Increasingly, governments and regulators are warning firms about hidden and unacceptable risks within supply chains. Now more than ever, firms need to know who they are buying from and selling to, as well as who their vendors and customers are buying from and selling to. Then there are the literal supply chains of logistics: Who is delivering raw materials to you? Who is delivering your goods to the customers and the marketplace?

What was once perceived as a simple bilateral relationship between buyer and seller or vendor and purchaser is no more, but just how far does a firm need to go down a supply chain? And how many chains are there? Retailers are commonly referenced in media allegations of manufacturers paying less than the minimum wage, exploiting children, even slave labor. Such allegations are bad for a company’s brand as well as its relationship with regulators.

Last month, Pakistan International Airlines suspended a number of flights after having discovered that around 260 of the country’s 860 active pilots had either fake flying licenses or had cheated in their exams. Does your firm use this airline to supply goods or to move people from one business unit to another? Did you ever consider a training supply chain?

Of course, this is an extreme case, but it does highlight the primary issue: risk. Risk managers like certainty. Without it, the correct data risks cannot be measured, managed, mitigated, or rejected. Thus, it follows that adjacent to risk, there is confidence. Which of us has previously perceived there could be a risk within the training of the staff of a third-party supplier? Does anyone believe the Pakistan issue is an isolated instance?

How does this play out in the world of financial crime compliance? Does your firm’s due diligence extend to the validation of staff training within a respondent bank? Confidence can be provided when firms seek and secure International Organization for Standardization (ISO) ratings and approvals. ISO is a non-governmental organization with 164 member countries and has currently issued 23,293 international standards covering all aspects of manufacturing and technology. But do those standards work within your supply chains? Moreover, what and whom can your firm rely upon?

You will by now have noticed this article poses lots of questions and thus far has provided no answers. That is because supply-chain risk management is somewhat subjective. While U.K. anti-slavery laws demand firms undertake supply-chain due diligence, and some firms now apply robust know your supplier (KYS) and know your customer (KYC) processes, there is no one single answer to supply-chain risk management.

Or is there? I posit that the answer is to take control of your supply chains and demand data from those within it. In the event participants are not prepared to provide any of the data you have requested, you would be wise to cut them out of your supply chain.

Where risk arises in relation to correspondent banking, this should extend to the provision of full KYC data for the respondent bank’s customer. Yes, this is bold, but it is about taking control, securing certainty, and dealing with risk. Notwithstanding the perceived obstacles of bank secrecy and customer confidentiality, this can be achieved by requesting the respondent bank obtain their customers’ consent to share the data. Should the request be refused by the respondent bank or its customer, the correspondent providing the clearing services should demand the respondent no longer process transactions through the correspondent on behalf of that customer.

Supply-chain risk management is achieved by taking control, demanding data, and not being blind to any of the risks hidden behind a vendor; a vendor’s supplier; a vendor’s training provider; a vendor’s logistics contractor; or a vendor’s auditor. In the event you determine you do not have control of the supply chain and cannot make such demands of others, identify what else or who else you and your firm might be able to rely upon. These may include the regulated status of third parties, public ownership, transparency, and the longstanding good reputation of a party.

How far up and down these supply chains do you go? That is a matter for you, but do not be intimidated into accepting no for an answer. Do not be deterred by the absence of a direct relationship with a party within the supply chain and beware of the usual red flags:

  • Newly incorporated companies;
  • Offshore companies;
  • Companies providing consultancy services within the supply chain;
  • Companies owned/controlled by governments/politicians;
  • Transactions that appear overpriced, underpriced, or illogical; or
  • Companies in high-risk jurisdictions

In the parallel supply chains running between raw material providers, commodity brokers, manufacturers, their bankers, customers, regulators, and more you can facilitate the legitimate provision of goods, adjacent to confidence. Such confidence is often drawn from the brands and third parties your firm does business with, buys training from, and supplies services to. Doing business with cheap, but simultaneously nasty, third parties can cause a lot of damage to your reputation and your ability to participate in some supply chains.