Category Archives: Supply Chain Integrity, Security and Fraud

Product Serialisation – a tool to help counter diversion and illicit trade

Posted on by

Paul Curwell, CPP, CFE, CISSP

5 minutes

When was the last time you bought diverted product?

Illicit Trade and diversion is a problem which keeps growing. Have you ever purchased a counterfeit product? Would you know if you did?

If you’re a regular online shopper the chancers are good that you’ve come across illicit product, possibly without knowing it.

men s gray crew neck shirt

I was recently at my local barbers getting a haircut when I noticed the container of a popular brand of talcum powder.

Only the logo and product name was in english – everything else was in Indonesian.

My barber mentioned he hadn’t noticed, but bought it because it was being sold cheaply online. This is an example of product diversion.

To highlight the risks of diverted or counterfeit product, there are many articles online about the link between talcum powder and cancer. By purchasing talcum powder on the illicit market you may unknowingly be exposed to asbestos, which causes lung cancer.

Most people know what counterfeits are, but diversion is less well known. Diverted product is authentic product sourced at a discount (or stolen) in one market, and then resold in another market. The diverter pockets the price differential between bought and sold, and the manufacturer (and their authorised distributors) lose out.

Diversion of critical technology – a byproduct of global competition?

Mechanisms that provide track and trace functionality, such as serialisation, are essential for the detection and investigation of illicit trade.

Serialisation can help improve supply chain integrity and counterdiversion

When we talk about serialisation in a supply chain context, it refers to the process where a unique identifier – usually a serial number or barcode – to individual items or products in the supply chain.

In combination with data management, analytics, and a well-developed program, serialisation is a way to realise the tracking and tracing of products as they move through the supply chain and circulate in the market.

Supply Chain Integrity can be defined as providing an “indication of the conformance of the supply chain to good practices and specifications associated with its operations”

European Union Agency for Network and information security (2015)

Serialisation offers benefits to Supply Chain Integrity:

  • Traceability – Serialisation is the traceability mechanism by which manufacturers can track the movement of their product through the supply chain
  • Provenance – Serialisation itself will not establish provenance (unless serialisation is uses blockchain), but data related to provenance could be linked with the serial number to indirectly establish provenance
  • Authenticity – Serial numbers should be unique and be matched to specific product versions or models, making it possible to identify counterfeit and diverted product through test purchases, ‘mystery shopping’, or seizures by police or customs
Supply chain integrity and security: what are the risks? (Part I)

Given the safety risks associated with illicit product, its no wonder the pharmaceutical industry is a leading adopter of serialisation:

  • The US Drug Supply Chain Security Act (DSCSA) requires serialisation, track and trace capabilities in the pharmaceutical supply chain, from manufacturers to retail pharmacies.
  • The 2019 European Union Falsified Medicines Directive (FMD) applies only to presciption medicines produced, imported or distributed in the EU.
  • The Chinese National Medical Products Administration (NMPA) has been managing serialisation since it was first introduced in 2013.
  • India commenced the serialisation journey in 2019, through its Drugs Technical Advisory Board (DTAB).

Australia is late to the party on serialisation in the pharmaceutical industry, with the Therapeutic Goods (Medicines—Standard for Serialisation and Data Matrix Codes) (TGO 106) being mandatory from 1 January 2023.

How does serialisation work?

Serialisation is the unique identification of each unit of a product, allowing a unit to be identified distinctly within its batch. Serialisation can be applied at multiple levels in any shipment:

  • Pallet
  • Consignment
  • Packaging (item and carton levels)
  • Labelling
  • Item

To maximise efficiency, Serialisation markings must be machine-readable and are typically applied via three techniques:

  • Barcodes
  • QR codes
  • Data Matrices

According to the Therapeutic Goods Administration (TGA), a Data Matrix contains various beneficial features not associated with the other methods, including:

  • A large data carrying capacity
  • Built-in error correction providing reliability and readability in situations where the label is damaged or if the pack is irregularly shaped
  • The ability to be easily printed at high production speeds, such as those found in medicine manufacturing environments.
deliveryman scanning the barcode
Photo by RDNE Stock project on Pexels.com

How can small-medium businesses access the benefits of serialisation?

It used to be that product serialisation was an expensive endeavour, but a number of recent articles online suggest serialisation is becoming much cheaper. The costs of serialisation can be quite substantial if not managed properly, but product serialisation can also add value to your supply chain and inventory management practices beyond mitigating illicit trade.

As the technology becomes more common and compliance programs mature, SMBs will be able to leverage their existing systems with serial number generation and management tools and labelling or printing tools to access the benefits of product serialisation.

    Further reading

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    Channel stuffing fraud – a distribution problem

    Posted on by

    Paul Curwell, CPP, CFE, CISSP

    8 minutes

    What is Channel Stuffing?

    Channel Stuffing is also known as ‘trade loading’, and is where sales teams sell an abnormally large quantity of product to distributors at one time. These sales are usually at a significant discount, or on generous payment terms making it both attractive and financially viable to the buyer. Channel Stuffing increases earnings in the short-term, but you are effectively front-loading the next quarter’s sales, which makes it harder to achieve future sales targets.

    Sometimes, Channel Stuffing can be fraudulent, such as where a sales person engages in Channel Stuffing to get a higher short term incentive (bonus) or commission knowing they intend to resign before the next quarter. In some cases, the buyer (e.g. retailer) is forced or coerced by the Distributor to purchase the extra inventory. This can damage the relationship and even impact the retailer’s financial viability.

    To make it more attractive to sourcing and procurement teams in the retailer, the sales person attemping Channel Stuffing may offer bribes or kickbacks to the retailer’s staff to complete the Channel Stuffing transaction, or distributor sales staff and retailer procurement staff may be acting in collusion to perpetrate the scheme. An illustration of how Channel Stuffing works is shown below:

    Companies that don’t have proper controls in place are likely to fall victim here – it’s worth pointing out that Channel Stuffing is an internal fraud, a type of insider threat which occurs in the distribution stage of the supply chain.

    man operating silver machine for silver steel kegs
    Photo by ELEVATE on Pexels.com

    What industries are most exposed?

    Industries most at risk of Channel Stuffing are those with high margins, because high margins can be discounted without overly impacting revenue. Those most likely to be impacted include:

    • Consumer Electronics
    • Tobacco
    • Automotive Industry
    • Pharmaceuticals
    • Fast Moving Consumer Goods (FMCG)
    • Technology, including software providers
    • Fashion and apparel
    • Industrial equipment
    • Alcohol and Distilled Spirits

    As with many supply chain and distribution fraud schemes, it is hard to find reliable statistics on incident data so I have replaced a graph of losses with a more uplifting pic of something I enjoy – getting outdoors!

    people riding on inflatable raft
    Photo by Hilmi Işılak on Pexels.com

    Who are the victims in Channel Stuffing?

    There are two victims in channel stuffing fraud – that is, parties who incur a loss. First is the distributor (channel partner) itself which employs the sales team. This is commonly the case in fraud perpetrated by one or a small group of disaffected sales leads who are trying to engineer a good bonus and intend to resign in the near future to avoid any repercussions.

    Where sales people have fraudulently engineered sales, the channel partner may need to engage legal support to claw back bonuses, and may also be subject to financial penalties from the manufacturer under the Distribution Agreement for having inadequate controls which allowed Channel Stuffing to happen.

    The second victim is the manufacturer or business which creates its products and sells them to customers via its channel partners. This company is dependent on third party channel partners to execute the distribution agreements as agreed.

    Impacts of Channel Stuffing include:

    • Financial: Depending on scale and materiality, Channel Stuffing will likely impact a manufacturer’s actual revenue against plan (forecast), artificially inflating revenues in the short term. For publicly listed companies or companies with Private Equity investors, if not detected material cases of Channel Stuffing could be misleading to investors and have regulatory impacts.
    • Customer Satisfaction: Customers of the distributor (i.e. retailers) may be forced or coerced to take on additional inventory, which can impact customer satisfaction, brand and reputation. Where products are easily substituted for a rivals, retailers may even stop offering a product and switch to selling other brands.
    • Inventory distortions: A large volume of unexpected sales (through Channel Stuffing) will result in excess inventory at a retailer, which could take months to clear and may even need to be discounted. This situation can also trigger a manufacturer to build more product, believing that market demand for their product is high. When Channel Stuffing is discovered, one or more parties will be left holding excess inventory, with all the associated implications.
    • Misrpresentation of sales and marketing campaign effectiveness: If a large incidence of Channel Stuffing occurs during a sales campaign or when A|B testing is underway, this may give a wrong impression that the sales are driven by marketing or advertising when they are actually fraudulent. This can cause manufacturers to spend thousands of dollars on marketing and advertising which isn’t actually working.
    • Returns: Some purchasing terms may include provisions for retailers to return excess inventory for a refund a few months after the sale was completed. Sales teams may walk away with a larger bonus, but the manufacturer will be left to unexpectedly refund some or all of the sale, and accept the additional inventory or alternately agree to the inventory being sold at a heavy discount to end users or offloaded onto the resale market. Either way, the manufacturer loses.
    man falling carton boxes with negative words

    How can you identify Channel Stuffing and what are the indicators?

    Identifying frauds and insider threats like Channel Stuffing is really an intelligence and analytics problem. In order to detect fraud, we need to know what we are looking for. The most effective way of doing this is to build one or more typologies that captures how the fraud scheme would actually work in your business, and what to look for. If you’ve never heard of a typology, have a read of my previous article.

    Typologies demystified – what are they and why are they important?

    If you read Forewarnedblog.com regularly, you will know I frequently talk about the importance of keeping data on incidents – such as through an incident register. Use the details of a previous case (or public cases involving your competitors or similar industries) for Comparative Case Analysis which allows you to develop detailed fraud detection typologies.

    Comparative Case Analysis: A powerful tool for typology development

    Detecting any type of threat in your data involves identifying the patterns (behaviours, indicators), anomalies (unusual activity), and signatures (unique offender characteristics associated with how they perpetrate the fraud). Indicators of Channel Stuffing to look for in the data includes:

    1. Unusually High Sales Volumes: Look for anomalies and spikes in sales figures, especially towards the end of reporting periods or bonus periods
    2. Rising inventory: setting aside seasonable flutuations and sales trends, can inventory increases be reliably explained?
    3. Extended Payment Terms: Do unusual sales volumes correlate with issuing of extended payment periods or more favourable return policies for retailers?
    4. Excessive Discounts or Incentives: Is your business offering unusually high discounts, rebates, or incentives to distributors or retailers?
    5. Returns and Chargebacks: (lagging indicator) Can abnormal rates of returns, chargebacks, or unsold inventory be observed in a period after indicators 1-4 were identified?
    6. Abnormal Sales Patterns: Are there any anomalies such as consistently high sales in the last week of a reporting period?
    7. Increased Distributor or Retailer Complaints: Are partners reporting concerns about pressure to accept more inventory than they can reasonably sell?
    8. Unrealistic Sales Targets: Are they realistic, or are they impossible which encourages sales staff to resort to Channel Stuffing (especially where sales team compensation is commission-based)?

    By paying attention to these indicators, you can help businesses detect and prevent channel stuffing, ultimately safeguarding their financial integrity and long-term relationships with distributors and retailers. Additionally, offering guidance on transparent and ethical sales practices will contribute to sustainable business growth.

    Four things businesses can do to minimise Channel Stuffing risk

    With an understanding of what Channel Stuffing is and the ways it can be identified, there are four key things businesses can do to mitigate the risk:

    • Develop typologies and use data analytics to continuously monitor for, and proactively detect Channel Stuffing
    • Implement transparent, detailed reporting that ensures visibilty of emerging trends and issues that allows early management intervention
    • Ensure appropriate reporting and audit rights are included as part of any distributor compliance program forming part of Distribution Agreements. Channel Managers need to consider this in the Channel Management strategy.
    • Implement programs to perform market surveillance and obtain customer (end user) feedback to understand what is actually happening and who is buying your product. This helps validate observations in data analytics

    As with all fraud schemes, paying attention to your data and having a good understanding of your business can help deter and detect frauds early. The bottom lime is that proactively looking for Channel Stuffing can avoid significant downstream pain!

    Further Reading

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    An introduction to third party screening processes

    Posted on by

    Paul Curwell, CPP, CFE, CISSP

    7 minutes

    What is screening and why is it important?

    Screening is a term applied in the governance, risk and compliance field which equates to one or more database checks. In a screening process, the name of a business, organisation or individual is queried in a database to identify potential matches.

    white jigsaw puzzle illustration
    Photo by Pixabay on Pexels.com

    Where a match is identified, the screening process should include a confirmation step to determine how reliable the match is prior to determining next steps. Screening is used in a range of functions, including:

    Many risk and compliance laws and international standards have a reasonable expectation that screening will be performed by business and government as part of routine business operations or as part of customer service delivery. Vendor screening is also an essential part of vendor due diligence and is a foundational element of any supplier integrity framework.

    Building your supplier integrity framework

    Overview of the screening process

    Any screening process comprises two stages – screening design and screening delivery – with a total of five steps in the process, as follows:

    Stage 1 – Screening Design

    • Determine screening context and objectives: Confirm what you need to achieve by screening. This could be an obligation under legislation, standards, or policies.
    • Agree screening parameters: Determine what you are going to search (sources), when (at what point in a process or relationship), how frequently (e.g. once on commencement of relationship annually ), who will perform the work and where the results will be stored.

    Stage 2 – Screening Delivery

    • Perform name-based screening: Query the relevant database for a name manually or automatically, ensuring all steps and results are documented.
    • Qualify potential matches and escalate matters of concern: Have a mechanism to perform further view (investigation) of likely matches
    • Perform Quality Assurance (QA) to validate search parameters, providing assurance that your proceses achieve their intended objectives.

    Keeping detailed and accurate records of what you search for, when, where, and what results were achieved is essential in any compliance or due diligence process. You never know when you may be required to produce these records as part of your legal defence, when seeking external investment, or a similar activity.

    It is also essential to keep records of how and why you designed the screening process, any inherent risks in the screening process and how these are mitigated.

    Screening processes employing ‘name matching’ algorithms are inherently risky

    If you are unfamilar with text analytics or computer science, you could be forgiven for thinking every search you do in a database is the same, but this is not correct. Broadly speaking, there are two main types of screening query:

    • Exact Name Matching: This search setting queries the exact phrase you have entered against the database (some systems may also be case sensitive). If there is a typo or names are back to front, no match will be returned giving a erroneous result.
    • Fuzzy Name Matching: Fuzzy matching is used to compare to search strings which may be similar but are not identical based on critieria determine either by the user (when performing the search) or by the algorithm.
    google search engine on macbook pro
    Photo by Pixabay on Pexels.com

    Common problems encountered when designing your screening process (Stage 1 above) include:

    • Spelling errors
    • Truncated words
    • Names containing multiple languages (e.g. Arabic + English)
    • Names that have been incorrectly translated to English (either in a database record or in the search parameter)
    • Dealing with initials and titles / honorifics
    • Words that are out of order (e.g. surname -> first name or first name -> surname)
    • Spaces and hyphens
    • Nicknames or unofficial names

    When performing screening for compliance purposes, it is common to determine how your screening procesess (including selected search parameters) complies with your organisation’s policy, legislative obligations, or risk appetite. It is also important to understand your data, both in the database and the material you are using to search. If your data quality is poor, you can have the best process in the world but you will still miss something. In a compliance or reputation context, improperly performing screening can have serious financial and legal consequences.

    What should businesses screen for?

    Precisely what a business screens its vendors for will vary depending on regulatory obligations, internal policy settings and risk appetite. In some cases, the cost of performing the screening may outweigh the risk. Examples of what is commonly employed as part of a screening process include:

    Screening is only the first step in any supplier due diligence or third party risk management. Remember that not everything is in a database, and may require an audit or use of investigative techniques for detection. Show and Shadow Factories are one such example.

    What is Show and Shadow Manufacturing?

    There are a plethora of screening solutions on the market, particularly for vendors. Some screening solutions are aggregators meaning they offer access to multiple different databases (e.g. financial viability plus adverse media) within the same interface. Many aggregators also offer proprietary reporting and case management tools, as well as continuous monitoring and alerting functionality at a variety of price points.

    What about emerging markets where there is no data?

    Screening tools are powered by databases, so the quality of the output reflects the data quality inputs. I have previously worked with clients to test the accuracy, coverage and reliability of paid proprietary databases against known results to determine whether the information holdings of paid databases are as accurate as they claim.

    Unfortunately, the results of these comparisons haven’t always been great, particularly when it comes to data quality in emerging markets. Here are three things to consider in this scenario:

    • Consider the type of record and what the regulatory obligations are for updating that record in the given jurisdiction. A country which provides 3 months for company secretaries to register a change of director is not going to show up in a database just because the company has made a press announcement
    • Understand whether the database vendor collects the records themselves, or if they are an agregator (or worse, an aggregator of aggregators). The closer your provider is to the primary source the greater the likely the record will be accurate and timely
    • Remember that errors can be made in declarations or when transposing information unless the country uses data validation tools. Some errors can be intentional, such as where a front company provides fictitious director details

    When designing your screening process, it pays to understand what you are doing and why, and confirm this meets your requirements and acceptance criteria.

    Further Reading

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    Returns Fraud – a risk for eCommerce companies

    Posted on by

    Paul Curwell, CPP, CFE, CISSP

    7 minutes

    What is Returns Fraud?

    Returns fraud is a deceptive practice where customers purchase a product from a retailer so as to either temporarily ‘borrow’ the item, or to obtain a refund or store credit. Returns Fraud involves deception on the part of customers, who seek to return a product under ‘false pretences’. Common returns fraud typologies include:

    • Online returns fraud – where customers make a false claim in order to obtain a refund or store credit. Typically, these customers claim that they did not make the purchase (when buying using a credit card), that the goods did not arrive, or that the goods which arrived were faulty, damaged or did not match the description when purchased. Many customers do not return these products whilst also claiming a refund, meaning they actually keep the goods and profit from the refund.
    • Product substitution with lower cost items – customers purchase a high-quality item from one store / brand, and a similar but low quality item from another store. They may remove product tags or labels, or place the substitute product in the high quality product’s packaging before returning. Often returned goods are not properly scrutinised, or may be returned to third party service providers, and by the time the fraud is detected it is too late.
    • Product substitution with counterfeit items – this typology is the same as with lower cost items above, except the substituted product is a counterfeit item. This creates issues for retailers if the counterfeit item is repackaged and released for resale without proper inspection, and can result in brand damage or create consumer safety issues.
    • Wardrobing – a common problem especially for online retailers, consumers purchase items of clothing for a specific event (such as a party), use the item of clothing, then return it for a refund or exchange without declaring this use to the retailer.
    • Use of fraudulent receipts – some consumers alter or forge sales receipts and use these along with often substituted or second hand goods to attempt a refund without having purchased the item. Physical retailers without robust returns processes, who do not verify information on receipts against their records, or who place returned items to one side to process in quiet periods, are particularly vulnerable.

    Returns Fraud can be perpetrated by external parties (i.e. opportunistic individuals and actual customers), employees (i.e. trusted insiders), and external parties in collusion with trusted insiders.

    elegant male outfits on dummies in modern boutique
    Photo by Andrea Piacquadio on Pexels.com

    How does Returns Fraud impact retailers?

    If not properly managed, Returns Fraud can have significant implications for retailers and may even send struggling businesses to the wall. Returns Fraud will impact profits, operating costs and brand in the market. Examples of the impact of Returns Fraud on retailers include:

    • Increased Operating Costs – Retailers may need to employ additional staff to manage and process returns, as well as spending more on loss prevention or fraud protection programs. In some cases, specialist expertise may be required, particularly for high value or complex disputes which retailers are not equipped to handle.
    • Card Scheme penalties – Card Schemes such as Visa and Mastercard apply financial penalties to retailers (merchants) where a customer disputes a transaction, such as in the case of ‘online returns fraud’ (above).
    • Customer Experience and Trust – Retailers who implement stringent policies risk frustrating or offending legitimate customers, resulting in complaints, negative ratings online, or refusal to deal with the brand again. Balancing customer experience with retail security is a huge challenge.
    • Returned Inventory Management – The ‘reverse supply chain’ is challenging for any retailer, but it needs proper attention to mitigate risks of substituted, damaged, soiled, or counterfeit product being accepted, repackaged, and resold as legitimate by a retailer with potentially disastrous results.
    • Financial losses – As mentioned in my previous post ‘Product Security is fundamental to Product Management‘ (see “Security and integrity risks need to factor in pricing decisions“, link below), once a product has been stolen or diverted a retailer needs to sell significantly more product units to recover those losses. Over time, these losses erode revenue and impact profit margins, potentially making the business unviable.
    Often overlooked, Product Security is fundamental to Product Management

    The challenge with Returns Fraud, as with any other security program, is the need to balance the inherent risk of Returns Fraud with customer service and customer experience. Some retailers have accepted a high incidence of Returns Fraud, only to find it has eventually sent the business bankrupt as word gets around the retailer is an easy target and the incidence of fraud increases.

    Three simple steps to mitigating Returns Fraud risk

    Recent media reporting indicates the incidence of Returns Fraud is increasing worldwide, particularly wardrobing and online returns fraud; however, there are three steps businesses can take to mitigate the risk:

    • Return policies – Policies must be clear, legal, compliant with card scheme rules (for credit card payments), and transparent to allow consumers to understand retailer expectations and conditions of sale. Policies should be displayed prominently on the website and in-store, and customers should acknowledge conditions of sale in writing prior to payment. Evidence that a customer has read and acknowledged these policies should be retained by retailer systems and processes in the event of a legal dispute.
    • Using data analytics for fraud detection – data is essential for detecting unusual patterns or behaviours indicative of returns fraud. Provided the required data is collected, typologies can be developed and dashboards built to quickly facilitate detection. Examples of indicators retailers might look for in their typologies include customers who frequently return items (analysed data should include customer name, address, phone number, or email address to identify common purchases using fictitious names); returns of specific products or product categories within 48-72 hours after purchase; and returns of ‘prestigious’ items which consumers might not be able to afford. Early detection, proper investigation, and collection of evidence is crucial to minimising a loss.
    • Build high levels of employee awareness and a strong security culture – Employees are one of the most important elements of any security or fraud program. Poor awareness of fraud and security creates ignorance of the risk, preventing staff from being able to recognise problems and respond in a timely manner. Staff should be trained both on commencement and periodically (at least annually) throughout their employment, with targeted training being undertaken in response to new trends or criminal tactics. Further information on improving security culture can be found below.
    6 steps to improving security and integrity culture in the workplace

    As you can see, the risk of Returns Fraud is real and must be properly understood, assessed and managed by retailers to mitigate unplanned losses and vulnerabilities. Failure to properly consider and plan for Returns Fraud in any retail business is likely to result in substantial financial loss, legal disputes, and brand damage, and may even send the business into insolvency.

    Further Reading

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    Counterfeits can compromise your Supply Chain Integrity

    Posted on by

    Paul Curwell, CPP, CFE, CISSP

    How counterfeiting threatens Supply Chain Integrity

    Counterfeiting has been prevalent throughout the global industrial era, and given its profitability and the low risk of conviction for offenders it is not going away anytime soon. Unfortunately, there have been numerous examples of public and private organisations which unknowingly procure counterfeit, fraudulent, substituted or substandard products in their supply chain – two such examples include:

    • June 2020: U.S. Air Force pilot 1st Lt. David Schmitz died when his parachute didn’t deploy from a malfunctioning ejection seat, which the US Air Force later found may have contained up to ten counterfeit and faulting resistors and semiconductor chips
    • March 2021: Police in China and South Africa seized thousands of fake doses of Covid-19 vaccine, with Interpol warning this represented only the “tip of the iceberg” globally. Police raided the manufacturing premises, arresting ~80 suspects and seizing over 3,000 fake vaccines

    As the above examples show, it is all too easy for counterfeit materials to enter the supply chain of even the world’s largest organisations. Critical Infrastructure operators, such as those falling under the purview of Australia’s Security of Critical Infrastructure Act 2018, have a requirement to use high quality parts and components produced by reputable manufacturers to an engineer’s specifications, whilst in life sciences, fraudulent or substandard medicines frequently cause premature death or serious injury.

    flight flying airplane jet
    Photo by Pixabay on Pexels.com

    How do sub-standard parts enter a supply chain?

    Before we explore this further, we need to remember there are two perspectives here: (1) what a manufacturer can do to ensure their products are not counterfeited or compromised between the factory and the end user, and (2) what end users can do to ensure they do not introduce compromised product into their inventory or operations. The second option is the focus of this post.

    Sub-standard, counterfeit or fraudulent parts / components / products (also referred to as ‘non-conforming‘ materials) can enter the supply chain in at least four ways, including:

    • Supplier intentionally introduces non-conforming material, perhaps for profit or because they are unable to obtain the conforming item and do not want to risk their relationship with the buyer
    • Supplier unintentionally introduces non-conforming material as a result of inadequate or complacent internal practices and procedures
    • Corrupt or malicious insider compromises the supply chain for gain or profit, or,
    • As a result of foreign interference by a nation state actor against an adversary

    Given these vectors for introducing non-conforming materials, how can organisations protect their supply chain integrity? The answer is developing an Anti-Counterfeit Management Plan, otherwise known as a Material Authenticity Assurance Plan (MAAP), which based on AS6174 published by SAE International can be developed in five main steps.

    woman in black shirt holding a hand sanitizer bottle
    Photo by Anna Tarazevich on Pexels.com

    Step 1 – Assess the risk posed by sourcing counterfeit product

    I have previously written about the concept of security risk management and the fact that we can’t treat all problems to the same standard: Risk management decisions must be based on risk appetite and focused on using a business’s limited resources to protect the most critical assets.

    For a buyer, the risk of counterfeit parts is largely a quality control issue as long as there are multiple qualified suppliers in a given market. However, for products requiring specific know-how or capability, or where Intellectual Property licensing applies, different sourcing considerations are required.

    The first step in managing supply chain integrity issues arising from counterfeits involves identifying those areas where the business impact of compromise is greatest. This allows sourcing managers to modify their approach and policies to compensate for potential risks. One example of criticality tiering by product can be found below:

    Impact / CriticalityType of product
    HIGH LIfe dependent applications
    Safety critical applications
    Mission critical applications
    Applications where field work / repair is impossible
    MEDIUM Reclaimed / Refurbished parts
    Application critical
    Product is accessible for field repair
    Short product life expectancy
    LOW Non-critical applications
    AS6174 – SAE International
    man in black jacket standing beside black car
    Photo by Andrea Piacquadio on Pexels.com

    Step 2 – Identify which sources provide the greatest assurance

    Budget is always a finite issue in any organisation, and it is not always possible (or necessary) to buy the best of everything. Where multiple suppliers exist it makes good business sense to buy the highest quality items (typically the most expensive) for those areas which are the most critical either to your business’ operations or to life and safety.

    So how do you determine this? SAE International provides useful guidance here, ranking the main types of ‘source’ in order of those which provide the greatest level of confidence that their materials will be high quality (and therefore the lowest risk of non-conformance):

    Confidence Level
    (non-conformance risk)    		Product / Component Source
    HIGH
    (LOW risk)    		OEM or Certified Manufacturer
    Authorised Distributor
    Original Manufacturer or Contract Manufacturer
    MEDIUMVetted or pre-qualified Independent Distributor (e.g. verified quality, reputation)
    Unknown Independent Distributor (e.g. quality, reputation not asessed)
    Unknown source
    LOW
    (VERY HIGH risk)    		Vendor is subject to adverse reporting from industry participants (i.e. other buyers have reported purchasing non-confirming product from this seller)
    AS6174 – SAE International

    Step 3 – Develop your organisation’s product assurance processes

    The risk of sourcing non-conforming material is omnipresent for any critical industry or life sciences organisation, so undertaking assurance on your suppliers and any parts / components / software purchased from them is an ongoing activity for the life of your operations.

    For physical products, there are four ways to obtain this assurance which can be used in isolation or in combination depending on the risk profile:

    • Document and packaging inspection – before opening the package, inspect for obvious tampering, spelling errors, typographic issues, missing or damaged holograms, peeling labels, amended dates, etc.
    • Visual Inspection – remove the product / part / component from the packaging. Does it match the expected style, form and quality of what was ordered?
    • Non-Destructive Testing – involves radiological, acoustic, thermographic and optical techniques to verify conformance without damaging the component / part / product.
    • Destructive Testing – usually used as a last resort these options involve analytical chemistry, deformation and metallurgical tests, exposure tests, and functional tests which will likely damage the component / part / product.

    Further information can be found here. Irrespective of whether fraudulent, substandard or counterfeit, non-conforming materials identified should always be removed from circulation within the organisation’s inventory or operations, and either retained as evidence for legal and associated purposes, securely destroyed or returned to the supplier (depending on your policies and obligations).

    top view photo of white keyboard
    Photo by Olena Bohovyk on Pexels.com

    Step 4 – Plan for contingencies

    It is a fact of life that manufacturers stop producing products / components due to factors such as shortages in raw materials, financial solvency, or simply product strategy decisions. Buyers who require parts or components to support an extended operational life of say two to three decades need to implement plans to mitigate these risks.

    Contingencies include purchasing additional inventory, regular engagement with manufacturers to obtain advanced notice of production changes, finding contract manufacturers, or sourcing alternative components.

    Step 5 – Document your Product Assurance Framework

    To ensure consistency and proper governance some sort of framework is required to set out your organisation’s policies, risk appetite, roles and responsibilities, regulatory compliance obligations, key risks and controls, staff awareness training and product assurance program.

    A documented provides a mechanism to ensure consistent implementation throughout the organisation, and a mechanism to continuously improve as well as benchmark historical performance.

    Further Reading

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    Towards a taxonomy for product diversion

    Posted on by

    Paul Curwell, CPP, CFE, CISSP

    What is product diversion?

    Those who follow my blog will know that diversion is something I wrote about reasonably often. The reason for this is simple – diversion has a multiplier effect on the business supply chain. It doesn’t just result in a financial loss like theft does, but it also impacts the profitability and engagement of your distributors, the integrity of your channels (in terms of being able to control who sells your product, the quality and integrity of that product, and at what price), and consumer satisfaction in terms of brand perception, warranty coverage and customer service.

    black fujifilm dslr camera
    Photo by Math on Pexels.com

    How does product diversion occur?

    I started researching diversion more generally before Oliver May and I wrote our book ‘Terrorist Diversion’ for the non-profit sector. Unfortunately diversion happens everywhere in business, but the way it happens differs by industry and product. One challenge with diversion is that it can be hard to grasp how it actually happens – diversion is part theft, part fraud, and part breach of contract. To illustrate, when I discuss product diversion with clients, there are six main risks I start with, as follows:

    1. Expired, defective or out-of-specification (non-conforming) product is diverted from destruction or reverse supply chains and sold as conforming (on-specification) product
    2. Product authorised for sale in one market (e.g. Country X) is actually sold in another, unauthorised market (e.g. Country Y) in breach of contractual obligations between distributors / end users and the manufacturer
    3. Product is stolen from the distribution or supply chain and diverted (sold)
    4. Product is acquired, repackaged and on-sold by a third party or unrelated party
    5. Product sold by a manufacturer for non-domestic use is subsequently sold or re-imported for sale / use domestically in that country
    6. On-specification (conforming) product is produced by an authorised manufacture (i.e. a third party) without permission from the Intellectual Property Rights Holder, through practices such as overproduction (see my previous article on Shadow Manufacturing), with that excess conforming product being sold without approval

    Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

    In my previous article on Typologies, I mentioned the importance of getting to what I typically call “level 3 risks” – effectively drilling down to three levels of detail that describes how and where each diversion risk may arise in relation to factors such as your business’s organisational structure, channels, products.

    Whilst I won’t be publishing them here due to length, I’ve identified over 25 different ‘Level 3 diversion risks’ at the time of writing. Each of these risks materialises in a different place in the supply chain and has different actors, demonstrating the breadth and complexity of this issue. If your business is experiencing product diversion issues, only focusing on a discreet element of diversion may not solve your broader problem.

    If you are concerned about product diversion in your supply chain, you may want to start with my risk taxonomy and customise it to your business. Remember not every risk will apply in your situation, but it is important to understand how and where diversion can occur in your business.

    Who perpetrates product diversion?

    Product Diversion is predominately a ‘trusted insider risk‘ perpetrated by someone within your organisation or supply chain who has privileged access to your products, processes and information. There are two exceptions to this, one being the involvement of buyers (end users) who purchase conforming product in bulk for unauthorised resale, and the second being criminals who perpetrate cargo or warehouse theft to resell stolen product on the commercial market. Perpetrators of product diversion typically include:

    • Employees
    • Contractors
    • Business Partners
    • Suppliers and Service Providers (e.g. reverse logistics, repackaging companies)
    • Organised Crime (warehouse and cargo theft)
    • Unauthorised End Users (see my previous article on the importance of End User Verification)
    • Contract Manufacturers

    In some cases, collusion between one or more groups will occur, as well as criminal infiltration between external organised crime and trusted insiders. Trying to perpetrate larger scale or ongoing product diversion as an individual may be challenging and lead to early discovery. In this case, networks such as organised fraud sydndicates tend to emerge.

    Where does product diversion arise in your supply chain?

    As with any crime, we always talk about means, motive and opportunity as three legs of the crime triangle. Without all three elements, crime is unlikely to occur. From my work, I have identified for main ‘motives’ which should be considered alongside the product diversion risk taxonomy I presented above:

    • Steal for self: where a trusted insider diverts the product for their personal use (this is typically small-scale or opportunistic, and commonly falls under the definition of ‘theft’ or ‘occupational fraud’ as opposed to product diverison, which is generally larger in scale and more organised)
    • Steal for sale: where a trusted insider with legitimate access to the product (including employees of third parties such as suppliers) diverts the product in a higher quantities for commercial sale
    • Buy for resale: where a fake end user purchases product, potentially at a discount, for resale in one or more Territories (countries / regions)
    • Buy then dispose: where a legitimate end user purchases product then resells / disposes of product to liquidation firm (such as a retailer who purchases stock but is unable to sell that stock within an acceptable period)

    If you are are responsible for managing these risks in your organisation, remember that some positions in your organisation will provide greater access and / or opportunity to perpetrate diversion than others. For the purposes of your security or insider threat management program, you need to consider these High Risk Roles.

    High Risk Roles are those positions in your organisation (or in your supplier or business partners’ organisation) that confer privileged or unsupervised access to your critical assets – in the case of diversion, this could be a warehouse manager or team managing reverse logistics and destruction of expired or non-confirming product. My article on High Risk Roles provides more information here.

    Key areas where product diversion can occur include:

    • Warehouses
    • Distributors
    • Wholesalers
    • Retailers
    • Factories
    • Contract Manufacturing Organisations
    • Third Party Logistics companies
    • Liquidation companies
    • Repackaging companies
    • Product returns companies
    • End Users (e.g. for resale)
    • Other resellers

    As you can see, product diversion can happen anywhere in the supply chain. However, some of the product diversion risks presented in my taxonomy will only manifest in specific parts of the supply chain and / or involve specific actors. This needs to be considered in any risk assessment and treatment plans.

    Conclusion

    As you can see, product diversion is a complex type of fraud which requires considered thought and planning in order to mitigate. Understanding how and where risk events may materialise is important, as is understanding the perpetrator and their motives. Access to data, and use of data analytics and intelligence is critical to mitigating your organisation’s risk to within your risk appetite.

    Further Reading

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    What is Show and Shadow Manufacturing?

    Posted on by

    Paul Curwell, CPP, CFE, CISSP

    What is contract manufacturing?

    The economics of manufacturing in the 21st century meant many factories relocated to developing countries where labour is plentiful and costs lower. To further reduce costs and focus on ‘core business’, many manufacturers (principals) outsourced production to Contract Manufacturing Organisations (CMOs). This involves standard outsourcing activities as well as winding down a principal’s factories in favour of focusing on higher value add activities such as R&D, product management, sales and marketing. Examples of industries using CMOs include pharmaceutical and electronics companies.

    Contract manufacturing allows outsourcing of noncore functions
    Photo by Los Muertos Crew on Pexels.com

    Whilst use of CMOs might make commercial sense, it also introduces unique risks such as ‘shadow manufacturing’ which must be managed to maintain brand, product and supply chain integrity.

    Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

    ‘Show factories’ versus ‘shadow factories’ – what’s the difference?

    Most CMOs are completely above-board and legitimate, offering excellent service and conforming to a host of certification standards and regulatory obligations. However, ‘show factories’ and ‘shadow factories’ are an exception. Show and shadow factories can be defined as follows (adapted from APEC, 2017):

    • Show factories – typically ‘impressive’ facilities which claim to manufacture a given product or component; however, this is intended to mislead (defraud) the principal seeking to contract with the show factory CMO
    • Shadow factories – manufacturing facilities which operate in the shadows, either owned by a show factory or a ‘sub-contractor’ to a show factory

    Theoretically, there is nothing to say a CMO cannot become a show factory at some point during the supplier lifecycle. Examples of triggers for this transition might include management or ownership changes, local crime or corruption in the area where the factory is based, or financial distress. This highlights the importance of performing regular, ongoing supplier integrity and supplier assurance throughout the supplier lifecycle.

    Shadow factories can involve forced labour
    Photo by u041cu0430u0440u0438u044f u041au0430u0448u0438u043du0430 on Pexels.com

    Shadow factories introduce a host of risks for principals

    The nature of shadow factories mean they expose the principal to a wide variety of risks, some of which can materialise or persist many years after the shadow factory has been shut down or eliminated from the supply chain, such as regulatory action or litigation arising from involvement with modern slavery. Examples of these risks include:

    • Product Diversion – conforming product can be diverted, such as through overproduction using molds or trade marked materials supplied by the Principal to the show factory
    • Product Integrity – shadow factories can introduce problems with product conformance and product safety, which mean the product obtained by an end user does not meet expectations and can give rise to financial, brand, ESG and safety ramifications
    • IP and Trade Secrets theft – shadow factories might be provided with commercially valuable IP, such as trade secrets, manufacturing molds, recipes and authentic packaging. When uncontrolled, these could be used for counterfeiting, product diversion, and establishing competing businesses
    • Brand Integrity & reputation risk – companies which find shadow factories in their supply chain can be left with adverse brand and reputation damage, as well as be required to pay damages to workers who may be victims of wage theft, modern slavery, or workplace accidents
    • Modern Slavery – workers in shadow factories are often also vulnerable members of society. There is a high chance workers could be victims of modern slavery, such as bonded labour, debt bondage, or child labour
    • Occupational Health & Safety (OHS) – shadow factories often have poor safety conditions, which can give rise to deaths or dreadful workplace accidents. Shadow factory owners may bribe public officials, such as workplace inspectors, to look the other way, further impacting the welfare of factory workers
    • Environmental protection – as with OHS, a track record of environmental damage is common with shadow factories, particularly those which use hazardous chemicals or substances. The need for environmental remediation to remove legacy toxins or pollution is common when shadow factories are closed
    • Business Continuity – shadow factories run as lean as possible, and are unlikely to be able to effectively mitigate unplanned interruptions. Further, show factories might not be able to scale up quickly enough in the event something happens to the shadow factory, leaving the principal with a false sense of security and no protection against business interruptions

    By their nature, shadow factories are much cheaper as they typically lack the quality management, regulatory compliance, occupational health and safety, and environmental protections found in legitimate factories. Additionally, workers in shadow factories may be victims of modern slavery, which introduces legal, ethical and integrity issues for the contracting principal, not to mention ESG risk for the principal’s lenders or investors.

    Indicators of show and shadow factories

    When thinking about how we can detect show and shadow factory activity it is important to remember that manufacturing is a process comprising inputs (raw materials, components) which feed production, resulting in a standardised output. Conforming products are manufactured to a consistent standard, with inputs defined by the Bill of Materials (or BOM lists the precise inputs and quantities required to produce a conforming product).

    It is possible to forensically identify potential shadow factory activity
    Photo by Anton Mislawsky on Pexels.com

    The nature of manufacturing means it is possible to identify discrepancies between expected and actual inputs, production metrics, and outputs which could indicate a CMO is actually operating a ‘show’ factory and that work is being performed by elsewhere by a ‘shadow’ factory. According to APEC, indicators used to determine whether a CMO is operating a show or shadow factory include:

    • Capacity versus output calculations in relation to a given factory’s estimated production capacity
    • Recieving records which may indicate discrepancies in volumes, values, dates / times or other data points
    • Materials reconciliation – reconciling usage versus output may identify unexplained anomalies or inconsistencies
    • ‘Unavailability of packaging materials’ onsite for a given client – such as where the expected packaging materials are not physically located in the show factory (i.e.because they have been shipped to the shadow factory)
    • Maintenance records – including records showing longer than expected gaps between servicing due to inactivity
    • Production records – including staff rosters and payroll records
    • Distribution records – including vehicle logs and delivery records
    • Security access control records and vehicle access logs such as truck deliveries via a security gate)
    • Equipment usage logs – including records showing below expected machinery usage counts
    • Cleaning logs – potentially showing cleaning performed infrequently or less than planned in the show factory
    • Accountability and traceability of rejected materials or defects arising during manufacture
    • Utility usage versus manufacturing output – comparisison of electricity, gas, water usage and bills against plan

    Identification of these red flags requires organisation. Prior to performing a site visit or desktop audit, auditors or investigators should have already built a spreadsheet model or similar assessment tool which outlines the expected case value for each of these indicators specific to the product, location of the factory, and other relevant contextual information. This allows auditors to focus on collecting the information necessary to provide an evidence-based assessment, as well as minimising distractions on what they need to collect or questions to ask during a site visit and enabling a laser focus on what they are seeing and hearing during the inspection.

    Manufacturer Fraud Audit

    To this day I can recall one of the earliest fraud audits performed in my career involving a manufacturing facility recieving government grants. I was green in those days and assigned to perform the audit alone. After spending a few hours examining the manufacturer’s books and records, something wasn’t adding up. I went into the CFO’s office asking him to explain some discrepancies, only to be asked which set of records I would like to see – the records he provided me, a set they maintained for tax purposes, or the real records!

    Shocked, I left his office and called my boss, who informed the government. Suffice to say the CFO no longer worked there when I went back to continue my work the next day. However, the moral of the story for these types of audits is that you only have a limited time onsite in which to make sense of the data you are being given and take action. You need to be efficient, organised and prepared, otherwise you will miss your window of opportunity – by the time you get a chance to come back, all evidence of fraud or non-compliance will likely be destroyed.

    As highlighted in this article, the involvement of shadow factories in your supply chain can introduce a host of risks, not to mention legal, ethical, safety, and brand concerns. The positive, however, is that it is possible to identify potential show and shadow factory involvement in your supply chain using data analytics. Analytics, supplemented with intelligence, can be used to target your audits or investigations towards high risk third parties, ensuring they know the right questions to ask and what to look out for during site inspections.

    Further Reading

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    Supply chain integrity and security: what are the risks? (Part II)

    Posted on by

    Paul Curwell, CPP, CFE, CISSP

    Introduction

    Part I of this article addressed the concept of Supply Chain Integrity, which is increasingly being bunded with security under the banner ‘Supply Chain Integrity and Security’ (SCIS). SCIS is part of the broader domain of Supply Chain Risk Management (SCRM), which is undergoing its own renaissance thanks to distruptions to global trade and commerce arising from the COVID-19 pandemic and the war in Ukraine.

    Part II of the article is continued here examines what we mean by the concept of Supply Chain Security, and how the field is evolving in response to the world’s changing geostrategic climate.

    Photo by Julius Silver on Pexels.com

    Supply Chain Security – a rapidly changing field

    Supply Chain Security has undergone multiple expansions in scope to accomodate the evolving global threat environment, changes in international commerce, technological innovation and increasingly the 4th industrial revolution. However, this evolution has largely gone unreported by commentators in the field, with many books and articles on the subject failing to reflect the broad scope of risks now recognised by critical infrastructure and governments globally. As an example, Supply Chain Security traditionally focused on two main risks:

    Practitioners in this area have largely focused around logistics, with security programs focusing on controls such as shipping container seals and GPS vehicle tracking. The events of September 11, 2001, helped sharpen this focus, with the USA enhancing a scheme to help mitigate supply chain security risks posed by terrorism (known as C-TPAT). Examples of equivalent national schemes include:

    Photo by Fabiola Ulate on Pexels.com

    To coordinate a consistent global response and maintain safe and secure trade and commerce, the World Customs Organisation (WCO) introduced the SAFE Framework of Standards to Secure and Facilitate Global Trade in 2005, followed by the  Authorized Economic Operators (AEO) Programme in 2007. This perspective on supply chain security is reinforced by various global standards including ISO28001, which is intended to complement the SAFE Framework. However, whilst risks like terrorism, theft and product diversion all remain relevant, Supply Chain Security has evolved even further in the past ten years to reflect geopolitical threats in the current operating environment.

    Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

    Consequently, the USA, UK, Canada and Australia have all issued updated guidance on Supply Chain Security, which has expanded significantly from theft, diversion and terrorism to encompass the more complete spectrum of what the US Government calls ‘Supply Chain Threats’:

    In addition to ‘security’ focused risks, a range of frauds can also materialise in the supply chain. For some organisations, it makes sense to address security, integrity and fraud issues in the supply chain within the same business function or framework, whilst for others they are separated to completely different parts of the organisation. However, common risks here include:

    I have already written about a number of these supply chain frauds in other articles on @ForewarnedBlog (refer hyperlinks above). Future articles will also cover aspects of this topic.

    Risks and business processes with a nexus to Supply Chain Integrity and Security

    In any organisation, there are a number of business functions which commonly touch on aspects related to Supply Chain Risk Management. SCIS programs should try to leverage these resources where possible, either through use of common team to execute a process or through smart process design, which means a common process is used to address multiple distinct business requirements.

    Photo by Wilson Malone on Pexels.com

    Examples here include due diligence and supplier audits which can be performed once and the results reused multiple times to comply with a range of regulatory obligations or business needs. Examples of risks with a nexus to SCIS that might be leveraged include:

    When designing your supply chain risk management program, look across your organisation into other areas or teams (such as procurement, finance, sustainability and compliance) to understand work already performed and identify opportunities to streamline processes and systems.

    In addition to reducing your operating costs, this approach could improve your supplier’s experience when dealing with you. Sometimes from a supplier’s perspective, a customer can just become too much hard work, leading to increased prices (in an attempt to encourage you to find an alternate supplier) or severance of the relationship overall.

    A common example I encounter is where a supplier is asked for the same information multiple times by different teams from the same buyer, leading to wasted effort and frustration. Managing third party or supplier relationships are exactly that – a relationship – so there needs to be an element of give and take by both parties.

    Further Reading

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    Supply chain integrity and security: what are the risks? (Part I)

    Posted on by

    Paul Curwell, CPP, CFE, CISSP

    Introduction

    Supply Chains are complex involving many levels of suppliers who are typically located in multiple countries around the world. For high reliability industries (such as airlines and oil rigs) or industries where there is a chance of life or death (e.g. defence applications, pharmaceuticals and food products), the introduction of a sub-standard or below specification (non-conforming) product could have serious consequences. Further, many of these industries are highly regulated to protect consumers.

    Photo by Markus Spiske on Pexels.com

    The nature of global supply chains today presents a real challenge, as illustrated by the global supply chain for the Boeing 787 and Bombardier Global Express in this article from Canada’s Aerospace Review. These challenges are magnified somewhat in relation to security and integrity risks, as explored later in this article. To assist readers unfamiliar with these concepts, a simple product supply chain could be considered as having at least eight categories of actors, as illustrated below:

    An illustative example of a simple supply chain

    Part I of this article addressses the concept of Supply Chain Integrity. Part II, continued here, examines what we mean by the concept of Supply Chain Security, and how the field is evolving in response to the world’s changing geostrategic climate. Supply Chain Integrity and Security’ (SCIS) is part of the broader domain of Supply Chain Risk Management (SCRM), which is undergoing its own renaissance thanks to COVID-19 and the associated distruptions to global trade and commerce arising from the pandemic.

    Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

    What is Supply Chain Integrity and Security?

    The concepts of Supply Chain Integrity and Supply Chain Security are often bundled together under the guise of Supply Chain Integrity and Security (SCIS). One example of this is in the life sciences industry, with the following defintion of SCIS being commonly cited from the U.S. Pharmacopea (a compendium of drug information, effectively the standards for all pharmaceutical compounds in the USA whose application is enforced by the US Food and Drug Administration):

    Supply Chain Integrity and Security (SCIS) is defined as a set of policies, procedures, and technologies used to provide visibility and traceability of products within the supply chain. This is done to minimize the end-user’s exposure to adulterated, economically motivated adulteration, counterfeit, falsified, or misbranded products or materials, or those which have been stolen or diverted. This is minimized by implementing procedures to control both the forward and the reverse supply chains. SCIS involves reducing risks that arise anywhere along the supply chain, from sourcing materials and products to their manufacture and distribution. The ultimate goal is to detect adulterated, falsified, or counterfeit products and prevent them from entering the supply chain.

    Supply Chain Integrity defined

    Supply Chain Integrity is sufficiently different from Supply Chain Security to require its own explanation. Supply Chain Integrity is defined by ENISA as providing an “indication of the conformance of the supply chain to good practices and specifications associated with its operations”. When I think about what this means in plain english, I deconstruct the concept of Supply Chain Integrity into three core elements:

    • Provenance – What are the origins of all components or raw materials in my product? For example, a ‘blood diamond’ extracted illegally from a war zone using slave labour is still an authentic diamond, however its provenance is questionable.
    • Authenticity – Is the product what it claims to be, or has it been tampered with or substituted? Have the products or components been “produced with legal right or authority granted by the legally authorized source” (AS6174A)?
    • Traceability – Can I trace the movement of components in my product from raw material to the end user? This is defined in AS6174A as “having documented history of material’s supply chain history. This refers to documentation of all supply chain intermediaries and significant handling transactions, such as from original manufacturer to distributor”
    Photo by Pixabay on Pexels.com

    As I previously discussed in this article on SAE’s standard AS6174 and which are worth reproducing again here, the World Economic Forum identified “four key questions that must be answered at the product level as part of Supply Chain Integrity (Pickard & Alvarenga, 2012):

    • Integrity of Source – did this product come from where I think it did?
    • Integrity of Content – is the product made the way I think it is?
    • Integrity of Purpose – is the product going to do what I think it will do?
    • Integrity of Channel – did this product travel the way I think it did?”

    To address each of the elements of Provenance, Authenticity and Traceability, Supply Chain Integrity programs typically comprise a variety of activities, including:

    • Track and trace programs as well as serialisation to uniquely identify each component and locate where it resides globally in the supply chain at any point in time
    • Quality management programs, to identify conforming vs. non-conforming products
    • Supplier integrity programs, to understand exactly who the seller of a product, part or raw material is and assess what if any integrity risks this poses
    • Market surveillance (market monitoring) – intelligence activities to identify where products are being sold and by whom, to manage the risk of counterfeit or diverted products to end users and the manufacturer’s brand or reputation
    Photo by Pixabay on Pexels.com

    A taxonomy of Supply Chain Integrity risks

    As with any type of risk, it is possible to build a taxonomy of individual risks which reside under the category of Supply Chain Integrity. Based on my research, I have listed fourteen risks associated with Supply Chain Integrity below:

    • Adulteration of products or raw materials
    • Tampering of products, parts or components
    • Introduction of counterfeit material
    • Gray market products
    • Substitution of raw materials, parts, components or products
    • Falsified or fraudulent material
    • Use of substandard material (i.e. non-conforming or below specification)
    • Misbranded or falsely-labelled products
    • Expired products (moved to less-regulated jurisdiction, re-labelled, and then re-sold)
    • Products marked for destruction are diverted, re-labelled then re-sold
    • Ineffective product recall
    • Ineffective product storage and / or transport
    • Supplier integrity

    These risks are related to, but also quite different to the risks listed in Part II of this article on Supply Chain Security (see link at the bottom of the page).

    The relationship between Supply Chain Integrity and your Quality Management System

    I have mentioned the term ‘conformance’ a number of times throughout this document, which is defined by ISO22000 as “a product which filfils a requirement”. Conformance assumes that a buyer goes to market seeking to procure products or services which do a particular thing or meet a particular standard (the requirements), and that a supplier is contractually obligated to provide a product or service which addresses these requirements.

    Photo by Karolina Grabowska on Pexels.com

    For buyers, Quality Management Systems (QMS) play an important role in ensuring the products which are shipped to your door for use are firstly what you purchased (hopefully addressing your requirements), and secondly what they claim to be. This process is referred to in AS6174A as ‘Product Assurance’ which involves “confirming the authenticity of materiel or its compliance with manufacturer’s specifications” (SAE International, p27) to minimise the likelihood of non-conforming materiel entering the supply chain. Product Assurance is undertaken using one of four methods listed below:

    • Documentation & Packaging Inspection
    • Visual Inspection
    • Non-Destructive Testing (NDT)
    • Destructive Testing (DT)

    Readers wanting more information on the Product Assurance process can refer to my previous article. In many organisations, the Product Assurance process is typically performed by a combination of warehouse personnel and / or engineers, scientists or quality management teams upon delivery of new parts or products. Alternately, other organisations perform these inspections before a product leaves the factory, ensuring adequate SCIS processes are in place to mitigate any security or integrity risks that may arise between the shipment leaving the factory and delivery to its final destination.

    Failure to properly perform Product Assurance may mean company takes receipt of a non-conforming product or component on day 1, however that this non-conformance is not identified until the product or component is placed into service (potentially some days later). This gap between delivery date and usage date may be an extended period of time during which warranties or guarantees may become voided. Risks here are particularly high for business critical or hard to source parts held in inventory as spares in the event of an in-service part failure, which could provide a false sense of security that sufficient spares are held in case of emergency.

    To read Part II of this article, click here.

    Further Reading

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    Building your supplier integrity framework

    Posted on by

    Paul Curwell, CPP, CFE, CISSP

    What is Supplier Integrity ?

    The Cambridge Dictionary defines integrity as “the quality of being honest and having strong moral principles that you refuse to change”. Increasingly the term ‘business integrity‘ is being used to reflect the way companies manage compliance risks and regulatory obligations. More recently, the term ‘supplier integrity’ is also starting to arise.

    Photo by ThisIsEngineering on Pexels.com

    Supplier Integrity is a logical extension of the concept of ‘business integrity’ (see below – note that some authors use ‘business integrity’ specifically to refer to anti-bribery and corruption). Before diving into the concept in more detail, it is worth setting some boundaries for what constitutes ‘supplier integrity’.

    Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

    Despite searching, at the time of writing I was unable to locate a standard or guideline on supplier integrity. However, the OECD Due Diligence Guidance for Responsible Business Conduct provides a useful set of guardrails for what might be included within a supplier integrity framework:

    • Human Rights
    • Environmental Protection
    • Employment and Industrial Relations
    • Financial Crime, specifically:
      • Anti-Bribery & Corruption
      • Economic and Trade Sanctions
      • Fraud
      • Money Laundering & Terrorist Financing
      • Tax Crime
    • Consumer Protection
    • Competition & Anti-Competitive Practices

    In my opinion, one of the other fundamental elements to Supplier Integrity is Beneficial Ownership, or the identify of the natural person(s) who actually own the supplier. Whilst determination of beneficial ownership is likely to occur during Supplier Due Diligence, understanding who you are actually proposing to do business with – what the World Bank refers to as the “corporate veil” – is essential and should not be overlooked (refer this related post).

    Why is Supplier Integrity important?

    There are at least two main reasons why Supplier Integrity is important in business today: the first is legal, whilst the second is more a reflection of ethics and values. One of the primary legal reasons for needing a robust supplier integrity program is Principal-Agent Theory which holds that the company contracting the third party (‘principal’) is generally responsible for actions taken on its behalf by that third party (‘agent’), making it essential that companies have the right programs in place to select, onboard, oversee and terminate their supplier arrangements.

    • Under this legal doctrine, if a supplier does something illegal there is generally a degree of civil and / or criminal liability for that conduct which can fall on the principal.
    • Whilst activities such as Supplier Integrity and associated supplier compliance programs can help mitigate this liability in the event of something going wrong, it generally does not absolve the principal completely.
    • One example of this in practice is a principals’ liability for bribery and corruption performed on its behalf by a supplier under the U.S. Foreign and Corrupt Practices Act (FCPA) (FCPA Guide, p136).
    Photo by Pixabay on Pexels.com

    In relation to ethics and values, there are four key drivers which underscore the importance of a robust Supplier Integrity Framework:

    • ESG and shareholders – the Environmental Social Governance (ESG) investment movement is becoming increasingly important globally as we recognise the value and importance of sustainable business practices, as well as the importance of integrity and transparency in business generally. According to McKinsey, companies demonstrate a strong ESG proposition correlate with higher equity returns.
    • OECD Guidelines for Responsible Business Conduct (RBC) – these Guidelines cover covering environmental, industrial relations, financial crime, competition, human rights, and consumer protection and are the OECD’s most comprehensive international standard on Responsible Business Conduct. The Australian Government is committed to promoting the use of the Guidelines and their effective and consistent implementation. Companies operating in Australia and Australian companies operating overseas are expected to act in accordance with the principles set out in the Guidelines and to perform to the standards they suggest. The Guidelines are supplemental to Australian law and are not legally binding (AusNCP).
    • Consumer expectations and social licence to operate – this driver is much more fluid and reflects the will and appetite of the local community and populace to allow a company to operate. Companies which do more respect the communities or environment in which they operate are being identified and actively targeted by global consumers for socially unacceptable behaviour, potentially impacting sales, employee attraction and retention, and political support.
    • Reflection of the company’s values and ethics – perhaps the most important of all, a companies suppliers are a reflection of its brand. Poor choices in suppliers can manifest in quality and reputation risks impacting factors such as profitability down stream.
    Photo by Akil Mazumder on Pexels.com

    What would you expect to see in a Supplier Integrity Framework?

    A Supplier Integrity Framework fulfils and specific purpose – ensuring that the principal’s suppliers conform with its ethics and values as well as comply with applicable legislation. There are six components I would expect to see in any Supplier Integrity Framework:

    1. Supplier Code of Conduct – reflects the principal’s ethics and values to ensure these are demonstrated by its suppliers
    2. Supplier Integrity Policy –
      • Outlines roles and responsibilities, acceptable behaviours or expected practices (see Supplier Code of Conduct);
      • Aligns with compliance obligations and the principal’s broader policies and frameworks (eg risk and compliance frameworks, procurement policy, supplier management framework),
      • Outlines the ongoing monitoring and due diligence practices and the supplier compliance program; and,
      • Sets out how incidents are to be reported and managed.
    3. Risk Assessment – identifies the main supplier integrity risks and where they may manifest in the supply chain (geographical, spend category, etc), as well as associated controls and risk treatment plans
    4. Supplier Due Diligence and Ongoing Monitoring Program – conduct due diligence and continous monitoring on a supplier’s integrity throughout the supplier lifecycle (i.e. selection, contracting, contract management, termination)
    5. Supplier Compliance Program (aka Supplier Assurance Program or Vendor Assurance) – documents how and what the principal will do to ensure compliance with its Supplier Integrity Framework as well as other aspects of contractual compliance. This should also include appropriate incident management, audit and investigation provisions.
    6. Performance and reporting – details how compliance with the policy will be tracked and reported with appropriate levels of governance and oversight.

    Relationship between Supplier Integrity, Procurement and Supplier Management Frameworks

    The Supplier Integrity Framework is likely to be one element of a principal’s broader suite of corporate governance artefacts. Ordinarily this framework will be subordinate to other frameworks in the organisation such as the principal’s Code of Conduct and other business integrity policies and practices which apply to all employees.

    The Supplier Integrity Framework is likely to be subordinate to the Procurement and Sourcing Policy, which likely sets out how the principal performs these functions, as well as other Supplier Relationship Management (SRM) and Supply Chain Management (SCM) frameworks.

    Each of the above policies and frameworks performs and important role in the overall supply chain of third party management ecosystem. Importantly, a well-designed supplier integrity framework compliments other governance and risk-related concepts, such as those outlined in the Australian Government’s Critical Technology and Supply Chain Principles (’10 Agreed Principles’, see previous post), as well as providing a solid foundation from which to address a range of other supply chain threats and risks.

    Further Reading

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.