Few companies have full transparency of their supply chains. What are the implications of this, and how can this impact a company’s reputation?


When it comes to risk, a company’s supply chain is like an iceberg: much of it is submerged and out of sight. For some major corporations with thousands of third-party vendors, full transparency of their supply chains is not deemed a necessity, let alone feasible. In fact, a StrategicRISK survey found that very few corporates have transparency of their supply chains (see graph, opposite). But what are the implications of this lack of transparency, and how can this impact a company’s reputation?

“We are seeing an interesting shift in supply chain management – and it’s been driven by consumers and customers,” says Kate Hughes, chief risk officer at Telstra, the Australian-headquartered telecoms firm.

“Expectations are changing. [Customers] want to know exactly where products are coming from, how they were made and under what conditions.

“They want to know who their service providers, such as banks and technology partners such as Telstra, are working with, and how they are managing their impacts.”

Hughes says companies are responding to this – and they need to respond – as they will be held to account by those who buy their products or services, as well as by investors and the court of public opinion.

“However, this is an area of complexity, especially for large companies such as Telstra with deep and long supply chains,” Hughes adds. She says many companies have strong due diligence when bringing in suppliers, but this is not enough.

“Companies ensure suppliers have no human rights abuses, that they are not involved in corrupt behaviour and their finances are solid. But then what?

“Responsible and sustainable supply chain management doesn’t end with the contract, it’s ongoing. Because if a supplier acts outside of the law, or indeed in a way that doesn’t match societal – or company – expectations, it is most likely the big, well-known brand associated with that supplier who will be targeted.”

Rachelle Koster, partner risk advisory, crisis management and resilience at Deloitte, agrees. She says sustainability and procurement teams in corporate Australia are increasingly focused on supply chain transparency.

“We have seen companies experience reputational risks because of governance, conduct or operational risks eventuating in their supply chains,” she adds. “In these situations you have to own your crisis. Your ability to pass the buck to somebody in your supply chain when something goes wrong is not an effective response strategy.”

Koster says it is extremely challenging to oversee large supplier ecosystems to mitigate potential reputational or crisis events: “Every organisation will have their own risk appetite around these things.

“Some companies have more than 10,000 suppliers, so the procurement part of their business can be really challenging.

“Through analytics we have seen that a lot of companies want to drill down and truly understand their end-to-end supply chains through a series of operational risk-related lenses.”


Suppliers’ cyber security is also a worry for corporates (see pages 4-5). Many are concerned about reputational risk should one of their critical suppliers suffer a data breach or leak that affects their customers.

MailGuard chief executive and founder Craig McDonald says that over the past six months, he has seen an increasing number of emails being sent to businesses from what appear to be brands that we trust, like a telco, bank or government body.

“The problem is that staff are being ‘happy clickers’, leaving the company and being taken offline due to ransomware, for example,” he says. “A major problem is failing to understand the ramifications of these problems within the supply chain.”

Several manufacturing and warehousing groups have come under attack, he adds, and customers are no longer able to reach them. “That has put a lot of pressure on the companies they supply, even though those companies have not directly been affected.

“This has highlighted some of the touch points that can undo a business.”

These supply chain transparency issues all raise the same question: how does a risk manager go about mitigating the risks they create? Leesa Soulodre, RL Expert’s chief reputation risk officer, suggests several avenues to explore.

“Implement an early-warning system to increase transparency and monitor risks and issues in all tiers of the global supply chain, and ensure a life-cycle risk management approach,” she says. “Point-in-time analysis does not work. Reviewing a supplier not only when they are onboarded, but also on a daily basis throughout the relationship, will ensure that sustainability, security and reputation risk issues are identified early for risk mitigation.”

Tools for this measure include SAP, Oracle, WorldCheck, SmartWatch, RepRisk and SAS, says Soulodre. “Get the board and CEO on board,” she adds. “Leverage tone at the top to build an active reputation risk management and risk-aware culture around the importance of a responsible supply chain and CSR programme. Without this, tactical efforts will fail.”


She says it is vital that staff are educated on the programme and understand the consequences. “You need to ask, is this supplier’s activities legal, ethical, acceptable, defendable, sensible? If we make the decision to support this supplier, does this change who I say I am as a person? Does this change who we say we are as a company?”

Soulodre says all tiers of the supply chain must show zero tolerance of child labour, modern slavery, bribery and corruption, money-laundering and extortion. “This should be clearly articulated as part of the signed supplier code of conduct and checks for breaches must form a critical part of the ongoing factory audit process by a specialised and independent third party.”

In addition, risk managers must factor outrage and velocity into their risk assessment: “Implement a rating system and rate the supplier based on the audit result and what is published in the public domain. Understand their sensitivity to this topic as gauged by your risk intelligence.”

A red rating, for example, could be assigned when one of the audit requirements has not been met for critical risk issues and when stakeholder outrage is low.

“Make sure a regular audit cycle forms a part of the ongoing supplier due diligence programme, and records and results are located in a central place, easily accessible by frontline staff. Also, when an issue occurs in your supply chain, do not defer the blame to your supplier. Reputation risk is your responsibility and yours only.”

Soulodre says risk managers must accept accountability and demonstrate empathy to those affected.

“Explain the facts: who was affected, what was affected, when it happened, where it happened and why it happened. Articulate a clear action plan and timeline to address the issues and advise immediately once the risk has been contained.”

It is also important to collaborate with your supplier to achieve this objective, she says.

“Put them on notice, if they must be terminated. Live up to your promises to your stakeholders and demonstrate the steps your company has taken to ensure this will never happen again. Communicate. Communicate. Communicate.”

Once your stakeholders allow you to go back to business as usual, Soulodre says, then and only then can you address the liability and responsibility of your supplier.