Supply chain compliance
Supply chain compliance
A business’ supply chain can present significant compliance risks – and violations can lead to regulatory investigations that have the potential to cause great reputational damage. During the pandemic, short cuts were no doubt taken but checking regulatory compliance across a supply chain, particularly when onboarding new suppliers, now needs to be prioritised once again.
What are some of the key risk areas to consider?
Environmental, social and governance (ESG) risks – for example, human rights issues, both within the workforce (eg the use of forced/child labour and discrimination) and broader impacts on local communities (eg forced relocation of indigenous populations).The business may be required to take specific actions in respect of its global supply chain under ESG-related or employment laws in different countries – such as, the Modern Slavery Act in the UK and regulations relating to minimum wages or working time in respect of its workers. Health and safety issues (eg forced overtime or the lack of personal protective equipment) should also be considered along with global environmental standards relating to things like water usage, habitat preservation and pollution.
The collection, sharing and analysis of the data created across the supply chain, whilst of tremendous value, will trigger obligations under data protection law, be subject to potential restriction under competition law, and face further legal and contractual constraints, including where the data qualifies as intellectual property. Cyber security is also of paramount concern. Organisations need to be aware of every third party they interact with throughout the supply chain, from contracted maintenance companies to suppliers. Anyone with access to the organisation’s network or systems can be a risk. It’s important to remember that cybersecurity must go far beyond simply installing anti-virus software on company computers. It also needs to occur at every stage of the supply chain with every employee. In the digital era, the line between crime in the real and virtual worlds is severely blurred, so these risks need to be taken just as seriously as any physical security measure would.
What proactive steps can a business take to minimise its compliance risk?
- Governance and leadership: robust structures and processes will be required to be implemented from the top, through which the board of directors, executive leadership and compliance professionals design, implement, maintain and oversee the business’ ethics and compliance programmes and foster a culture of ethics and compliance within the organisation.
- Risk assessments and due diligence: risk assessments should be undertaken to identity key risks and applicable legislation pertinent to each stage of the supply chain along with due diligence of suppliers, prioritising those operating in high-risk jurisdictions, environments and/or industries.
- Supplier code of conduct: businesses should have in place a values-based, user friendly code of conduct that addresses the key ethics and compliance risks. Such code will need to reflect the standards expected and grant rights to audit compliance with those standards.
- The role of data and technology in making supply chains more resilient. Businesses should invest in technologies that allow them to connect with suppliers and make use of real-time data that can enable the whole supply chain to operate more efficiently on the basis of better informed decisions. If personal data is to be shared, compliance requirements need to be addressed.
This will necessarily involve ensuring a record of all processing activities; meeting obligations on lawful processing; complying with the principle of purpose limitation – not processing personal data in a way incompatible with the purpose for which the data have been originally collected; ensuring transparency for data subjects; and implementing appropriate and proportionate security measures to safeguard data against accidental losses, unauthorised access or cyber-attacks. Additional measures may be required depending on the nature of the business and different approaches may apply across individual countries.
In summary, targeted and tailor-made measures based on a thorough risk assessment will provide the best protection against regulatory risk stemming from each stage of the supply chain.
If you have any supply chain compliance queries please contact a member of our Commercial team.