A Chief Compliance Officer can get so overwhelmed with risks that it is hard to keep their focus on priorities. Risks are everywhere and no compliance program can address every risk – the trick is keeping your eye on the ball and focusing on the significant risk.
There are lots of risks surrounding a company’s supply chain. Unfortunately, vendors, suppliers and their respective vendors and suppliers can drive you crazy when you start to calculate all the permutations. A supplier of a supplier of a supplier can create real risks for anyone in the chain.
In addressing this complex situation, a clear strategy has to be developed – predicated on defining the specific risks applicable to your supply chain.
As I have written on numerous occasions (and will not repeat here), in the absence of a representational interaction, a vendor or supplier cannot create liability for a company under the FCPA (and arguably the UK Bribery Act). This is an important point that limits the number of vendors and suppliers who can create FCPA liability since few of them act on a company’s behalf in a representational capacity.
The most significant risk for companies from their respective supply chain is reputational risks. For example, a company that deals with a vendor or supplier, who in turn relies on a supplier who uses child labor or violates human trafficking laws, can create real reputational risks. Such risks can have a devastating impact on a company’s trust factor and reputation for integrity, which in turn threatens the company’s financial performance and stock price.
Given this important principle, companies have to screen and carefully review their supply chain for reputational risks. Many companies subject to the conflict minerals rule have been through an excruciating exercise of defining their entire supply chain. It is not an easy process nor is it something that can be accomplished quickly.
One key factor in focusing on supply chain risk is to rank each vendor or supplier by the annual amount of money spent on each vendor or supplier. In this situation, most companies spend roughly 80 percent of their budget on their top 20 vendors and suppliers. Focusing risk management on those primary vendors and suppliers is an effective strategy for focusing risk profiles and priorities.
At some point, companies may find it costs more to collect information about companies in their supply chain than to mitigate the risks by representations and warranties from companies certifying as to standards they employ when contracting with vendors and suppliers.
Regulators are imposing more requirements on supply chain management. Government contractors have a myriad of requirements that they have to impose through flow down provisions on subcontractors.
In the end, companies are facing a straight-forward principle — no one wants to do business with an unethical, illegal or generally unpopular vendor or supplier. Apple suffered reputational home with its reliance on Foxconn in China; Costco was hurt by its use of children who caught shrimp they resold; and Nike suffered reputational damage from its use of child labor in making its sneakers.
To manage these risks, a CCO has to work closely with the head of procurement. Procurement professionals are very attuned to these risks because they do not want to be the person or office responsible for hiring the next vendor or supplier that results in reputational damage.