White paper
How to mitigate risk in your supply chain
Abstract: U.S. companies face millions of dollars in penalties and public-relations nightmares when government agencies discover supply chain compliance violations. A proactive supply chain management approach can help avoid reputational and financial loss by planning ahead for disruptions rather than reacting when they occur. Automating processes that alert companies to compliance risks among suppliers is an essential component of this process.
How to mitigate risk in your supply chain
In 2016, Lumber Liquidators pleaded guilty to criminal charges of violating the Lacey Act, which prohibits the importation of illegally harvested timber. The largest importer of hardwoods in the United States was later sentenced to pay over $15 million in criminal fines and forfeitures as well as civil penalties.
Lumber Liquidators is not alone when it comes to suffering financial loss and reputational harm for making poor partnership decisions. In 2019, e.l.f. Cosmetics faced a $40 million penalty from the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) for illegally importing, from China, false eyelashes sourced in North Korea, a country that relies on forced labor.
Luckily for the company, it was able to settle the case for just under $1 million, thanks to an internal audit that discovered the violation, prompting the company to turn itself in. But e.l.f. did not escape harsh OFAC criticism, which described its compliance program as “nonexistent or inadequate.”
The company’s self-audit saved e.l.f. millions but not the public-relations nightmare that came when U.S. government authorities took it to task for supply chain compliance violations. “Even if the penalty monetarily was reduced, you have that issue of reputational damage for the brand,” says Karen Lobdell, senior product manager of ONESOURCE Global Trade at Thomson Reuters, a technology company offering risk mitigation solutions. According to Lobdell, e.l.f. might have avoided these damages, both financial and social, if it had mitigated its supply chain risk at the offset by proactively vetting its suppliers.
Implement a proactive approach to risk management
Up until about 20 years ago, supply chain management tended to focus on reactive over proactive strategies when dealing with issues such as compliance, damage or pilferage. In the age of climate change, pandemics and cyberattacks, reactive approaches are no longer viable. Today’s supply chain managers deal with a myriad of issues, including sustainability, ethics, governance, illicit trade, cybersecurity and infrastructure failures, all of which can, and do, negatively impact business operations, service level and public images. “Companies are taking steps these days not only to react, but to plan for disruptions,” says Lobdell. “They need to look at how they can be more resilient in case something does happen.”
As the last year and a half has shown, supply chain risks are increasingly prevalent. A 2021 survey conducted by the Business Continuity Institute showed that over 83% of businesses experienced supply chain disruptions over the last year, many of them unrelated to the pandemic. Forty-two percent encountered weather disruptions, an increase of 35% over the previous year. One-third of companies suffered cyberattacks and data breaches, a 26% increase over the prior year.
Pandemics will no doubt remain on the radar of supply chain managers for years to come, allowing them, hopefully, to proactively mitigate the effects of such outbreaks. But the same should apply to the raft of other supply chain woes that companies face, including the risks posed by dubious suppliers.
“One way they're doing that is through increased use of automation,” notes Lobdell. Vetting potential business partners involves screening them against denied party lists, a process that is easier said than done. “There are many ‘bad-guy lists’ out there,” explains Virginia Thompson, senior product manager of ONESOURCE Global Trade at Thomson Reuters. Some of them are very long, with over 100,000 different parties, and many lists change frequently. In 2020 alone, over 300 denied party lists had to be updated more than 350,000 times.
“You don't necessarily have to screen against hundreds of lists,” notes Thompson. “It depends on where you're doing business and what type of business you're doing. Some lists only apply if you’re doing business with the U.S. or a foreign government. Some lists only apply if you're doing business in a given country. You have to know which lists you should be screening against.”
Embrace automation to assess risk
That’s where automated solutions can help. These solutions, Thompson explains, provide both the functionality and content that allow companies to assess the risks associated with potential partners and transactions.
Functionality can be defined in two ways. First, the screening engine determines how the system makes comparisons, by looking at the name and address of a party. “You definitely want to be looking at the address as well,” says Thompson. “There are a lot of John Smiths in the world, and you want to make sure that you're looking holistically to capture address information.” That includes rules on handling things like abbreviations and punctuation when making comparisons that are not always a perfect match.
Second, screening functionality also involves how the process is managed in the long term. “You want to screen on a regular basis,” says Thompson. As denied party lists change over time, they need to be reevaluated against a company’s existing supplier list.
Content, too, plays a role in an efficient screening process, allowing companies to assess product, in addition to party, risk. “Your products pose risks as well,” says Thompson. “There are a lot of questions that have to be answered about them,” such as whether they are allowed to be imported or exported in the first place, whether a special license is required for a given transaction, and whether the product must first be tested to make sure it meets regulatory requirements.
Products are screened similarly to supply chain partners, but against data such as classified tariff numbers and export control numbers — while also being paired with the countries of origin or destination. “It's important to understand it's countries plural,” said Thompson, since products may be manufactured in one country and exported from another. The specific countries involved are important for several considerations, including sanctions regimes, anti-dumping duties and licensing requirements.
A growing number of companies are learning the benefits of automation in anticipating supply chain disruption. Recent studies from KPMG and Deloitte showed that 46% of companies are already using automated global trade management systems. Even more telling, 58% of companies said they are planning to invest more in global trade technology over the next three years, reflecting the value of these systems in mitigating supply chain risk.
Of course, not all companies have adopted a proactive approach to supply chain management. The Business Continuity Institute survey showed that a quarter of those performing due diligence on suppliers didn’t do so until after they had already signed contracts and were in business relationships. “That is not exactly the smartest way to do it,” says Lobdell. “Suppliers are a reflection on you. They're an extension of your brand, so it's important you know them well. You can't mitigate what you haven't identified.”
Conduct a targeted partner assessment
How should companies proceed with these crucial partner assessments? For Lobdell, “the five Ws” are key:
Who should be subject to risk assessments?
In a perfect world, everybody would be subject to screening, from tier one and all the way down. Though global assessment is the ultimate goal, for many, this is not realistic. In these situations, tools that identify those posing the highest risk can help companies prioritize the most important candidates to screen.
What should the risk assessment cover?
Companies should consider all applicable areas of risk that make sense for their business. It can vary depending on one’s industry, the company’s risk tolerance and the markets in which the company is doing business.
When should the risk assessment be performed?
Ideally, companies should conduct risk assessments up front. You want to rule out the bad ones first and avoid doing business with them.
Where should the risk assessments take place?
On-site assessments aren’t realistic for all business partners when they number in the thousands. More often, companies will conduct a combination of remote and on-site assessments. Remote assessments will help you drill down into those business partners that deserve to have that in-person visit.
Why do the risk assessments?
When companies fail to properly vet their partners, they run a high risk of facing penalties and reputational harm, both of which can cause irreparable damage to an unprepared organization. Conducting a risk assessment protects businesses from this harmful outcome.
The ultimate goal of partner and product risk analysis is to estimate the likelihood that a given company or its product could contribute to disruption in your supply chain, and what the potential consequences might be of such an occurrence. A company’s primary focus should be on mitigating, not necessarily eliminating, risk. Attempting to reduce the risk to zero creates an unachievable challenge, according to Lobdell.
“No supplier that you're doing business with is going to be without risk,” she adds. “But you can prioritize where you put your resources to mitigate risk and to perform corrective actions.”
Resource Link: tax.tr.com/globaltrade
Simplify your entire global trade management process with trade compliance information and facilitation tools that automate routine tasks, give you compliance confidence, and save time