In addition to local regulations, CPR organizations may also be subject to extraterritorial legislation, such as the FCPA and MSA. The MSA, for example, applies to companies with a global annual turnover of at least GB£36m and business connections to the UK, which can include any supply chain relationships, such as vendors, customers, consultants or other intermediaries.
Technology-enabled supply chain integrity management
Currently, many CPR organizations are managing their supply chain integrity risks manually and in a fragmented manner. For example, the status quo for many organizations is that the business unit or compliance function sends questionnaires to third parties. Different teams may use inconsistent processes and criteria to assess different risks in silos across ESG metrics (including modern slavery risks), bribery and corruption, cybersecurity and data protection. After the questionnaire has been completed, the business unit or compliance function decides whether further reviews and approvals are required prior to proceeding (or not). This process is inefficient, costly and often ineffective, especially when the CPR organization is dealing with many third parties spread across various countries.
Leading CPR organizations that successfully manage their supply chain integrity risks, including modern slavery, have developed technology-enabled frameworks. Such frameworks embed third-party screening tools based on workflow approvals. Such tools are deployed as part of the organization’s onboarding procedures and used for continuous monitoring. The frameworks also increasingly incorporate the latest digital technologies, such as artificial intelligence to identify and analyze risks, as well as blockchain to evaluate historical transactions connected to a specific third party.
Further, CPR organizations that excel in managing supply chain integrity risks have strong policies and procedures in place, such as a code of conduct that extends to third parties and includes references to modern slavery. Such policies and procedures are regularly reviewed and updated based on periodic risk assessments.
These organizations also often require their suppliers to provide certifications to confirm that materials and services associated with products comply with local and international laws governing fraud, bribery, corruption and modern slavery. Compliance with the CPR organization’s integrity policies and certifications is often tested through the execution of third-party audits.
As CPR organizations work on reinforcing supply chain integrity for a post-pandemic world, their management should consider the following questions:
- Does the management have real-time insights into all third parties involved in their supply chains and the potential risks that they pose to the organization?
- Do the organization’s policies on third parties address key risk areas, including modern slavery, anti-bribery, anti-corruption, cybersecurity and data protection?
- Does the organization conduct ongoing monitoring of its third parties’ compliance with different relevant global and local regulations as well as internal policies in a consistent and holistic manner?
- Are whistle-blower or speak-up programs effective in allowing the organization’s employees and third parties to raise concerns if they have witnessed or been exposed to unethical conduct?
- In the event of a regulatory investigation, is the organization able to provide documented evidence of adequate procedures in its third-party due diligence and ongoing monitoring program?
This article was authored by Ramesh Moosa, EY Asean and Singapore Forensic & Integrity Services Leader, with contributions from Associate Partner Saket Bhartia and Manager Philipp Kloeber of Forensic & Integrity Services at Ernst & Young Advisory Pte. Ltd.