Satisfying third-party due diligence and compliance requirements can be time-consuming, especially for your suppliers — and global regulations around supply chain due diligence are only growing. Aravo’s Dean Alms offers his advice: Make things easier on your suppliers, not harder.
Bribery and corruption, cybersecurity attacks and data spills, ESG concerns, geopolitical shifts and manmade or natural disasters pose complex and enduring risks to a company’s extended enterprise. Governing bodies at the state, national and international level have passed supply-chain and third-party due-diligence laws and regulations to mitigate these risks, with more on the horizon.
You, your suppliers and their suppliers may operate in multiple markets that have new or changing regulations and compliance expectations. Thus, it’s critical to remain vigilant and align with evolving anti-bribery and corruption (ABAC), financial reporting, cybersecurity and data privacy, ESG and trade laws, regulations and standards across global jurisdictions.
Teams that manage risk and drive compliance should build collaborative relationships with their supplier base and invest in shared tooling that makes the exchange of due-diligence information reciprocal, transparent and efficient. Relationships built this way not only help both parties meet their statutory obligations but also serve their business needs and support enduring partnerships.
As supply chain risks and cyber threats rise, so do regulations
It’s our responsibility as corporate and global citizens to do what we can to combat corruption, cyber risk, environmental exploitation and social injustice from within our extended supply chains. Complying in good faith with laws and regulations is part of this responsibility.
Examples of ESG due diligence laws include the U.S. Uyghur Forced Labor Prevention Act (UFLPA), the German Supply Chain Due Diligence Act (LkSG), the EU’s Corporate Sustainability Reporting Directive (CSRD) and recently enacted Canadian forced labor and child labor law. Add to that the pending disclosure rule changes from the SEC and International Sustainability Standards Board, which are expected to require more publicly traded companies to report their Scope-3 emissions.
While ESG risks have risen, so have cybersecurity threats. Today, more than 80% of chief information officers say their software supply chains are vulnerable to cyber attacks. In this area, too, governments have acted, including a series of U.S. presidential executive orders and new standards for the electrical system, along with proposed SEC cybersecurity disclosure rules in the financial services sector.
And this is to say nothing of the continuing geopolitical tensions that ramp up the strain on supply chains, including Russia’s war in Ukraine, Chinese economic espionage and human rights abuses and malign Iranian actions in the Middle East, all of which have earned those countries economic and political sanctions along with trade embargoes and restrictions.
To drive compliance, carrots work better
How can companies comply with more supply chain laws and regulations to mitigate risks and drive continuous improvement throughout their value chains? How should they address their suppliers’ and vendors’ compliance obligations to fulfill their own legal or regulatory requirements?
To be sure, the answer isn’t simply to dump all the work off to your suppliers. Here are some best practices to drive due diligence and compliance without driving either you or your suppliers to your breaking points.
Nail initial supplier due diligence: Conduct a comprehensive initial assessment and obtain industry and third-party certifications, audits, supplier surveys and past performance evaluations. This approach establishes a strong foundation for both you and the supplier, benefiting future periodic reassessments and compliance with relevant laws and regulations.
Incorporate compliance KPIs into supplier performance management: Integrate regulatory compliance into ongoing performance management with suppliers. Establish, manage and assess adherence to relevant laws and regulations (e.g., FCPA, UFLPA, LkSG) by translating them into measurable KPIs that hold suppliers accountable and keep both parties in compliance.
Supplement initial due diligence reports with risk intelligence data: Ensure that the solution used to manage supplier risk incorporates real-time external insights (for example, sanctions, adverse media and breach intelligence) to streamline onboarding and enrich risk reviews. This helps the organization prioritize the third parties that represent the highest risk to the business.
Continuously monitor third parties to stay informed and vigilant: Continuous monitoring offers early warnings for potential risks to the business, facilitating prompt corrective actions with suppliers and accelerating supply chain resiliency.
The responsible path for most companies building a TPRM program for their extended enterprise is to think big, start small and grow fast. Think big and design the program accordingly, so you don’t end up with multiple fragmented solutions that lack visibility, data integrity and clarity over your overall risk. Start small, because ESG, cybersecurity and other risk areas will intensify and the applicable regulations will change. Grow fast by incrementally expanding your risk domains as needed. Finally, plan to build agile and resilient capabilities as you move through the maturity levels of your TPRM program, tracking success, delivering performance metrics and demonstrating impact on the business.