5 Best Practices for Onboarding and Investigating Sub-Tier Suppliers

Regulations such as the German Supply Chain Due Diligence Act (LKSG), the Corporate Sustainability Due Diligence Directive (CSDDD), and the EU Forced Labor Regulation (EUFLR) mean increased scrutiny on global enterprise supply chains. For example, the CSDDD requires covered entities to conduct due diligence not only on their own operations, but also on their subsidiaries and indirect business partners. 

Navigating this increasingly complex international compliance landscape is challenging, especially for organizations with thousands of suppliers. 

The following heat map illustrates the challenge of looking beyond tier 1 suppliers. Blue areas show entities in Xinjiang subject to the Uyghur Forced Labor Prevention Act (UFLPA), mostly concentrated in China. However, just one degree away (in red), we see where materials, subcomponents, and potentially finished goods from these entities have ended up. Because many supply chains go much deeper than this, eliminating risk becomes increasingly difficult.

To help manage the challenge of mapping the complete supply chain, here are five best practices for onboarding, assessing, and monitoring sub-tier suppliers.  

Best Practice #1: Pre-onboard with an initial risk assessment

Before investing time in onboarding, conduct an initial risk assessment of the supplier and their upstream suppliers. Steps could include background checks, financial risk assessments, and sanctions screening. Geography plays a key role, as certain sourcing jurisdictions may carry a higher risk of forced labor or other environmental and social concerns. 

An initial risk assessment helps organizations classify low-risk versus high-risk suppliers, enabling them to focus scarce compliance resources on higher-risk relationships. Data uncovered early can help organizations tailor request for information (RFI) questions and focus further public data searches.

Best Practice #2: Automate due diligence workflows

Reduce manual effort, which can be time-consuming and error-prone, in the due diligence process. Automation can handle repetitive tasks like document review, bulk data analysis, and compliance screening. 

Automated supply chain risk detection platforms help organizations keep pace with regulatory pressures by providing instant, highly relevant insight into supplier risk. Organizations can often tailor risk insights to reflect their unique risk appetites by deactivating irrelevant risk types, changing risk alerts’ priority levels, and creating custom risk categories. This ensures organizations can quickly detect which suppliers, whether direct or upstream, will have the greatest impact on their compliance mandates.

Best Practice #3: Leverage supplier-validated and public data

Use multiple data sources to validate your preliminary assessment. Inside-out mapping (based on supplier-validated data) and outside-in mapping (using public data) are two techniques to assess sub-tier suppliers. 

Supplier input on questionnaires is necessary for validating suspected risk and managing relationships, but organizations managing hundreds or thousands of supplier relationships must use these labor-intensive tools as confidently and efficiently as possible. Automated solutions that ingest and analyze publicly available data can deliver quick results and help fill gaps in self-reported data. Organizations can then ask smarter questions and be more targeted in applying manual auditing resources.

Best Practice #4: Make a plan to address identified risks

While automation plays a key role, human intervention is required to develop your mitigation process. A key step is to document due diligence efforts and mitigation actions for internal audit and external regulators. 

Mitigation steps could include additional site visits or background checks, implementing contractual and policy changes, identifying a backup supplier, or finding alternative suppliers.

Best Practice #5: Continuously monitor 

Supplier activity is fluid, and the regulatory landscape is shifting. Assessing sub-tier suppliers and responding to emerging risk must be ongoing.

Keep the process evergreen with real-time monitoring against up-to-date public data. For example, if a supplier’s purchases change from one month to the next, automated risk detection platforms can surface changes in trade risk, allowing organizations to mitigate immediately. 

By implementing these five best practices, organizations can achieve increased efficiency, improved accuracy, reduced costs, and greater compliance confidence.

Our recent partnership integrates Sayari’s business risk intelligence and ownership data with GAN Integrity’s end-to-end third-party management automation, delivering a joint solution for onboarding, assessing, monitoring, and managing sub-tier supplier relationships.

Watch our latest webinar, Uncovering Hidden Risk in an Evolving Regulatory Landscape, to see this collaboration and sub-tier supplier investigation best practices in action.