Additional national and international ESG initiatives are in the pipeline or currently under discussion that will introduce or increase these requirements. This includes the further implementation of the EU’s Action Plan on Sustainable Finance and Germany’s National Action Plan in Business and Human Rights, incorporating a new national Supply Chain Act. These laws and initiatives aim to respond to international standards, such as those agreed by the UN as well as OECD member countries. Some of these new requirements are aimed at addressing serious international incidents. An example is the 2013 fire and collapse of a clothing factory in Bangladesh which supplied European fashion brands. The factory operated in violation of local fire prevention standards, and the tragedy had significant reputational repercussions.
Local labour laws might pose additional regulatory risk in connection with the supply chain. In some cases, the company and its officers and directors may face civil or even criminal liability where a supplier does not follow local laws, for example on minimum wages or working time, or does not implement adequate controls to prevent violations of these laws from happening.
Setting up a supplier compliance management system
Companies should put in place a tailor-made compliance management system (CMS), designed to address the specific compliance risks which that company faces. This should include measures to:
- prevent misconduct – such as policies, training and due diligence;
- detect misconduct – such as a whistle-blower hotline and audits;
- react appropriately to misconduct – such as internal investigations and sanctioning of employees; and
- continuously improve compliance measures – based on regular monitoring and improvements following ‘lessons learned’ from misconduct.
The following are some of the main elements of a typical supply chain CMS.
Compliance risk assessment
Compliance risk assessment (CRA) is the basis for each CMS. It includes a process to determine a company or group-specific risk inventory based on company operations; business model; global reach of the supply chain; management and procurement model (central versus local); and other relevant factors.
The CRA also involves management assessment of risks associated with the elements of this inventory considering the probability of violations; the impact such violations might have; measures that are already in place to prevent violations; the effectiveness of existing measures; and the definition of any additional measures required.
If needed, the company should define a framework of policies and internal processes to address regulatory compliance risk in the supply chain. This framework might include specific aspects of the company’s code of conduct (for example, on bribery and corruption and conflicts of interest); internal policies around procurement and any specific procurement controls. It may also include an external supplier code of conduct, containing a general set of contractual obligations and commitments that suppliers must adhere to.
Supplier qualification process
This should define responsibilities during supplier on-boarding and include sufficient supplier due diligence. Due diligence should include the collection and evaluation of basic information on suppliers gathered through self-assessment and certifications on factual qualifications, environmental health and safety and quality standards; export and customs requirements; sanctioned party screening; and documentation thereof.
Supplier compliance controls
These should address specific risks associated with suppliers. For example, controls in the accounting process to ensure the ‘four eye principle’ or two-person rule for procurement and payment transactions and the integrity of supplier master data; contractual commitments; and reporting obligations in respect of wages, working time, health and safety standards etc.
Supplier monitoring process
Monitoring should include regular as well as incident-driven supplier audits; corrective actions in case of challenges; and termination rights following a defined remediation procedure.
Implementing your compliance system globally
There is no ‘one size fits all’ standard for supply chain compliance. Instead, the required elements and depth will depend on the specific circumstances of the company.
Compliance risk assessment
Companies will not usually be starting from scratch with their supply chain regulatory compliance efforts. Most companies already have ample processes and controls in place to address relevant risks, even if they have not yet looked at them from the CMS angle. The CRA approach will allow you to establish not only the relevant risks, but also those measures that are already in place. This will allow you to obtain a full picture of any gaps, and to think of appropriate but still efficient ways to close these gaps.
In global companies, responsible and knowledgeable individuals from all business units and locations should be included in the risk assessment process.
Designate clear responsibilities
Also, the company should consider and assign clear responsibilities for supply chain management. Many of the typical compliance challenges can be effectively addressed by designating functions or individuals within the company to handle regulatory supply chain risk or, as a minimum, to set standards and monitor other functions or individuals who handle single aspects of compliance.