Effective supply-chain risk management calls for real audits

December 7, 2015

In today’s supply-chain compliance landscape, risk management can no longer be limited to Foreign Corrupt Practices Act (FCPA) due diligence. Risks now span sanctions, export controls, privacy risks, data security, environmental issues, collusion and price fixing, as well as some new risks, such as human trafficking and modern-day slavery in the supply chain. Looking at prospective business partners with only one risk in mind is therefore no longer acceptable. It is essential to assess all of the relevant risk areas, which requires tools, software and processes that can assess each third party against every identified risk area.

Many years ago, when companies were very focused on FCPA due diligence, the tendency was that, once due diligence was done, the company would simply on-board that third party and conclude the risk-assessment process. Companies then conducted business with that third party, executed transactions, accepted and placed orders, shipped products, agreed on rebates and discussed marketing, all without much thought about comprehensive risk-management systems and processes.

This habit is precisely where many companies fall short today: they on-board their third party and then generally do very little in terms of supplier management. Increasingly, however, companies are beginning to appreciate the necessity of enhancements to this process, such as renewals, monitoring and ongoing assessments and, importantly, audits.

Identify, manage and resolve risks by conducting real audits

The key to robust integrity and compliance risk management has been widely recognised as being a combination of various steps covering ongoing solutions to common risk areas. Effective risk-minimisation strategies include identifying key risk areas in your suppliers and going further than screening and due diligence. A much broader system should be applied, with elements such as environmental impact assessments, on-site analyses, validation of compliance procedures through interviews, conducting training, and carrying out on-the-ground audits to identify supply-chain risks.

As mentioned previously, many compliance breaches are perpetrated by criminals, many of whom are more than capable of deceiving junior auditors. It is also not unheard of for suppliers to intentionally allow auditors to find smaller issues, so that the auditors leave with something insignificant and stop looking for more serious risks. It is important to keep in mind that significant experience is required to conduct an audit for issues such as corruption, bribery, employee rights, price fixing and collusion, just to name a few. A clear direction is required to complete thorough audits, which cannot focus only on the company itself but also require insight into side companies, owners and directors, as many illegal activities are handled away from the company itself.

Companies that are not managing supply-chain risks are not managing risks at all

As supply-chain disruptions can cause considerable damage to profits, growth and reputation, it is clear that managing the risks of suppliers is a focus for large companies. While many large companies with extensive compliance budgets (for example, oil and gas companies) are known to conduct numerous audits every year, many smaller companies would struggle with such a considerable task. Nonetheless, a comprehensive supply-chain risk framework is essential.

It can help if suppliers are placed into different categories based on volume and frequency of business, and legal and regulatory risk profiles. Frameworks for structured supplier monitoring programmes based on risks, with several layers in the risk-assessment processes, have proven to be extremely valuable when implemented. A first step could be conducting integrity due diligence on all suppliers, followed by interviewing those partners identified as higher risk, and, finally, selecting a few suppliers per year to undergo thorough compliance monitoring audits.

Companies should be asking themselves which of their suppliers could cause critical operational or financial problems if they were found to have compliance or integrity issues. Similarly, an effective supply-chain compliance programme makes sure that suppliers have integrity, social and ethical underpinnings that align with the company’s brand and goals. These values should be tested through audits in those suppliers identified as most prone to risks, as this helps focus on early intervention rather than crisis management. Periodic supply-chain audits also increase brand protection.

While audits are a common response to supplier management, they are often too superficial to identify any major issues. As many of the risks are perpetrated by criminals capable of deceiving junior auditors, complex audits must be conducted with clear and deep mandates.

The times of conducting superficial audits to satisfy the management team’s calls for supply-chain risk management are over; companies cannot afford to miss identifying major issues. Screening, monitoring and integrity due diligence, with ready-made technology solutions that identify, manage and resolve risks, are now the bare minimum. Following that, real audits by professional-services teams with experience in managing risk and compliance are required to dig deep into the integrity profile and business conduct of each supplier and uncover key risks.

Suppliers are a necessary part of every business. Knowing how to effectively manage the risks that surround your suppliers is the key to a robust supplier integrity and compliance programme.

Companies that attempt to push responsibilities onto suppliers will fail, both under the law and in the eyes of their customers. However, companies that meet the challenge will be viewed favourably in the years ahead, and stakeholders, shareholders, and ultimately their clients and customers will thank them with business growth and an enhanced reputation.
