Supply Chain Lessons from Walmart’s Meat Recall and Target’s Data Breach
26 Aug 2014 12:00 am by Mark Dunn
This blog, written by our Director of Supply Management, first appeared in spendmatters.com.
Spend Matters welcomes a guest post from Eric Walsworth, director of supply management at LexisNexis, a division of Reed Elsevier.
In January of this year, Walmart was forced to recall meat sold at some of its stores in China after the meat was discovered to contain DNA from foxes. In the aftermath, Walmart China’s president and chief executive officer said, “It is a deep lesson that we need to continue to increase investment in supplier management.”
Only one month earlier, Target disclosed it had been the victim of a major credit card security breach. Experts believe thieves gained access to roughly 40 million credit and debit card numbers and the personal information of as many as 70 million customers. The subsequent investigation found the hackers used a third-party contractor to gain access.
These incidents highlight the risks of doing business with suppliers that fail to perform appropriately: potential supply chain disruption, serious reputation damage, and even government investigations related to regulatory compliance.
Three major risks of doing business with third parties
Most companies have relationships with a wide range of third-party organizations. While these third parties are essential to drive growth, they bring with them risks that need to be mitigated and managed.
Supply Chain Risk – In recent years, the drive for efficiency and cost saving has increased the complexity of supply chains. This leaves your company vulnerable to a delay – or even complete halt – to operations if the tools, supplies, or necessary services provided by third parties are disrupted.
Financial Risk – Chances are that your business agreements include contractual terms that even your most loyal suppliers will seek to avoid from time to time. Likewise, suppliers who appear to be on solid financial ground may actually be on thin ice when it comes to their capitalization.
Security Risk – Counterfeiting, piracy, trade secret theft, and trademark infringement are all serious considerations for any company, but in today’s economy, intellectual property is at greater risk when working with third-party business partners. A 2013 report by The Conference Board found that roughly half of the executives surveyed perceived extensive risk of IP infringement in emerging markets when working with suppliers and business partners.
How emerging regulatory and compliance mandates are affected
In addition to operational risk with third parties, new regulatory mandates constitute an entirely separate area of compliance risks for any company working with third-party suppliers.
Consider the flurry of new regulatory mandates affecting the financial services industry, including the following:
- New guidance on risk management. In October 2013, the U.S. Department of Treasury’s Office of the Comptroller of the Currency (OCC) emphasized the responsibility banks have to assess and manage risks associated with third-party relationships. The OCC makes it clear that it “expects a bank to practice effective risk management regardless of whether the bank performs the activity internally or through a third party.”
- SEC’s “covered person” provisions. In July 2013, the Securities and Exchange Commission finalized amendments to Rule 506, which require private investment funds to conduct due diligence to confirm no “covered person” has engaged in a “disqualifying event,” also known as the “Bad Actor” provisions. This new rule was broadened specifically to include third parties and various categories of business partners.
- CFPB expectations for supplier due diligence. The Consumer Financial Protection Bureau (CFPB) has notified financial institutions they are expected to have an effective process for managing the risks of service provider relationships, including conducting thorough due diligence to verify that service providers understand and comply with the law.
Moreover, a wide range of compliance requirements affect corporations globally. Legislation against bribery and corruption, such as the UK Bribery Act and the U.S. Foreign Corrupt Practices Act, causes anxiety for all corporate executives whose companies do business in global markets.
Worse yet, suppliers further removed from the company’s immediate focus may pose the biggest supply chain risk. A survey by the Business Continuity Institute found that almost 40 percent of reported supply chain disruptions originated with Tier 2 and 3 suppliers. The lesson? Organizations need greater capability to track supply chain problems that can come from virtually any supplier in the world at any time.
Importance of news and public records updates
These operational and compliance risks are formidable, but the reality is every major corporation must develop new business relationships with third parties to survive. So what can a corporate executive do to mitigate those risks?
The answer is that you must commit to aggressive due diligence in the vetting of your third-party suppliers, supplemented by ongoing monitoring. While financial scores and open Web searches can be useful, they can hardly be considered due diligence. Both sources rely on limited and often lagging indications of what is truly going on with your suppliers. It’s important to make use of forward-looking, licensed media, and public records databases to anticipate risk. By the time a company’s financial score has changed, it’s often too late for you to take action to minimize the effect on your company — whether that effect is reputational, operational, or legal.
A recent study by LexisNexis and State of Flux using risk-rated news identified early warning signs of bankruptcy in more than 80 percent of sampled companies. Warning signs could be clearly seen six months before companies reached bankruptcy, and these signs became more pronounced the closer the companies got to failure. Critically, the pattern of early warning signs was unique to failing companies and not seen in a sample of healthy companies. See summary results in figure below.
Business information services that monitor news and public records are powerful tools, enabling corporations to vet a supplier more thoroughly before entering into a relationship and subsequently conduct ongoing monitoring. This is an important strategy for conducting aggressive due diligence and protecting your company from problems arising from doing business with third parties that fail to perform appropriately.