Managing the risks imposed by suppliers and third party service providers has become increasingly difficult and expensive. At the same time, the risks imposed by these relationships keep on getting larger and more costly. Yet procurement and risk personnel are expected to do more with less. In part one of this series we diagnose the problem. We look at how the trend towards outsourcing, combined with ever-greater regulatory burdens, has made managing supplier and third-party risk increasingly important, difficult, and expensive. We will also examine why the traditional approach to prioritizing supplier management resources falls short when it comes to managing risks. And how decentralized procurement exacerbates the problem. In part two, we will look at a new approach: How segmenting risk tasks and having a third party co-manage the tactical risk tasks can reduce costs and risks simultaneously.
This article series is excerpted from a research report “Co-Managing Supplier Risk: Lowering Risks and Cost-of-Managing Simultaneously” which can be downloaded here (complimentary, registration required).
Outsourcing and Compliance: Supplier Risk’s One-Two Punch
The Outsourced Enterprise — What is Your Exposure?
Over the last few decades, more and more functions that used to be done internally are now done by third parties. This includes everything from IT to customer service, payroll, logistics, quality, manufacturing, HR, facilities management, security, sales, marketing, R&D, legal, accounting, sourcing and procurement — you name it. If someone else can do it better, faster, and cheaper, then it is a candidate for outsourcing. But along with the explosion of outsourced services, risk has increased for many corporations, as visibility and control have decreased.
Suppliers and service providers exist to serve the enterprise, but they may also cause harm to the enterprise. This can happen in many different ways: A manufacturer’s representative or third party sales agent takes a bribe, exposing your company to huge FCPA1 fines (some have been in the hundreds of millions of dollars). A supplier engages in fraud or theft.2 You entrust a trading partner with valuable intellectual property and they inadvertently share it, sell it to a competitor, or use it to make competing or counterfeit product.3 One of your trading partners who has trusted access to your systems is hacked, and subsequently your systems end up infiltrated.4 An uninsured contractor has an accident on your premises and sues your company for millions. The list of real-life incidents is practically endless.
The Juggernaut of Regulatory Compliance
Regulatory compliance presents yet more challenges in supplier management. If we step back and look at the broad arc of history, the regulatory and legal responsibilities and compliance requirements imposed on corporations have grown dramatically more far reaching over time (see Figure 2 below). Driven by public outrage over events ranging from Upton Sinclair’s The Jungle, to bribery scandals of the 1970s, to the Enron scandal, to the subprime mortgage crisis, lawmakers feel compelled to make sure “this will never happen again.” To ensure that businesses behave responsibly, legislators create new regulations such as the Meat Inspection Act, the Pure Food and Drug Act, the Foreign Corrupt Practices Act (FCPA), Sarbanes-Oxley (SOX), Dodd-Frank,5 Food Safety Modernization Act (FSMA), Consumer Financial Protection Bureau (CFPB) rulings, and countless others.
In the EU, where public awareness and concern over environmental issues are more pronounced, they have ETS, WEEE, RoHS, and REACH,6 and new regulations on the way, all of which keep getting more comprehensive. In spite of protests from business lobbyists, there is little indication of reversals in these trends towards greater scope and strictness of regulation over time.
Regulatory Compliance Requires Managing Your Supplier
Many of these regulations impose or imply requirements to manage suppliers and trading partners. For example, FCPA compliance extends to any agents acting on your behalf. In fact most FCPA prosecutions have involved third party intermediaries7 (see Figure 3). Many of CFPB’s rules also make financial service companies liable for the actions of agents acting on their behalf.8 Sarbanes-Oxley requires due diligence in selecting, controlling, reporting, and managing suppliers and the risks they present.9
On top of this, there are numerous lists of parties that you either cannot do business with, or that have specific restrictions on how you can do business with them. This includes the US Denied Persons List, Debarred List, Entity List, Specially Designated Nationals List, Nonproliferation Sanctions notifications, World Bank List of Debarred Parties, and dozens more worldwide.
To make matters worse, newer regulations are almost always open to interpretation, the details of which often get resolved through litigation or further legislation. Keeping up with all of this is a Sisyphean burden for businesses. It seems that just when companies get systems and policies working to comply with one set of regulations or restriction lists, a whole new set comes along.
The Quandary of Mid/Lower-Tier Supplier Management
Current Supplier Segmentation Strategies Don’t Work Well for Risk Management
The Chief Procurement Officer’s number one priority will always be reduction in spend. In addition, today, they are expected to reduce a tremendous variety of risks associated with suppliers and vendors, making sure the organization is in compliance. Often the CPO is asked to do all that while simultaneously reducing purchasing headcount and/or budget. In order to use their limited procurement resources wisely, most companies segment their suppliers, so they can manage them with the appropriate amount of diligence and effort expended, focusing their precious resources on those suppliers that are most important to the organization. Typically a company uses three (sometimes four) segments: A Suppliers (Critical/Strategic), B Suppliers (Core/Tactical), and C Suppliers (Commodity/Transactional).10
Segmentation strategies based on the size of savings opportunities may work well for focusing resources on the largest spend reduction opportunities, but are not ideal for identifying and managing the largest risks. Some companies address this by adding ‘criticality’ as a segmentation criterion, to ensure that any supplier that is sole sourced, hard to replace, and critical to the running of the enterprise is considered an A supplier. This helps to address some disruption or continuity risks, but misses many other types of potential significant damages that can be caused by suppliers, including tier B or C suppliers, such as non-compliance with regulations, theft, litigation, and reputational risks. You may have a quite small contract with an easily replaced local office cleaning service, but one of their employees could steal very valuable intellectual property or gain access to critical corporate networks, resulting in immense damages. Or you may have hired a sales agent, also considered non-critical or nonategic, but if they end up offering a bribe to obtain business on your behalf, enormous payments for an FCPA violation could result. In short, there are many types of risks posed by tier B and C suppliers, in addition to the A suppliers. These risks must also be diligently managed.
The challenge is the sheer volume of B and C suppliers, multiplied by the large number of risk-related documents and data that need to be collected and refreshed regularly. A major corporation typically has tens of thousands, or even hundreds of thousands of suppliers, many requiring several to dozens of documents, surveys, certificates, and so forth that need to be collected, verified, organized, and refreshed annually or more often. Companies are faced with either spending too much time and effort to manage the risks or just accepting the risk and damages incurred — neither is a great choice.
Decentralized Procurement Challenges
The challenge of managing the vast numbers of B and C suppliers is compounded when procurement decisions are made locally, as is often the case, especially for site-specific or geography-specific services. Risk considerations are often given short shrift in local procurement decisions, even when explicit corporate policies are in place mandating specific due diligence procedures. Too often local entrenched relationships (the ‘good old boys’ network and “we’ve always used them”) rule the day.
Local service providers can be a good choice for many types of service. But decentralized decision-making can make it challenging to ensure that the right questions are asked, and proper expertise and certifications are validated before granting access to your facilities, employees, and potentially to restricted areas of your company.
1 Foreign Corrupt Practices Act — Return to article text above
2 In 2011, there was over $6B of supplier theft in the retail industry alone according to The Centre for Retail Research, Global Retail Theft Barometer 2011 — Return to article text above
3 Worldwide IP theft causes over half a trillion dollars in losses annually. The value of counterfeit goods is projected to exceed $1.7 trillion or 2% of global GDP by 2015. (Sources: IP loss estimate from Word Customs Organization, cited by A.I. Feldman in “U.S. Firms Paying High Price for Global IP Theft”. Counterfeit goods estimate from The International Chamber of Commerce, cited by CNN Money in “Counterfeit goods becoming more dangerous”) — Return to article text above
4 Global cybercrime costs over $1 trillion, according to research projections by McAfee Associates. — Return to article text above
5 In some of these large sweeping bills, unrelated regulations are often thrown into the mix. For example, the “Dodd-Frank Wall Street Reform and Consumer Protection Act,” while primarily a financial regulation, also includes additional regulations on disclosure of conflict minerals by manufacturers, mine safety reporting, restrictions on IMF loan approvals, and reporting on payments for oil, gas, and mineral licenses. — Return to article text above
6 ETS = European Union Emissions Trading Scheme, WEEE = Waste Electrical and Electronic Equipment Directive, RoHS = Restriction of Hazardous Substances Directive, and REACH = Registration, Evaluation, Authorization and Restriction of Chemical — Return to article text above
7 Many of these FCPA violations also involve internal personnel, in addition to an external third party intermediary. — Return to article text above
8 For example, the CFPB compliance guide for international fund transfers states in section IV. (§ 1005.35) “You are liable for any violation of the rule by an agent or authorized delegate when that party acts on your behalf.” — Return to article text above
9 Other legislation — such as FSMA, the Lacey Act and EUTR (illegal logging regulations), California SB 1307 (pharmaceutical e-pedigree), and the conflict minerals rule within Dodd Frank — require knowledge of who the exact source of materials is, traceability, and/or visibility/control over the materials used by suppliers. — Return to article text above
10 Typical definitions might be that: A Suppliers are critical, deeply embedded, difficult to replace, can’t run your firm without them. (These may be 5% or less of all suppliers.) B Suppliers are important to running your firm, somewhat less embedded, but still not so easy to switch. (Typically 15%-30% of your suppliers.) C Suppliers provide fungible products/services that can be easily switched, comprising 60%-80% of suppliers. — Return to article text above
To view other articles from the risk issue of the brief, click here.