In the past, compliance risk was a top-of-mind issue among select industries: regulators appeared to have banking and financial services, along with energy and extractives, under a constant microscope. But as supply chains expanded across oceans and continents, and countries legislated regulations to address bribery and corruption, terrorist financing and human trafficking, compliance risk grew for all types of organisations. Now the pressure is on you. Is your current due diligence and monitoring process up to the challenge?
The Link between Third-Party Spending & Risk
A recent Deloitte survey of 480 procurement leaders from 36 different countries garnered responses from a wide array of industries. While the energy industry elicited the second-highest number of responses, manufacturing beat it by more than 30 per cent, with consumer business and healthcare and life sciences coming in close behind in third and fourth places. Banking and financial services came in last among the top five. Interestingly, compliance risk awareness – and willingness to participate in the survey – coincides with the amount of third-party spend by industry.
With its wide-ranging supply chains, the manufacturing industry’s third-party spend is approximately $455 billion. Banking and financial services, in contrast, have a third-party spend hovering at $132 billion. Is it any surprise that nearly 60 per cent of procurement leaders have made managing risk a priority?
Two Driving Risk Forces: Regulation and Reputation
2016 was a busy year in terms of Foreign Corrupt Practices Act (FCPA) enforcement. According to the FCPA blog, the number of enforcement actions taken in 2016 (27) and the $2.48 billion paid to resolve the cases eclipsed all past years since FCPA enforcement began. Moreover, guidance issued by the newly-confirmed Attorney General Jeff Sessions and the US Department of Justice (DOJ) suggests that enforcement and corporate compliance program evaluations are not going to ease up anytime soon. The guidance outlines considerations ranging from Analysis and Remediation to Mergers and Acquisitions, but two critical messages stand out.
Corporate leaders set the bar when it comes to a corporate culture of compliance. The DOJ isn’t alone in suggesting that a top-down approach is necessary to underscore the critical nature of compliance. Guidance from regulatory bodies in the UK and Europe, as well as from the Organization for Economic Cooperation and Development (OECD), emphasises that corporate boards and the C-suite must communicate the importance of compliance to internal and external audiences alike.
Organisations need to establish a risk-based approach for their compliance programs. Regulators note that guidance offers a framework, but there is no one-size-fits-all process for mitigating compliance risk. Instead, companies need to develop due diligence and monitoring programs tailored to the unique requirements of their business. Considerations include the size and nature of the business being conducted, countries in which business operations take place, the extensiveness of the supply chain or third-party networks on which the company relies and more.
In addition, regulators aren’t the only concern when it comes to mitigating risk. In the digital age, news spreads quickly – and consumers are increasingly vocal when an organisation or a brand falls short of expectations. A ‘tweetstorm’ of criticism can hit a company – or an entire industry – hard, resulting in consumer boycotts, civil litigation and ultimately, financial losses. When a textile factory in Bangladesh caught fire and collapsed, retailers’ lack of visibility into their extended supply chains started a chain reaction of recrimination. Likewise, headlines about forced labour in the fishing industry led to consumer complaints and class-action lawsuits. In fact, the ability for corporate stakeholders and consumers to hold organisations’ feet to the fire on these issues has led to a new sort of compliance standard: social compliance.
Augment Due Diligence with Proactive Monitoring
Conducting due diligence represents a critical line of defence in mitigating compliance risk, but regulator guidance – and common sense, given today’s 24/7/365 news cycles – suggests that companies also need to integrate proactive, risk-based monitoring in their compliance processes. Former Assistant Secretary of State Michael Posner, who more recently undertook a two-year study of global supply chains, told attendees at a SAP Ariba Live panel discussion that “the strategy to keep your head in the sand works only until it doesn’t work; and then it’s too late.” With greater consumer awareness about conflict minerals, human trafficking, modern slavery and eco-sustainability – plus more regulatory oversight across a wider array of industries – Posner correctly noted that “the idea that you’re going to somehow fly under the radar while not risking your brand reputation is just not realistic.” By systematically monitoring for negative news in the media, companies are better positioned to anticipate risks due to disruptive natural disasters, regulatory compliance failures or unethical practices like forced labour – and respond appropriately to mitigate those risks.