Confronting the code of conduct gap
Guy Harrison, General Manager, Dow Jones Risk & Compliance, discusses the company's recent research into third-party risk management.
Third-party risk management systems and processes are in need of significant upgrades as supply chains become more global.
Dow Jones Risk & Compliance recently examined the third-party risk management practices of U.K. companies with a particular focus on the vetting of suppliers in lengthening supply chains.
In August, its team surveyed 250 U.K.-based procurement professionals across five sectors: engineering and construction, oil and gas, IT and technology, media and telecoms and manufacturing.
The survey uncovered that the policies designed to vet suppliers and vendors against indicators of bribery and corruption risk are poorly understood and inconsistently applied.
The findings were concerning—but perhaps not altogether surprising. Especially not when one considers the operational constraints faced by the teams responsible for supplier onboarding and vetting through the supply chain, be that in procurement or other business units.
The results paint a clear picture of an industry facing an enormous task.
Half of the U.K.-based procurement professionals believe ‘corners are cut’ in order to vet and onboard suppliers more quickly. As you can see in the graph below, this sentiment varies across sectors. Generally speaking, however, it appears that the need to meet business demands often trumps the need for rigorous third-party vetting.
Nearly half of respondents are not wholly confident that all of their existing suppliers have been vetted properly and believe one-third of new supplier onboarding in the last 12 months is likely to have been executed improperly.
While more than 60% of procurement professionals believe that their organization’s code of conduct with regard to third-party risk management is consistently applied when necessary, one-third believe their colleagues do not understand supply chain risks. Only 22% are “very confident” that employees would be able to identify a breach.
A third of procurement professionals say their organizations do not extend their vetting to fourth-party vendors and therefore have no visibility of their supply chain beyond immediate suppliers.
Less than half (45%) have regular training and certification programmes to ensure the code of conduct for third-party risk management is fully understood and applied.
Finally, more than two-fifths (43%) of procurement professionals recognize the need to make changes and overhaul their approaches but many are likely hindered by resource constraints. 52% expect their third-party vendor management budgets to stay the same or face cutbacks and 24% plan for reduced budgets.
These results are especially worrying given that the pressure on third-party risk management systems is only going to increase as supply chains become more global.
In fact, the professionals surveyed expect the number of third-party suppliers that they rely on to increase by 40 percentage points over the next three years. That’s a significant increase and one that businesses need to prepare for.
Businesses that cannot clearly articulate their risk appetite—and that do not share that information effectively with their workforce—may be set to face tough questions from regulators, damaging financial penalties and discredited reputations.
Is there an upside to all this? Dow Jones Risk & Compliance believes there is.
The research identified that the ‘code of conduct gap’ can be addressed with proper technology, tools and a commitment to training across the business.
Employees are going to become even more important as the first line of defence. All organisations, whether dependent on in-country or expansive global supply chains, must embrace the need to empower their people to understand, implement and actively maintain policies and processes around third-party risk management. To that end, it is vital that employees are provided with the right level of training and ongoing support.
Technology is another key factor. Businesses do not always have the resources to establish adequate checks and balances in their due diligence processes. In fact, Dow Jones Risk & Compliance has seen many instances of global businesses relying on spreadsheets and emails to keep track of their vetting and onboarding.
Solutions based on high-quality data and integrated workflows can help automate and streamline these processes, while ensuring compliance with regulatory requirements for documented decision-making and audit trails. The right technology can drive a risk-based approach that helps surface the parties within your supply chain—based on considerations such as jurisdictions or type of business relationship—that carry the highest level of risk.
A risk-based, technology-driven and employee-tested approach ensures you are protecting your supply chain in all the right places, and therefore are better protected overall.