An introduction to third party screening processes


What is screening and why is it important?

Screening is a term applied in the governance, risk and compliance field which equates to one or more database checks. In a screening process, the name of a business, organisation or individual is queried in a database to identify potential matches.


Where a match is identified, the screening process should include a confirmation step to determine how reliable the match is prior to determining next steps. Screening is used in a range of functions, including:

Many risk and compliance laws and international standards have a reasonable expectation that screening will be performed by business and government as part of routine business operations or as part of customer service delivery. Vendor screening is also an essential part of vendor due diligence and is a foundational element of any supplier integrity framework.

Overview of the screening process

Any screening process comprises two stages – screening design and screening delivery – with a total of five steps in the process, as follows:

Stage 1 – Screening Design

  • Determine screening context and objectives: Confirm what you need to achieve by screening. This could be an obligation under legislation, standards, or policies.
  • Agree screening parameters: Determine what you are going to search (sources), when (at what point in a process or relationship), how frequently (e.g. once on commencement of the relationship, or annually), who will perform the work and where the results will be stored.

Stage 2 – Screening Delivery

  • Perform name-based screening: Query the relevant database for a name manually or automatically, ensuring all steps and results are documented.
  • Qualify potential matches and escalate matters of concern: Have a mechanism to perform further review (investigation) of likely matches.
  • Perform Quality Assurance (QA) to validate search parameters, providing assurance that your processes achieve their intended objectives.

Screening processes employing ‘name matching’ algorithms are inherently risky

If you are unfamiliar with text analytics or computer science, you could be forgiven for thinking every search you do in a database is the same, but this is not correct. Broadly speaking, there are two main types of screening query:

  • Exact Name Matching: This search setting queries the exact phrase you have entered against the database (some systems may also be case sensitive). If there is a typo or the names are back to front, no match will be returned, giving an erroneous result.
  • Fuzzy Name Matching: Fuzzy matching is used to compare two search strings which may be similar but are not identical, based on criteria determined either by the user (when performing the search) or by the algorithm.

Common problems encountered when designing your screening process (Stage 1 above) include:

  • Spelling errors
  • Truncated words
  • Names containing multiple languages (e.g. Arabic + English)
  • Names that have been incorrectly translated to English (either in a database record or in the search parameter)
  • Dealing with initials and titles / honorifics
  • Words that are out of order (e.g. surname -> first name or first name -> surname)
  • Spaces and hyphens
  • Nicknames or unofficial names
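As an added example (not code from the original post), the following Python implements both query types over a constructed watchlist, with a normalisation step that handles several of the problems listed above (titles, hyphens, out-of-order tokens, initials and spelling variants) and an adjustable similarity threshold. The watchlist entries, the title list and the threshold are assumptions chosen for illustration.

```python
"""Exact versus fuzzy name screening against a small constructed watchlist.

Added example, not the original article's code. The watchlist entries,
title list and threshold are assumptions chosen for illustration.
"""
import re

# Constructed sample watchlist; these are not real sanctions records.
WATCHLIST = [
    "John Smith",
    "Mohammed Al-Rashid",
    "Maria Fernanda Lopez Garcia",
]

# Titles and honorifics removed before comparison (hypothetical list).
TITLES = {"mr", "mrs", "ms", "dr", "prof", "sir", "sheikh"}


def normalise(name: str) -> list[str]:
    """Lowercase, treat hyphens as spaces, drop apostrophes and other
    punctuation, and remove titles. Only letters survive, so names in
    non-Latin scripts must be transliterated before screening."""
    name = name.lower().replace("-", " ").replace("'", "").replace("\u2019", "")
    tokens = re.findall(r"[^\W\d_]+", name)
    return [t for t in tokens if t not in TITLES]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (one DP row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def token_similarity(a: str, b: str) -> float:
    """1.0 for identical tokens, 0.0 for completely different ones.
    A single-letter token is treated as an initial and matches any token
    with the same first letter, so 'J Smith' still surfaces 'John Smith'."""
    if len(a) == 1 or len(b) == 1:
        return 1.0 if a[0] == b[0] else 0.0
    return 1.0 - levenshtein(a, b) / max(len(a), len(b))


def name_similarity(query: str, candidate: str) -> float:
    """Score each token against its best counterpart regardless of order
    (so 'Smith, John' equals 'John Smith'). Averaging over the longer
    token list penalises names with extra or missing components."""
    q, c = normalise(query), normalise(candidate)
    if not q or not c:
        return 0.0
    short, long_ = (q, c) if len(q) <= len(c) else (c, q)
    total = sum(max(token_similarity(t, u) for u in long_) for t in short)
    return total / len(long_)


def exact_match(query: str, watchlist=WATCHLIST) -> list[str]:
    """Exact-phrase query: only the literal, case-sensitive string matches,
    so a typo or reversed name order returns nothing."""
    return [w for w in watchlist if w == query]


def fuzzy_match(query: str, watchlist=WATCHLIST, threshold: float = 0.75):
    """Return (candidate, score) pairs at or above the threshold, best
    first. A lower threshold raises recall but produces more potential
    matches, each of which needs the confirmation step before action."""
    hits = []
    for w in watchlist:
        score = name_similarity(query, w)
        if score >= threshold:
            hits.append((w, round(score, 4)))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    # Constructed queries illustrating the problems listed above.
    for q in ["Smith, John", "Dr Jon Smyth", "J Smith", "Mohamed Al Rashid",
              "Jonathan Smithson"]:
        print(f"{q!r:22} exact={exact_match(q)} fuzzy={fuzzy_match(q)}")
```

Note that the initial rule gives "J Smith" a full score against "John Smith": initials buy recall at the price of more potential matches, which is exactly why the confirmation step belongs in the process.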

When performing screening for compliance purposes, it is common to determine how your screening processes (including selected search parameters) comply with your organisation’s policy, legislative obligations, or risk appetite. It is also important to understand your data, both in the database and in the material you are using to search. If your data quality is poor, you can have the best process in the world but you will still miss something. In a compliance or reputation context, improperly performed screening can have serious financial and legal consequences.

What should businesses screen for?

Precisely what a business screens its vendors for will vary depending on regulatory obligations, internal policy settings and risk appetite. In some cases, the cost of performing the screening may outweigh the risk. Examples of what is commonly employed as part of a screening process include:

Screening is only the first step in any supplier due diligence or third party risk management process. Remember that not everything is in a database, and some matters may require an audit or the use of investigative techniques for detection. Show and shadow factories are one such example.

There are a plethora of screening solutions on the market, particularly for vendors. Some screening solutions are aggregators meaning they offer access to multiple different databases (e.g. financial viability plus adverse media) within the same interface. Many aggregators also offer proprietary reporting and case management tools, as well as continuous monitoring and alerting functionality at a variety of price points.

What about emerging markets where there is no data?

Screening tools are powered by databases, so the quality of the output reflects the data quality inputs. I have previously worked with clients to test the accuracy, coverage and reliability of paid proprietary databases against known results to determine whether the information holdings of paid databases are as accurate as they claim.

Unfortunately, the results of these comparisons haven’t always been great, particularly when it comes to data quality in emerging markets. Here are three things to consider in this scenario:

  • Consider the type of record and what the regulatory obligations are for updating that record in the given jurisdiction. In a country which gives company secretaries 3 months to register a change of director, that change is not going to show up in a database just because the company has made a press announcement.
  • Understand whether the database vendor collects the records themselves, or whether they are an aggregator (or worse, an aggregator of aggregators). The closer your provider is to the primary source, the greater the likelihood the record will be accurate and timely.
  • Remember that errors can be made in declarations or when transposing information unless the country uses data validation tools. Some errors can be intentional, such as where a front company provides fictitious director details.

When designing your screening process, it pays to understand what you are doing and why, and confirm this meets your requirements and acceptance criteria.


DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

What is Show and Shadow Manufacturing?

What is contract manufacturing?

The economics of manufacturing in the 21st century have meant many factories relocated to developing countries where labour is plentiful and costs are lower. To further reduce costs and focus on ‘core business’, many manufacturers (principals) outsourced production to Contract Manufacturing Organisations (CMOs). This involves standard outsourcing activities as well as winding down a principal’s factories in favour of focusing on higher value-add activities such as R&D, product management, sales and marketing. Examples of industries using CMOs include pharmaceutical and electronics companies.


Whilst use of CMOs might make commercial sense, it also introduces unique risks such as ‘shadow manufacturing’ which must be managed to maintain brand, product and supply chain integrity.


‘Show factories’ versus ‘shadow factories’ – what’s the difference?

Most CMOs are completely above-board and legitimate, offering excellent service and conforming to a host of certification standards and regulatory obligations. However, ‘show factories’ and ‘shadow factories’ are an exception. Show and shadow factories can be defined as follows (adapted from APEC, 2017):

  • Show factories – typically ‘impressive’ facilities which claim to manufacture a given product or component; however, this is intended to mislead (defraud) the principal seeking to contract with the show factory CMO
  • Shadow factories – manufacturing facilities which operate in the shadows, either owned by a show factory or a ‘sub-contractor’ to a show factory

Theoretically, there is nothing to say a CMO cannot become a show factory at some point during the supplier lifecycle. Examples of triggers for this transition might include management or ownership changes, local crime or corruption in the area where the factory is based, or financial distress. This highlights the importance of performing regular, ongoing supplier integrity and supplier assurance throughout the supplier lifecycle.


Shadow factories introduce a host of risks for principals

The nature of shadow factories means they expose the principal to a wide variety of risks, some of which can materialise or persist many years after the shadow factory has been shut down or eliminated from the supply chain, such as regulatory action or litigation arising from involvement with modern slavery. Examples of these risks include:

  • Product Diversion – conforming product can be diverted, such as through overproduction using molds or trademarked materials supplied by the principal to the show factory
  • Product Integrity – shadow factories can introduce problems with product conformance and product safety, which mean the product obtained by an end user does not meet expectations and can give rise to financial, brand, ESG and safety ramifications
  • IP and Trade Secrets theft – shadow factories might be provided with commercially valuable IP, such as trade secrets, manufacturing molds, recipes and authentic packaging. When uncontrolled, these could be used for counterfeiting, product diversion, and establishing competing businesses
  • Brand Integrity & reputation risk – companies which find shadow factories in their supply chain can be left with adverse brand and reputation damage, as well as be required to pay damages to workers who may be victims of wage theft, modern slavery, or workplace accidents
  • Modern Slavery – workers in shadow factories are often also vulnerable members of society. There is a high chance workers could be victims of modern slavery, such as bonded labour, debt bondage, or child labour
  • Occupational Health & Safety (OHS) – shadow factories often have poor safety conditions, which can give rise to deaths or dreadful workplace accidents. Shadow factory owners may bribe public officials, such as workplace inspectors, to look the other way, further impacting the welfare of factory workers
  • Environmental protection – as with OHS, a track record of environmental damage is common with shadow factories, particularly those which use hazardous chemicals or substances. The need for environmental remediation to remove legacy toxins or pollution is common when shadow factories are closed
  • Business Continuity – shadow factories run as lean as possible, and are unlikely to be able to effectively mitigate unplanned interruptions. Further, show factories might not be able to scale up quickly enough in the event something happens to the shadow factory, leaving the principal with a false sense of security and no protection against business interruptions

By their nature, shadow factories are much cheaper as they typically lack the quality management, regulatory compliance, occupational health and safety, and environmental protections found in legitimate factories. Additionally, workers in shadow factories may be victims of modern slavery, which introduces legal, ethical and integrity issues for the contracting principal, not to mention ESG risk for the principal’s lenders or investors.

Indicators of show and shadow factories

When thinking about how we can detect show and shadow factory activity, it is important to remember that manufacturing is a process comprising inputs (raw materials, components) which feed production, resulting in a standardised output. Conforming products are manufactured to a consistent standard, with inputs defined by the Bill of Materials (BOM), which lists the precise inputs and quantities required to produce a conforming product.


The nature of manufacturing means it is possible to identify discrepancies between expected and actual inputs, production metrics, and outputs which could indicate a CMO is actually operating a ‘show’ factory and that the work is being performed elsewhere by a ‘shadow’ factory. According to APEC, indicators used to determine whether a CMO is operating a show or shadow factory include:

  • Capacity versus output calculations in relation to a given factory’s estimated production capacity
  • Receiving records which may indicate discrepancies in volumes, values, dates / times or other data points
  • Materials reconciliation – reconciling usage versus output may identify unexplained anomalies or inconsistencies
  • ‘Unavailability of packaging materials’ onsite for a given client – such as where the expected packaging materials are not physically located in the show factory (i.e. because they have been shipped to the shadow factory)
  • Maintenance records – including records showing longer than expected gaps between servicing due to inactivity
  • Production records – including staff rosters and payroll records
  • Distribution records – including vehicle logs and delivery records
  • Security access control records and vehicle access logs (such as truck deliveries via a security gate)
  • Equipment usage logs – including records showing below expected machinery usage counts
  • Cleaning logs – potentially showing cleaning performed infrequently or less than planned in the show factory
  • Accountability and traceability of rejected materials or defects arising during manufacture
  • Utility usage versus manufacturing output – comparison of electricity, gas, water usage and bills against plan

Identification of these red flags requires organisation. Prior to performing a site visit or desktop audit, auditors or investigators should have already built a spreadsheet model or similar assessment tool which outlines the expected value for each of these indicators, specific to the product, the location of the factory, and other relevant contextual information. This allows auditors to focus on collecting the information necessary to provide an evidence-based assessment, minimises distraction over what they need to collect or which questions to ask during a site visit, and enables a laser focus on what they are seeing and hearing during the inspection.
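The expected-versus-actual model described above, as an added example in Python rather than the spreadsheet the article suggests (this is not the article’s or APEC’s code): it checks four of the listed indicators (capacity versus output, materials reconciliation against the BOM, utility usage versus output, and equipment usage logs) over constructed monthly records. The plan figures, the 15% tolerance and both months’ data are assumptions.

```python
"""Expected-versus-actual checks for show/shadow factory indicators.

Added example, not from the article or APEC. The plan figures, tolerance
and monthly records are constructed for illustration.
"""
from dataclasses import dataclass

# Hypothetical product plan: BOM quantities per finished unit plus planned
# energy, machine-cycle and capacity figures (constructed values).
PLAN = {
    "bom_per_unit": {"steel_kg": 2.0, "resin_kg": 0.5, "carton": 1.0},
    "kwh_per_unit": 1.2,        # electricity per finished unit
    "cycles_per_unit": 1.0,     # press cycles per finished unit
    "units_per_shift": 400,     # rated capacity of the line
    "shifts_per_month": 44,
}
TOLERANCE = 0.15  # flag when actual is more than 15% away from expected


@dataclass
class MonthRecord:
    month: str
    units_shipped: int          # distribution / delivery records
    materials_issued: dict      # receiving and stores records, by item
    kwh_billed: float           # utility bill
    press_cycles: int           # equipment usage log


def deviation(actual: float, expected: float) -> float:
    """Signed relative deviation of actual from expected."""
    if expected == 0:
        return 0.0 if actual == 0 else float("inf")
    return (actual - expected) / expected


def assess(rec: MonthRecord, plan=PLAN, tol=TOLERANCE) -> list[dict]:
    """Return one flag per indicator whose actual value is inconsistent
    with the output the factory claims to have produced."""
    flags = []

    def flag(indicator, actual, expected):
        flags.append({"indicator": indicator, "actual": actual,
                      "expected": expected,
                      "deviation": round(deviation(actual, expected), 3)})

    # Capacity versus output: shipping more than the line can make implies
    # product is being sourced from somewhere else.
    capacity = plan["units_per_shift"] * plan["shifts_per_month"]
    if rec.units_shipped > capacity:
        flag("capacity", rec.units_shipped, capacity)

    # Materials reconciliation: BOM usage implied by output versus issued.
    # Under-consumption suggests units were made elsewhere; over-consumption
    # suggests overproduction (possible diversion).
    for item, qty in plan["bom_per_unit"].items():
        expected = qty * rec.units_shipped
        actual = rec.materials_issued.get(item, 0)
        if abs(deviation(actual, expected)) > tol:
            flag(f"materials:{item}", actual, expected)

    # Utility usage versus output: a bill far below plan for the claimed
    # volume means the machines were not running as much as reported.
    expected_kwh = plan["kwh_per_unit"] * rec.units_shipped
    if deviation(rec.kwh_billed, expected_kwh) < -tol:
        flag("utility_kwh", rec.kwh_billed, expected_kwh)

    # Equipment usage logs: cycle counts below what the output requires.
    expected_cycles = plan["cycles_per_unit"] * rec.units_shipped
    if deviation(rec.press_cycles, expected_cycles) < -tol:
        flag("equipment_cycles", rec.press_cycles, expected_cycles)

    return flags


# Constructed records: a consistent month and one with the profile of a
# show factory (output above capacity, but inputs, power and cycles too low;
# cartons reconcile because packaging was forwarded to the shadow site).
NORMAL = MonthRecord("2023-03", 15_000,
                     {"steel_kg": 30_300, "resin_kg": 7_400, "carton": 15_100},
                     kwh_billed=18_500, press_cycles=15_200)
ANOMALOUS = MonthRecord("2023-04", 19_000,
                        {"steel_kg": 30_000, "resin_kg": 7_000, "carton": 19_200},
                        kwh_billed=14_000, press_cycles=12_000)

if __name__ == "__main__":
    for rec in (NORMAL, ANOMALOUS):
        print(rec.month, assess(rec) or "no anomalies")
```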

Manufacturer Fraud Audit

To this day I can recall one of the earliest fraud audits performed in my career involving a manufacturing facility receiving government grants. I was green in those days and assigned to perform the audit alone. After spending a few hours examining the manufacturer’s books and records, something wasn’t adding up. I went into the CFO’s office asking him to explain some discrepancies, only to be asked which set of records I would like to see – the records he provided me, a set they maintained for tax purposes, or the real records!

Shocked, I left his office and called my boss, who informed the government. Suffice to say the CFO no longer worked there when I went back to continue my work the next day. However, the moral of the story for these types of audits is that you only have a limited time onsite in which to make sense of the data you are being given and take action. You need to be efficient, organised and prepared, otherwise you will miss your window of opportunity – by the time you get a chance to come back, all evidence of fraud or non-compliance will likely be destroyed.

As highlighted in this article, the involvement of shadow factories in your supply chain can introduce a host of risks, not to mention legal, ethical, safety, and brand concerns. The positive, however, is that it is possible to identify potential show and shadow factory involvement in your supply chain using data analytics. Analytics, supplemented with intelligence, can be used to target your audits or investigations towards high risk third parties, ensuring auditors know the right questions to ask and what to look out for during site inspections.


How can Insider Threats manifest in the Supply Chain?

Executive Summary

Insider Threat Management is difficult at the best of times, let alone cascading this implementation into the supply chain. The starting point for managing this risk is to understand how and where insider risks may arise in the supply chain, as well as assessing the likely business impact. Only then can these risks start to be managed effectively. The second consideration is contracting with suppliers to set expectations and form contractual obligations on expected practices: Some organisations rely solely on contractual obligations to manage their insider risks, an approach which is fraught with danger. This article explores these risks in more detail and outlines common pitfalls encountered when developing Insider Threat Management clauses in contract schedules.


How can insider threats affecting a principal materialise in the supply chain?

In this post, I use the term ‘principal’ to reference the party engaging a third party (e.g. a supplier). Insider threats can be malicious, complacent or ignorant, and there are two ways trusted insiders in the supply chain may impact a principal:

  • Principal is targeted directly by the insider – examples include supply chain attacks (ICT), issue motivated activism (e.g. anti-fossil fuels), or the introduction of SSFFC (Substandard, Spurious, Falsely Labelled, Falsified and Counterfeit) and / or non-conforming parts or components into the principal’s supply chain.
  • Principal is not directly targeted but is impacted by the consequences of the event – examples might include a workplace violence incident which causes a downstream business interruption that affects quality, availability or some other service level.

Under Australia’s new Security of Critical Infrastructure Act and Rules (2022) (referred to as SOCI), critical infrastructure operators are required to more actively manage insider threats and supply chain hazards. The relevant Rules have been reproduced below:

  • Personnel Hazards: minimise or eliminate material risks that negligent employees and malicious insiders may cause to the functioning of the asset (paragraph (c))
  • Supply Chain Hazards: minimise or eliminate the material risk of, or mitigate, the relevant impact of: misuse of privileged access to the asset by any provider in the supply chain (paragraph (b))

To comply with these obligations, organisations need to understand the intersection of insider threats and supply chain threats and how they might manifest in practice.

What insider risks can manifest in a direct impact on the principal?

We buy products or services from our suppliers, and we may also use other third party relationships such as alliances or consortiums to facilitate business in some way. This means that insider risks can impact people, assets, information as well as products, services and quality. Examples of insider risks in the supply chain are outlined below:

Unauthorised use or disclosure of information
  • Examples: May involve the following categories of information: a) Intellectual Property & Trade Secrets; b) Commercially sensitive information; c) Personally Identifiable Information
  • Controls: Information Protection Programs; Supervised Destruction at contract termination

Unauthorised use or copying of molds, proprietary materials, manufacturing equipment, tools or techniques
  • Examples: Where a supplier uses tools and equipment provided for a permitted purpose without authorisation (relevant to Contract Manufacturers and Contract Research Organisations)
  • Controls: Supplier Assurance / Audits; Equipment Disposition; Market Surveillance Programs; Supervised Destruction; Contract clauses specifying ownership of IP

Supplier reputation (entity)
  • Examples: Adverse media / reputation; Management track record; Finances & Credit Ratings; Watchlist & Sanctions checks; Ultimate Beneficial Ownership & Control; Litigation history & enforcement action; Other checks as appropriate
  • Controls: Supplier Integrity Program; Supplier Due Diligence; Supplier Assurance / Audits

Supplier’s employees
  • Examples: Potential for infiltration of the supplier by hostile actors (e.g. organised crime, nation state actors); Hiring of unsuitable employees or contractors by a supplier
  • Controls: Workforce Screening Program (background checks); Supplier Integrity Program; Insider Threat Management Program

Sabotage
  • Examples: Physical Sabotage; ICT System Sabotage; Data Sabotage; Supply Chain Attacks; Product Tampering
  • Controls: Physical Security Program; Personnel Security / Insider Threat Program; Supply Chain Integrity & Security Program; IT Disaster Recovery

Introduction of SSFFC & Non-Conforming Parts
  • Examples: Failure of, or damage to, critical assets whilst in service due to malicious insertion or latent vulnerabilities in parts, components or software; Unidentified cybersecurity vulnerabilities in products or systems (e.g. network back-doors); Failure of products or components whilst operating within specifications; Substitution of authentic (conforming) for inauthentic (non-conforming) parts or components
  • Controls: Supply Chain Integrity & Security Program; Quality Assurance Program

Intentional Interference & Contract Frustration
  • Examples: Supplier / service provider under-delivers or incorrectly delivers intentionally for some reason (including through economic coercion or hostile control by other nation states)
  • Controls: Supplier Due Diligence; Threat and Risk Assessments; Supplier Assurance / Audits

Designing and enforcing Insider Threat clauses in contracts can be challenging

In my experience working on both supply chain security and insider threat engagements, it is common to see organisations placing a high degree of reliance on the provisions in a contract to manage these risks. Quite often these courses of action are driven by legal or procurement policy decisions in organisations which don’t fully appreciate their threat and risk environment.

Relying on contractual provisions to manage insider threats (or any other supply chain threat) means your organisation is reactive or response-driven: by the time you need to enact the provisions, the incident or loss has generally already materialised, and sometimes the legal remedy may not be obtained until years after the event, during which time considerable management time, expense and effort has been expended.

Legal mechanisms are only one way to manage trusted insider risks

In addition to the above, I regularly encounter a range of challenges with these contract clauses, including:

  • Sometimes contracts are silent on Insider Threat Management, or the clauses that do exist cannot be readily or easily enforced.
  • Supplier contracts often last for multiple years, and renewals may be simple extensions without using the latest templates. This can mean a patchwork of standards and obligations exists throughout the supplier base, some of which may not align with the organisation’s current standards and practices.
  • Principals don’t specify their expectations of a supplier’s Insider Threat Management program, which could be mitigated by providing standards and frameworks for suppliers to follow and referencing these in contract schedules.
  • Sometimes the relevant clauses are in a contract but they are never audited or enforced to confirm the supplier is actually adhering to what they agreed to. Also, suppliers may have been compliant at a point in time, but then ceased to comply due to cost pressures or management decisions.
  • When dealing with the situation where there is only one or a small number of suitable suppliers globally, negotiating power is an issue. The principal may have the best intentions and a good framework to follow, but the supplier is not interested in agreeing to these clauses and refuses to sign the contract, knowing the principal will likely have to back down.
  • In some cases, it may not be possible for a supplier to agree to the principal’s requirements due to the nature of legal, industrial relations, employee engagement, or culturally acceptable practices in the supplier’s jurisdiction. Workforce surveillance practices such as User Activity Monitoring are a good example here.

As you can see, there is a lot to consider when making policy decisions on Insider Threat Management practices generally, let alone when suppliers are thrown into the mix. Effective management requires a clear understanding of the threats and risks affecting the principal and how they may impact critical assets. Only then can a risk-based management strategy be developed, tailored to the principal’s needs and risk profile. There is often little room for a ‘one size fits all’ strategy in this scenario.


Building your supplier integrity framework

What is Supplier Integrity?

The Cambridge Dictionary defines integrity as “the quality of being honest and having strong moral principles that you refuse to change”. Increasingly the term ‘business integrity’ is being used to reflect the way companies manage compliance risks and regulatory obligations. More recently, the term ‘supplier integrity’ is also starting to arise.


Supplier Integrity is a logical extension of the concept of ‘business integrity’ (see below – note that some authors use ‘business integrity’ specifically to refer to anti-bribery and corruption). Before diving into the concept in more detail, it is worth setting some boundaries for what constitutes ‘supplier integrity’.


Despite searching, at the time of writing I was unable to locate a standard or guideline on supplier integrity. However, the OECD Due Diligence Guidance for Responsible Business Conduct provides a useful set of guardrails for what might be included within a supplier integrity framework:

  • Human Rights
  • Environmental Protection
  • Employment and Industrial Relations
  • Financial Crime, specifically:
    • Anti-Bribery & Corruption
    • Economic and Trade Sanctions
    • Fraud
    • Money Laundering & Terrorist Financing
    • Tax Crime
  • Consumer Protection
  • Competition & Anti-Competitive Practices

In my opinion, one of the other fundamental elements of Supplier Integrity is Beneficial Ownership, or the identity of the natural person(s) who actually own the supplier. Whilst determination of beneficial ownership is likely to occur during Supplier Due Diligence, understanding who you are actually proposing to do business with – looking behind what the World Bank refers to as the “corporate veil” – is essential and should not be overlooked (refer to this related post).

Why is Supplier Integrity important?

There are at least two main reasons why Supplier Integrity is important in business today: the first is legal, whilst the second is more a reflection of ethics and values. One of the primary legal reasons for needing a robust supplier integrity program is Principal-Agent Theory which holds that the company contracting the third party (‘principal’) is generally responsible for actions taken on its behalf by that third party (‘agent’), making it essential that companies have the right programs in place to select, onboard, oversee and terminate their supplier arrangements.

  • Under this legal doctrine, if a supplier does something illegal there is generally a degree of civil and / or criminal liability for that conduct which can fall on the principal.
  • Whilst activities such as Supplier Integrity and associated supplier compliance programs can help mitigate this liability in the event of something going wrong, it generally does not absolve the principal completely.
  • One example of this in practice is a principal’s liability for bribery and corruption performed on its behalf by a supplier under the U.S. Foreign Corrupt Practices Act (FCPA) (FCPA Guide, p136).

In relation to ethics and values, there are four key drivers which underscore the importance of a robust Supplier Integrity Framework:

  • ESG and shareholders – the Environmental, Social and Governance (ESG) investment movement is becoming increasingly important globally as we recognise the value and importance of sustainable business practices, as well as the importance of integrity and transparency in business generally. According to McKinsey, companies demonstrating a strong ESG proposition correlate with higher equity returns.
  • OECD Guidelines for Responsible Business Conduct (RBC) – these Guidelines cover environmental, industrial relations, financial crime, competition, human rights, and consumer protection and are the OECD’s most comprehensive international standard on Responsible Business Conduct. The Australian Government is committed to promoting the use of the Guidelines and their effective and consistent implementation. Companies operating in Australia and Australian companies operating overseas are expected to act in accordance with the principles set out in the Guidelines and to perform to the standards they suggest. The Guidelines are supplemental to Australian law and are not legally binding (AusNCP).
  • Consumer expectations and social licence to operate – this driver is much more fluid and reflects the will and appetite of the local community and populace to allow a company to operate. Companies which do not respect the communities or environment in which they operate are being identified and actively targeted by global consumers for socially unacceptable behaviour, potentially impacting sales, employee attraction and retention, and political support.
  • Reflection of the company’s values and ethics – perhaps the most important of all, a company’s suppliers are a reflection of its brand. Poor choices in suppliers can manifest in quality and reputation risks impacting factors such as profitability downstream.

What would you expect to see in a Supplier Integrity Framework?

A Supplier Integrity Framework fulfils a specific purpose – ensuring that the principal’s suppliers conform with its ethics and values as well as comply with applicable legislation. There are six components I would expect to see in any Supplier Integrity Framework:

  1. Supplier Code of Conduct – reflects the principal’s ethics and values to ensure these are demonstrated by its suppliers
  2. Supplier Integrity Policy –
    • Outlines roles and responsibilities, acceptable behaviours or expected practices (see Supplier Code of Conduct);
    • Aligns with compliance obligations and the principal’s broader policies and frameworks (e.g. risk and compliance frameworks, procurement policy, supplier management framework);
    • Outlines the ongoing monitoring and due diligence practices and the supplier compliance program; and,
    • Sets out how incidents are to be reported and managed.
  3. Risk Assessment – identifies the main supplier integrity risks and where they may manifest in the supply chain (geographical, spend category, etc), as well as associated controls and risk treatment plans
  4. Supplier Due Diligence and Ongoing Monitoring Program – conduct due diligence and continuous monitoring of a supplier’s integrity throughout the supplier lifecycle (i.e. selection, contracting, contract management, termination)
  5. Supplier Compliance Program (aka Supplier Assurance Program or Vendor Assurance) – documents how and what the principal will do to ensure compliance with its Supplier Integrity Framework as well as other aspects of contractual compliance. This should also include appropriate incident management, audit and investigation provisions.
  6. Performance and reporting – details how compliance with the policy will be tracked and reported with appropriate levels of governance and oversight.

Relationship between Supplier Integrity, Procurement and Supplier Management Frameworks

The Supplier Integrity Framework is likely to be one element of a principal’s broader suite of corporate governance artefacts. Ordinarily this framework will be subordinate to other frameworks in the organisation such as the principal’s Code of Conduct and other business integrity policies and practices which apply to all employees.

The Supplier Integrity Framework is likely to be subordinate to the Procurement and Sourcing Policy, which likely sets out how the principal performs these functions, as well as other Supplier Relationship Management (SRM) and Supply Chain Management (SCM) frameworks.

Each of the above policies and frameworks performs an important role in the overall supply chain or third party management ecosystem. Importantly, a well-designed supplier integrity framework complements other governance and risk-related concepts, such as those outlined in the Australian Government’s Critical Technology and Supply Chain Principles (’10 Agreed Principles’, see previous post), as well as providing a solid foundation from which to address a range of other supply chain threats and risks.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Third parties defined – what are they exactly, and how should these risks be managed?

Defining third parties

I frequently use the term ‘third party’ throughout my blog and in the course of my day-to-day consulting work. Most often, when we talk about third parties we are referring to suppliers, vendors or service providers, but there is a whole ecosystem of third parties present in business today – particularly applicable to those businesses that operate overseas.


As you can see from the table below, third parties also encompass contractors (often we forget about this category and may even consider them like employees, especially when evaluating insider threats, but this oversight can create downstream problems from a fraud, integrity and security perspective if not managed properly):

  • Joint Venture Partner – An individual or organisation which has entered into a business agreement with another individual or organisation (and possibly other parties) to establish a new business entity and to manage its assets.
  • Consortium Partner – An individual or organisation which is pooling its resources with another organisation (and possibly other parties) for achieving a common goal. In a consortium, each participant retains its separate legal status.
  • Agent – An individual or organisation authorised to act for or on behalf of, or to otherwise represent, another organisation in furtherance of its business interests. Agents may be categorised into the following two types:
    • Sales agents (i.e. those needed to win a contract)
    • Process agents (e.g. visa permit agents).
  • Adviser – An individual or organisation providing service and advice by representing an organisation towards another person, business and/or government official. Examples include legal, tax and financial advisers, consultants and lobbyists.
  • Contractor – A non-controlled individual or organisation that provides goods or services to an organisation under a contract.
  • Sub-Contractor – An individual or organisation that is hired by a contractor to perform a specific task as part of the overall project.
  • Supplier / Vendor – An individual or organisation that supplies parts or services to another organisation.
  • Service Provider – An individual or organisation that provides another organisation with functional support (e.g. communications, logistics, storage, processing services).
  • Distributor – An individual or organisation that buys products from another organisation, warehouses them and resells them to retailers or directly to end-users.
  • Customer – The recipient of a product, service or idea purchased from an organisation. Customers are generally categorised into two types:
    • Intermediate customer: A dealer that purchases goods for resale.
    • Ultimate customer: One who does not in turn resell the goods purchased but is the end user.

World Economic Forum (2013) Conducting Third Party Due Diligence Guidelines

Distributors can be particularly challenging for product-based supply chains, especially if distributors have poor processes and controls in place to manage processes like large discounts to end users, poor end user verification, and poor inventory management controls (both stock on hand, obsolete or discontinued stock marked for discount, and stock marked for write-off). These distributors can be vulnerable to product diversion schemes.

How are companies responsible for the actions of their third parties?

It’s all too easy to forget that under legal ‘Principal-Agent theory’, the company contracting the third party (the principal) is generally responsible for actions taken on its behalf by that third party (the ‘agent’), making it essential that companies have the right programs in place to select, onboard, oversee and terminate their third party arrangements.


Third party risk is an area receiving increased attention from company executives and regulators world-wide, particularly in the following risk categories:

  • Reputation risks (including political donations)
  • Modern slavery risks
  • Bribery and corruption risks
  • Sanctions risks
  • Fraud & integrity risks (both vendor fraud and against the end user)
  • Security risks (including insider threats and product diversion schemes)

Increasingly, Environmental Social Governance (ESG) or sustainability considerations are also playing a role in third party and supply chain decisions based on preferences and / or pressure from shareholders, employees and customers.

All companies – large and small – are responsible for the actions of their third parties, and may find themselves the subject of reputation and brand damage as well as litigation, financial losses, and regulatory enforcement action if these risks are improperly managed. Additionally, small and medium sized companies are not immune to regulatory enforcement action simply because of their size.


What should companies do to manage their third party risks?

There are a number of actions that can and should be taken to mitigate third party risks such as those listed above. Whilst no program is ever able to completely mitigate the risk of something happening either now or at any point in the future, implementing steps to try to manage these risks does go a long way.

For offences involving bribery and corruption and breach of international sanctions regulations, regulators such as the United States Department of Justice (Foreign Corrupt Practices Act) and United States Treasury Office of Foreign Assets Control (sanctions regulations) provide pathways for principals to mitigate penalties for misconduct and illegality arising from the conduct of their third parties, but only where the principal has an appropriate compliance program in place to manage these risks.

Any program to properly manage third party risks must follow the third party lifecycle, which may include some or all of the following management actions:

  • Third Party program setup and governance
    1. Setting the ‘tone from the top’
    2. Develop the Compliance Obligations Register
    3. Determine risk appetite
    4. Develop policies and frameworks
    5. Undertake risk assessments
    6. Develop a risk management plan, including risk treatment strategies
    7. Training and awareness programs
    8. Develop due diligence frameworks and programs
    9. Develop ongoing monitoring and evaluation frameworks
  • Third Party Selection
    1. Document the principal’s specific requirements
    2. Perform due diligence
    3. Identify the third party’s material risks, process or capability gaps
    4. Identify potential treatments for these gaps
  • Third Party Onboarding
    1. Develop risk-based contract schedules which are practical, auditable and enforceable by the principal
    2. Agree contracting and legal agreements
    3. Agree third party audit or contract compliance arrangements
  • Third Party Operations
    1. Perform Quality Assurance
    2. Manage the third party relationship
    3. Provide regular oversight and direction
    4. Undertake periodic audits or contractual compliance reviews
    5. Periodically review and update Compliance Obligation Registers and Risk Assessments
    6. Undertake periodic due diligence throughout the term of the contract, with review frequency based on the assessed risk
  • Third Party Offboarding
    1. Execute termination protocols as agreed in the contract
    2. Collect all principal documentation, Intellectual Property, equipment and other assets
    3. Supervise the destruction of data, assets (e.g. molds, prototypes) or equipment where not easily transferred
    4. Periodically review the footprint of the third party’s operations for a period after termination to ensure all IP has been returned and monitor for competitor relationships

Paul Curwell (2022) – illustrative actions to manage third party risks

All businesses today need third party relationships, and whilst they do present risks they also present tremendous opportunity. Further, most businesses today would not be able to thrive without access to their third party ecosystem. Whilst there are risks inherent with third parties, these can be managed effectively and appropriately via a risk-based approach that both considers the context and materiality of the risk and implements practical, effective treatments that work for both the principal and the third party. After all, any party can walk away if contracting becomes too onerous, which may not be a good outcome for either party. Treading this fine line is one of balance and mutual agreement.


Theft of fuel from HMS Bulwark – a diversion case study

What happened?

This story broke in the media on 7 April 2022, with multiple articles claiming the theft of fuel from a high security Royal Navy base in the United Kingdom. According to Sky News, “the diesel was siphoned from a tanker in a heist that reportedly ‘ran for weeks’ with most of it having been ‘flogged on the black market’”. Some articles claim the fuel was being used to run diesel generators on HMS Bulwark whilst it is alongside and undergoing refit.

HMS Bulwark, Albion-class assault ship, Royal Navy, United Kingdom

Further details on the case are limited, other than the fact that the case is under investigation by the UK Ministry of Defence and that the alarm was raised when a guard at the base became suspicious. Unfortunately the theft of fuel is a common occurrence – as a perishable commodity which retains its value in the market, fuel is in high demand and can be readily converted to cash when diverted even in small quantities, or alternatively consumed for personal use.


A case of diversion or shrinkage? Motive is key

The fact that fuel was stolen means this is an offence of theft, or potentially fraud depending on whether deception was used to perpetrate the crime. Given events took place on a secure military base where it is reasonable to assume you cannot simply walk in or out, it is reasonable to assume an element of deception (i.e. fraud).

Either way, whilst details are limited in the public domain it is possible to develop further insights into the crime for the purposes of building this case study. For example, we know this scam went on for weeks. According to Wikipedia, the capacity of a fuel tanker truck ranges from 20,800 to 43,900 litres. Google reveals that the average capacity of an SUV on the road is up to 70 litres.

To provide an order of magnitude, 2% of 43,900 litres is 878 litres, which equates to around 12.5 full SUV tanks. If this scam was perpetrated once a day for 7 days, we are talking about over 6,000 litres of diesel being stolen each week. With current Australian diesel costs averaging $1.95 per litre as at 14 April 2022, this equates to illicit earnings of just under AUD$12,000 per week (AUD$624,000 per annum). To be clear, there is no indication of quantum or order of magnitude in the media, so this is hypothetical and indicative only.


So does this activity equate to shrinkage or diversion?

  • Shrinkage is an accounting term used to describe when a store has fewer items in stock than in its recorded book inventory (Shopify). Shrinkage can be the result of process or quality issues, as well as theft and fraud.
  • Product Diversion refers to goods that are redirected from the manufacturer’s intended area of sale or destination to a different geography or distribution channel (Curwell)

In practice, I tend to view shrinkage as being less organised and not ‘commercial’ in scale, whereas diversion is typically more organised and more commercial in nature. Given this has been going on for weeks, as well as the volume and illicit revenue estimates outlined above, I would suggest this is clearly a case of product diversion. Further, in my taxonomy of product diversion risks, this is defined as “Product stolen from distribution or supply chain”.

How can these types of product diversion events be detected generally?

Product diversion shares similarities with other frauds. According to the Association of Certified Fraud Examiners (ACFE) Occupational Fraud 2022: Report to the Nations study:

  • 42% of business frauds globally are detected via tip offs,
  • 16% through internal audit, and,
  • 12% through management review.

Interestingly, 5% of cases were detected by accident – exactly how the Royal Navy guard discovered this diversion incident.

When you know what you are looking for, the application of fraud analytics techniques means product diversion can be detected provided you have the right data and you assemble and analyse this data in a manner that will allow you to identify potential indicators of diversionary activity.


From my understanding of the situation, there are at least four primary records that, when ‘joined’ together, could be used to identify similar product diversion cases pertaining to oil and fuel:

  • Order records – invoices and purchase orders should state the quantity of fuel ordered and the delivery dates. Given this is a military base, there are likely to be some sort of movement records to register in advance the potential delivery.
  • Tanker truck records – records of how many tanker trucks entered the base and their capacity (this might be captured at the front security gate for emergency management reasons in case of fire).
  • Fuel transfer records – these should record how much fuel was actually delivered from the tanker to HMS Bulwark, and would likely be maintained by the driver or the fuel tanker company’s order delivery system (most likely a smart phone app). Requirements to supply these to the customer could be mandated in the contract of sale.
  • Fuel receipt records – these would be maintained by the crew of HMS Bulwark, recording all details of the delivery, including fuel quality records from onsite Quality Assurance testing performed by the ship’s engineers as well as the quantity of fuel received.

These four datasets could be collected by customers and monitored on a proactive, ongoing basis to identify discrepancies indicative of potential product diversion using data visualisation tools such as Tableau or even Microsoft Excel. Alternately product diversion schemes such as this may also be identified during distributor audits or compliance investigations.
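The reconciliation described above, written out as an added example that is not part of the original post: it joins constructed order, gate, driver-app transfer and ship receipt records on a purchase-order id, flags single deliveries whose dispensed-versus-received variance falls outside a metering tolerance, flags missing records and QA failures, and separately flags a run of consecutive shortfalls that are each individually inside tolerance. All record layouts, field names, tolerances and values are assumptions.

```python
"""Reconcile four fuel-delivery record sets and flag possible diversion.

Added example (not from the original post). Every record below is
constructed sample data for a hypothetical weekly delivery contract;
field names, tolerances and quantities are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

METER_TOLERANCE = 0.01  # assumption: +/-1% dispensed-vs-received variance is metering noise
RUN_LENGTH = 4          # assumption: this many consecutive shortfalls is a pattern to review

PO_IDS = ["PO-1001", "PO-1002", "PO-1003", "PO-1004", "PO-1005", "PO-1006"]
DATES = ["2022-03-01", "2022-03-08", "2022-03-15", "2022-03-22", "2022-03-29", "2022-04-05"]

# Constructed order records (purchase orders): litres ordered and delivery date.
ORDERS = [{"po": p, "date": d, "ordered_l": 40000} for p, d in zip(PO_IDS, DATES)]
# Constructed tanker records captured at the security gate (truck id and capacity).
GATE = [{"po": p, "truck": "TK-07", "capacity_l": 43900} for p in PO_IDS]
# Constructed transfer records from the driver's delivery app.
TRANSFERS = [{"po": p, "dispensed_l": 40000} for p in PO_IDS]
# Constructed receipt records kept by the ship's engineers; PO-1005 has none.
RECEIPTS = [
    {"po": "PO-1001", "received_l": 39680, "qa_pass": True},   # 0.8% short: inside tolerance
    {"po": "PO-1002", "received_l": 39680, "qa_pass": True},
    {"po": "PO-1003", "received_l": 39200, "qa_pass": True},   # 2% short: outside tolerance
    {"po": "PO-1004", "received_l": 39680, "qa_pass": True},
    {"po": "PO-1006", "received_l": 39680, "qa_pass": False},  # onsite QA test failed
]


@dataclass
class DeliveryCheck:
    po: str
    date: str
    ordered_l: int
    dispensed_l: Optional[int] = None
    received_l: Optional[int] = None
    shortfall_l: Optional[int] = None        # dispensed minus received
    shortfall_ratio: Optional[float] = None  # shortfall as a fraction of dispensed
    flags: List[str] = field(default_factory=list)


def reconcile(orders, gate, transfers, receipts) -> List[DeliveryCheck]:
    """Join the four record sets on purchase-order id and test each delivery."""
    gate_ix = {r["po"]: r for r in gate}
    tr_ix = {r["po"]: r for r in transfers}
    rc_ix = {r["po"]: r for r in receipts}
    checks = []
    for o in sorted(orders, key=lambda r: r["date"]):
        g, t, r = gate_ix.get(o["po"]), tr_ix.get(o["po"]), rc_ix.get(o["po"])
        c = DeliveryCheck(po=o["po"], date=o["date"], ordered_l=o["ordered_l"])
        missing = [n for n, rec in (("gate", g), ("transfer", t), ("receipt", r)) if rec is None]
        if missing:  # a gap in the trail is itself a finding, not a reason to skip
            c.flags.append("incomplete trail: no " + "/".join(missing) + " record")
        if t is not None:
            c.dispensed_l = t["dispensed_l"]
            if t["dispensed_l"] != o["ordered_l"]:
                c.flags.append("dispensed differs from ordered quantity")
        if r is not None:
            c.received_l = r["received_l"]
            if not r["qa_pass"]:
                c.flags.append("QA failure: possible substitution or dilution")
            if g is not None and r["received_l"] > g["capacity_l"]:
                c.flags.append("received exceeds tanker capacity recorded at gate")
        if t is not None and r is not None and t["dispensed_l"] > 0:
            c.shortfall_l = t["dispensed_l"] - r["received_l"]
            c.shortfall_ratio = c.shortfall_l / t["dispensed_l"]
            if abs(c.shortfall_ratio) > METER_TOLERANCE:
                c.flags.append(f"dispensed/received variance {c.shortfall_ratio:.1%} outside tolerance")
        checks.append(c)
    return checks


def find_runs(checks: List[DeliveryCheck], run_length: int = RUN_LENGTH) -> List[dict]:
    """Flag consecutive short deliveries even when each one is inside tolerance."""
    runs, current = [], []
    for c in list(checks) + [None]:  # None sentinel closes the final run
        if c is not None and c.shortfall_ratio is not None and c.shortfall_ratio > 0:
            current.append(c)
            continue
        if len(current) >= run_length:
            runs.append({"pos": [x.po for x in current],
                         "total_shortfall_l": sum(x.shortfall_l for x in current),
                         "mean_ratio": sum(x.shortfall_ratio for x in current) / len(current)})
        current = []
    return runs


if __name__ == "__main__":
    results = reconcile(ORDERS, GATE, TRANSFERS, RECEIPTS)
    for c in results:
        print(c.po, c.date, c.dispensed_l, c.received_l, c.shortfall_l, c.flags)
    for run in find_runs(results):
        print("persistent shortfall:", run["pos"], run["total_shortfall_l"], "L",
              f"mean {run['mean_ratio']:.1%}")
```

The same join can be driven from spreadsheet exports of the four datasets; the per-delivery tolerance catches a single large skim while the run check catches a small skim repeated weekly.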

What other preventative and detective controls might be relevant in this scenario?

In addition to the data points outlined above, a range of other preventative and detective controls could be used to identify potential diversion. These measures may be more expensive than the ‘books and records’ approach outlined above, hence their application should be risk-based. Relevant examples include:

  • Accurate calibration of measures to calculate the volume of fuel delivered – just like petrol stations, fuel delivery measures need regular re-calibration, and in some instances may be tampered with to under- or over-deliver. There may be two such devices in this example: (1) the tanker truck and (2) HMS Bulwark.
  • Quality checks should be performed by the customer to ensure the diesel is of appropriate quality and that product substitution has not occurred (e.g. fuel diluted with another substance, or fuel sitting on top of a heavier substance to give the appearance of conformance).
  • GPS monitoring on the tanker truck allows both the vendor and customer to monitor for unscheduled stops, which could be indicative of an accident or unscheduled delay, cargo theft (e.g. hijacking), or collusion with organised crime elements. These systems typically generate an alarm or alert in an operations centre.
  • IoT sensors may also be attached to fuel lines or gauges to confirm the quality and volume of product in real time as it is decanted from the tanker to the fuel storage tank.
  • High-value or sensitive facilities should be subject to a range of physical security measures.
  • Third parties loitering in a secure area, either pre- or post-fuel delivery, are also indicative of suspicious activity that would warrant further investigation (as allegedly occurred in this case).

As you can see, the Internet of Things (IoT) and the proliferation of sensors in daily life provide excellent opportunities for detecting product diversion in near real time.

Lessons learned – what to do about it?

Performing a thorough anti-diversion risk assessment, and then implementing appropriate detective measures to identify potential diversion incidents early, before any substantial loss, is the foundation of a proactive approach to managing diversion risk. The data required for detecting this type of diversion is likely to be readily collected in most organisations, and simple tools such as a spreadsheet can help identify anomalies. Detecting diversion in your data can be easy and cost-effective when you know what to look for.


Vendor Fraud: what is it?

Are there fraud risks associated with vendors?

Every public and private sector organisation today has a requirement to outsource some or all aspects of their operations, whether it be purchasing supplies or equipment, engaging a managed (outsourced) service provider to run its IT helpdesk or security operations centre, or purchasing tangible products or raw materials for its operations. Managing these capabilities takes a lot of effort and typically requires a specialist team aside from the procurement function to manage key relationships day to day.


We all know that relationships are difficult by their nature, and business relationships are no different to those in our personal lives. Sometimes, however, relationships deteriorate substantially to the point of potential litigation or where those relationships may be severed. Common triggers for this include upstream supply or quality control issues, breaches of confidentiality, and fraud.

What is fraud?

The Commonwealth Fraud Control Policy defines fraud as ‘dishonestly obtaining a benefit, or causing a loss, by deception or other means’. As defined here, a benefit can be non-material or material benefit, tangible or intangible. Benefits may also be obtained by a third party. Examples of fraud relating to vendors include:

  • theft
  • accounting fraud (e.g. false invoices, misappropriation)
  • causing a loss, or avoiding and/or creating a liability
  • providing false or misleading information
  • failing to provide information when there is an obligation to do so
  • misuse of assets, equipment or facilities
  • making, or using, false, forged or falsified documents
  • wrongfully using confidential information or intellectual property.

Business to business fraud is a problem which remains largely off the radar – many businesses have problems with their vendors or business partners, but these rarely end up in court or in the media. Frequently, even when a business relationship goes wrong, the parties to the relationship still need each other and will work to rebuild trust that has been lost where an alternate supplier or partner is not available.

One important note on vendors is that they form part of your organisation’s inner circle: they are trusted insiders who, by virtue of this status, have privileged access to your organisation, its products, information, services, systems, facilities and people beyond that of the ordinary public. It is critical that vendors be considered as part of your Insider Threat Management Program, as well as in your Supply Chain Security, Integrity and Fraud Program. Where there are overlaps in coverage in these programs, this should be harmonised.

Associations with disreputable vendors can also damage your organisation’s reputation, and potentially introduce the risks of civil or criminal action as well as shareholder activism. One example here is where a vendor is involved in modern slavery, and your organisation’s due diligence program has not detected this in advance.


What is the vendor fraud landscape?

Vendor fraud can be defined as fraud involving a vendor that occurs at any point in the supplier process, which is:

  • Supplier selection
  • Contracting
  • Operations
  • Termination

The Association of Certified Fraud Examiners (ACFE) notes that vendor fraud can occur in anything from billing to delivery of supplies, and can be broadly grouped in two categories. Vendor frauds involving trusted insiders, such as employees and contractors, can occur independent of the vendor or in collusion with them. There are also various types of vendor frauds perpetrated without the involvement of insiders. These range from what we might call ‘soft frauds’, such as subtly charging the wrong hourly rate or claiming travel expenses when not applicable, through to more serious problems like product substitution. A high level taxonomy of vendor fraud is shown below:

Vendor frauds involving insiders | External vendor frauds
Billing schemes (invoicing) | Labour fraud schemes (for outsourced services)
Corruption schemes (e.g. kickbacks, bribery, conflicts of interest) | Travel fraud schemes
Fraud schemes involving materials
Shell companies and pass through schemes
Hidden subcontractor schemes
ACFE – high level vendor fraud taxonomy

As you can see, there is a wide spectrum of vendor frauds – the ACFE’s training course on vendor fraud, referenced below, is a great starting point for someone new to this area. Some are specific to particular types of work – such as labour and travel fraud schemes more prominent with the outsourcing of services.

Vendor fraud versus supply chain integrity: what’s the difference?

As the focus of @forewarnedblog is on protection and integrity of critical technologies, supply chains, IP, products, brands and marketplaces, I would be remiss if I did not cover vendor fraud schemes involving materials and ‘supply chain integrity’ in more detail.

The term ‘supply chain integrity’ is being used increasingly in common language to reflect whether business buyers (as opposed to retail consumers) have ‘got what they paid for’ in relation to materials (products). As consumers, when we buy a product (the material) we expect it to meet certain quality or provenance (origin) standards, such as those advertised by the seller or manufacturer. In countries like Australia, many of these requirements are also enshrined in consumer law. If a product breaks or fails, or if it is poor quality such as paint peeling off, then we feel disappointed and probably worse. It is business’ responsibility to make sure this outcome doesn’t happen for its consumers, which is where a Supply Chain Integrity program comes in.

A Supply Chain Integrity program aims to “mitigate the risk end-user’s exposure to adulterated, economically motivated adulteration, counterfeit, falsified, or misbranded products or materials, or those which have been stolen or diverted” (The United States Pharmacopeial Convention, 2016). These programs apply to both buyers and sellers, but the focus differs depending on where you sit in a supply chain.


The overlap with vendor fraud lies with what ACFE refers to as “fraud schemes involving materials”, covering risks such as product substitution (a buyer pays for a product meeting one set of specifications, but it is substituted with a cheaper, lower quality, alternate or less functional model which might be less reliable or functional for the user). Typically, the trust a consumer places in a product or service is also wrapped up in the seller’s brand – if we see a product for sale from a brand we trust, we might buy it without question. Commonly, Supply Chain Integrity is bundled with Supply Chain Security into a consolidated ‘Supply Chain Integrity and Security’ program (SCIS), as seen in the global pharmaceutical industry.

Typically, an SCIS program focuses on both upstream supply (i.e. ensuring substandard products or raw materials do not infiltrate your supply chain as an input to say manufacturing), and downstream to ensure that counterfeits and diverted products do not enter a supply chain through nodes such as authorised distributors. In contrast, vendor fraud programs are typically narrower in scope.

What does this mean in practice?

In my opinion, if you are in an industry with serious life, safety or reputational (‘brand’) risks attached to the quality of materials provided by your suppliers, using a vendor fraud program to manage product substitution fraud risks may not be sufficiently robust or rigorous. Typically these programs focus on whether the vendor supplied a substandard product (i.e. may have defrauded you in terms of your sourcing, purchasing or procurement process) rather than a more holistic program aimed at improving the security and integrity of your supply chain overall (i.e. all products across all vendors). For these industries, a holistic Supply Chain Integrity and Security program (that also addresses the vendor fraud risk of product substitution) is more appropriate.

We already see this situation emerging in high reliability industries (e.g. mass transport, pharmaceuticals and medical devices, automotive and aerospace). In Australia, this area is becoming increasingly regulated with amendments to Australia’s Security of Critical Infrastructure (SOCI) Act which covers eleven critical infrastructure sectors and introduces new rules for managing supply chain integrity and security hazards. There’s a lot to unpack in this topic – I will cover some types of vendor fraud, particularly product substitution (sometimes called ‘product fraud’) in future posts.


What is an ‘IP Audit’ anyway?

Intangible Assets – easily overlooked

I still remember performing my first ever Intellectual Property (IP) audit on my consulting journey. I had just graduated from business school which had opened my eyes to the world of commercialisation and IP assets, and how they could be exploited or misplaced. My client was a large player in global airport infrastructure services, and as part of their work the Executive Officer to the CEO thought it was important to identify and map their IP asset holdings. As I worked my way through the organisation, interviewing staff and cataloguing their IP, I still remember stumbling across the engineering laboratory hidden in one corner of a floor, out of sight.

As I spoke to the team members there, I discovered not only did they maintain specialised electronic components for equipment used in delivery of their services, but in their spare time and with discretionary budget the team of engineers worked to invent their own solutions to airport infrastructure problems. This activity flew completely under the radar of the organisation’s executive, meaning not only did their work potentially miss out on dedicated funding which might generate a revenue stream or licensing opportunity for the organisation, but the IP was not properly protected – including from theft should those employees decide to resign and move to a competitor or start their own business.

This type of situation is encountered time and time again in Australian businesses. Our level of awareness and maturity in relation to IP is relatively low in most sectors, and my experience has been that in sectors which are aware of the fundamental concepts, IP assets are either managed very selectively or in many cases not at all. As an advanced economy with a strong STEM-based population and research capability, we need to get better at protecting our IP if we are to compete and thrive as a nation in a knowledge-driven world. Completing an IP Audit is one of the first steps to doing this.


What are intellectual assets?

Intellectual Assets are intangibles that have value to an enterprise including but not limited to “information, intellectual property, credibility and reputation, and brand identity”. Whilst the term ‘intellectual property’ is often used to commonly refer to sensitive information, six types of IP are recognised by the World Intellectual Property Organisation (WIPO):

  • Patents
  • Trade Marks
  • Copyright
  • Industrial designs
  • Geographical Indicators (e.g. ‘champagne’)
  • Trade Secrets

In Australia, we have another category of IP called ‘Plant Breeder’s Rights’, and Geographical Indicators are registered under our ‘Certification Trade Mark system’. Unlike other jurisdictions such as the U.S., Australian law does not explicitly recognise ‘trade secrets’ as a category of IP – instead, ‘trade secrets’ are considered a category of ‘Confidential Information’ (Dighe & Lewis, 2020). More on this in a future post.

According to IP Australia, “a trade secret can be any confidential information of value. Unlike other IP rights, trade secrets are protected by keeping them a secret, and are not registered with IP offices. The protection of a trade secret will cease if the information is made public, and trade secrets do not prevent other people from independently inventing and commercialising the same product or process”.

What is an IP audit?

According to the Queensland Government, “an IP audit is a review of the IP owned, used or acquired by an organisation. It aims to find out what IP is within an organisation, who owns it, the value of that IP, its legal status, and what to do with it“. Once identified, in addition to focusing on the legal status of your IP, you also need to understand whether it is adequately protected. For example:

  • Which threat actors might seek to steal or sabotage your intellectual assets? Employees, competitors, nation states (‘economic espionage’) or someone else?
  • What are the actual risks posed by these threat actors? Examples include theft, sabotage and IP infringement.
  • What internal controls do you have in place in terms of your holistic security programs to address the identified threats and risks? These may need to address insider threats, supply chain threats, and external threats (e.g. competitors).

How are IP audits performed?

Once you have decided to undertake an IP audit, you need to develop your scope and methodology. This starts with developing your audit plan and audit team. I find it’s easier to divide the audit into two or three parts, as follows:

  • Step 1 – data collection: systematically catalogue confirmed or potential IP and confidential information in a register. I use the organisation chart as a starting point for this.
    • Tip: it’s easy to get bogged down and start to catalogue every document. Instead, focus on categories of information (e.g. financials) and then narrow down in key areas.
  • Step 2 – initial assessment: once you’ve compiled your initial register, assess it to remove all unnecessary content by ensuring each entry meets the criteria for an asset. If not relevant, delete it. Hopefully you’re left with a relatively small number of manageable entries, the output of which is your register of ‘critical information assets’.
  • Step 3 – commercial evaluation: use your register of ‘critical information assets’ to review potential commercial opportunities (e.g. licensing), develop monitoring programs for infringement, or even sell the IP Rights to another party if no longer used or relevant to your strategy.
  • Step 4 – risk management: review your register of critical assets to ensure the information is adequately protected. This includes legal provisions (e.g. patents), employment contracts (e.g. non-disclosure and IP assignment clauses), information security programs, and supply chain or third party risk programs. Make sure your critical information assets are appropriately marked, secured (e.g. encrypted), access is controlled, and unauthorised dissemination is limited.

Using the findings of your IP audit to better protect these assets

All too often, businesses take a purely legalistic approach to protecting their IP and Confidential Information assets. It is important to remember that just because your research is patented, or because you have a non-disclosure agreement in place with your suppliers or employees, it is not completely protected. Particularly in the case of confidential information, courts expect businesses to have implemented appropriate security programs to safeguard their information – it is not sufficient to rely purely on legal protections in the courts if something happens. Further, this sort of reactive response is not productive, is very expensive, and consumes substantial amounts of time from your board, executives and senior staff – time that could be more productively spent elsewhere.

Prevention and early detection is the key, but to do this you need to understand what your IP assets are (such as via the IP audit process), work out where their associated vulnerabilities or exposures lie (are they limited to your employees or do you divulge this information to your third parties too? if so, who has access…). Then you can wrap a combination of cybersecurity (e.g. networks, systems, encryption) and what I refer to as ‘non-cyber information security’ programs around this to build your protective bubble. These relationships are illustrated below:

As you can see, there is more to protecting your IP and Confidential Information than patents, copyright and design rights. If you’re unfamiliar with how to build a program to protect your confidential information, take a look at my previous post here.

Further reading


Ukraine and looming Russian sanctions – implications for supply chains

Historically, awareness of sanctions has been mixed in Australia and typically strongest in financial services and commodities. This article examines what sanctions are, who issues them, the core components of a Sanctions Compliance Program, and what the introduction of sanctions on Russia as a result of any future invasion of Ukraine might mean for Australian supply chains.


What are sanctions?

According to HM Treasury, “sanctions are restrictions put in place to achieve a specific foreign policy or national security objective. They can (a) limit the provision of certain financial services, or (b) restrict access to financial markets, funds and economic resources”.

Each jurisdiction uses its own terminology for sanctions, but the United Kingdom categorises sanctions into three simple categories:

  • Targeted asset freezes – for individuals and entities
  • Restrictions on financial markets and services – for individuals, entities, specified groups or entire sectors including:
    • Investment bans
    • Restrictions on access to capital markets
    • Directions to cease banking relationships and activities
    • Requirements to notify or seek authorisation prior to certain payments being made or received
    • Restrictions on the provision of financial, insurance, brokering or advisory services or other financial activities
  • Directions to cease all business – specifying the type of business and applicable to a specific person, group, sector or country

As you can see, sanctions and their impact can be quite broad and far reaching. One particular challenge with sanctions lies in identifying parties who are indirectly sanctioned. This requires more sophisticated due diligence and compliance oversight to manage properly.


Who promulgates sanctions?

The UN Security Council (UNSC) has the power to levy economic and trade sanctions however this requires consensus from the five permanent members of the UNSC, which is rare.

In addition to the UNSC, individual countries have also recognised the strategic power of sanctions. Since the use of blockades during World War One, this has resulted in country-specific legislation that affects companies and individuals resident in, or operating in, their jurisdiction (Mulder, 2022).

Some national sanctions regimes are politically motivated, such as where foreign dissidents, human rights defenders, or the political opposition are targeted, but this sort of behaviour is typically restricted to non-democratic countries. Globally, major sanctions bodies align with the world’s main financial centres, including:

Of these, OFAC is undoubtedly the strongest in terms of reach, influence and enforcement. This is because of the United States’ position as the global financial centre, with most companies having a presence or nexus to that market (including through their bank transactions). OFAC is also an active regulator, levying substantial fines and penalties on companies worldwide. This means that OFAC can be used as the benchmark for any sanctions compliance program – if you satisfy OFAC, you will probably satisfy all other regulators as well.

As its global power and influence grows, the People’s Republic of China is increasingly becoming a player in relation to sanctions, as highlighted in the Atlantic Council’s Global Sanctions Dashboard. China’s rise and influence in relation to sanctions will be increasingly important.


What should a sanctions compliance program comprise?

In 2019, the U.S. Treasury published its 12-page guidance on designing and implementing a Sanctions Compliance Program in a document entitled “A Framework for OFAC Compliance Commitments”. OFAC expects regulated entities to undertake at least five core elements in their compliance program:

  • Management Commitment
  • Risk Assessment
  • Internal Controls
  • Testing and Auditing
  • Training

On face value, these elements are much like any other risk or compliance program we would expect to see. However, with sanctions the devil lies in the detail and particularly the complexity of the various regimes. This post is not intended to be a detailed overview of sanctions compliance, rather to provide context for the following discussion on what this means for supply chains.

If your sanctions program is not up to scratch, or if you don’t have one at all, seek specialist advice as the fines and penalties for non-compliance can be substantial and extend beyond the enforcement action to potentially mean your suppliers and customers will no longer do business with you due to the risk you present.


What does the situation in Ukraine mean for supply chain hazards, as an example?

Under Australia’s new Security of Critical Infrastructure (SOCI) Act, one of the key elements of the associated Rules, Supply Chain Hazards, requires regulated entities to ‘establish and maintain in the entity’s program a process or system that the entity uses to minimise or eliminate the material risk of, or mitigate, the relevant impact of’ amongst other things ‘(d) disruptions and sanctions of the asset due to a disruption in the supply chain’.

With the prospect of more sanctions on Russia, companies need to start working now to review their suppliers, update their risk assessments, and identify any potential connections to Russian individuals, entities and sectors. Some of the steps you may need to take include:

  • Examining the geographic presence of your suppliers – are any based and / or headquartered in Russia or its allies?
  • Ultimate Beneficial ownership or control – who (individuals) or what (other legal entities) own some or all of your suppliers, and are any of them Russian, or do they have a nexus to Russia?
  • Once you have identified your suppliers and their beneficial owners, be prepared to conduct name screening against the relevant sanctions lists, or alternatively use a reliable vendor solution such as Refinitiv’s World-Check, Dow Jones Watchlist or LexisNexis World Compliance.
  • Identify any other potential foreign influence from Russia or its proxies that could impact your supply chain or operations.

If you are new to sanctions, your reaction is probably that this would take a lot of effort and involve some cost. In my experience, this is exactly the case. Once sanctions are promulgated, you need to compare the sanctions list(s) to your supplier data to ensure there are no matches. Your bank will do the same, so if you don’t do this you risk a supplier payment being confiscated by a regulator which can be hard to recover. In addition, intentionally or unintentionally breaking a sanction has serious criminal and civil penalties.
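How the name screening step described above can work in practice, as an added example (not code from ForewarnedBlog or from any of the vendor solutions named earlier): it normalises organisation and owner names, scores every supplier and beneficial owner against a watchlist using Python’s standard difflib, and records country agreement as corroborating evidence for the confirmation step. Every name, list entry and threshold below is a constructed assumption, not a real party or a tuned setting.

```python
"""Name screening of a supplier register against a sanctions-style list.

Added example for this post, not the blog's own code and not any vendor
product. Every supplier, owner and watchlist entry below is a constructed
placeholder, not a real party. Thresholds are assumptions to be tuned.
"""
import re
from difflib import SequenceMatcher

# Legal-form suffixes that add noise when comparing organisation names
# (constructed subset; extend for the jurisdictions you trade with).
SUFFIXES = {"ltd", "limited", "llc", "inc", "plc", "gmbh", "pty", "ooo",
            "ao", "pao", "co", "company", "corp"}


def normalise(name):
    """Casefold, strip punctuation and legal-form suffixes, return tokens."""
    tokens = re.sub(r"[^\w\s]", " ", name.casefold()).split()
    return [t for t in tokens if t not in SUFFIXES]


def similarity(a, b):
    """Score in [0, 1]: the better of token overlap (Jaccard) and a
    character-level ratio, so both reordered words and typos are caught."""
    ta, tb = normalise(a), normalise(b)
    if not ta or not tb:
        return 0.0
    jaccard = len(set(ta) & set(tb)) / len(set(ta) | set(tb))
    seq = SequenceMatcher(None, " ".join(ta), " ".join(tb)).ratio()
    return max(jaccard, seq)


def best_match(subject, entry):
    """Highest similarity of a subject against an entry's name and aliases."""
    return max(similarity(subject, n) for n in [entry["name"], *entry["aliases"]])


def screen_register(suppliers, watchlist, review=0.75, escalate=0.95):
    """Screen each supplier name and each beneficial owner against the list.

    Returns potential matches only; nothing here is a finding yet. 'escalate'
    means a near-exact name match, 'review' means an analyst must qualify it.
    Country agreement is recorded as corroborating evidence for that step.
    """
    hits = []
    for supplier in suppliers:
        for subject in [supplier["name"], *supplier["owners"]]:
            for entry in watchlist:
                score = best_match(subject, entry)
                if score < review:
                    continue
                hits.append({
                    "supplier": supplier["name"],
                    "subject": subject,
                    "list_entry": entry["name"],
                    "score": round(score, 3),
                    "country_match": supplier["country"] == entry["country"],
                    "action": "escalate" if score >= escalate else "review",
                })
    hits.sort(key=lambda h: h["score"], reverse=True)
    return hits


# Constructed watchlist: placeholder entries in the shape of a sanctions list.
WATCHLIST = [
    {"name": "Example Metals Trading OOO", "aliases": ["EMT Trading"],
     "country": "RU"},
    {"name": "Ivan Exampleov", "aliases": ["I. Exampleov"], "country": "RU"},
]

# Constructed supplier register with ultimate beneficial owners.
SUPPLIERS = [
    {"name": "Example Metals Trading Ltd", "country": "AU",
     "owners": ["Jane Citizen"]},
    {"name": "Exampel Metals Trdg Pty Ltd", "country": "RU",   # typo variant
     "owners": ["Jane Citizen"]},
    {"name": "Acme Fasteners Pty Ltd", "country": "AU",
     "owners": ["Ivan Exampleov", "Jane Citizen"]},        # owner is listed
    {"name": "Northern Bolts LLC", "country": "US",
     "owners": ["Pat Holder"]},
]

if __name__ == "__main__":
    for hit in screen_register(SUPPLIERS, WATCHLIST):
        print(f"{hit['action']:8} {hit['score']:.3f} country_match="
              f"{hit['country_match']!s:5} {hit['supplier']} / "
              f"{hit['subject']} -> {hit['list_entry']}")
```

Note that a supplier whose name is clean can still surface through its owner (the Acme case), which is why the register must carry beneficial ownership before screening runs.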

Further Reading


How should I perform due diligence to comply with Australia’s Modern Slavery Act 2018 (part 2)?

Author: Paul Curwell


This article is the second in a series on Australia’s Modern Slavery Act, this time with a focus on due diligence practices. Readers of my previous post may recall that one of the requirements of the MSA is to ‘Describe the actions taken by the reporting entity and any entities it owns or controls to assess and address these risks, including due diligence and remediation processes‘ (p29). The Guidance goes on to say that due diligence is a key term within the UN Guiding Principles (pp46-47), and directs readers to the OECD Due Diligence Guidance for Responsible Business Conduct as a source of ‘key international standards and guidance’ (p90).

In this second article, I aim to help readers understand the Australian Government’s expectations of a Reporting Entity’s human rights due diligence program so as to comply with the MSA in a clear and practical manner.

Australia’s Parliament House

The UN Guiding Principles establish the concept of ‘human rights due diligence’

The United Nations Guiding Principles on Business and Human Rights (UNGPs) were endorsed by the United Nations Human Rights Council in June 2011. The UNGPs are intended to apply to both nation states and businesses regardless of factors such as size or jurisdiction, and set out the intended duties and responsibilities of both parties. Under the UNGPs, what constitutes ‘human rights’ are defined as those rights outlined in the International Bill of Human Rights and the International Labour Organisation Declaration on the Fundamental Principles and Rights at Work (UNGP 12).

Of the 31 Guiding Principles, three in particular establish responsibilities for business in relation to human rights due diligence, as follows:

  • GP 13 – requires businesses to avoid causing human rights impacts through their operations or activities, and to seek to prevent or mitigate any adverse human rights impacts linked to them
  • GP 15 – states that in order to meet their human rights responsibilities, businesses should have: (a) a human rights policy, (b) a human rights due diligence process, and (c) a process to enable remediation
  • GP 17 – states that human rights due diligence is required by business to ‘identify, prevent, mitigate and account’ for adverse human rights impacts. This activity “should include assessing actual and potential human rights impacts, integrating and acting upon the findings, tracking responses, and communicating how impacts are assessed”

The Australian Government’s Modern Slavery Act Guidance for Reporting Entities is aligned to the UNGPs, hence an understanding of them is useful when designing a due diligence program in order to comply with the Modern Slavery Act.

The OECD’s Multinational Enterprise Guidelines complement and expand upon the UNGPs

In May 2010, the governments of the 42 OECD and non-OECD countries which adhere to the OECD Declaration on International Investment and Multinational Enterprises and related Decision, of which Australia is a member, commenced work to update the original OECD Multinational Enterprise (MNE) Guidelines originally developed in 2000. In addition to providing concepts and principles, the Guidelines provide specific guidance in eight domains:

  • Human Rights
  • Employment and Industrial Relations
  • Environment
  • Combating Bribery, Bribe Solicitation and Extortion
  • Consumer Interests
  • Science and Technology
  • Competition, and,
  • Taxation

The revised version of the MNE Guidelines included a new chapter on Human Rights which is consistent with the UNGPs. The MNE Guidelines are intended to provide “non binding principles and standards for Responsible Business Conduct”, and are “the only multilaterally agreed and comprehensive code of responsible business conduct that governments have committed to promoting” (p3).

The MNE Guidelines contain a number of requirements pertaining to Human Rights Due Diligence (i.e. Modern Slavery Act due diligence practices), however this guidance aligns with that of the UNGPs and does not warrant repeating.

Why should the OECD’s MNE Guidelines matter to Australian businesses?

Australia is a signatory to the OECD Declaration on International Investment and Multinational Enterprises and Decisions. To effect this, the Australian Treasury manages Australia’s OECD MNE ‘National Contact Point’ to promote and implement the MNE Guidelines. The Government expects Australian businesses to comply with the MNE Guidelines and the OECD Due Diligence Guidance for Responsible Business Conduct and associated sector due diligence guidelines (see below) as they “represent standards of behaviour that supplement Australian law and therefore do not create conflicting requirements“. Non-judicial complaints can be brought against Australian businesses, and are investigated by an Independent Examiner (currently WA Barrister Mr John Southalan).

To assist business in interpreting and implementing the MNE Guidelines, the OECD has produced its Due Diligence Guidance for Responsible Business Conduct, supported by additional sector specific due diligence guidance for:

The OECD also introduces new sector-specific guidelines periodically.

The OECD has developed guidance for business on how to undertake ‘human rights due diligence’


As an Australian, I struggle with the way the ‘human rights due diligence’ concepts are presented in the UNGPs and OECD guidelines. We so frequently design our governance, risk and compliance frameworks along the lines of ISO31000 – Risk Management and ISO19600 – Compliance Management Systems that it is easy to forget these elements are not so ingrained overseas.

I raise this because the OECD Due Diligence Guidelines for Responsible Business Conduct (DDGs) introduce a six-step due diligence process which contains some functions we might ordinarily consider constituting part of a risk and compliance framework, as follows (Figure 1, p21):

  1. Embed Responsible Business Conduct into policies and management systems
  2. Identify and assess adverse impacts in operations, supply chains and business relationships
  3. Cease, prevent or mitigate adverse impacts
  4. Track implementation and results
  5. Communicate how impacts are addressed
  6. Provide for, or cooperate in, remediation where appropriate

Although the OECD states that businesses may not see these elements as being exclusive to a due diligence program per se, the DDG also states the focus of human rights due diligence processes should be external to the business itself (as opposed to risk management’s traditionally internal focus) and focused on its extended operations, products or services, and its ‘business relationships’ (what Australians might consider as Third Party Risk Management).

Human Rights Due Diligence can build off (although it is broader than) traditional transactional or ‘Know Your Counterparty’ (KYC) due diligence processes

The DDGs are not intended to replace those practices commonly referred to as ‘Know Your Customer’ (KYC), ‘Know Your Supplier’ (KYS), ‘Know Your Partner’ (KYP) or ‘Enhanced Due Diligence’ (under AML/CTF laws, legislated in Australia as ‘Enhanced Customer Due Diligence’) (p16). These due diligence activities are different to human rights due diligence, albeit there will likely be some overlap, and commonly focus on some variation of the following nine key areas:

  • Identification and Identity Verification
  • Legal entity formation and directors
  • Determination of Beneficial Ownership
  • Financial viability, credit ratings and performance
  • Litigation, bankruptcy & lien searches
  • Name screening (adverse media, Politically Exposed Persons, Sanctions)
  • Assessment of management’s style, integrity, competence and track record
  • Reputation in business, industry, the company or community
  • Disclosed and undisclosed Conflicts of Interest, Related Party relationships and other red flags

Simplifying the OECD’s six-step due diligence process

When I look at the OECD’s six-step due diligence process outlined earlier, Step 2 constitutes what I would consider to be the crux of the actual due diligence (Figure 1, p21). The purpose of Step 2 is to “identify and assess actual and potential adverse impacts associated with the enterprise’s operations, products or services”, which the guidance decomposes into four elements:

  • 2.1 – Develop an enterprise-level risk assessment to identify the areas of highest risk based on a range of internal and external factors, including information gaps. Complete the due diligence from areas of highest to lowest risk
  • 2.2 – Undertake iterative and increasingly in-depth assessments of operations, suppliers and other business relationships to identify and assess adverse Responsible Business Conduct impacts, starting with the highest risk areas first from 2.1 (above)
  • 2.3 – Assess whether the enterprise caused (would cause), contribute to, or whether the adverse impact is (would be) directly linked to its operations in order to determine an appropriate response (i.e. is it actually involved, or potentially involved)
  • 2.4 – Prioritise the most significant risks and impacts for action based on severity and likelihood

Step 2.1 will resonate well with anyone familiar with the principles of risk management in that resources should always be concentrated towards those areas of the highest risk exposure.

Step 2.2 is an interesting one. In Terrorist Diversion (Routledge, 2021), I wrote the chapter on due diligence practices for non-profit organisations. In this, I outlined a risk-based process where the level (extent) of due diligence initially undertaken is predicated on the perceived inherent risk prior to commencing due diligence. Where indications are encountered that an entity is actually higher risk whilst performing the diligence, the extent of diligence can be easily increased. Step 2.2 aligns with these principles.

Steps 2.3 and 2.4 start to get into matters of liability and social responsibility for any identified (or potential adverse) findings, and subsequently a treatment plan. Depending on your organisation, this may or may not be the responsibility of the team actually performing the due diligence itself.

To make it easier for readers to follow all of this, I have developed this simple cheat sheet which I hope will be a useful resource (please remember to cite me appropriately).

– (C) Copyright Paul Curwell (2000, Australia).

Further Reading
