Out-Law Analysis | 07 Sep 2020 | 7:30 am | 6 min. read
Even the best supply chain risk compliance management cannot exclude regulatory violations from happening altogether. However, targeted and tailor-made measures based on a thorough risk assessment will provide the best protection against regulatory risk stemming from the supply chain.
This is part of a series; find out more about creating a resilient supply chain regime.
A company with a good understanding of its risk profile and associated processes will be better suited for the next crisis.
A company's supply chain can present significant compliance risks. Aspects to consider include corruption; fraud; export controls and sanctions; environmental, social and governance (ESG) compliance requirements; labour law compliance; and health and safety laws, among others.
Suppliers might serve as a gateway for active bribery of customers – for example, use of suppliers such as business consultants to disguise illicit payments made to customers to obtain business. Supplier handling also provides opportunities for passive bribery, if procurement employees receive benefits such as cash, travel or gifts from suppliers in order to favour them in violation of company rules around procurement.
Procurement activities such as contracting and accounting may be misused to funnel assets such as cash or valuable goods out of the company. Malicious employees might set up fake suppliers in the system; process fake invoices; manipulate legitimate invoices; or change banking details before and after outgoing payments. In cases of fraud, such funnelling is made for the benefit of employees or related third parties. Alternatively, these tactics can be used to generate 'slush funds' that are hidden from the company's official records in order to be used for illicit purposes, such as bribery.
Suppliers, their shareholders, beneficial owners and other related parties may be subject to sanctions under one or more national or multi-national sanction regimes. Processing orders, making payments or providing other benefits to sanctioned parties might violate sanction laws and trigger serious consequences for the company.
The company or parts of the corporate group may be required to take specific actions in respect of its global supply chain under ESG-related laws in different countries, for example the Modern Slavery Act in the UK; the 'conflict minerals' provisions in chapter 15 of the US Dodd-Frank Act; or California's Transparency in the Supply Chain Act. These actions may include specific due diligence on HR or labour law standards within the supply chain; providing annual statements to the public or other reporting requirements; or educating customers on steps taken in respect of supply chain transparency.
Dr. Eike W. Grunert
Additional national and international ESG initiatives are in the pipeline or currently under discussion that will introduce or increase these requirements. This includes the further implementation of the EU's Action Plan on Sustainable Finance and Germany's National Action Plan in Business and Human Rights, incorporating a new national Supply Chain Act. These laws and initiatives aim to respond to international standards, such as those agreed by the UN as well as OECD member countries. Some of these new requirements are aimed at addressing serious international incidents. An example is the 2013 fire and collapse of a clothing factory in Bangladesh which supplied European fashion brands. The factory operated in violation of local fire prevention standards, and the tragedy had significant reputational repercussions.
Local labour laws might pose additional regulatory risk in connection with the supply chain. In some cases, the company and its officers and directors may face civil or even criminal liability where a supplier does not follow local laws, for example on minimum wages or working time, or does not implement adequate controls to prevent violations of these laws from happening.
Companies should put in place a tailor-made compliance management system (CMS), designed to address the specific compliance risks which that company faces. This should include measures to:
The following are some of the main elements of a typical supply chain CMS.
Compliance risk assessment (CRA) is the basis for each CMS. It includes a process to determine a company- or group-specific risk inventory based on company operations; business model; global reach of the supply chain; management and procurement model (central versus local); and other relevant factors.
The CRA also involves management assessment of risks associated with the elements of this inventory considering the probability of violations; the impact such violations might have; measures that are already in place to prevent violations; the effectiveness of existing measures; and the definition of any additional measures required.
If needed, the company should define a framework of policies and internal processes to address regulatory compliance risk in the supply chain. This framework might include specific aspects of the company's code of conduct (for example, on bribery and corruption and conflicts of interest); internal policies around procurement and any specific procurement controls. It may also include an external supplier code of conduct, containing a general set of contractual obligations and commitments that suppliers must adhere to.
The supplier on-boarding process should define responsibilities during supplier on-boarding and include sufficient supplier due diligence. Due diligence should include the collection and evaluation of basic information on suppliers gathered through self-assessment and certifications on factual qualifications, environmental health and safety and quality standards; export and customs requirements; sanctioned party screening; and documentation thereof.
Supplier-specific controls should address the specific risks associated with suppliers. Examples include controls in the accounting process to ensure the 'four eye principle' or two-person rule for procurement and payment transactions and the integrity of supplier master data; contractual commitments; and reporting obligations in respect of wages, working time, health and safety standards, etc.
Monitoring should include regular as well as incident-driven supplier audits; corrective actions in case of challenges; and termination rights following a defined remediation procedure.
There is no 'one size fits all' standard for supply chain compliance. Instead, the required elements and depth will depend on the specific circumstances of the company.
Companies will not usually be starting from scratch with their supply chain regulatory compliance efforts. Most companies already have ample processes and controls in place to address relevant risks, even if they have not yet looked at them from the CMS angle. The CRA approach will allow you to establish not only the relevant risks, but also those measures that are in place already. This will allow you to obtain a full picture of any gaps, and to think of appropriate but still efficient ways to close these gaps.
In global companies, responsible and knowledgeable individuals from all business units and locations should be included in the risk assessment process.
Also, the company should consider and assign clear responsibilities for supply chain management. Many of the typical compliance challenges can be effectively addressed by designating functions or individuals within the company to handle regulatory supply chain risk or, as a minimum, to set standards and monitor other functions or individuals who handle single aspects of compliance.
It might be a challenge to designate clear responsibilities while striking the balance between central transparency, a uniform approach across the organisation and expertise on one side, and being close to the business on the other side. In many cases, it might be appropriate to assign responsibility for supplier qualification and due diligence to the procurement or other business functions that deal regularly with suppliers rather than transferring this to central management. If so, the company needs to sufficiently train procurement officers on the relevant regulatory risks, and the processes put in place to address these.
When drawing up a supplier code of conduct, it often makes sense to benchmark the company's expectations against the legal requirements of its main customers, including original equipment manufacturers (OEMs), and come up with a standard that covers these aspects, rather than re-inventing the wheel.
Comprehensive IT tools, dashboards and supplier monitoring solutions already exist in the market to support supply chain compliance. However, it might be more reasonable and efficient for the company to build on existing general compliance or accounting processes and add supplier-specific features to these, rather than implementing new workflows, processes and tools. This will depend on the company's needs and available resources.
When it comes to supplier monitoring, companies with an extended global value chain will frequently have already built up extensive expertise in closely monitoring and managing their main suppliers for quality, cost and secure performance reasons. Adding relevant regulatory aspects to the monitoring and management of suppliers should sit well alongside these existing processes.