Look around the business landscape today, and supply-chain risks are everywhere – which means that sooner or later, those risks will appear on the compliance function’s radar screen too. They probably already have.
Indeed, as corporations barrel toward 2025, rising supply-chain risks are perhaps the only thing they can take for granted. The incoming Trump Administration might embrace deregulation in many forms, but it’s also going to embrace more aggressive use of sanctions – that’s a supply chain risk. The European Union and China might then respond with sanctions or export restrictions of their own – those are supply chain risks too. As for cybersecurity risks in your supply chain, those have been going nowhere but up for years and that’s not changing in 2025 either.
So, what role should the chief compliance officer play in this particular risk management niche? Which parts of supply chain risk are your responsibility, and which parts aren’t?
Or an even better question: are there opportunities for a forward-thinking compliance officer to make you and your team more important to the enterprise by taking the lead on this multi-dimensional headache?
That’s the question worth contemplating over holiday break.
The compliance function has an opportunity here
The fundamental challenge is that supply chain risks come in so many shapes, sizes, and categories that organizations struggle to manage them all in a disciplined manner and at enterprise level. Most companies can’t even decide who should be in charge of this stuff, let alone how to handle it all.
For example, most large companies have a procurement function that’s in charge of finding suppliers and sourcing goods. Procurement teams, however, tend to view sourcing as a question of cost. They’re often not equipped to assess the cybersecurity or corruption risks of potential suppliers, or the financial consequences of a crucial supplier that suddenly becomes unavailable (thanks to sanctions, export restrictions, weather events, or whatever else).
Management teams do know all that at a theoretical level, and different parts of the enterprise can figure out all those risk management questions – but most companies still struggle to bundle all that insight into a single supply chain risk management function. They don’t have a “chief supply chain risk officer” who can collect and consider all that data, to be sure management has a clear and complete understanding of its supply chain risk.
Chief compliance officers can’t necessarily step into that role – but you can bring valuable experience and perspective as your company tries to address its challenges with supply chain risk. That’s the opportunity here, as companies figure this puzzle out.
Consider the skills a good compliance officer can bring to the situation:
- An understanding of how to assess vendor risk, even if you primarily focus on corruption, sanctions, or privacy issues
- An ability to take regulatory requirements for due diligence and translate them into actual due diligence procedures
- An ability to work with operations teams in the First Line of Defense and other risk management teams in the Second Line, to develop compliance policies and procedures for the enterprise to follow
Those are the skills companies need for an effective supply-chain risk management program. The challenge is to figure out the new tools, processes, and working relationships you’ll need to make that supply-chain risk capability a reality.
It’s about data and collaboration
So, let’s say you are eager to play a larger role in supply-chain risk management. Exactly what should a compliance function do to achieve that? We can identify a few steps right away.
Foster a better relationship with your CISO, because cybersecurity risks will be a huge part of the picture. Ask the CISO to help you develop and/or share a risk assessment questionnaire for your suppliers. Develop a process to map out which suppliers have access to critical data or IT systems, and then figure out which of your company’s regulatory obligations for cybersecurity (say, regulations that require multi-factor authentication) might need to extend to those suppliers.
Drive all business functions to tap into the same sources of data. One threat to strong supply-chain risk management is that different silos (cybersecurity, procurement, finance, and yes, even compliance) all look at their own private piles of data to make decisions about supplier risk. That leads to confusion and uncertainty about how to proceed, which is the last thing senior management wants to hear from its risk assurance team in the Second Line.
So, work with your IT team and those various business functions to ensure everyone drinks from the same repository of data as you assess a supplier’s various risks. That gives you the confidence and evidence you need to make better decisions.
Streamline and integrate your vendor due diligence and onboarding processes. Let’s remember that suppliers are people too. If your risk assessment, onboarding, and monitoring processes are too cumbersome for them, they’ll either rush through the process with inadequate information or just drop you as a customer entirely.
You need a streamlined system that suppliers won’t feel burdened to use; and that system will then need to consolidate supplier-provided data with any other information you obtain from external sources, all into the single repository mentioned earlier.
Pay attention to alerting and escalation processes. Sooner or later, some key supplier will drift into a high-risk category. How can you assure that when that happens, the right people will know about it? How can you assure they take action in a timely manner, rather than ignore the alert they receive?
Effective supply chain risk management is about responding to changing patterns of risk in your supply chain. Work with all teams that have a stake in supply chain risk management to be sure that when those risks rise, there is a process – and accountability – for someone to act on them.
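The steps above (map suppliers to critical systems, check which cybersecurity obligations extend to them, score every supplier from one consolidated record, and escalate when a supplier drifts into a high-risk tier) can be sketched as a small supplier risk register. The following is an added illustration written for this page, not code from the article or from any vendor tool; the supplier names, the list of critical systems, the scoring thresholds, the tier names and the five-day escalation window are all constructed assumptions.

```python
"""Minimal supplier risk register (added example, constructed data).

One record per supplier holds every signal (cyber questionnaire score,
sanctions screening, finance watch flag, system access, MFA attestation)
so that procurement, compliance, finance and the CISO read the same data.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed inventory of systems where a regulatory MFA obligation applies.
CRITICAL_SYSTEMS = {"erp", "customer-db"}

ESCALATION_DUE_DAYS = 5  # assumed service level for acting on an alert


@dataclass
class Supplier:
    name: str
    systems: List[str]      # systems the supplier can reach
    mfa_attested: bool      # supplier attested MFA on that access
    sanctions_hit: bool     # result of sanctions screening
    cyber_score: int        # questionnaire score, 0 (worst) to 100 (best)
    financial_watch: bool   # finance has flagged distress / availability risk
    owner: str              # accountable person who receives escalations


def risk_tier(s: Supplier) -> str:
    """Combine all signals in the record into one tier (thresholds assumed)."""
    if s.sanctions_hit:
        return "high"
    if s.cyber_score < 50 and set(s.systems) & CRITICAL_SYSTEMS:
        return "high"
    if s.cyber_score < 70 or s.financial_watch:
        return "medium"
    return "low"


def mfa_gaps(suppliers: List[Supplier]) -> List[str]:
    """Suppliers that touch a critical system but have not attested MFA,
    i.e. where the company's own MFA obligation must extend to the supplier."""
    return [s.name for s in suppliers
            if set(s.systems) & CRITICAL_SYSTEMS and not s.mfa_attested]


def escalations(previous: Dict[str, str], suppliers: List[Supplier]) -> List[dict]:
    """Alert only on drift INTO the high tier, naming an accountable owner and a
    due date, so the alert cannot simply be ignored."""
    alerts = []
    for s in suppliers:
        now = risk_tier(s)
        before = previous.get(s.name, "unknown")
        if now == "high" and before != "high":
            alerts.append({"supplier": s.name, "from": before, "to": now,
                           "escalate_to": s.owner, "due_days": ESCALATION_DUE_DAYS})
    return alerts


# Constructed sample records (not real suppliers).
SAMPLE_SUPPLIERS = [
    Supplier("Acme Logistics", ["erp"], False, False, 80, False, "procurement-lead"),
    Supplier("Bolt Cloud", ["customer-db"], True, False, 40, False, "ciso"),
    Supplier("Cedar Parts", [], False, True, 90, False, "compliance-officer"),
    Supplier("Delta Print", ["print-portal"], False, False, 65, True, "finance-lead"),
]

# Tiers recorded at the previous review cycle (constructed).
PREVIOUS_TIERS = {"Acme Logistics": "low", "Bolt Cloud": "medium", "Cedar Parts": "high"}


def run_review(suppliers=SAMPLE_SUPPLIERS, previous=PREVIOUS_TIERS) -> dict:
    """One review cycle: current tiers, MFA gaps, and escalations to act on."""
    return {
        "tiers": {s.name: risk_tier(s) for s in suppliers},
        "mfa_gaps": mfa_gaps(suppliers),
        "escalations": escalations(previous, suppliers),
    }


if __name__ == "__main__":
    for key, value in run_review().items():
        print(key, value)
```

Running the review flags Acme Logistics as an MFA gap (ERP access without attestation, even though its overall tier is low) and raises a single escalation for Bolt Cloud, which drifted from medium to high; Cedar Parts was already high last cycle, so it is not re-alerted. Keeping the tier logic in one function over one record is the point: every silo sees the same answer.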
This will take time
No company will tame all its supply-chain risks overnight, and it’s quite possible that other teams will ultimately be responsible for the issue. But the threat of poor supply chain risk management is clear and present, and compliance officers are well-suited to guide everyone else down the right path. The sooner you start, the more valuable a player you can be.
Risk management resources
Supply chains are just one of several categories of risk that your organization needs to address. If you’re looking for resources to help you address third-party, regulatory and compliance program operational risk, check out the Risk Resilience Guide for expert insights and steps to help ensure your organization is proactively addressing risk.