Third-Party Due Diligence: How to Measure Residual Risk Beyond the Checkbox

Craig Moss, Executive Vice President, Measurement, Ethisphere

Conducting due diligence on third parties has never been easy, but now, it’s more challenging than ever. Regulations and reporting requirements cover a wide range of risk areas from data privacy to forced labor to carbon emissions to corruption. Geopolitical tensions require quick shifts in supply chains, often compressing the available time to conduct due diligence. And the rapid acceleration in the use of Generative AI (GenAI) and AI Agents in supply chain management adds another layer of complexity across all risk topics.

If we step back and look at third-party due diligence holistically, there are eleven compliance and sustainability risks we see companies grapple with on a routine basis. It is a daunting list.

  • Anti-bribery / Anti-corruption (including fraud)
  • Conflict of Interest
  • Competition
  • Anti-money Laundering
  • Data Privacy
  • Intellectual Property Protection
  • Cybersecurity
  • Artificial Intelligence
  • Social / Labor Compliance
  • Environmental Compliance
  • Trade Sanctions & Export Controls

The Challenges

There are factors that make managing the risk challenging inside a company, let alone in a supply chain that can include tens of thousands of suppliers.

Every company has inherent compliance and sustainability risks based on where they operate, what they produce, who they buy from and who they sell to. Realistically, making big changes in inherent risks is difficult and can be costly. Collecting and processing a large amount of consumer data generates data privacy risk. Contracting production to factories in emerging markets generates social and environmental risk. And using sales agents to sell to government entities generates corruption risk.

Compounding this challenge, many companies fail to coordinate between internal departments, with each risk siloed in a separate department. Cybersecurity is an IT issue. Forced labor is a sustainability issue. Corruption is a legal issue. Each department specifically focuses on “their” risks, and each department goes to the third-party relationship owner (e.g., Procurement, Sales) with different due diligence priorities.

And in addition to such internal challenges, suppliers may sometimes resist committing to full transparency around their compliance and sustainability practices. Why should they share data that indicates they are not in complete compliance with a code of conduct? Why should they reveal that they are sub-contracting production to an unauthorized facility to meet aggressive production and delivery schedules?

Increasing transparency with suppliers is critical, but it requires effective internal collaboration. Suppliers need clear, consistent messages about compliance and sustainability priorities. For this to happen, companies need to openly discuss relative inherent risk levels across the holistic range of compliance and sustainability risks. Which risk topics are most relevant and material to the company? This type of inherent risk prioritization doesn’t need to require an enormous amount of time and effort. For some companies a risk assessment is an in-depth annual process taking hundreds of hours trying to quantify the probability and potential financial impact of an incident. But for many companies that isn’t possible, or even necessary.

Prioritization is the Key

What is necessary is prioritizing the aforementioned 11 compliance and sustainability risk areas so companies can focus on measuring the maturity of the management systems in place to manage those risks. Instead of spending more time and resources collecting data on inherent risk, companies need to focus on developing and implementing management systems and controls that reduce risk to a tolerable level. Remember, we’re talking about due diligence here, so the point is to think beyond inherent risk and gain an accurate picture of the residual risk of a subset of key suppliers.

Risk prioritization benefits both the company internally and its key suppliers. Namely, it enables supplier due diligence to focus on the most important risk areas, while resources can be spent assessing the management systems the key suppliers have in place to manage the most relevant risks.

Assessing Residual Risk

Program maturity assessments evaluate the management systems and related controls that are in place to manage the risks. The more mature the systems, the lower the residual risk. This is true both within your company and among your various suppliers.

A key supplier in a high-risk corruption country, for example, could have a lower residual risk than a key supplier in a low-risk corruption country. Why? The supplier in the high-risk country has mature anti-corruption management systems that have been developed over years of addressing the requirements of international buyers. The company in the low-risk country is a fast-growth company that hasn’t started to develop any type of compliance program.

Management systems have the same components regardless of the risk topic:

  • Core Program Elements:
    • Strategy & Goals
    • Policies and Procedures
    • Compliance Function
    • Risk & Materiality Assessment
    • Training & Communications
    • Monitoring
    • Corrective Action
    • Employee Engagement
    • Reporting & Disclosure
  • Governance
  • Third-Party Management

The key is to understand the existing maturity of each component measured against what is necessary – to know what good looks like.

Beyond Check the Box to Transparency & Improvement

Focusing on a subset of risks and suppliers provides a company with defensible logic around resource allocation. It can also shift the supplier relationship from an audit mentality to a collaborative improvement mentality, because you aren’t asking suppliers to do everything at once.

The result is increased transparency. More resources can be focused on improvement in key areas and less on auditing suppliers. Both parties benefit as management systems improve and residual risk reduces. Rather than a “check-the-box” activity that can encourage suppliers to “play the game,” the program maturity assessment establishes a baseline for improvement, and those results help prioritize what needs to be addressed.

The phrase “beyond compliance” has been around in compliance and sustainability for decades. Too often it was an idea imposed by a company on its suppliers. Too often it was used in a general, aspirational way. Focusing on specific actions to improve program maturity and reduce residual risk in targeted areas, however, provides a practical way to go beyond compliance.

In any organization’s compliance and sustainability journey, reporting plays an important role. But it is not an end in and of itself; it is a by-product. In many cases, reporting focuses on the activities and the outcomes, but not the maturity of the systems in place to achieve those outcomes.

Measuring program maturity and the resulting residual risk makes due diligence far more valuable. Instead of looking at the past, companies can use the data to learn from the past and impact the future.

Using the right data to improve compliance and sustainability management systems reduces risk across all risk topics and all jurisdictions. Remember, companies that leverage improvements in management systems reduce residual risks internally and in their supply chains to the benefit of all.