ESG and Supply Chain Compliance: What can businesses do to protect themselves?

The Problem:

When considering international markets and supply chains, growing concerns for globally active corporations include:

• changing public sensitivities
• related reputational risks
• substantial legal risks.

Risk management failures in local operations cause significant incidents, such as unrests and riots of workers, or political campaigns against Western businesses. These events cause serious damages to critical supply flows, local acceptance, finances, and brand reputation.

Currently, a growing number of governments in North America and the EU classify anti-corruption as being a national security issue and priority. Thereby reducing the tolerance for corporations with weak (or willfully blind) approaches towards compliance abroad; and thus enforcing legislation like the FCPA (USA) and UKBA (UK) with increased consistency.

Management cultures can still be impacted by outdated practices when bribery and a willful lack of local risk awareness was part of the game. This behavior can still haunt business operations today – especially in second and third tier local management and agency structures. Unwanted issues arising from uninformed and under prepared corporate level, often are a natural outcome.

However, the growing number of foreign compliance laws and a general ESG orientation in Western jurisdictions have been changing the compliance risk picture. The “Supply Chain Diligence Obligation Act” in Germany is the latest example and an EU-wide legislative push, that might even be stricter, is on the horizon. These laws extend accountabilities deep into the supply chains. That is, depending on jurisdiction and circumstances (“adequacy” for type and size of business), corporations become legally responsible for applying an enhanced risk management regarding:

• Directly controlled subsidiaries and agents.
• Suppliers in case of direct contractual relations.
• Deeper indirect supply relations, i.e. for the suppliers of their suppliers.

Thereby a substantial part of the problem is related to intentional threats and the need to prevent and counter them: From local crime structures, running forced and/or child labor operations, or hazard waste dumping schemes, to corrupt or populist local players. Local actors too often can blackmail or harm those businesses, who have a lack of experience in understanding, detecting, and managing local and regional risks.

The Needs:

Legally and practically, in terms of the necessary risk management, this especially means that organizations need to improve:

1. The functions of preventing and mitigating risks (for example, to train local structures and vendors in regard to obligations and awareness)
2. The function of detecting possible or actual violations (by having threat-based Red Flag Lists developed, and their application implemented effectively)
3. The functions of responding, reporting, and remediating in the event of incidents (such as through an adequate complaint management, understanding local players and partners, knowing how to deal with violations, and being prepared for the right actions towards local elements).
4. The overall quality of threat intelligence management and decision documentation.

The Best Practice Solutions:

Looking at the leading organizations in relation to global compliance risk management, we see that they often consider the following:

1. Learn that the underlying problem cannot be solved merely via PR/messages and charity/donations (the old “solution” approach).
2. Sustainable solutions are about actively managing the supply chain risks. Better understanding, vetting, selecting, and monitoring local realities and elements.
3. Understanding that compliance and ESG diligence cannot be handled without extending this risk management effectively into their procurement, business operations, and decision making as the 1st Line of Defense.
4. Management cannot rely on the narratives provided by local partners, managers, and stakeholders. These actors have their own biases and interests, too often ignoring dangerous local issues. Management needs to know and understand the local threat context, based on verified quality risk intelligence from independent sources and providers.
5. Addressing full spectrum of the risk management functions (Prevent, Detect, Respond) thoroughly. Since in all three of the functions, less prepared companies produce consequential practical failures:  

a. For Prevention, country-related threat awareness through up-to-date threat intelligence products and trainings is critical. Knowing what the local problems are (such as forced labor), who is behind them, and how such schemes can be recognized, is key.

b. With the functions of Detection and Response, the importance of proper programs is also important. A lack of preparation for detected incidents, too often causes overburdened responses – escalating negative effects that otherwise could have been contained.

In these foreign risk management matters RSB International, along with its legal service partners, support clients with their journey towards developing an advanced, adequate risk management system (program development; system/process improvement; developing dedicated local security officers); and helps deliver practical related services, from local threat assessments to enhanced checks on local vendors or managers (supplier diligence).