What you might find in the Shadows of a Supply Chain Compliance Audit
Validating legitimacy of third parties and their own supporting ecosystems
In supply chain management, there are many ways technology can make a process more efficient, more cost-effective, and more secure (safe). I am often challenged by the fact that, no matter the purpose of a supply chain, it will invariably span many industries and geographies, serviced by large and small suppliers/vendors, both regulated and unregulated. Each industry and geography introduces its own standards and regulations that must be complied with.
One aspect of any business's purpose is to serve: to provide a product or service of the highest quality that will not harm its consumer in any way. This approach is supported by consumers, industry, and regulators. We refer to it as complying with global quality and health and safety standards, most of which are identified on product packaging or in service contracts and will be familiar to consumers and intermediary suppliers.
A further area of compliance that most consumers will want to support is how the manufacture and supply of products and services affects (and protects) their communities and the environment. ESG compliance, and the corporate policy that enforces new regulations, requires the entire supply chain for a given product or service to acknowledge and comply with the originator's corporate policy, and that acknowledgement forms part of a documented process. Such documentation is critical to avoiding litigation as well as disruption in the supply chain. However, a digital acknowledgement is not always sufficient for compliance: a supply chain participant may also need to demonstrate understanding, possibly through a physical validation that proves it.
It must be realised that the originator (the company that owns the design and is ultimately the distributor of the final goods and services to the community) is responsible for end-to-end supply chain compliance. It therefore dictates supply chain policy, compliance milestones, and whether a supplier remains in the supply chain.
Compliance is most often regulated through certification and inspection, so validating and managing documentation in a supply chain is of critical importance. A missing or broken link in a supply chain is a costly mistake, and the cost is felt by all parties in the chain. It is therefore good practice for every member of the supply chain community with a direct input to the end-to-end process to be connected and managed centrally, allowing collaboration and maintaining focus on successful completion of the chain. By link I mean a supplier/processor/vendor: a third party that provides a direct or supporting service to the completion of a named process, which is what a specific supply chain amounts to. One would expect a supply or service level agreement linking each third-party supplier in the chain, but such an agreement does not by itself mean that each third party meets the criteria to be considered compliant, as a business entity or as a producer of a product or service, under its own industry standards and local regulatory and economic authorities.
Establishing legitimacy through formal supply chain documentation should be simple enough, and any missing information will point a forensic risk auditor to the point of failure. This documentation also includes corporate ethics and ESG policies. A process being managed and validated must always comply with the policies of the originating owner of that process. That is not to say downstream suppliers should not have policies of their own; where they meet the criteria, they may well be required by regulation to have them. But where a supplier is providing a third-party service of any type, it will need to comply with the originating client's policies as well as adhere to any downstream regulation that the originator itself must comply with.
We should not forget that there are three fundamental elements of a supply chain that dictate regulatory documentation and data flow:
- Physical Supply Chain:
The goods and services contracted between the parties
- Data Supply Chain:
The information relating to the above, shared between the parties, including regulatory authorities and other unregulated recipients
- Digital Security Supply Chain:
The open-source software and hardware used for data communication
When establishing the legitimacy of a third party in a supply chain, you need to consider evidence relating to all three of the above types of supply chain. Generally, a supply chain cannot be considered safe and complete if one or more of the three elements is missing. If managed through a qualified and secure third-party risk management (TPRM) platform, each data point will have a related reference in the nodes of each of the other supply chains, which in turn delivers trusted evidence of one's supply chain: all the third and fourth parties in it, their compliance postures, and the potential risks they bring to your business continuity.
In my next blog I will look at a use case where a specific jurisdiction's regulation, the Uyghur Forced Labor Prevention Act ("UFLPA"), requires deeper validation throughout a supply chain process. Most obvious supply chain flows start with design and then move from sourcing raw materials through to distribution to the consumer market. We will look at the impact of a downstream party utilising services and materials sourced in part from suppliers located in the Xinjiang Province: how detailed does the Act go, and how will it be enforced? https://www.dhs.gov/uflpa-frequently-asked-questions