Ethics and compliance officers have long had an uneasy relationship with corporate sustainability efforts, mostly because most compliance officers aren’t quite sure they want – or know how to handle – responsibility for it.
Well, what if we’ve been thinking about the intersection of compliance and sustainability all wrong? What if, at the bottom of all this, it’s really about supply-chain risk?
This question has been on my mind since Microsoft published its latest corporate sustainability report a few weeks ago. The software giant made decent progress reducing its own carbon emissions, down 6.3% from 2020 emission levels; but emissions from its supply chain jumped 30.9% in that same period. When you add all that together, it means that Microsoft’s total emissions rose by 29.1%.
Moreover, almost all of Microsoft’s carbon emissions (more than 96% , according to the company) come from its supply chain. So, if Microsoft wants to keep reducing its carbon footprint and achieve its sustainability goals, it can only do that by managing its supply chain more carefully and precisely. The math doesn’t work any other way.
We could say the same for a host of other ESG goals, too. Want better cybersecurity? Then you’ll need to assess and manage the security of your supply chain, since that’s where most cybersecurity breaches come from these days. Want to avoid human-trafficking or forced-labor violations? Then you’ll need to assess and manage the practices of your suppliers and sub-suppliers, since those distant corners of the global supply chain are where such abuses tend to hide.
Whether we talk about carbon emissions specifically, or ESG issues broadly, or even the seemingly endless range of issues we squeeze under the umbrella of “third-party risk management,” the answer is increasingly the same: it is a supply-chain management challenge as much as it is a compliance challenge.
What does that mean for compliance officers?
Let’s first consider what this means for a corporation overall. From there we can derive a few implications that affect compliance officers specifically.
- First, companies will need better tools to manage these supply-chain issues. For example, you might need better contract management capabilities, to be sure suppliers will agree to your risk management needs. Those needs might be better reporting of certain incidents (say, a cyber breach, discovery of forced labor, or environmental performance metrics), or they could be certain duties you want the supplier to perform (due diligence on its own suppliers, who are your sub-suppliers). Regardless, if you can’t enforce contract management consistently, you won’t get the risk assurance you need.
- Second, companies will need better tools to monitor supplier behavior, since it’s quite possible your supplier might deceive you or even just suffer some incident without knowing about it. The monitoring tools could include more diligent adverse media reports, more thorough cybersecurity scans, and even a more robust and far-reaching whistleblower hotline. Indeed, it’s almost inevitable that these tools will be a blend of traditional speak-up mechanisms and more proactive measures a company takes to find problems directly.
- Third, companies will need better policy and procedure management to coordinate all this effort. After all, most companies already undertake at least some of the measures described above – but if they aren’t doing so in a consistent, cohesive way, they still end up with less risk management and more confusion than necessary.
For example, procurement teams might invest time and effort to automate vendor onboarding processes; but if they don’t consult with sustainability or cybersecurity teams, those groups might then need to re-assess the procurement-approved vendors and end up cutting some that don’t meet sustainability or cybersecurity standards. That wastes money, confuses employees, and alienates your supplier base.
In other words, supply-chain management is a team effort. Compliance officers should be an important player on that team, but successful supply-chain risk management – and all the compliance, sustainability, and cybersecurity objectives included therein – depends on the whole team working together.
Defining roles and responsibilities for team success
Let’s get back to what all this means for compliance officers.
More than anything else, it means that compliance officers must sit down with other executives in the Second Line of Defense to define what your supply-chain risk management efforts will look like: who does what, and who is in charge.
The team in charge could be an enterprise risk management function, that takes supply-chain risk under its purview. Or maybe it’s a souped-up procurement team, armed with the right policies, procedures, and data to take a more comprehensive view of third-party risk. Ultimately each business will need to find its own structure that works best.
Compliance officers will need to push for clarity on exactly what their responsibilities are. For example, will you be in charge of filing reports to the proper regulators for any Modern Slavery Act obligations you might have? That seems plausible, since working with regulators is with a typical CCO’s purview. But would you also be responsible for performing Modern Slavery Act due diligence on vendors, or would that task be better achieved by assigning it to a procurement function with broad responsibility for vendor due diligence and onboarding?
Compliance officers also need to ensure = they have access to the necessary data to do their jobs. This can be especially challenging for supply-chain data, because so many groups (procurement, compliance, sustainability, IT security, finance) might possess useful data – but if that data isn’t stored in one collective repository, labeled and validated in the right way, you might never know the information exists.
This is the world rushing toward global businesses: one where managing behavior of your supply chain is just as important as managing the behavior within your own enterprise. Do that task well, and all sorts of objectives – sustainability, security, compliance, financial – become much more attainable.
Successful compliance programs aren’t hinged on any singular activity, solution or process. However, effective compliance programs take third-party risk management seriously and leverage purpose-built solutions. You probably see where this is going. For more information on creating a sustainable supply chain through third-party risk management, check out our solutions.