Building your supplier integrity framework

Posted on July 23, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

What is Supplier Integrity ?

The Cambridge Dictionary defines integrity as “the quality of being honest and having strong moral principles that you refuse to change”. Increasingly the term ‘business integrity‘ is being used to reflect the way companies manage compliance risks and regulatory obligations. More recently, the term ‘supplier integrity’ is also starting to arise.

Photo by ThisIsEngineering on Pexels.com

Supplier Integrity is a logical extension of the concept of ‘business integrity’ (see below – note that some authors use ‘business integrity’ specifically to refer to anti-bribery and corruption). Before diving into the concept in more detail, it is worth setting some boundaries for what constitutes ‘supplier integrity’.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

Despite searching, at the time of writing I was unable to locate a standard or guideline on supplier integrity. However, the OECD Due Diligence Guidance for Responsible Business Conduct provides a useful set of guardrails for what might be included within a supplier integrity framework:

Human Rights
Environmental Protection
Employment and Industrial Relations
Financial Crime, specifically:
- Anti-Bribery & Corruption
- Economic and Trade Sanctions
- Fraud
- Money Laundering & Terrorist Financing
- Tax Crime
Consumer Protection
Competition & Anti-Competitive Practices

In my opinion, one of the other fundamental elements to Supplier Integrity is Beneficial Ownership, or the identify of the natural person(s) who actually own the supplier. Whilst determination of beneficial ownership is likely to occur during Supplier Due Diligence, understanding who you are actually proposing to do business with – what the World Bank refers to as the “corporate veil” – is essential and should not be overlooked (refer this related post).

Why is Supplier Integrity important?

There are at least two main reasons why Supplier Integrity is important in business today: the first is legal, whilst the second is more a reflection of ethics and values. One of the primary legal reasons for needing a robust supplier integrity program is Principal-Agent Theory which holds that the company contracting the third party (‘principal’) is generally responsible for actions taken on its behalf by that third party (‘agent’), making it essential that companies have the right programs in place to select, onboard, oversee and terminate their supplier arrangements.

Under this legal doctrine, if a supplier does something illegal there is generally a degree of civil and / or criminal liability for that conduct which can fall on the principal.
Whilst activities such as Supplier Integrity and associated supplier compliance programs can help mitigate this liability in the event of something going wrong, it generally does not absolve the principal completely.
One example of this in practice is a principals’ liability for bribery and corruption performed on its behalf by a supplier under the U.S. Foreign and Corrupt Practices Act (FCPA) (FCPA Guide, p136).

In relation to ethics and values, there are four key drivers which underscore the importance of a robust Supplier Integrity Framework:

ESG and shareholders – the Environmental Social Governance (ESG) investment movement is becoming increasingly important globally as we recognise the value and importance of sustainable business practices, as well as the importance of integrity and transparency in business generally. According to McKinsey, companies demonstrate a strong ESG proposition correlate with higher equity returns.
OECD Guidelines for Responsible Business Conduct (RBC) – these Guidelines cover covering environmental, industrial relations, financial crime, competition, human rights, and consumer protection and are the OECD’s most comprehensive international standard on Responsible Business Conduct. The Australian Government is committed to promoting the use of the Guidelines and their effective and consistent implementation. Companies operating in Australia and Australian companies operating overseas are expected to act in accordance with the principles set out in the Guidelines and to perform to the standards they suggest. The Guidelines are supplemental to Australian law and are not legally binding (AusNCP).
Consumer expectations and social licence to operate – this driver is much more fluid and reflects the will and appetite of the local community and populace to allow a company to operate. Companies which do more respect the communities or environment in which they operate are being identified and actively targeted by global consumers for socially unacceptable behaviour, potentially impacting sales, employee attraction and retention, and political support.
Reflection of the company’s values and ethics – perhaps the most important of all, a companies suppliers are a reflection of its brand. Poor choices in suppliers can manifest in quality and reputation risks impacting factors such as profitability down stream.

What would you expect to see in a Supplier Integrity Framework?

A Supplier Integrity Framework fulfils and specific purpose – ensuring that the principal’s suppliers conform with its ethics and values as well as comply with applicable legislation. There are six components I would expect to see in any Supplier Integrity Framework:

Supplier Code of Conduct – reflects the principal’s ethics and values to ensure these are demonstrated by its suppliers
Supplier Integrity Policy –
- Outlines roles and responsibilities, acceptable behaviours or expected practices (see Supplier Code of Conduct);
- Aligns with compliance obligations and the principal’s broader policies and frameworks (eg risk and compliance frameworks, procurement policy, supplier management framework),
- Outlines the ongoing monitoring and due diligence practices and the supplier compliance program; and,
- Sets out how incidents are to be reported and managed.
Risk Assessment – identifies the main supplier integrity risks and where they may manifest in the supply chain (geographical, spend category, etc), as well as associated controls and risk treatment plans
Supplier Due Diligence and Ongoing Monitoring Program – conduct due diligence and continous monitoring on a supplier’s integrity throughout the supplier lifecycle (i.e. selection, contracting, contract management, termination)
Supplier Compliance Program (aka Supplier Assurance Program or Vendor Assurance) – documents how and what the principal will do to ensure compliance with its Supplier Integrity Framework as well as other aspects of contractual compliance. This should also include appropriate incident management, audit and investigation provisions.
Performance and reporting – details how compliance with the policy will be tracked and reported with appropriate levels of governance and oversight.

Relationship between Supplier Integrity, Procurement and Supplier Management Frameworks

The Supplier Integrity Framework is likely to be one element of a principal’s broader suite of corporate governance artefacts. Ordinarily this framework will be subordinate to other frameworks in the organisation such as the principal’s Code of Conduct and other business integrity policies and practices which apply to all employees.

The Supplier Integrity Framework is likely to be subordinate to the Procurement and Sourcing Policy, which likely sets out how the principal performs these functions, as well as other Supplier Relationship Management (SRM) and Supply Chain Management (SCM) frameworks.

Each of the above policies and frameworks performs and important role in the overall supply chain of third party management ecosystem. Importantly, a well-designed supplier integrity framework compliments other governance and risk-related concepts, such as those outlined in the Australian Government’s Critical Technology and Supply Chain Principles (’10 Agreed Principles’, see previous post), as well as providing a solid foundation from which to address a range of other supply chain threats and risks.

Further Reading

Australian National Contact Point [AusNCP] (2020). OECD Guidelines. https://ausncp.gov.au/oecd-guidelines
Curwell, P. (2021). The trouble with company registers – not a uniquely Australian problem, https://forewarnedblog.com/2021/03/13/the-trouble-with-company-registers-not-a-uniquely-australian-problem/
Curwell, P. (2022). Australia’s Critical Technology and Supply Chain Principles – a new reality for industry (part 2), https://forewarnedblog.com/2022/03/19/australias-critical-technology-and-supply-chain-principles-a-new-reality-for-industry-part-2/
Department of Justice & Securities Exchange Commission (2020). FCPA: A Resource Guide to the U.S. Foreign Corrupt Practices Act, 2nd Edition, United States Government, https://www.justice.gov/criminal-fraud/fcpa-resource-guide.
FATF-GAFI (2014). Transparency and Beneficial Ownership, FATF Guidance, Financial Action Task Force, https://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-transparency-beneficial-ownership.pdf
Henisz, W., Koller, T. and Nuttall, R. (2019). Five ways that ESG creates value, McKinsey Quarterly, November 2019, www.mckinsey.com.
OECD (n.d.). OECD Guidelines for Multinational Enterprises – Responsible Business Conduct, OECD Centre for Responsible Business Conduct, https://mneguidelines.oecd.org/
OECD (2018). OECD Due Diligence Guidance for Responsible Business Conduct, OECD Centre for Responsible Business Conduct, https://www.oecd.org/investment/due-diligence-guidance-for-responsible-business-conduct.htm
Shahid, A. and Azar, S (2013). Integrity & Trust: The Defining Principles of Great Workplaces, Journal of Management Research, 5(4):64, DOI:10.5296/jmr.v5i4.3739.
The Ethics Centre (2018). Ethics Explainer: Social license to operate, 23 January 2018, https://ethics.org.au/ethics-explainer-social-license-to-operate/
The Ethics Centre (2018). Trust, legitimacy & the ethical foundations of the market economy, https://ethics.org.au/wp-content/uploads/2019/02/The-Ethics-Centre_180410-on-trust-and-legitimacy.original.pdf
van der Does de Willebois, E., Halter, E.M, Harrison, R.A., Park, J.W, and Sharman, J.C. (2011). The Puppet Masters: How the Corrupt Use Legal Structures to Hide Stolen Assets and What to Do About It, Stolen Assets Recovery Initiative, The World Bank and United Nations Office of Drugs and Crime, Washington D.C. https://star.worldbank.org/

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Third parties defined – what are they exactly, and how should these risks be managed?

Posted on June 25, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

Defining third parties

I frequently use the term ‘third party’ throughout my blog and in the course of my day to day consulting work. Most often, when we talk about third parties we are referring to suppliers, vendors or service providers, but there is a whole ecosystem of third parties present in business today – particularly applicable to those businesses that operate overseas.

As you can see from the table below, third parties also encompass contractors (often we forget about this category and may even consider them like employees, especially when evaluating insider threats, but this oversight can create downstream problems from a fraud, integrity and security perspective if not managed properly):

Third Party	Definition
Joint Venture Partner	An individual or organisation which has entered into a business agreement with another individual or organisation (and possibly other parties) to establish a new business entity and to manage its assets.
Consortium Partner	An individual or organisation which is pooling its resources with another organisation (and possibly other parties) for achieving a common goal. In a consortium, each participant retains its separate legal status.
Agent	An individual or organisation authorised to act for or on behalf of, or to otherwise represent, another organisation in furtherance of its business interests. Agents may be categorised into the following two types: – Sales agents (i.e. those needed to win a contract) – Process agents (e.g. visa permits agents).
Adviser	An individual or organisation providing service and advice by representing an organisation towards another person, business and/or government official. Examples include legal, tax, financial adviser, consultants and lobbyists.
Contractor	A non-controlled individual or organisation that provides goods or services to an organisation under a contract.
Sub-Contractor	An individual or organisation that is hired by a contractor to perform a specific task as part of the overall project.
Supplier / Vendor	An individual or organisation that supplies parts or services to another organisation.
Service Provider	An individual or organisation that provides another organisation with functional support (e.g. communications, logistics, storage, processing services).
Distributor	An individual or organisation that buys products from another organisation, warehouses them and resells them to retailers or directly to end-users.
Customer	The recipient of a product, service or idea purchased from an organisation. Customers are generally categorised into two types: – Intermediate customer: A dealer that purchases goods for resale. – Utimate customer: One who does not in turn resell the goods purchased but is the end user.

World Economic Forum (2013) Conducting Third Party Due Diligence Guidelines

Distributors can be particularly challenging for product-based supply chains, especially if distributors have poor processes and controls in place to manage processes like large discounts to end users, poor end user verification, and poor inventory management controls (both stock on hand, obsolete or discontinued stock marked for discount, and stock marked for write-off). These distributors can be vulnerable to product diversion schemes.

How are companies responsible for the actions of their third parties?

It’s all to easy to forget that under legal ‘Principal-Agent theory’, the company contracting the third party (principal) is generally responsible for actions taken on its behalf by that third party (‘agent’), making it essential that companies have the right programs in place to select, onboard, oversee and terminate their third party arrangements.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

Third party risk is an area receiving increased attention from company executives and regulators world-wide, particularly in a the following risk categories:

Reputation risks (including political donations)
Modern slavery risks
Bribery and corruption risks
Sanctions risks
Fraud & integrity risks (both vendor fraud and against the end user)
Security risks (including insider threats and product diversion schemes)

Increasingly, Environmental Social Governance (ESG) or sustainability considerations are also playing a role in third party and supply chain decisions based on preferences and / or pressure from shareholders, employees and customers.

All companies – large and small – are responsible for the actions of their third parties, and may find themselves the subject of reputation and brand damage as well as litigation, financial losses, and regulatory enforcement action if these risks are improperly managed. Additionally, small and medium sized companies are not immune to regulatory enforcement action simply because of their size.

What should companies do to manage their third party risks?

There are a number of actions that can and should be taken to mitigate third party risks such as those listed above. Whilst no program is ever able to completely mitigate the risk of something happening either now or at any point in the future, implementing steps to try to manage these risks does go a long way.

For offences involving bribery and corruption and breach of international sanctions regulations, regulators such as the United States Department of Justice (Foreign Corrupt Practices Act) and United States Treasury Office of Foreign Assets Control (sanctions regulations) provide pathways for principals to mitigate penalties for misconduct and illegality arising from the conduct of their third parties, but only where the principal has an appropriate compliance program in place to manage these risks.

Any program to properly manage third party risks must follow the third party lifecycle, which may include some or all of the following management actions:

Lifecycle Stage	Illustrative Management Actions
Third Party program setup and governance	1. Setting the ‘tone from the top’ 2. Develop the Compliance Obligations Register 3. Determine risk appetite 4. Develop policies and frameworks 5. Undertake risk assessments 6. Develop a risk management plan, including risk treatment strategies 7. Training and awareness programs 8. Develop due diligence frameworks and programs 9. Develop ongoing monitoring and evaluation frameworks
Third Party Selection	1. Document the principal’s specific requirements 2. Perform due diligence 3. Identify the third party’s material risks, process or capability gaps 4. Identify potential treatments for these gaps
Third Party Onboarding	1. Develop risk-based contract schedules which are practical, auditable and enforceable by the principal 2. Agree contracting and legal agreements 3. Agree third party audit or contract compliance arrangements
Third Party Operations	1. Perform Quality Assurance 2. Manage the third party relationship 3. Provide regular oversight and direction 4. Undertake periodic audits or contractual compliance reviews 5. Periodically review and update Compliance Obligation Registers and Risk Assessments 6. Undertake periodic due diligence throughout the term of the contract with review frequency based on the assessed risk
Third Party Offboarding	1. Execute termination protocols as agreed in the contract 2. Collect all principal documentation, Intellectual Property, equipment and other assets 3. Supervise the destruction of data, assets (e.g. molds, prototypes) or equipment where not easily transferred 4. Periodically review the footprint of the third party’s operations for a period after termination to ensure all IP has been returned and monitor for competitor relationships

Paul Curwell (2022) – illustrative actions to manage third party risks

All businesses today need third party relationships, and whilst they do present risks they also present tremendous opportunity. Further, most businesses today would not be able to thrive without access to their third party ecosystem. Whilst there are risks inherent with third parties, these can be managed effectively and appropriately via a risk-based approach that both considers the context and materiality of the risk and implements practical, effective treatments that work for both the principal and the third party. After all, any party can walk away if contracting becomes too onerous, which may not be a good outcome for either party. Treading this fine line is one of balance and mutual agreement.

Conducting a Country Risk Assessment for your key suppliers

Posted on March 20, 2021 by Paul Curwell, CPP, CFE, CISSP

Author: Paul Curwell

Introduction

Choosing a supplier is an important decision for any business, no matter the size or time in operation. We all know that picking the wrong supplier can have disastrous consequences for your brand, reputation and customer satisfaction. Globalisation has driven manufacturing to low cost destinations, typically in less developed parts of the world. Whilst this meant the ability to purchase a product for a cheaper price, it also came with risks relating to reliability, quality, supply chain disruptions, integrity and ESG (Environmental Social Governance) risks such as indentured labour.

Stories of bad procurement experiences abound in relation to sourcing Personal Protective Equipment like gloves and masks for health workers during the COVID-19 outbreak. For example, some customers purchased counterfeit product whilst others purchased products which did not conform to stated specifications and had to be destroyed. However, in other cases the government where the manufacturer or distributor (e.g. warehouse) was located stepped in to compulsorily acquire the products for their own citizens, at the customer’s expense.

As highlighted by these examples, three main risks need to be considered as part of any supply chain decision:

How well do you Know Your Supplier (KYS)
- Are they legitimate?
- Do they have a good track record in the market?
- Are they financially solvent?
- What do existing customers think of them (do they have any customers)?
- Will associating with them damage your reputation?
Does the product quality and pricing meet expectations?
- Are their products legitimate?
- Do they use substandard or counterfeit components?
- Do their products conform to expected / agreed standards and specifications?
- Are they competitively priced?
Is the supplier located in a high risk country?
- What factors external to the supplier might impact their ability to service your needs?
- How dependent are they on other parties, such as trucking companies and electricity utilities, to delivery on supply agreements?
- Are there any other considerations which might result in supply chain disruptions or non-delivery?

This concept of a ‘high risk country’ and the concept of country risk is examined in more detail below.

So what is country risk anyway?

The importance of understanding country risk is often overlooked, or given only a cursory glance by many businesses. As Australians we are truly privileged in terms of our advanced society, laws and infrastructure, and it is easy to forget that this is not the case for other countries (especially those manufacturing low cost products for import). When used by economists and the investment community, country risk refers to the “losses that could arise as a result of the interruption of repayments or the operations of entities engaged in cross-border investments caused by country events as opposed to commercial, technical or management problems specific to the transaction” (Toksoz).

The term political risk may also be used interchangably with country risk in some situations, however it is typically used to refer to those sources of risk with a political dimension whereas country risk as used here is much broader. According to Moosa (2002), country risk analysis is used in three scenarios:

Multinational companies use it as a screening tool to select preferred countries for investment and / or market entry based on risk factors;
Country risk metrics can be used as part of a continuous monitoring program for in-flight projects or investments (see below); and,
It can help identify, assess and manage country-related risks pertaining to projects or other initiatives in a foreign country.

For the purposes of this article, the selection of suppliers falls into the latter category.

You don’t need to consider country risk as part of every supplier decision

Not every product is created equal – some products may be more highly commoditised (and therefore readily availble from multiple suppliers) than others. Typically, it is not necessary to follow the practices outlined in this post for products which can be easily purchased from many suppliers in many different countries (and indeed regions of the world).

Situations where a business should to conduct a proper country risk study of its supply chain include:

Companies that are sourcing a contract manufacturer to build their products to specification
Products that require rare or hard to obtain ingredients / materials / components
Products that require specialist skills, equipment or manufacturing conditions (e.g. clean rooms)
Products that require components which are made under license by a fourth party

Where does country risk fit into the overall decision process for a supplier?

The process of choosing a supplier generally involves at least five core steps:

Identify and document your business requirements
Identify source countries for the product
Identify potential suppliers (i.e. individual businesses)
Negotiate and award the contract
Monitor the supplier for the life of the contract

Often, the identification of a potential supplier is conducted in tandem with the country risk assessment, however the order really depends on how many supplier choices exist. For example, in the case of contract manufacturers there may be suitable suppliers across multiple countries. Assuming these contract manufacturers are broadly comparable on other attributes such as price / quality and KYS outcomes, the inherent country risks may become a determining factor in the ultimate decision.

Photo by Startup Stock Photos on Pexels.com

What does the country risk assessment process involve for suppliers?

In my career, I have seen many country risk assessments which really miss the mark. They might be a great piece of research that consumes copious numbers of pages and tells you everything you might ever want to know about a country, but so what? We’re in business, not writing a doctoral thesis or encyclopedia. Many country risk assessments are actually what are referred to as ‘country studies’, effectively research documents that catalogue many facts about a given country but are not linked to risks per se. I use a three-step process to produce a country risk assessment for a supplier, as follows:

Map the supplier’s value chain – use Michael Porter’s value chain analysis to gain at least a basic understanding of what is required by the supplier to make your product. For example, if your supplier runs an iron foundry, you care about electricity and water as inputs. The reliability of your supplier’s phone network is important for delivery and payment, but without power and water there is no product. If your supplier depends on third parties for components, you need to understand this as well.
Identify country risks – there are numerous methods for this, with two common ones being PESTLE and PMESII. If you already have a country study, this should be used as an input to this risk identification stage. Use desktop research and interviews to identify the required information, and then categorise your findings using the PESTLE and PMESII taxonomies:
- PESTLE – stands for Political, Economic, Social, Technological, Legal and Environmental and is commonly used in government and business. Each of the PESTLE categories has a multitude of sub-factors, such as types of contract law (as a Legal example) which should be researched, discounted, or included where relevant
- PMESII – stands for Political, Military (or law enforcement / organised crime), Economic, Social, Information (as in the reliability of information such as public records and the media) and Infrastructure. PMESII is a methodology used by the intelligence community.
- Either method, or any variation thereof, should be developed based on your scope of work and objectives.
Write up the country risk assessment and risk mitigation plan – the last step in my method for preparing a country risk assessment for suppliers involves overlaying the country risks against the value chain. Where possible, market forecasts and internal metrics (e.g. revenue, production) should also be referenced to ensure identification of country risks that actually impact the value chain. Once you have identified risks relevant to the value chain, these risks can be assessed and potential mitigation options identified for consideration.

Why should I bother? What is the cost-benefit here?

In her latest book on Political Risk, former US Secretary of State turned Stanford University professor refers to political risk in the context of her “five hards of political risk management” (p82):

Hard to reward
Hard to understand
Hard to measure
Hard to update
Hard to communicate

I have encountered situations where well-intentioned businesses sought to manage country risk, such as when selecting a single contract manufacturers for all their production, only to find executives balk at the thought of spending a thousands of dollars to identify and assess risks which in many cases would protect from losses of millions in future revenue. Whilst it might be hard to quantify the return on investment that justifies spending on country risk, the benefits are clear, as illustrated by this example from MIT Professor Yossi Sheffi’s excellent book ‘the resilient enterprise’:

On 17 March 2000, lightning resulted in a fire at the Philips NV semi-conductor plant in New Mexico, USA which damaged manufacturing clean-rooms and destroyed inventory under production. Two of the plant’s most important customers were Ericsson and Nokia, then leaders in the mobile phone market.

In Finland, Nokia received a call from the plant informing them of an anticipated one-week delay. However, on further investigation Nokia determined the downstream effects would impact millions of its handsets, jeopardising sales and market share. Nokia began to enact its contingency plan, including buying excess capacity in the global market.

Nokia’s primary competitor, the Swedish company Ericsson, also received the same call but was reportedly less concerned. By the time they realised the materiality of the situation it was too late. This event ultimately triggered billon-kronor losses for Ericsson, resulting in its exiting the mobile phone market entirely.

This example highlights the importance of understanding all aspects of risk in the supply chain – making early, informed actions are critical to managing supply chain risk.

The country risk assessment process isn’t just a once-off

Most relationships in life start out well but deteriorate over time. Like any business relationship, suppliers need to be continuously monitored and the relationship nurtured to ensure long-term benefits to all parties. The concept of ongoing or continuous monitoring in due diligence and risk management generally has been around for many years, but has only recently started to take hold. Two elements need to be continuously monitored so as to properly manage supply chain risk:

Ongoing monitoring / continuous monitoring of the supplier themselves for factors such as financial solvency, quality, changes in ownership; and,
Ongoing monitoring of those external ‘country risk’ factors which the supplier may not even be aware of but which could disrupt ongoing supply.

One way to conduct ongoing (continuous) monitoring is through a strategic ‘early warning’, ‘situational awareness’ or ‘risk sensing’ capability which monitors the operating environment for tripwires, or leading indicators of an emerging risk which allows for closer monitoring and timely response. I will discuss how to build one of these capabilities in a future post.

ForewarnedBlog.com

Actionable insights on security, fraud, integrity and resilience for innovative industries

Tag Archives: 3rd Party Management Systems & Processes