The latest enterprise risk management news from around the world

Managing supplier compliance risks: the way forward

As organizations are placed under increasing scrutiny for the actions of their suppliers, they can no longer shy away from the importance of building a stronger supplier compliance management programme.

By Sonal Sinha.

For organizations today, ensuring compliance across their global and expansive ecosystem of suppliers is a far more complex challenge than it used to be. As supply chains continue to stretch globally, companies are increasingly put into the spotlight due to the actions of their third parties. No longer can they claim ignorance if one of their suppliers is found to be non-compliant with a particular regulation or organizational policy. With that in mind, many organizations have turned to build more efficient and effective supplier compliance management programmes to ensure that all of their suppliers and third parties are working within the boundaries of what is expected.

In a bid to learn about the different approaches to managing, measuring and monitoring supplier compliance, MetricStream recently conducted a global survey of executives in organizations across multiple industries.

Perhaps the most alarming finding was that over 50 percent of organizations have faced an issue of non-compliance due to a supplier: highlighting the pressing need for more effective supplier compliance management programmes.

The most common area where businesses fall foul of regulation was with management systems and documents (59.5 percent), followed by breaches in environmental and health and safety standards (29 percent). The former reveals an issue with the supplier’s own compliance programme, which could mean an absence of systems to ensure they’re working within the scope of external regulations. This is an issue for any connected company, as managing a third party that lacks the ability to ensure its own compliance is a big reputational risk.

More encouragingly, the report made clear that nearly all (91 percent) companies do have some kind of strategy or programme for supplier compliance monitoring in place. The level of strategy does differ, though; with 48 percent monitoring compliance of their entire supply chain; 48 percent focusing only on critical suppliers; and 12 percent carrying out management only on certain geographies, for example on countries with a low ranking on the corruption index. Considering the pressures placed on businesses, the fact that 91 percent have identified the need for supplier compliance is positive.

When it comes to creating supplier compliance policies, companies take into consideration a number of factors, including: industry best practices (76 percent), their own internal requirements and codes of conduct (74 percent), global regulations (55 percent), and local laws (43 percent). The lack of focus on global regulations and local laws could be a cause for concern, as regulations and laws can vary drastically between regions and countries, for example the minimum working age. If organizations overlook these nuances and implement a blanket policy across all of their suppliers, they could face serious regulatory penalties.

In regards to the frequency of supplier compliance reviews, 45 percent of businesses conduct reviews annually; ten percent on a quarterly basis; and 5 percent every month. However, a significant 38 percent of businesses re-visit supplier compliance on a need-only basis, for instance when outsourcing at times of full capacity. While this may seem like an adequate approach, it can lead to out-of-date processes which, in turn, can lead to supplier compliance issues.

Through our research, we found that businesses have a number of benchmarks that they use to evaluate their suppliers. Seemingly, the most important is the supplier’s adherence to the parent company’s process and performance requirements (83 percent), followed by compliance with polices and codes of conduct (71 percent). Perhaps most surprising, is the fact that the third party’s compliance with local laws is of less emphasis (57 percent). Again, this lack of focus on regional regulation could become a real issue for businesses as more supplier-focused laws are introduced. Going forward, companies must communicate these new legal obligations to mitigate the risk of regulatory fines and reputation damage.

It’s also interesting to note that even though companies monitor supplier adherence with regulations it remains the most common reason for the non-compliance issues referred to previously. Therefore, this suggests that there may be a problem with the methods used to communicate and manage supplier compliance and, thus, it is likely a good time to re-evaluate them.

Despite many choosing to adopt supplier compliance management technology tools and systems, there is still a heavy reliance on manual processes, e.g. the use of spreadsheets and email, with 38 percent of businesses using them as the sole method of collecting and analysing data. Slightly fewer (24 percent) use an independent tool, but only 5 percent use a comprehensive solution as part of an enterprise-wide governance programme – another surprising statistic. In this data-driven world, information can be derived from almost anywhere. Companies can no longer expect employees to collect and then analyse all the information from an increasing number of data points – it’s simply not possible. Instead, organizations should be using tools that automate data collection, including data from other areas of the business, and trigger alerts if the information breaches pre-set risk indicators. This will give companies a far more holistic view of their supply chain, empowering employees to make better informed judgement calls and resolve non-compliance issues in a timely manner.

Ultimately, as organizations are placed under increasing scrutiny for the actions of their suppliers, they can no longer shy away from the importance of building a stronger supplier compliance management programme. 91 percent of businesses do have some form of management in place, but with half having experienced issues due to third party non-compliance, it’s obvious the processes being used need to be re-evaluated. While perhaps a complex undertaking, it actually presents an opportunity for businesses. As with most compliance activities, many take a myopic view and conduct supplier compliance management to avoid fines and protect business value. The question is, why can’t it be used to add value? At a time when supply chain scandals are becoming more common, customers are more drawn towards brands that are committed to building ethical and compliant supply chains, remaining loyal as opposed to swapping for less transparent alternatives. Businesses must view their suppliers as an extension of their own firm, encouraging and communicating the expectations of regulatory compliance as if they were any other internal department.

This can be achieved by developing a well-defined supplier compliance management strategy and programme; one which focuses on continuous supplier performance monitoring, regular supplier audits and assessments, collaborative corrective actions, and timely compliance reporting. Companies that embrace such a strategy will not only be well prepared for new regulatory enforcement, but will also be known as strong and ethical brands.

The author

Sonal Sinha is Vice President, of MetricStream.



Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

   

A website you can trust

The entire Continuity Central website is scanned daily by Sucuri to ensure that no malware exists within the site. This means that you can browse with complete confidence.

Business continuity?

Business continuity can be defined as 'the processes, procedures, decisions and activities to ensure that an organization can continue to function through an operational interruption'. Read more about the basics of business continuity here.

Get the latest news and information sent to you by email

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.