Supplier Risk Management
On an ongoing basis, suppliers are evaluated for compliance with our operating companies’ guidelines, as well as laws and regulations. We employ robust supplier risk management processes, which include environmental, social and governance factors. RAI subsidiaries utilize an annual supplier management activity matrix, which includes supplier self-assessments, FDA-relevant risk assessment and supplier audits. In 2016, 80 percent of direct materials suppliers and 17 percent of active indirect suppliers were assessed.
Risks identified from the analyses, including sustainability risks, inform a supplier segmentation process. Suppliers are assessed on likelihood of risk, as well as its impact to our subsidiaries. Suppliers who score highly in both areas are further assessed through the RAI Enterprise Risk Management (ERM) process.
RAI employs a holistic ERM process that aligns with the COSO Framework. Governance is provided by the RAI Risk Committee, which is chaired by the CEO. ERM at RAI is centralized for purposes of governance, thought leadership, process leadership (including the use of a common risk language, assessment tools, etc.) and enterprise communication and reporting. With respect to risk assessment, management and ownership, ERM is decentralized and embedded in the subsidiaries with second line oversight by the supplier compliance, supplier quality assurance and procurement functions. Critical suppliers’ risks are assessed and reported to the Audit and Finance Committee twice a year through the ERM office.
Our subsidiaries use various levels of supplier audits based on the supplier segmentation results and quality issues. These audits are led by supplier quality assurance, supplier compliance and internal audit department and include cross-functional teams comprising procurement, finance and other departments. Audit focus areas include quality, training, risk of contamination, logical and physical security, change control, product recall and business continuity. The program also identifies areas in which suppliers could improve, and RAI’s subsidiaries work with suppliers to identify corrective actions and ensure timely implementation.
In addition to these audits, RAI subsidiaries evaluate critical and strategic suppliers for financial health. Procurement engages with various third parties to evaluate the financial statements of both publicly and privately held suppliers.
Supplier due diligence is not limited to upstream suppliers. RAI’s operating companies contract with third-party regional distribution centers (RDCs) for finished goods inventory receiving, shipments to customers and inventory reporting. We conduct procedural and physical audits of these downstream facilities at least once every 18 months. Audits include a review of:
- Internal controls to prevent the use and/or shipment of non-conforming, damaged or contaminated product;
- Formal preventive maintenance programs for buildings and equipment;
- Sanitation and pest control;
- Chemical usage;
- Personal hygiene;
- Product handling, identification, traceability and recall; and
- Security and environmental hazards.