Large corporations, manufacturers, providers of luxury goods, automotive companies, and so on have wide and varied third-party supplier networks. The number of organizations within a third-party network needed to deliver each finished product or service can be vast. Suppliers within a value chain can span hundreds of thousands of smaller businesses in different regions all producing parts, widgets, software, and labor.
Within a vast network of suppliers and suppliers’ suppliers, some of the connections to businesses with undesirable or illegal practices can be lost without a robust and thorough risk-based approach (RBA) to due diligence.
Assessing and mitigating risk across large supplier networks is crucial to compliance with regulation such as the Uyghur Forced Labor Prevention Act and the German Supply Chain Act. Legislation of this kind is growing, and it is here to stay – these laws are fundamentally re-shaping how global organizations deal with their value chains, affecting entire business models. Enrico Aresu, Director - Industry Practice Lead - Financial Crime Compliance & Third-Party Risk DACH – BeNeLux – CEE, said: “Moody’s clients tell us that if they get supplier risk management wrong, it could threaten their entire future and the existence of their business. The stakes are extremely high in this area of risk management and compliance.”
Effective supplier risk management is important for profit, operational resilience, and preventing reputational harm, which can result from negative media coverage of “bad practices” found within the supply chains of legitimate businesses.
Conducting risk assessments and monitoring third parties through each layer of a supplier network can be difficult to execute and time-consuming to complete, but the process of compliance with supplier due diligence regulation, forced labor laws, and environmental and social governance makes it imperative.
The best way to achieve compliance with relevant third-party risk management laws, in order to protect operations and reputations, is to take a transparent risk-based approach that addresses the due diligence process according to company policy and in compliance with regulations. These processes help companies understand how businesses within their counterparty network are connected and what level of risk they pose.
However, one of the biggest challenges in building a robust RBA is how fragmented the data, technology, and processes can become, especially across major global organizations. Some large businesses will have more than 50 different enterprise resource planning (ERP) systems involved in risk and compliance activity. Therefore, having a single view of counterparty risk across the entire profile of suppliers is ideal.
Know your business (KYB) checks can be carried out on any organization around the world, verifying information such as company address and beneficial ownership information, along with numerous other pieces of data that build a picture of risk and enable further investigations or enhanced due diligence to take place.
When a high-risk third party is uncovered through a workflow of checks, organizations are then able to make decisions with confidence about who they work with, while being proactive about possible preventive measures to mitigate risks according to their risk appetite.
KYB solutions can be the key to helping large organizations and those with complex supply chains find the right trade-off between robust global standards and local requirements, i.e. balancing efficiency and effectiveness.
In recent news, there have been reported instances of luxury car brands that were prevented from delivering goods into the US market because of subcomponents included in their vehicles. Parts were found to have been produced in a specific region of China subject to the Uyghur Forced Labor Act.
The Uyghur Forced Labor Prevention Act is aimed at preventing the import of goods made with forced labor from the Xinjiang Uyghur Autonomous Region of China. The Act was motivated by reports of human rights abuses against the Uyghur population and other ethnic minority groups in the region. The Act essentially presumes goods manufactured in Xinjiang are made with forced labor and are therefore banned unless the importers can prove otherwise. This shifts the burden of proof to companies, compelling them to ensure and demonstrate their supply chains do not involve forced labor.
Subcomponents identified as being from Xinjiang included in specific cars could mean vehicles are held and potentially denied entry into the US. And this protocol would be the same for any other goods and products. Provenance of parts produced in the Xinjiang region of China doesn't mean every application for export will automatically be rejected, but it does mean there is a high probability there will be issues if the application isn’t supported with the correct documentation that proves thorough and robust due diligence took place.
Enrico again: “Manufacturers and producers should have triggers for enhanced due diligence that clear any possible suspicion of modern slavery or forced labor in their supply chains. The right automated KYB solution can identify suppliers based in China, and it can help create a picture of risk across the supplier network - for example, if an element or a component is produced by a third party in Xinjiang. With certification that assessment has taken place, it’s possible to then ask the US Congressional Budget Office for shipment authorization.”
This underscores the importance of proactively managing supplier risk and of conducting enhanced due diligence on suppliers in high-risk regions before producing goods and trying to ship them. Automated risk analysis can uncover issues to avoid costly delays and compliance breaches.
While the inclusion of parts produced in Xinjiang in a supply chain appears to be a basic error, there are significant complexities at play that shouldn’t be underestimated.
Moody’s Orbis database highlights one Chinese supplier of car parts that had more than 88,000 other companies in its universe. They had multi-layered, complex ownership structures too, which could have been designed to obfuscate the connection with Xinjiang. And one subcomponent could be the tip of the iceberg. While it is, of course, each company’s decision where it sources parts, these decisions need to be factored into a risk-based approach to compliance, otherwise it could create exposure to risk and reputational harm.
With access to the relevant data, and tools to interpret that data during enhanced due diligence, it is possible to find connections to high-risk or vetoed organizations. Robust supplier due diligence and risk assessment processes enable firms to be more effective at finding areas of higher risk, non-compliance, and threats to their business.
Corporations of all types and sizes need to be cognizant of these kinds of supplier-related risk, exercising diligence and caution. Firms need to be aware of how to assess complex corporate structures if they plan to go into partnership with them.
The key questions then are:
A risk-based approach to compliance with laws, sanctions and new sustainability requirements involves the identification, assessment, and understanding of the unique risks each organization may face. This approach then influences the organization's policies, procedures, and controls to effectively manage and mitigate identified risks, which can vary in nature significantly depending on the organization's size, risk appetite, location, customer base, products, and services.
With the right balance between workforce, technology, and data, companies can achieve a robust risk-based approach to due diligence that is appropriate to their business and its operation. This enables them to understand where issues lie across their counterparty network and take appropriate action in compliance with regulation and company policy.
Moody’s can work with companies in any sector to support enhanced due diligence and develop a risk-based approach to supplier risk management.