Are your suppliers putting your organisation at risk?
23 Jul 2014 12:00 am by Mark Dunn
In January 2014, Walmart was forced to recall meat sold at some of its China stores after discovering it contained DNA from foxes. In the aftermath, Walmart China's president commented that "It is a deep lesson that we need to continue to increase investment in supplier management."
Only one month earlier, Target disclosed it had been the victim of a major credit card security breach. Experts believe thieves gained access to roughly 40 million credit and debit card numbers and the personal information of as many as 70 million customers. The subsequent investigation found the hackers used a third-party contractor to gain access.
These incidents highlight the risks of doing business with suppliers that fail to perform appropriately: potential supply chain disruption, serious reputational damage and even government investigations related to regulatory compliance.
Most companies have relationships with a wide range of third-party organisations. While these third parties are essential to drive growth, they bring with them risks that need to be mitigated and managed.
1. Supply Chain Risk
In recent years, the drive for efficiency and cost savings has increased the complexity of supply chains, resulting in lost visibility. This leaves your company vulnerable to operational delays if the tools or necessary services provided by third parties are disrupted.
2. Financial Risk
Chances are that your business agreements include contractual terms that even your most loyal suppliers will seek to avoid from time to time. Likewise, suppliers who appear to be on solid financial ground may actually be on thin ice when it comes to their capitalisation.
3. Security Risk
Counterfeiting, piracy, trade secret theft and trademark infringement are all serious considerations for any company, but in today's economy, intellectual property is at greater risk when working with third-party business partners. A 2013 report by The Conference Board found that roughly half of the executives surveyed perceived extensive risk of IP infringement in emerging markets when engaging suppliers and business partners.
In addition to operational risk with third parties, new regulatory mandates constitute an entirely separate area of compliance risks for any company that engages third-party suppliers.
Consider the flurry of new regulatory mandates impacting the financial services industry, including:
- New guidance on risk management. In October 2013, the U.S. Department of Treasury's Office of the Comptroller of the Currency (OCC) emphasised the responsibility banks have to assess and manage risks associated with third-party relationships. The OCC makes it clear that it "expects a bank to practice effective risk management regardless of whether the bank performs the activity internally or through a third party."
- SEC's "covered person" provisions. In July 2013, the Securities and Exchange Commission finalised amendments to Rule 506 which require private investment funds to conduct due diligence to confirm no "covered person" has engaged in a "disqualifying event," also known as the "Bad Actor" provisions. This new rule was broadened specifically to include third parties and various categories of business partners.
- CFPB expectations for supplier due diligence. The Consumer Financial Protection Bureau (CFPB) has notified financial institutions they are expected to have an effective process for managing the risks of service provider relationships, including conducting thorough due diligence to verify that service providers understand and comply with the law.
Moreover, a wide range of compliance requirements affect corporations globally. Legislation against bribery and corruption — such as the U.K. Bribery Act and the U.S. Foreign Corrupt Practices Act — causes anxiety for all corporate executives whose companies do business in global markets.
Worse yet, suppliers further removed from the company's immediate focus may pose the biggest supply chain risk. A survey by the Business Continuity Institute found that almost 40% of reported supply chain disruptions originated with Tier 2 and 3 suppliers. The lesson? Organisations need greater visibility into supply chain problems that can come from virtually any supplier in the world at any time.
These operational and compliance risks are formidable, but the reality is every major corporation must develop new business relationships with third parties to survive. So what can a corporate executive do to mitigate those risks?
The answer is that you must commit to aggressive due diligence in the vetting of your third-party suppliers, supplemented by ongoing monitoring. While financial scores and open Web searches can be useful, they can hardly be considered due diligence. Both sources rely on limited and often lagging indications of what is truly going on with your suppliers. It's important to leverage forward-looking, licensed media and public records databases to anticipate risk. By the time a company's financial score has changed, it's often too late for you to take action to minimise the impact on your company — whether that impact is reputational, operational or legal.
A recent study by LexisNexis® and State of Flux using risk-rated news identified early warning signs of bankruptcy in more than 80% of sampled companies. Warning signs could be clearly seen six months before companies reached bankruptcy, and these signs became more pronounced the closer the companies got to failure. Critically, the pattern of early warning signs was unique to failing companies and not seen in a sample of healthy companies. See summary results in the figure below.
Business information services that monitor news and public records are powerful tools, enabling corporations to more thoroughly vet a supplier before entering into a relationship and subsequently conduct ongoing monitoring. This is an important strategy for conducting aggressive due diligence and protecting your company from problems arising from doing business with third parties that fail to perform appropriately.