The Securities and Exchange Commission’s conflict minerals rule could be compared to building a house. The first step—building the foundation—is to review your products and supply chains for the use of tin, tantalum, gold, and tungsten and determine whether they were mined from the war-torn Congo.

Most companies are still building that foundation, with varying degrees of success. But with a June 1 deadline fast approaching for your second year of conflict-minerals compliance, when companies are supposed to start auditing the strength of their program, the time is coming to think about building upon that foundation with a robust risk mitigation plan.

The “building code” for that next phase is spelled out in a document that deserves a place on any compliance officer’s desk, a 122-page due diligence framework published by the Organisation for Economic Co-operation and Development.

The conflict minerals rule requires that conflict minerals programs hew closely to an internationally accepted framework. So far, the OECD guidance is the only such framework around, and it is the core of nearly all industry-specific guidance. The need for a risk management plan “is engrained into the entire framework by the OECD,” says Michael Rohwer, program director of Conflict-Free Sourcing Initiative, a consortium of more than 200 companies and associations.

Below is an outline of the OECD framework, with step three identifying the necessary elements of an adequate risk management plan:

Design, implement, and monitor a strategy to identify and respond to identified risks.

Identify and verify the identities of all suppliers, business partners, and customers.

Report findings of the supply chain risk assessment to designated senior management.

Adopt, and clearly communicate to suppliers and the public, a conflict minerals policy.

Establish a chain of custody or traceability system for suppliers.

Incorporate a policy into contracts and agreements.

Establish a company-level, or industry-wide, grievance mechanism as an early-warning risk-awareness system.

That’s a lot to tackle, and neither the OECD nor the SEC says it expects immediate results. The goal is to strengthen these efforts over time.

Start by Talking the Talk

The process begins by adopting a conflict minerals policy and communicating both its goals and the remedial actions that employees can expect. After establishing that policy, a company should build a team around it and establish a system of controls and transparency over its supply chain, Rohwer says.

“[Risk mitigation] is generally not an area where a boilerplate or one size fits all approach makes a lot of sense.”
Michael Littenberg, Partner, Schulte Roth & Zabel

"Companies are taking different approaches to their risk mitigation, which you would expect since the risk mitigation strategy has to be tailored to the specific risks identified and the particular supply chain," says Michael Littenberg, a partner at law firm Schulte Roth & Zabel who heads up the firm's public companies practice, which includes its conflict minerals and responsible sourcing practice. "The risk mitigation strategy is not an area where a boilerplate or one size fits all approach makes a lot of sense. It needs to be tailored to your own particular business and circumstances."

That tailoring to your business’s specific circumstances can happen in two phases.

The first, Littenberg says, involves general measures or compliance program features to mitigate supply chain risk, such as creating an enhanced supplier training program around conflict minerals compliance, clearly articulating supplier expectations, establishing a process for requesting and evaluating sourcing information from suppliers, and engaging with smelters through the CFSI. The second involves identifying and assessing risk on an individual supplier basis, for example around suppliers that fail to meet company expectations, are unresponsive, or source from uncertified or unverified sources. The supplier data collected forms the basis for both immediate and potential future corrective actions, even including severing the relationship if warranted.

The key is not just gathering data from suppliers and vendors (using questionnaires, interviews, and even on-site visits); the information must be accurate and actionable. Rohwer suggests using standardized reporting templates offered by the CFSI and a variety of trade groups, including the Automotive Industry Action Group. The templates standardize data collection, which means you can pair them with a data exchange protocol to track and compare the data.

The IPC-1755 Conflict Minerals Data Exchange Standard—developed by IPC, an electronics industry association, along with the AIAG, CFSI, and the Japan Electronics and Information Technology Industries Association—was created to help suppliers and their customers facilitate the exchange of conflict minerals data. It offers simplified terms and definitions, descriptions of declaration classes, data requirements for a conflict minerals declaration, and verification guidance. The free download is compatible with a variety of software tools and reporting templates.

“The entire rule is about having a process that is integrated into your company’s daily activities and process around conflict minerals,” Rohwer says.

Walking the Walk

In integrating such a process, an IT platform may help identify and assess risk in real time, says Jonathan Hughes, director of Assent Compliance, a consulting firm with a conflict minerals practice. There may be “too many data points to accurately perform these tasks manually without an extensive amount of devoted internal resources,” he says.

Design and Implement a Strategy to Respond to Identified Risks

The following is an excerpt from the Organisation for Economic Co-operation and Development’s “Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas.”
Report findings to designated senior management, outlining the information gathered and the actual and potential risks identified in the supply chain risk assessment.
Devise and adopt a risk management plan. Companies may manage risk by either continuing trade throughout the course of measurable risk mitigation efforts; temporarily suspending trade while pursuing ongoing measurable risk mitigation; or disengaging with a supplier in cases where mitigation appears not feasible or unacceptable. To adopt the risk management plan and determine the correct risk management strategy, companies should:
Review the model supply chain policy on minerals from conflict-affected and high-risk areas to determine whether the identified risks can be mitigated by continuing, suspending or terminating the relationship with suppliers.
Manage risks that do not require termination of the relationship with a supplier through measurable risk mitigation. Measurable risk mitigation should aim to promote progressive performance improvement within reasonable timescales. In devising a strategy for risk mitigation, companies should: consider, and where necessary take steps to build leverage over upstream suppliers who can most effectively prevent or mitigate the identified risk; consult with suppliers and affected stakeholders and agree on the strategy for measurable risk mitigation in the risk management plan.
Measurable risk mitigation should be adjusted to the company’s specific suppliers and the contexts of their operations, state clear performance objectives within a reasonable timeframe and include qualitative and/or quantitative indicators to measure improvement.
Implement the risk management plan, monitor and track performance of risk mitigation, report back to designated senior management and consider suspending or discontinuing engagement with a supplier after failed attempts at mitigation.
Undertake additional fact and risk assessments for risks requiring mitigation, or after a change of circumstances. Supply chain due diligence is a dynamic process and requires on-going risk monitoring.
Source: OECD.

Hughes also stresses the importance of vetting the validity of supply chain data. “Each submission from a supplier should receive a grade or score according to its accuracy, content, and strength,” he says. A response plan can then be tailored based on those report cards. Some submissions may be accepted at face value and require no additional follow-up; high-risk suppliers or questionable responses may require supplier outreach, a resubmission request, or even a stop on all purchase orders.

The OECD’s requirement for “a grievance system” is intended to improve supplier transparency, Rohwer says. It is comparable to a whistleblower hotline or company helpline that gives employees a means to report problems and vent concerns. “People who have concerns have a way to contact you,” he says. “It is important to have some form of contact at the supplier level, whether it’s an e-mail address or a hotline.”

With last year's SEC filings under their belt, companies are getting more comfortable with those requirements and the OECD framework, Littenberg says. "Now is the time to start thinking about supply chain compliance more holistically and about how conflict minerals compliance relates to, and fits into, other supplier compliance initiatives," he says. "For example, can you combine some of your initiatives and supplier outreach to reduce the cost and time spent on compliance, as well as to reduce substantive supply chain risk?"

One tip: Watch what other companies are doing, certainly, but don’t assume that your mid-cap company can duplicate the efforts of an Apple or Intel.

“Companies should be benchmarking their programs against competitors and other perceived peers,” Littenberg says. “Everybody’s compliance program is unique, however, and their supply chain and risks are unique. Companies that are newer to this aren’t necessarily in the same place as a large electronics company that has been focused on the issue for six or seven years. Their suppliers are different, and they have different amounts of leverage over their supply chain. There is also a different level of maturity in their compliance program and the resources they are able to put into compliance.”

“This is certainly not one here [where] you can just print out someone else’s compliance program and adopt it and say it is yours,” he adds.