Are you in compliance?

Don't miss out! Sign up today for our weekly newsletters and stay abreast of important GRC-related information and news.

Shop Talk: Building Ethics Into a Global Supply Chain Starts at Home

Joe Mont | December 11, 2012

To put a twist a popular bumper sticker, companies need to think locally and act globally.


The following executives participated in the November 27 roundtable on ethical conduct in the supply chain.

Grant Adamson,
Senior Counsel,
Phillips 66

Bobby Butler,
Chief Compliance Officer,
Universal Weather & Aviation

John Lazarine,
VP of Internal Audit,
Rackspace Hosting

Charlie LeStage,
Associate General Counsel, Deputy Compliance Officer,
Hercules Offshore

Joe Lloyd,
Director of Ethics & Compliance,
Tyson Foods

Jackie Phillips,
VP of Ethics and Compliance,
Spectra Energy

Mark Reynolds,
Internal Audit Director,
Susan G. Komen for the Cure

Ron Skillens,
Chief Compliance Officer,
Children's Medical Center of Dallas

Jim Stempak,
Principal, Risk Consulting Practice,
Crowe Horwath

Don Thurman,
Chief Compliance Officer,
Foster Wheeler USA Corp.

Rick Warren,
Principal,Third-Party Risk Services Practice Leader,
Crowe Horwath

For More Information on Compliance Week Roundtables

The larger they grow, the more diverse and complex their supply chain and network of vendors become, and the more scrutiny they face from regulators and the public.

In fact, regulators such as the Securities and Exchange Commission have ratcheted up oversight of supply chains and third-parties, including anti-bribery demands and a new requirement to disclose conflict minerals from the war-torn Congo in corporate supply chains. These and other regulations have pushed companies to gain more visibility into suppliers and sub-suppliers and to scrutinize the practices of the companies they do business with.  

In a wide-ranging discussion, a multi-industry group of compliance, audit, and legal professionals gathered in Dallas, at an executive forum hosted by Compliance Week and accounting and consulting firm Crowe Horwath to discuss supply chain risks and how to advance ethical conduct throughout the supply chain. Among the challenges they face is how to best ensure that suppliers abide by the policies and principles they set. Can they be confident that when putting their name on a product or service that everything lives up to not just their standards, but those required by law, expected by regulators? Companies know that it can take years to build up a reputation and a strong brand identity, but only a few minutes to see it torn apart by an embarrassing headline about sub-standard conditions in a supplier's factory or worse.

“Decisions on compliance efforts have to be focused on what is right for the customer, for your people, for the planet and the environment, and, lastly, profit,” said Rick Warren, a principal at Crowe Horwath who leads the firm's third-party risk practice. “All of them have to be a different level of priority based on your organization. The companies that get all of it right will have the stronger brands and add more value to their shareholders.”

It's All About Ethics

“Because customers rely on much more from us, it makes our system much more robust," said one participant. "And it's not just about compliance anymore. “It is all about ethics.”

“Culture trumps compliance,” agreed Bobby Butler, senior vice president and chief compliance officer for Universal Weather & Aviation. He recalled a quote from Warren Buffet: “Culture, more than rulebooks, defines how an organization behaves.”

A recurring theme throughout the discussion was that building an ethical culture must go hand-in-hand with defining a company's approach to risk.

According to Warren, there doesn't have to be a one-size-fits-all formula for success. One client, for example, measures its performance on minimizing reputational risks in the supply-chain by monitoring the press for negative stories, with a goal of zero, he said. It invests heavily in compliance and audit manpower to ensure that goal and forces suppliers to go through new training. Another's approach is to make “compliance part of our DNA” and something “so ingrained in the culture that everybody knows it is their job to be compliant.”

Still, projecting an ethical corporate culture can only go so far, especially in regard to third-parties. Forum participants also discussed the need to manage risk. Jackie Phillips, vice president of ethics and compliance for Spectra Energy, said it is important to zero in on a company's sweet spot when reacting to risk. "On an elementary level, you have to be able to explain to internal management, as well as rank and file, what the risks are," she said. "You have to find some middle ground between, 'the sky is falling, we are all doomed,' and deluding ourselves into thinking that there is no exposure at all for our company. You have to find somewhere in the middle and say, 'Ok, this is a comfortable level from which we can decide what the real issues are for us and how we can effectively mitigate and manage those risks." 

These concerns should be documented and shared, not kept within individual departments."There are some risks that don't fit into a silo; they cut across our organizations and need to be addressed with an enterprise-wide perspective," she said.                     

Business leaders have to set the “tone for the company” and it is important to overcome the perception that a “commitment to compliance may lead to a competitive disadvantage,” or that the compliance team is akin to a “snitch in the room," Butler said. He suggests considering compliance outreach to mid-level managers, who are often more influential than what comes from the CEO.

A Holistic Approach

Participants discussed the importance of building a comprehensive ethical culture that permeates a company and its vendors. Jim Stempak, a principal with Crowe Horwath's risk consulting practice, stressed education and training for fostering a “best practices” mindset. “Just sending a policy over to suppliers doesn't work,” he said. “You've got to tailor that message to real-life examples and to their cultural expectations of what they are supposed to be doing. The policy has to translate.”

Mark Reynolds, director of IT and operations audits for Susan G. Komen for the Cure, a Dallas-based leader in breast cancer education and research, spoke to the specific needs of charitable organizations. “Komen cares about compliance and puts processes in place to fund the best research and support the local communities with meaningful grants,” he said. “Most people do not give money to charities for compliance functions. However, donors, the public, and legislators expect us to safeguard donations, be faithful stewards, and fund the best programs.” 

Those efforts have to come with an awareness that “non-Komen activities are often attributed to us just because it had a pink ribbon,” Reynolds said.

Another participant said boards and executives are likely to ask: “How do we know that our compliance program is changing behavior in an organization?”  It isn't just the higher-ups who need to be on-board. Many throughout an organization may view the compliance function as “the police. “The challenge is finding new and creative ways to present what we are doing,” he said. “I have to disarm that a little bit, and let them know we are a resource for them.” That approach proves its value when compliance-related consultations rise, even if other metrics, like hotline calls, drop. "People are coming directly to us, saying, ‘Hey, this might be an issue and I'd like to run it by you,' “ he explained.

Above: Bobby Butler, chief compliance officer at Universal Weather & Aviation, said it's important to have “boots on the ground” when dealing with overseas entities.

Don Thurman, Foster Wheeler USA's chief compliance officer, addresses the group (right); to the left sits Ron Skillens of the Children's Medical Center of Dallas, and Susan G. Komen for the Cure's Mark Reynolds.

Using real-life examples is also effective when conveying the importance of risk mitigation and the need for everyone to make it their business, panelists agreed. One participant, said: “It's hard to illustrate the value of what didn't happen, but when something does happen, you can leverage it.”

Reigning in Vendors

"You know who your suppliers are, but how do you know who their suppliers are?" is how Spectra's Phillips described a constant challenge.

When peering down the rabbit hole of sub-suppliers, it can help to make sure you have plenty of back-up. John Lazarine, vice president of internal audit for Rackspace Hosting, says it may help to have a company share its code of conduct with those it does business with. “We want them to understand how we want to operate, so that they will say something if they see something questionable or wrong on their side." 

“At the end of the day, it comes down to having people who know the difference between right and wrong, who want to do the right thing and are aware that when things are wrong, they should raise a hand, or make a phone call and do something,” he said. “If some people are inclined to step over the ethical line, to do the shady stuff, they are going to do it. You've got to have mechanisms that highlight those things and get them out in the open.”

A major issue for boards and senior management is knowing how far down to vet their supply chain and whether the existing risk assessments, especially in terms of FCPA compliance and anti-corruption measures, are adequate. “That's not an easy answer,” said Crowe Horwath's Warren. “Even within an industry there are different types of relationships with suppliers in different parts of the world.” That is especially true when compliance companies are all across the board in terms of being centralized or decentralized. There are also differences in talent, board structure, and types of vendors.”

A question to ask, Warren said, is: “If the Department of Justice knocked on your door, what would you give them to prove you are compliant.” That approach to assessing your program is “a good first step,” he said. Go back to your book or binder of rules and policies and see if they would give the DOJ a laudable view of what your program looks like and what you are actually doing.

Creating a like-minded network becomes more of a challenge as a company branches out into international opportunities. “You don't just need to factor in the cost of doing business there, but also how you will ensure that your company is in compliance with applicable laws and regulations and who will oversee that compliance,” Lazarine said.

Jackie Phillips, vice president of ethics and compliance at Spectra Energy, and John Lazarine, vice president of internal audit for HMS Holdings, share a smile during the roundtable.

Butler stressed importance of having “boots on the ground” when dealing with overseas entities and verifying the claims of vendors, often  made in pre-screening questionnaires companies rely on. “You cannot manage compliance sitting in Houston or Dallas,” he said. “You have to get out and kick the tires, look under the hood, and work with them face to face.” He also suggests that companies give vendors the opportunity to use the hotline the same as employees do. "The hotline needs to go out into the supply chain."

“One of the things I do when I sit down with leaders across the business is to ask them about their own area of responsibility and what laws and regulations apply to them,” Lazarine said. "I'm hoping that some of the conversations spark some interest and concern so that they will go back and do some research. We try to coordinate, collaborate, and get our arms around this as best we can, but ultimately Management has an obligation to research and understand the various laws and regulations that are applicable to their areas of responsibility. We should be the backstop; we should not be the tip of the spear."