Rare is the business these days that can afford to be cavalier about the regulatory scrutiny on its supply chain. Rarer still is the enterprise not working hard to gain more visibility into its extended family of vendors and suppliers.

But are they doing what needs to be done effectively and efficiently?

A recent survey of companies by MetricStream on managing, measuring, and monitoring supplier compliance found that even though more than 90 percent of respondents have a supply chain compliance program in place, nearly 50 percent have still suffered from recent incidents of supplier non-compliance.

Even a single slip-up can be disastrous in the current regulatory environment. Bank regulators have made abundantly clear that financial institutions bear responsibility for the actions and deficiencies of the third parties they use. Federal and state laws regarding conflict minerals, human trafficking, and child labor affect the manufacturing sector and beyond. Activist scrutiny, customer concerns, reputation risk, and class-action lawsuits are all unwanted supplements to an enforcement action.

How do non-compliant vendors and suppliers still manage to fall through the cracks? The reasons vary. Many vendors are globally dispersed and have suppliers of their own—and those fourth or fifth parties can still haunt you directly. Companies may also focus on immediate regulatory priorities (conflict minerals, for example), while neglecting broader issues. Others may have such a fractured, siloed system of vendor management that a holistic view of risk is nearly impossible.

“Doing nothing is not an option,” says Randy Stephens, vice president of advisory services for NAVEX. “No matter how challenging it is, you need to find ways to break it down into its component parts and get started.”

Ditch the Paper

The complexity of the third-party universe means that overseeing your supply chain manually is virtually impossible. Still, says Gary Barraco, senior director of supply chain solutions for Amber Road, a provider of global trade management software, nearly 50 percent of the manufacturing companies he talks to manage their vendors with spreadsheets, Word documents, or even e-mail.

GRC software vendors abound, eager to help companies automate their processes, but Barraco finds it can be useful to let personnel hold onto their spreadsheet security blanket, configuring a back-end system that can seamlessly import and export data into those documents.

There are strategic benefits to moving away from manual processes. “Upstream visibility helps with downstream proactivity,” Barraco says. Tracking a vendor’s suppliers, for example, can let a company keep tabs on its inflow of raw materials, flagging discrepancies that could lead to a shipping delay. Transparency into supplier capacity levels can also raise red flags. If a vendor’s capacity is 100,000 units per year and your company’s order is for 150,000, questions need to be asked about where the remaining units are coming from and to whom their production is outsourced.

Get Everyone at the Table

At many companies, different departments, units, and locations all have preferred vendors and suppliers. A proper risk assessment needs to consider a company as a whole, not the sum of its parts, even if that might initially lead to conflicts.


“You may always have people in your organization who will argue that they need to use their guy,” Stephens says. “A compliance officer needs to be able to stand up to them and say they can use them, but they need to be able to demonstrate the same rationale and same due diligence process applied to any undertaking with a third party. They are going to have to demonstrate a business need and that they don’t add risk, just like anybody else.”

Stephens recommends that each external vendor be assigned an in-house point person for oversight. “That person knows they are going to be on the hook if somebody gets out of line,” he says.

Convening the entire team helps everyone understand the need for evaluating, monitoring, and establishing policies and controls for vendors both new and old. “Get in a room with the stakeholders in your company and whiteboard out where all the potential third parties can exist,” Stephens advises. Although most data can be gleaned from accounts payable information and internal databases, this exercise will help fully map the supply chain and provide the opportunity to rationalize the company’s third parties and eliminate duplicate services.

Think Like a Regulator

When engaging in third-party management, “think and act like a regulator,” says Sean Cronin, vice president of field operations for GRC software provider ProcessUnity. That requires a focus on established standards, controls, expectations, and demands for transparency.

“That’s what the regulators are really looking for, because you cannot avoid vendors that may have ulterior or bad motives,” he says. “Regulators are going to ask how well you really have your arms around your supply chain and vendor chain. The wrong answer is going to lead to a more egregious audit and examination. You want to show that you are managing this process proactively and are self-policing.”

The following, prepared by the Open Compliance & Ethics Group (OCEG), details best practices, and what to avoid, when assessing supply chain risk.

Keys to Success

Identify every link in every supply chain, the roles they play, and the risks associated with them.

Use a code of conduct, policies, and training to promote awareness of supply chain risk and understanding of required conduct for both employees and parties in the supply chain.

Select the right technology platform and due diligence partners to build risk intelligence.

Identify, evaluate, and manage risk consistently across and throughout all supply chains, using a standard approach to risk ranking and prioritization.

Continually monitor and evaluate the supply chain risk management capability.

Common Mistakes

Addressing only a small subset of parties in the supply chain, and then failing to manage even these based on risk ranking.

Failing to do business continuity planning.

Having inadequate communication between management and personnel involved.

Allowing activities that reduce supply chain transparency.

Not considering consolidated impact.

Source: OCEG.

Be a Diplomat

Companies may need to be difficult with unresponsive or recalcitrant vendors, but a little bit of diplomacy can go a long way to build the sort of relationship you want. “Years ago, the model would have been to go in and say, ‘You work for me, I’m going to tell you what to do, and if you don’t like it I’m going to stop doing business and go somewhere else’,” Barraco says. “If you keep doing that, you will eventually run out of places to source from.”

Just as compliance officers have had to convince their companies to view them as a useful ally rather than an obstacle, supply-chain management needs to adopt a similar mission statement. “The best way to remediate health and safety issues is not to just go in like a bull and say you are taking over,” Barraco says. “Go in and say you are there to help and work with them. Nine times out of 10, the factory would love to have the same compliance standards and operate properly.”

Trust, but Verify

As always, use a risk-based approach to judging your vendors and business partners. “It’s not the people you have dealt with for years and years and have a great relationship with who are likely to cause you a problem,” Stephens says. “It is going to be someone that you haven’t had a great relationship with, or haven’t had a long-term one. That’s where you have to apply your risk assessment process.”

“You don’t have to do the same level of due diligence for each third party,” he adds. “If you have a domestic supplier who works for a lot of companies, you might have a lower level of due diligence expectations than a new third party you are adding in a country with a high fraud index rating.”

His other advice: Trust your gut.

“If you get your due diligence back and everything looks great, with green lights all across the board, that itself might send you a red flag,” Stephens says. “Don’t rely completely on the process; still apply common sense and question things your instincts tell you don’t make sense.”