What you might find in the Shadows of a Supply Chain Compliance Audit

By Chris Els • June 26, 2024

Validating legitimacy of third parties and their own supporting ecosystems

In supply chain management, there are many ways technology can make a process more efficient, more cost effective, and more secure (safe). I am often challenged by the fact that no matter the purpose of a supply chain, it will invariably introduce many multiples of industry and geographies being serviced by large and small regulated, and unregulated, suppliers/vendors. Each industry and geography will introduce specific standards and regulations that need to be complied with.

One aspect of purpose for any business is to serve, to provide a product or service of the highest quality which will not harm a consumer of said service/product in any way. This approach is supported by consumers, industry, and regulators. We refer to this as complying with Global Quality and Health and Safety Standards, most of which will be identified on the product packaging or service contracts, which consumers and intermediary suppliers will be familiar with.

A further area of compliance that most consumers will want to support is how the process of manufacture and supply of products and services affects (and protects) their communities and the environment. ESG compliance and the strict rule of corporate policy supporting new regulations require the entire supply chain of any given service or product process to acknowledge and comply with all of the originator's corporate policy, which forms part of a documented process. Such a documented process is critical to avoid litigation as well as disruption in a supply chain. However, a digital acknowledgement is not always sufficient for compliance. A supply chain participant also needs to demonstrate understanding and possibly have a physical validation to prove their understanding.

It must be realised that the originator (the company that owns the design and ultimately the distributor of final goods and services to the community) is responsible for the end-to-end supply chain compliance and will therefore dictate supply chain policy and compliance milestones, and continued inclusion of a supplier in said supply chain.

Compliance is most often regulated through certification and inspection, and therefore validating and managing documentation in a supply chain is of critical importance. It would be a costly mistake if a link is missing or broken in a supply chain. The cost will be felt by all parties in the chain, and therefore it might be considered good practice for the entire supply chain community that has a direct input to the end-to-end process to be connected and managed centrally, to allow for collaboration and to maintain a focus on a successful completion of the chain. By link I mean a supplier/processor/vendor: a third party that provides a direct or supportive service to the completion of a named process which translates as a specific supply chain. It would be expected to have a supply or service level agreement linking each third-party supplier in the chain, but this is not to mean that each third party will meet the criteria to be considered compliant as a business entity or producer of product or service as specified by its own industry standards and local regulatory economic authorities.

Discovering legitimacy through formal supply chain documentation should be simple enough, and any missing information will point a forensic risk auditor to the point of failure. This also includes corporate Ethics and ESG policies. A process being managed and validated must always comply with the originating owner of the process. That’s not to say downstream suppliers should not have policies of their own, and where they meet the criteria, they may well be regulated to have their own policies. But as and where a supplier is providing a third-party service of any type, they will need to comply with the originating clients’ policies as well as adhering to any downstream regulation that the originator will need to comply with.

We should not forget there are 3 fundamental elements to supply chain which dictate regulatory documentation and data flow:

Physical Supply Chain:
Goods and Services contracted between parties

Data Supply Chain:
The Information relating to the above shared between the parties including regulatory authorities or other unregulated recipients

Digital Security Supply Chain:
Open-Source Software and Hardware used for data communication

When establishing the legitimacy of a third party in a supply chain, you need to consider evidence relating to all 3 of the above types of supply chain. Generally, a supply chain cannot be considered safe and complete if one or more of the 3 elements is missing. If managed through a qualified and secure TPRM platform, each data point will have a related reference in each of the other supply chains' nodes, which in turn delivers trusted evidence of one's supply chain, all third and fourth parties in it, their compliance postures, and the potential risks they bring to your business continuity.

In my next blog I will look at a use case where a specific jurisdiction's regulation (The Uyghur Forced Labor Prevention Act (“UFLPA”)) requires deeper validation throughout a supply chain process. Most obvious supply chain flows start with Design, and then move from sourcing raw material through to distribution to the consumer market. We look at the impact of a downstream party utilising services and materials in part sourced from suppliers located in the Xinjiang Province. How detailed does the Act go, and how will it be enforced? https://www.dhs.gov/uflpa-frequently-asked-questions
