U.S. regulators are increasingly focused on preventing trade dollars flowing to “bad actor” countries and regimes known for their sponsorship of terrorism, drug trafficking, bribery and corruption, and a range of other criminal activities. Doing that job, however, is putting more pressure on organizations to verify the source of their materials and labor. Those who neglect to do so risk steep financial penalties, brand damage and product disruptions, to name just a few adverse consequences associated with running afoul of regulations.
Recently, for example, a U.S. company faced millions of dollars in fines after audits failed to discover that materials in some products from its China supplier had originated in North Korea, which has been sanctioned by the U.S. and other countries. While the company settled to pay a lesser fine of around $1 million — largely by self-reporting the violation — regulators called its supply chain compliance “either non-existent or inadequate.” Reports of this type highlight just some of the risks related to improper vetting and monitoring of global suppliers.
Hoping to avoid a similar situation, one global contract manufacturer last year began a review of its supply chain management capabilities after recognizing that its decentralized and autonomous business units posed a potential liability. Familiar with Protiviti’s skill, experience and leadership in supply chain risk management, the company turned to us for assistance.
Reviews of 101 processes and 83 systems involving 18 departments and 197 participants, conducted through workshops and surveys, revealed that without a centralized supplier management strategy, this approach contained pain points, regional variances, and oversight gaps that could quickly become issues within the supply chain.
Protiviti worked with a steering committee that included the chief risk officer and the VP of finance as well as personnel from regulatory compliance, organizational effectiveness, legal, data management and other departments, to identify gaps in supplier lifecycle management. Over 12 weeks, the team assessed due diligence, onboarding, contracting, compliance, invoicing and other aspects of the client’s supplier management capabilities within 44 different business units spread throughout the world.
The organization’s philosophy was that if a business unit performed due diligence on a supplier in any division or region once, then the step should not have to be repeated. But reviews of 101 processes and 83 systems involving 18 departments and 197 participants, conducted through workshops and surveys, revealed that without a centralized supplier management strategy, this approach contained pain points, regional variances and oversight gaps that could have quickly become issues within the supply chain.
For example, there were multiple ways used for onboarding suppliers across the organization, and it was unclear how much vetting or due diligence was ultimately done prior to placing orders with the supplier. From selecting suppliers to paying invoices, a number of inconsistencies and weaknesses were uncovered, potentially exposing the company to risk.
After documenting the existing policies and processes, the client and Protiviti teams developed recommendations to transform the client’s supplier management process to mitigate risk. These recommendations focused on all elements of the partnership between the manufacturer and its suppliers, touching on processes within multiple functions, including legal, IT security, compliance and finance. The client team provided important insights and decision-making throughout the process, ensuring acceptance of the road map and the ultimate adoption of the recommended actions by the organization.
Specifically, the road map aimed at enhancing due diligence to foster more efficient supplier screening and onboarding procedures, shoring up supplier requirements and procurement policies, strengthening invoice and payment processes, ensuring supplier cybersecurity, and creating a single-view system for supplier risk screening, monitoring and reporting.
While Protiviti and the steering committee emphasized a standardized supply management plan, in some cases the team had to tailor the recommendations to account for additional or different supplier rules within a country, region or local jurisdiction.
Additionally, the collective team defined an enterprise data model for the future-state supplier risk management program to foster a better understanding of data and data integrity — the source of the information, where it resides and the degree of its sensitivity, for instance.
Ensuring compliance with laws and sanctions while staying focused on core business operations is often a difficult proposition, especially when regional idiosyncrasies require local regulatory expertise and cultural competence. Partnering with an expert with proven supply chain competence and a global footprint is often the best option for navigating these treacherous waters and avoiding a regulatory collision.
Not unexpectedly, the longstanding independence of the business units produced some resistance to the assessment and suggested remedies, but support from the executive ranks ensured the project’s success. In particular, this support generated buy-in for a change management plan that the organization and Protiviti created to drive the widespread adoption of the team’s recommendations. Emphasizing training and communication, the change management initiative has created an awareness of the need for and a better understanding of the recommended actions. With the groundwork laid, Protiviti and the client are now working together to design and implement a solution.
Many U.S. companies depend on global suppliers to meet the needs of their customers in a cost-effective manner, even as the risks that accompany this dependence continue to multiply and become more complex. In addition to conducting due diligence and screening suppliers on important matters such as timely product deliveries, quality control and supplier cybersecurity capabilities, organizations need to ensure that their suppliers and the services and materials they provide are in compliance with laws and sanctions, as well as the organization’s own code of conduct, which may cover things from environmental sustainability to conflicts of interest. Companies must have standard operating procedures that enable them to obtain reasonable assurance that they know who their suppliers are and where their materials are sourced. Ensuring this while staying focused on core business operations is often a difficult proposition, especially when regional idiosyncrasies require local regulatory expertise and cultural competence. Partnering with an expert with proven supply chain competence and a global footprint is often the best option for navigating these treacherous waters and avoiding a regulatory collision.