International regulations and guidance continue to emphasize the role of due diligence in mitigating the risks posed by a company’s operations. While the EU’s new due diligence rules have been hailed by some as landmark and will usher in a new regulatory layer, LRN’s Ty Francis says meeting the increased regulatory scrutiny on supply chains could start with turning to tried-and-true third-party risk practices.
The European Union’s recently passed Corporate Sustainability Due Diligence Directive (CSDDD) mandates that large companies in the EU address issues relating to forced labor and environmental damage in their supply chains.
This directive requires companies to thoroughly audit both their “upstream” partners involved in design or manufacturing and “downstream” partners responsible for transportation, storage and distribution of products. Business organizations have expressed concerns that the directive will impose additional regulatory layers, potentially impose severe sanctions, disadvantage European firms compared to international competitors and deter investment in Europe.
The rules, which were softened to gain acceptance from some EU members worried about excessive bureaucracy, will take effect in 2028 for companies with over 1,000 employees and a global turnover exceeding 450 million euros. (Originally, the proposal targeted EU companies with more than 500 employees and 150 million euros in turnover.)
The law obliges companies to prevent, cease or minimize potential or actual harm to human rights and the environment, including issues like child labor and biodiversity loss. It also necessitates remediation of any adverse impacts caused. Financial entities are required to assess only their upstream partners.
Additionally, companies must develop strategies for transitioning to a low-carbon economy. Penalties for noncompliance can reach up to 5% of a company’s global turnover.
International regulations growing
Despite adjustments, Germany did not support the final version of the EU’s directive. The EU’s largest economy had already taken more steps toward regulating corporate supply chains with its own legislation, the Supply Chain Duty Act (Lieferkettensorgfaltspflichtengesetz), enacted in June 2021. This law, which targets companies based in Germany with at least 3,000 employees, is set to broaden its reach this year, lowering the employee threshold to include companies with at least 1,000 employees.
The German legislation applies to all types of suppliers, requiring companies to proactively monitor direct suppliers while adopting a more reactive approach to indirect suppliers, based on substantiated claims or incoming news of violations. It mandates the establishment of a risk management system, regular risk assessments and the implementation of preventive measures to mitigate any adverse human rights impacts within their supply chains. Additionally, companies must create avenues for complaints, allowing rights holders and whistleblowers to anonymously report any violations.
Like the EU’s new directive, the effectiveness of the German law will hinge on thorough implementation and the willingness of companies to adjust to these new regulations, ultimately pushing forward corporate accountability on a broader scale.
Canada, too, has joined the fast-growing group of regions making supply chains a priority, with its Fighting Against Forced Labour and Child Labour in Supply Chains Act, also referred to as the Modern Slavery Act (MSA), going into effect Jan. 1, 2024.
Back in the United Kingdom, the recently introduced “failure to prevent fraud” offense under the Economic Crime and Corporate Transparency Act mandates significant changes for organizations in the UK. This offense, likely to be implemented sometime in 2024, could expand corporate criminal liability and simplify the prosecution of organizations for fraud committed by employees or third parties that benefit the organization.
And though it doesn’t rise to the level of federal legislation, across the Atlantic, the DOJ’s Criminal Division makes clear in its updated corporate compliance evaluation guidance that a well-designed compliance program should apply risk-based due diligence to third-party relationships.
It is clear that compliance with international standards means strengthening due diligence, including conducting sober assessments of risks posed by third parties, be they business partners, suppliers or others.
Expectations of organizations
The EU’s new provision could ask organizations to intensify their training efforts, particularly for employees in higher-risk positions. This includes detailed case studies within training materials to help employees recognize and understand potential fraud scenarios. The aim is to ensure that individuals are well-informed about the nuances of the offenses and the organization’s specific vulnerabilities to fraud.
Due diligence on third parties, such as agents acting on the organization’s behalf, is crucial. The act will demand that organizations conduct due diligence not just for transactions and contracts but also for the ongoing monitoring of third parties. This could include integrating fraud due diligence into existing processes like anti-bribery and anti-corruption checks.
Some broader requirements could see organizations asked to conduct comprehensive fraud risk assessments, potentially revising existing assessments to better cover outward fraud, and to implement effective audit and monitoring systems for fraud, particularly focusing on medium- and high-risk third parties. Asking third parties to comply with your own policies and procedures, and even going a step further and requiring them to undertake training to ensure they are aware of your code of ethics, may be a prudent risk mitigation exercise.
Overall, with the impending requirement for more structured training and rigorous third-party due diligence, organizations must prepare for a thorough overhaul of their current fraud prevention strategies to align with the new legal landscape set by the UK’s corporate transparency act. This involves a proactive approach to training and third-party interactions, ensuring that all possible measures are taken to prevent fraud.
Also in January, the UK’s Financial Reporting Council (FRC) introduced the updated 2024 UK Corporate Governance Code, emphasizing the board’s responsibility to manage risks, including those associated with third-party suppliers. Boards often lack a clear view of the risks and assurances provided by these third parties.
The code stresses the importance of evaluating the quality of controls managed by third parties. Typically, third-party questionnaires are used to assess these controls, but they may not offer enough assurance to meet the new code’s standards.
In addition to performing stringent due diligence before engaging any key third-party service provider, to ensure it has robust controls, companies should also maintain a detailed inventory of these third-party suppliers so they can identify and assess their risk levels, in line with the recent updates.
Risk management & due diligence: sides of the same coin
While every business is at risk of exposure to modern slavery, we believe companies can mitigate this risk through good policy, processes and practice. The recent reforms highlight the need for stringent oversight of controls by key suppliers, but are organizations ensuring some of their higher-risk suppliers are aligned with their own controls, code of conduct or internal training?
Organizations have been performing third-party risk management (TPRM) and third-party due diligence (TPDD) for the longest time. But how should organizations up their game? Before we look at this, we need to understand the difference between the two.
TPRM is a broad, ongoing process that involves identifying, assessing and controlling risks presented by third parties (vendors, suppliers, partners) throughout the duration of a relationship. This includes risks in areas like cybersecurity, compliance, operational processes and reputational impact. TPRM is continuous and aims to mitigate risks by implementing controls, monitoring third-party performance and ensuring that the third party aligns with the organization’s standards and regulations on an ongoing basis.
TPDD, on the other hand, is often a component of TPRM but is generally a preliminary step taken before entering into a contract or relationship with a third party. It involves a detailed examination and assessment of the third party to understand the potential risks and benefits of the partnership. Due diligence includes reviewing the third party’s financial status, business operations, legal compliance and reputation. It’s a critical phase to ensure that the collaboration will not negatively affect the organization’s integrity or financial position.
While TPDD is about thorough vetting before entering into a partnership, TPRM focuses on continuously managing and mitigating risks throughout the relationship. Both are essential for maintaining healthy, compliant and profitable business relationships, but to ensure that your third parties and suppliers are aligned with your organization’s values and code, we should be offering our suppliers and third parties ethics and compliance training.
Training third parties and suppliers, especially key employees within those entities, on the same content your organization uses can be crucial to ensure alignment in values and messaging. It is now imperative that your vendor community understands the values and ethical behaviors expected of them while representing your organization, and that your team has the ability to audit vendor performance.
Key international supply chain regulations
| Location | Current regulation | Date | Key requirements |
| --- | --- | --- | --- |
| Germany | Supply Chain Due Diligence Act (Lieferkettengesetz) | 2023 | Companies with more than 3,000 employees (reducing to 1,000 employees from 2024) must establish risk management systems, take preventive measures against human rights and environmental risks and establish complaint procedures. |
| EU | Corporate Sustainability Due Diligence Directive (CSDDD) | TBD | Companies with over 1,000 employees and turnover of EUR 450M are required to identify and prevent adverse impacts on human rights and the environment across their global supply chains. |
| UK | Economic Crime and Corporate Transparency Act (“Failure to Prevent Fraud” Provision) | TBD | Organizations would need to demonstrate that they have adequate procedures in place to prevent fraud by persons associated with them, similar to the “failure to prevent bribery” offense under the Bribery Act 2010. |
| USA | California Transparency in Supply Chains Act | 2012 | The law applies to retail sellers and manufacturers doing business in California that have annual worldwide gross receipts exceeding $100 million. Covered companies must disclose on their websites the efforts they undertake, if any, regarding audits of suppliers to assess compliance with company standards for trafficking and slavery in supply chains. |
| Canada | Fighting Against Forced Labour and Child Labour in Supply Chains Act/Modern Slavery Act (MSA) | 2024 | Companies based or doing business in Canada must detail the steps taken during the previous financial year to prevent and reduce the risk that forced labor or child labor is used by them or in their supply chains. They must meet two of the following three criteria for at least one of their two most recent financial years: $20M or more in assets; $40M or more in revenue; 250 or more employees. |