Better management of supply chain risk is a top priority for corporations these days. That should be no surprise to compliance officers.
Supply chains are longer and more complex, with more third parties participating in them than ever before. The suppliers themselves also pose more risks: legal, logistical, reputational, regulatory, and cybersecurity, to name a few.
And that was all true before COVID-19 arrived. The pandemic underlined how unprepared for supply chain disruption most companies were and brought the perils of supply chain risk into painfully sharp relief.
The good news is that compliance teams can play an important role here. Supply chain risk management rests on a foundation of third-party due diligence. Well, due diligence is something compliance officers have been doing for years.
The challenge is how to leverage your due diligence program into better supply chain risk management wisely. Because while this evolution in risk management is necessary, that doesn't mean the transition will be easy.
First, Consider the Fundamentals
The goal with supply chain risk management and anti-corruption due diligence is fundamentally the same. You want to build an accurate risk profile of the third party, so that risk profile can inform how your business will work with that third party — including the option of not working with the party at all.
How do you build that risk profile? By collecting data during the onboarding process.
Supply chain risk management just involves many more types of data. Some of that information might come from external providers (for example, criminal background checks), and some will need to be generated internally (say, the results of cybersecurity audits).
One early step in developing a supply-chain risk management program will be to define the types of data you want and then developing procedures to collect that information.
This is where the blending of compliance and risk management starts to appear. For example, when we say "define the types of data you want" that should lead you to say "perform a risk assessment!" — because performing a risk assessment is the first step in understanding the data you'll need to collect.
But a risk assessment for regulatory compliance and a risk assessment for supply chain operations aren't the same thing. You'll need to use multiple risk management frameworks to work through the risks that your business might confront to understand the information you need to collect.
Second, understand the importance of technology when we talk about "developing procedures to collect that information."
Collecting anti-corruption data with manual processes was hard enough already, and typically those manual processes involved a limited number of business functions in the First Line of Defense. (Typically sales or procurement people looking to source local agents in overseas markets.)
Needing to solicit more information, from more parts of the enterprise, in more formats makes using manual processes for supply chain risk management nearly impossible; it quickly becomes too much to handle via spreadsheets and email requests. Automated workflows for onboarding and evidence collection must be part of your supply-chain risk management program, or else you will be overwhelmed.
Second, Build a Sustainable Solution
That point about automated workflows raises a few other technology points we should consider.
First, artificial intelligence will play an increasingly important role in supply chain risk management. That's because you will be pulling together so many different types of data that will all need to be woven into one supplier's risk profile. In theory, you could launch some massive data integration project to accomplish the same goal — but that's a mighty expensive way to unify different silos of data. AI exists as a layer above those silos, so to speak and achieves the same risk analysis with less expense and IT headache.
Second, astute monitoring of your suppliers will be just as important as the onboarding of them. Supply-chain risks can change for numerous factors: your operations change, the suppliers' operations change, or the external risk environment may change. Small swings in circumstance could cause profound changes in your organization's risk. Again, this isn't a task you can manage manually. You'll need automation to support your monitoring activities.
Third, remember the remediation work that comes first. You're likely to have a lot of it. That will require sophisticated systems to track which remediation work has already been done, which is running late, and what comes next. Capabilities such as automated alerting and escalation will be your best friend.
Play Your Cards Right
Leveraging due diligence into supply chain risk management is a complex endeavor, but remember: this is also an excellent opportunity for the compliance function to play a larger, more valuable role in the enterprise.
For example, many businesses might have procurement functions that are good at sourcing supplies — but that's not the same as managing suppliers' risks, day in and day out. In many organizations, the business function with the most experience at managing third-party risk will be yours.
With planning and effective use of technology, compliance officers can demonstrate, yet again, that a good compliance program is a strategic advantage for the business.