Sonal Sinha

Risk Management

Your Employees: A Principal Factor in the Supply-Chain Risk Equation

Develop a culture of compliance

Published: Monday, November 9, 2015 - 12:25

In a recent poll, employees (22.9%) were identified as the top source of supply chain fraud risk, followed by vendors (17.4%) and other third parties (20.1%), including subcontractors and their vendors. In calling new attention to the old cliché of “an inside job,” the statistics may prove to be somewhat of a wake-up call not only for business leadership but also for risk management professionals.

With all of these factors at play, preventing and detecting supply chain abuse is difficult—and overcoming the obstacles requires a culture of compliance.

Supply chain complexities create a breeding ground for risk

This is an era of complex supply chains. The supply chain landscape is increasingly mobile, global, social, and digital, and how well companies manage their supply chains plays a critical role in their ability to compete. Given the continued pressure to reduce the cost of manufactured goods, the rise of global sourcing and manufacturing, international trade, ecommerce, and demands from an unprecedented number of connected consumers will cause supply chain risks to grow and become more complicated. As the risks multiply in volume and variety, companies in virtually every industry are struggling to keep pace with external and internal supply chain vulnerabilities.

In the case of external risks, it’s critical that companies take operational responsibility for third parties to more holistically manage risks that can harm the organization and undermine its reputation. By addressing supply-chain processes, management, regulatory compliance, and safety, companies are better positioned to ward off high-risk events in the first place. In industries where products can affect human life (e.g., medical or automotive), supply chain risks and their complexities are heightened even more—compelling businesses to treat high-risk vendors as if they are part of the parent company. Regardless of industry, having a high level of operational accountability helps to mitigate third-party risks.

When it comes to internal risks, many companies have some policies and procedures in place. These may address nearly every aspect of the supply chain—from research and development, product development, and demand and supply planning, to manufacturing, delivery, and returns—but they are often siloed and lack interdependencies. What’s common to all of these internal compliance efforts, however, is an organization’s employees. And, more often than we might expect, employees leverage transactions involving third parties to their own benefit. It’s therefore imperative to factor employees into the supply chain risk equation, but many companies don’t.

Employees can pose a large risk when it comes to supply chain fraud and abuse

Employee risk must be considered for supply chains, just as it is in the context of anti-bribery and anti-corruption risks. There are a number of warning signs of potential supply chain fraud, including immature and biased bidding and procurement processes, flawed contracts without an exit strategy or termination clause, insufficient clarity in third-party invoices, and insufficient auditing of vendor practices. Additional red flags point to little oversight into the proper administration of agreements, poor relationships with specific third parties, and the use of sole-sourced agreements.

Companies generally don’t place an emphasis on or allocate resources to mitigating employee risks to the supply chain. They generally focus on other aspects of the supply chain, such as the risk around credit, product quality, logistics, and entering new markets and countries. In all this, they overlook employee risk. When it comes to suppliers, if companies do examine vendor relationships, it’s in terms of their business value and stability, and not in terms of who found the supplier in the first place, how the supplier was actually identified, and what information was used to validate the company. Organizations have few controls at their disposal to govern these activities.

In worst-case scenarios, the repercussions of employee risk can bleed into reputation risk. Lapses in ethics and integrity can have far-reaching consequences, especially given today’s digital world and the widespread adoption of social media. The effects from incidents can exact huge financial tolls and brand value loss. When employees, especially executives, appear negligent, it’s highly likely the company will fall out of favor with investors, who may even sell off their equity stakes. Risk events can even affect an entire industry, eliciting extensive investigations and increased regulations.

Vendor and other third-party relationships are often left ungoverned

Third-party risk is a rapidly emerging area of concern. Risk sources include vendors, subcontractors, resellers, and more. Risks can be extremely high in various industries, especially for global enterprises that face more intricacies in sourcing, manufacturing, and moving goods across multiple international borders. In addition, third-party risk management is now giving rise to questions about fourth-party risks—those that arise when a vendor subcontracts a part of its business to another third party. In some industries, such as financial services, companies are now being held accountable to know not just their vendors but also their vendors’ suppliers.

Initially vetting an organization is sometimes difficult, especially with independent or smaller “mom and pop” entities that don’t publish a lot of business content and may not even have a web presence. Companies may also have various naming conventions, and the data you do find may leave you wondering if the businesses are one and the same, or if the information applies to the company at large or an arm of it. In a survey conducted by MetricStream, results showed that overall controls for managing relationships with third parties are not strong. Although some companies are careful when first onboarding vendors, the majority noted that they lack formal programs to administer relationships effectively over the long term.

Without question, third parties increase a company’s exposure to both internal and external risks. Therefore, business leaders must develop robust processes for employees to follow in qualifying suppliers. Vendor programs, protocols, quality, and safety practices must be the subject of more forensic oversight. Companies must put procedures in place to adequately estimate the risks and costs associated with their supplier community. With stronger due diligence, contracting, and ongoing management, companies can ensure risks are better understood and mitigated throughout the life of any vendor relationship.

Anemic internal controls present a significant challenge to lowering employee risk

The lack of internal controls to monitor relationships or potential relationships between suppliers and employees is one of the biggest obstacles preventing companies from lowering employee risk. The Deloitte poll referenced above found that more than one-quarter of professionals (28.9%) acknowledge that they have experienced supply chain abuse during the past 12 months, yet almost as many (26.8%) have no program currently in place to prevent and detect those risks. Compliance resource constraints are often cited as the reason why supply-chain risk management isn’t more of a priority. Given the magnitude of current-day reputational, litigation, and regulatory damages, companies can’t afford to ignore internal or external supply chain risks.

Despite the resource limitations, companies cannot look at their supply chains in isolation. Expansive and complex, supply chains today encompass much more than just sourcing or distribution. The organization that is stuck in this traditional view runs a high risk of failing to address the many other moving parts in the supply chain, including employee risk. Even when organizations are evaluating a vendor risk-management program, they generally do not consider employee risk as part of the development of the program and the controls around it. Compounding the problem is the lack of data that exist between an employee and a potential vendor.

Technology may help companies with resource issues and data limitations. With an effective monitoring program, organizations can track and report on supply chain issues, incidents, exposures, and risks in real time. Using technology to standardize complaints management provides a platform for documenting customer issues and automatically routing them for further review and remediation. Additionally, compliance management systems provide a centralized and integrated approach to governing adherence to internal requirements as well as external standards. Finally, audit management technology allows companies to automate both internal and external audits to keep supply chain abuse in check.

Mitigate employee risk by creating a culture of compliance

With greater awareness of the value of today’s supply chain, business leaders can understand the range of supply chain vulnerabilities and the significant effect that any event can have on an organization’s ability to prosper. To lower the risk of supply chain abuse among employees, the most effective strategy lies in creating and cultivating a culture of risk management. Executives must establish a sound vision and set the tone at the top, and leadership must establish and reinforce a practical culture of compliance.

First, companies must document and communicate policies and procedures that clearly define what is and isn’t acceptable with third parties. If required, formal training can be conducted. Second, employee risk must be formally incorporated into vendor management programs. Third, policies and programs must explain practices for monitoring and enforcing noncompliance. It’s one thing to articulate a strong code of ethics, but the real key lies in governance. Governance requires a formal process of regularly inspecting what you expect or, more specifically, having a well-defined risk appetite and a code of ethics that is constantly reinforced.

It’s also crucial to embrace the information provided by internal risk events, by external loss events, and by “whistleblowers.” Internal events yield valuable knowledge to help mitigate future risks. Businesses can also learn from external losses at peer companies. Information on potential losses is also needed and can come from various sources, including whistleblowers. This again requires a risk-aware culture in which employees feel comfortable sharing concerns regardless of role or seniority. Issues, of course, need to be investigated and validated. In many cases, problems may simply be the result of insufficient training on policies and procedures, which is easily remedied.

Parting thoughts

The very scope and dynamic nature of supply chains would seem to create more opportunity than ever before for unethical employee behaviors and actions, and the mix of cultures, geographies, industries, regulations, and vendors makes developing internal controls difficult. Although technology may help companies focus limited resources, the more fundamental strategy for mitigating risk is to create a culture of compliance. Companies can outsource supply chain activities but not their accountability. This resides within the business and especially with the people, and it’s the people who can make all the difference—to the positive or the negative.

About The Author

Sonal Sinha

Sonal Sinha is the vice president of industry solutions at MetricStream Inc., developer of enterprisewide governance, risk, and compliance (GRC) solutions. Sinha is responsible for driving solutions and strategy for MetricStream in consumer packaged goods, retail, and technology industries. She has more than a decade of experience as a risk management, audit, advisory, and compliance leader for consulting and technology companies including Google, Visa and KPMG.