexibility is key to success

• This is bigger than just your suppliers or vendors. (Define your universe)

• Automation enables you to drive consistency, execution and auditability across the entire portfolio

• Third party management is about transforming data into actionable intelligence

• Information from technology provides continuous oversight through a closed loop process

• Effective third party management is not an “option” – it is a must – driven straight from the Board


Thank you

Laura Williams, AVP, Procurement, Sun Life Financial

Sam Mele, Vice President Sales


Tweet: #SIGspring17

Session #3

Vendor Management Risk Mitigation: The Importance of Having a Formalized Methodology

Laura Williams, AVP, Procurement, Sun Life Financial

Sam Mele, Vice President Sales, Opus
