5 Best Practices for Onboarding and Investigating Sub-Tier Suppliers

Regulations such as the German Supply Chain Due Diligence Act (LKSG), the Corporate Sustainability Due Diligence Directive (CSDDD), and the EU Forced Labor Regulation (EUFLR) mean increased scrutiny on global enterprise supply chains. The CSDDD, for example, requires covered entities to conduct due diligence not only on their own operations but also on those of their subsidiaries and other entities within their direct and indirect business relationships. 

Navigating this increasingly complex international compliance landscape poses a daunting set of challenges to organizations, particularly those with thousands of direct and sub-tier suppliers. 

The following heat map illustrates this challenge as organizations look beyond their tier 1 suppliers. The blue highlighted areas depict entities subject to withhold release orders and entities registered in Xinjiang that would fall under the Uyghur Forced Labor Prevention Act (UFLPA). Unsurprisingly, there is a huge concentration of these entities in China. However, expanding out just one degree, the red highlights illustrate where materials, subcomponents, and potentially finished goods have ended up. Many supply chains go much deeper than this one degree out, which only increases the complexity and difficulty of eliminating risk as organizations assess their sub-tier suppliers.

To help manage the challenge of mapping the complete supply chain, here are five best practices organizations should consider to onboard, assess, and monitor their sub-tier suppliers. 

Best Practice #1: Pre-onboard with an initial risk assessment

Before expending the effort to onboard a supplier, make an initial risk assessment of the supplier and their upstream suppliers. Steps here could include background checks, financial risk assessments, and sanctions screening. Geography plays a key role here, as certain sourcing jurisdictions may represent higher potential risk of forced labor or other environmental or social concerns. 

An initial risk assessment helps organizations classify low-risk versus high-risk suppliers, enabling them to focus scarce compliance resources on demonstrably higher risk relationships. Data uncovered in pre-onboarding can help organizations tailor request for information (RFI) questions and focus further public data searches.

Best Practice #2: Automate due diligence workflows

Strive to reduce manual effort, which can be time-consuming and error-prone, in the due diligence process. Automation can be employed to handle repetitive tasks like document review, bulk data analysis, and compliance screening. 

Automated supply chain risk detection platforms help organizations keep pace with regulatory pressures by providing instant, highly relevant insight into supplier risk. Organizations can often tailor these platforms’ risk insights to reflect their unique risk appetites by deactivating irrelevant risk types, changing risk alerts’ priority levels, and creating custom risk categories. This ensures that organizations are able to quickly detect which suppliers, whether direct or upstream, will have the greatest impact on their specific compliance mandates.

Best Practice #3: Leverage supplier-validated and public data

Use multiple data sources to validate your preliminary assessment. Inside-out mapping (based on supplier-validated data) and outside-in mapping (using public data) are two techniques to assess sub-tier suppliers. 

Supplier input on questionnaires is necessary for validating suspected risk and managing relationships, but organizations managing hundreds or thousands of supplier relationships must use these labor-intensive tools as confidently and efficiently as possible. Automated solutions that ingest and analyze publicly available data can deliver quick results and help fill gaps in self-reported data. Organizations can then ask smarter questions and be more targeted in applying manual auditing resources.

Best Practice #4: Make a plan to address identified risks

While automation plays a key role in your sub-tier supplier assessment, human intervention is required to develop your mitigation process. A key step here is to document due diligence efforts and mitigation actions for internal audit and external regulators. 

Mitigation steps could include: additional site visits or background checks, implementing contractual and policy changes, identifying a backup supplier, and finding alternative suppliers.

Best Practice #5: Continuously monitor 

Supplier activity is fluid, and the regulatory landscape is shifting. Assessing sub-tier suppliers and responding to emerging risk need to be ongoing efforts.

Keep the supplier investigatory process evergreen with ongoing, real-time monitoring against up-to-date public data. For example, if a supplier’s purchases change from one month to the next, automated risk detection platforms can surface changes in trade risk that will allow organizations to plan for how to mitigate this risk. 

By implementing these five best practices across the upstream supply chain, organizations can achieve increased efficiency, improved accuracy, time and cost reduction through automation, and greater compliance confidence.

Our recent partnership integrates Sayari’s business risk intelligence and ownership data with GAN Integrity’s end-to-end third-party management automation, delivering a joint solution for onboarding, assessing, monitoring, and managing sub-tier supplier relationships.
Watch our latest webinar, Uncovering Hidden Risk in an Evolving Regulatory Landscape, to see this collaboration and sub-tier supplier investigation best practices in action.