In our previous article, we explored how setting integrity expectations with your suppliers can be an effective tool for promoting compliance throughout your entire supply chain. However, setting expectations alone will not create a high-integrity supply chain – verifying that your partners ‘walk the talk’ is the necessary next step for reducing risk. This is achieved by putting a good process in place and applying appropriate and reasonable assessment tools and techniques so that you can trust, but verify, your third parties’ compliance.
In this article, we will explore how an organisation can establish an effective programme for verifying their supply chain partners. Starting with identifying the relevant risk areas, we will discuss how to set programme scope and deploy appropriate tools and techniques. Because different suppliers pose different risks at different levels in the supply chain, trust without verification will leave your organisation open to significant regulatory risk and reputational damage when things go bad.
Some things remain true across all organisations: markets evolve, resources are limited, and hindsight is 20/20. These factors lead to challenges when setting the scope of your supply chain integrity programme. If the scope is too broad, resources will run out before getting deep enough; if the scope is too deep, risk area coverage will be limited.
Below are tips for building your supply chain integrity programme.
General integrity risk landscape
The risk landscape may appear endless and can overwhelm your resources if you do not have a way to prioritise the risks that are inherently common in your supply chain. Compliance risks can generally be broken down into four categories: financial risk, ethical risk, reputational risk and integrity risk. Each category will have a different impact depending on the many factors that define your business. What is the nature of your business? Where do you operate? What do your suppliers do for you? Where do your suppliers operate? Answering these questions can uncover the type of risks that have the highest impact on your business, and allow you to begin narrowing the landscape of compliance risks to those that likely exist in your supply chain.
Next, look for ways to segment your supplier network into logical groups where similar risks exist so that verification efforts can be tailored for efficiency. For example, a supplier of office furniture is unlikely to pose a significant risk of intellectual property theft. When verifying a vendor, save time by only applying the relevant checks. Segmentation should consider details such as the geographical locations where the supplier does work for you, the social factors that are relevant to the supplier, the goods the supplier produces for you, and the movement of the goods from the point of sourcing to you. Once complete, the segmentation exercise will give visibility into the relative risk level for each segment, allowing you to assign each segment into a risk tier that will be used for setting the specific programme scope.
No two supply chains are the same, meaning that each carries its own integrity risk profile that will impact the design and scope of the compliance assessment programme. Resource requirements can vary significantly, as can the tools and techniques needed to effectively verify the integrity across the network. Properly scoping your programme will not only save you resources but will help you identify and manage your key risk pain points.
As discussed above, suppliers present different risks and will affect your resources differently. This is where segmenting third parties into risk tiers can help narrow the programme scope and improve the efficiency of your limited resources. The key is to ensure that your efforts are consistent with your values, expectations and priorities. For instance, if child labour is your main area of concern, you must allocate adequate resources and a high degree of priority to this risk.
It is quite common for organisations to misapply their resources to another non-priority risk area because that area is getting more public attention. If you are attempting to eradicate modern slavery from your supply chain, it may not help you to reallocate your resources to fighting data breaches or environmental stewardship just because the media is reporting on it or the public is talking about a related scandal. While changes in the environment may call for modifying the scope of risk areas covered in your programme, constantly chasing the latest hot risk topic will lead to a loss of programme focus and a misallocation of resources.
Tips for setting programme scope
- Identify which third parties are in scope
Focus first on your high- and medium-risk suppliers. Cut out the big and the famous – are you really not going to do business with a national supply chain if you find they had a labour complaint in one of their stores?
- Build a realistic (and prioritised) red flag list
Your programme cannot address every red flag out there. Identify those that represent the most significant risks and start your programme there.
- Develop a risk-rating methodology
There’s no way to differentiate high- and low-risk suppliers if you don’t have a way to rate how much risk they present. Your rating methodology should consider high-impact risks for your business, industry, geography etc.
- Test the approach on a sample
Test and tune your programme with a pilot of your processes, rating methodologies and mitigation approaches for a sample of suppliers in your network. Make sure you are getting the expected results before rolling the programme out across your entire supply chain.
Tools to help you verify a third party
So, now you have assessed the risk landscape, set your programme scope and developed a methodology to identify the segments where suppliers are most likely to be challenged with prioritised risks, what do you do about it? This is where having the necessary tools to conduct a reasonable level of assessment is important.
The tools to help you verify what your suppliers tell you vary depending on the potential risks they present to you, as well as your available resources and budget. Tools range from simple database screening to boots-on-the-ground and on-site verifications. Other tools include questionnaires, surveys and enhanced due diligence.
- Database screening
Screening your suppliers against an advanced database may help you to validate their risk tier and check whether they are sanctioned, blacklisted or listed on an international watchlist. Screening suppliers can also confirm which have clean slates and which have integrity concerns.
Based on the outcome of the screening, you may be required to perform high-degree risk-based due diligence on your suppliers, or simply not do business with them. You can also use screening to onboard good suppliers and focus your attention on those that are likely to expose you to risks.
- Questionnaires and surveys
Questionnaires and surveys are good for obtaining information on suppliers. Although some of the information may not give a clear picture of your third party, the collected data can be used for risk tiering and determining which suppliers are potentially risky.
Using an automated and integrated system, you can send out questionnaires and automatically categorise the respondent third parties from low to high risk using a pre-set algorithm. Questionnaires can help verify and ascertain that all contractual agreements, transactions, books and records, subcontractor relationships (especially third- and fourth-tier relationships) and anything your suppliers tell you is factual, properly documented, trackable, legal, accurate, trustworthy and in alignment with your expectations and values. Suppliers who refuse to be verified shouldn’t be trusted – don’t trust their word without verification, and don’t do business with untrusted suppliers.
- Due diligence
Enhanced due diligence will give you a clear understanding of a supplier’s integrity and compliance profile, as you will be able to verify, among other things, their ownership, financial position, compliance culture, reputational profile, legal and operational status, as well as their engagement with low-tier suppliers – where integrity risks often lie. Thorough enhanced due diligence will also help to accurately verify the data and information gathered via questionnaires and surveys.
- Physical on-site verifications and virtual inspections
Physical on-site inspections are the best way to verify that your suppliers are living up to your expectations. Even though on-site inspections and verifications may be costly, lengthy and resource-demanding, they can help you to physically see which suppliers are likely to expose you to risks through their activities.
Inspections can be done discreetly, either virtually or physically. Discreet virtual inspections may provide a great deal of information, while open physical inspections may not be helpful if your suppliers are informed about impending inspections on their activities. Inspections are highly recommended for supply chains in high-risk locations (e.g. Southeast Asian, African or BRIC countries) and in industries like mining, garment manufacturing, food processing, construction, agriculture and fisheries.
Concluding with expected outcomes
Given the size of modern supply chains, there is no expectation that all risks will be reduced to zero. However, by deploying an effective programme, integrated with appropriate tools and techniques to verify the integrity of supply chain partners, you can be confident that all reasonable measures were taken to make an informed decision about doing business with a third party.
What should you expect to get out of your programme?
- Confidence that knowable issues have been identified
- Set remediation steps that can be executed when necessary
- Reasonable expectation that unfound significant issues are unlikely
- Risk-tier segmentation of your supply chain partners for ongoing verification
In part three of this series, we will explore the use of metrics for optimising programme effectiveness. Implementing a supplier risk-management programme without assessing its efficacy is not good enough and may result in exposure to integrity and compliance risks created by suppliers.