Don't Sleep on Supply Chain Social Compliance Audits

Episode 223 October 29, 2025 00:17:20
Ethicast

Hosted By

Bill Coffin

Show Notes

In an increasingly interconnected world where supply chains have become multi-layered supply webs, the task of managing supply chain due diligence has become more important than ever. A key aspect of this is social compliance auditing, the manner in which organizations ensure that their partners and third parties are abiding by human labor law.

In this episode, Craig Moss—executive vice president of measurement at Ethisphere, director at the Digital Supply Chain Institute and the Cyber Readiness Institute, and board member of the Association of Professional Social Compliance Auditors—discusses the vital role that social compliance auditing plays within the larger effort to manage supply chain due diligence.

Further reading: “Using Social Audits to Refine Supply Chain Due Diligence” at www.dowjones.com

Free report - AI in Ethics & Compliance: Risk to Manage, Tool to Leverage: www.ethisphere.com

Episode Transcript

[00:00:00] Speaker A: Hi everyone. Today we're going to take a look at social compliance auditing and the role it plays within the larger effort to manage supply chain due diligence. I'm your host, Bill Coffin, and this is the Ethicast. In an increasingly interconnected world where supply chains have become multi-layered supply webs, the task of managing supply chain due diligence has become more important and more challenging than ever. A key aspect of this is social compliance auditing, the manner in which organizations ensure that their partners and third parties are abiding by human labor law. With us today to talk about this is Craig Moss, Executive Vice President of Measurement at Ethisphere and a director at the Digital Supply Chain Institute and the Cyber Readiness Institute. He is also on the board for the Association of Professional Social Compliance Auditors. Craig is a prolific thought leader, public speaker and author on the subjects of value chain holistic risk management and AI. His most recent byline with the Dow Jones Risk Journal is Using Social Audits to Refine Supply Chain Due Diligence, which takes a deep dive into how social audits are not just a one-and-done exercise, but provide a valuable data set that can lend crucial insights to the broader effort to identify and manage enterprise-wide risk. Craig, welcome back to the Ethicast. It's great to see you again, Bill.

[00:01:24] Speaker B: It's always a pleasure to be with you. Look forward to talking about it.

[00:01:28] Speaker A: To get us started, can you talk about why supply chain due diligence has become such a critical part of enterprise risk management and maintaining an enterprise's business continuity?

[00:01:39] Speaker B: Sure. I mean, if we look at supply chain due diligence, there's really a lot of different topics.
And the last, I think the last Ethicast I did with you, we looked holistically, we looked at the whole range of topics from corruption to cybersecurity to data privacy to social and environmental issues. So today we're going to focus in specifically on social compliance, labor rights, human rights in the supply chain. What we've seen here is there's an increasing number of regulations around the world. The German Supply Chain Law; in the US we have the Uyghur Forced Labor Protection Act. A lot of these laws are all based on the OECD due diligence guidelines. So what that did is kind of set up the stage for what does supply chain due diligence look like specifically for social or environmental issues. So within that construct, what companies need to do is they need to be thinking about the supply chain due diligence and its application to their most relevant risk areas. We talked about this in our last conversation. Social compliance, labor rights, human rights in the supply chain is increasingly an important issue. Right? There's a lot of forced labor that takes place in supply chains around the world. There are. Excessive overtime is an ongoing issue in a lot of nations around the world. So that risk is always there. And what companies need to be doing is to start to think, how do we start to manage that risk as part of an overall supply chain due diligence management system? And then how does that feed into our enterprise risk management? Example, just recently, Giant, the biggest bicycle company manufacturer in the world, had shipments held by U.S. customs. Because there was the possibility of suspected forced labor in their supply chain, that becomes a business continuity issue. So I don't want people just to think this is a regulatory issue. This also is a business continuity issue. And regulations have been driving the behavior of large corporate buyers to encourage their suppliers to put a better program in place.
So if you're a supplier, I'm working now with one large automotive parts manufacturer, tier one. The automotive OEMs are telling them, if you don't improve your social compliance management systems to manage your factories and your subcontractors, we're going to be shifting our orders to other people in the next two to three years. So it becomes really a central part of business continuity and really can become a competitive advantage for companies if they get good at this.

[00:04:28] Speaker A: Social compliance audits are frequently criticized as being episodic and incomplete and even vulnerable to manipulation. In what ways, though, does such criticism kind of miss the point of why we need social compliance audits in the first place?

[00:04:42] Speaker B: Well, you know, Bill, there are good and bad audits. There are good and bad lawyers, there are good and bad things in every doctors. There's good and bad in every profession. So social compliance audit is a profession. And within that profession, there are really three things that drive what I consider a quality audit that gives you useful data. So number one is governance of the firm itself. So what the audit firm itself, do they have the right governance standards or do they have the things in place that are preventing corruption and bribery, that are preventing conflict of interest? Those are really one of the foundational elements, is the governance of the firms that are conducting the audit. Part two is the professional credential of the individual. Social audits, basically, it is a person or a small team of people going to a factory or a farm or a warehouse. And what do they do when they get there? They're reviewing documents, they're talking to management, they're interviewing workers and they are observing what's taking place there. So if I could go to a factory, if I'm really lousy at interviewing workers, I'm not going to be getting good data from the workers.
If I'm good at interviewing workers, that can uncover a lot of things that take place there that are really critical findings. Document review is sort of an easier thing. Worker interviews is a really complex topic that it takes skill at. So those are the first two, governance of the firm, national quality and capability of the individual doing it. The third thing is really the rigor of the standard or code that they're auditing against. Right. We could have a really low code, send in a really qualified auditor to audit against it, and we're not going to get something that's really useful because the code or the policy that they're auditing against is really either too vague or too general or not really specific about things like age of the workers in the place, number of working hours, things like that. So it's really those three elements that in my opinion create a better quality audit. APSCA, where I'm on the board, Association of Professional Social Compliance Auditors, it's a mouthful. What they do is they help with the governance of the firms and they help with the qualifications of the individuals. Are really their two key roles to try to elevate the profession. Just like lawyers have to pass the bar exam, things like that.

[00:07:19] Speaker A: How would you recommend organizations embed their social compliance audits within a larger risk-based due diligence process?

[00:07:28] Speaker B: So let's step back here a little bit and so let's look at what does the OECD, what other guidelines recommend? So they want you to really do six things within a supply chain due diligence management program. One, to embed responsible business practices into how you operate. So now, right now I'm talking about your company, not your suppliers. You need to embed it in your policies and things like that. You need to identify and assess adverse impacts. What is our impact in the supply chain? Right.
Are we causing problems through creating like last-minute orders where we kind of know that somebody's going to be working like 100-hour weeks to try to fill the order? To cease or prevent adverse impacts, to track the implementation, to communicate how things are being addressed and to remediate. So if you look at the OECD guidelines, it goes way, way beyond the idea of due diligence. A lot of people, and especially when I talk more in the legal profession, due diligence is more of a process that is going through to do discovery of what's happening in a location at a certain point in time. OECD supply chain due diligence requires a full system, almost a continual improvement cycle where you're not only knowing but you're doing. So that's one aspect of it. The other piece here is if we start to look at so what, what does a company need to do to be able to build that system to meet the due diligence guidelines. There's really 11 things that we've identified. Supply chain mapping. You need to understand where the suppliers are, who they are, and that, it sounds easy, but it's not easy, right? If you're, if you're a global company and you have different business units doing their own procurement, you have different regional offices. I deal with a lot of companies, they don't even know all their suppliers. Part two, risk assessment. I mean, that's foundational in everything we do at Ethisphere, Bill, is risk assessment. Everything should be risk based. Strategy and goals: how are we integrating this into our corporate strategy? Policies and procedures is really foundational. Supply chain engagement: how are we as a company engaging with our suppliers around social compliance or environmental compliance? That's a key part too. Is it something that we actually are committed to and want them to do or is it a check-the-box exercise? Governance and oversight, pretty straightforward there.
Training and communication, not only internally, but at some point communicating with our suppliers about these issues. If it's just a one-and-done in the contract, a quick check the box, you give them a purchase order and you forget about them. That's not good. That ties into monitoring, then into corrective action and collaborative remediation. Here what we see in some industries is the idea of collaborative remediation. Because if you think about it, that factory, whether it's in India or China or Mexico or Brazil, probably has six to maybe 15 different large customers. So if all of us go in individually and ask them to fix things, that's different than if we go in collectively, all the buyers go in. So there tends to be now good industry collaborative remediation programs. Final two, stakeholder engagement. In the social compliance space, stakeholder engagement is really a critical part. Community workers, NGOs, all of these are part of the stakeholders in addition to the supplier and the customer and the regulators. And finally reporting and disclosure. A lot of companies, unfortunately, and this is the first article I wrote for Dow Jones, went into an over-reliance on using data for meeting reporting requirements, where I think that data should be used more and more to drive the remediation and create scalable remediation. And I'm going to be writing about that in a future article. So those are really, I know it's kind of long winded, but those are really the elements of a program a company needs to have in place. And then the other thing is if I'm the big multinational and I'm dealing with a large supplier, my supplier should have these things in place too because it cascades down: auto OEM, Tier 1, Tier 2, Tier 3 in almost every industry. In the electronics industry, you know, that same idea holds.

[00:12:13] Speaker A: A lot of companies treat social compliance audits as a standalone exercise that completely covers their supply chain due diligence.
I'm wondering though, Craig, can you talk about how companies need to connect their social compliance audit data with broader due diligence data across the enterprise?

[00:12:29] Speaker B: I think again, let's think about the role of the social audit. The social audit is sending an individual or a small team to a specific location. So if I'm a large enterprise and I have 10,000, 20,000, 30, 50, 100,000 suppliers, that's really not a scalable model. Right. Even if I'm joining a collaborative program, things like amfori or Sedex in Europe, WRAP or the Responsible Business Alliance in the US or Social Accountability International, they'll have audit sharing programs which help to try to reduce audit duplication. But even with that and the strength of the collaborative programs, it's really not possible to audit every factory and it's really not efficient. The other flip side to it is I've been dealing with factories in Asia that literally have 30, 40, 50 social compliance audits a year because each of their customers are sending auditors in. That's not efficient either. So what we want to think about is what is the actual role of the social compliance audit? If it's well done, and we kind of outlined what that consists of before, it really does provide really valuable data to all the aspects of the due diligence process. It goes from is our code of conduct actually being implemented in that factory? Right. Most companies now have a supplier code of conduct. That's the easy part. The real thing is, is it being implemented there? So auditors can collect that data. Two, they can start to identify issues that could, should be flagged for future investigation. The audit reports actually typically list what they call minor nonconformities and major nonconformities. So these are things that a brand or retailer can use to identify these minor things taking place there or are they major things that are really violating our zero tolerance policies.
It helps to then track baseline performance so you can collect this data and then track the performance of the supplier over time. The other thing is, audits often do act as a tool of stakeholder engagement because the worker interviews, they're hearing the voice of the workers, and in the social space, I think that that's really a critical element, you know, talking to the workers. How is it going for them? Are the policies actually, the company's policies actually being lived or are they just on paper? And then finally, the audits do recommend remediation so that auditor can come out of there and say there are specific remediation activities that should take place. It could be a policy change, it could be a training change, whatever it is. It could be ways to reduce harassment in the workplace. Audit reports, good audit reports also identify remediation. So they really cover the full spectrum of that factory or farm or facility. If I'm the big brand or retailer, I'm getting good data on one place, but if I have 20,000 places, that's a whole different issue. That's where a good supply chain due diligence management system comes into play.

[00:15:53] Speaker A: Well, Craig, this has been a really interesting and informative conversation. Thank you so much for joining us today and for giving this compelling look at supply chain due diligence and social compliance auditing.

[00:16:04] Speaker B: Thanks Bill, it's always a pleasure and I look forward to the next time.

[00:16:07] Speaker A: To read Craig's article Using Social Audits to Refine Supply Chain Due Diligence, please visit the Dow Jones Risk Journal at dowjones.com. It's the latest in a series of articles Craig has published and all of them are required reading. Leave a link to Craig's article in the show notes for this episode.
To learn how AI is transforming the state of the art in ethics and compliance, check out Ethisphere's latest report, AI in Ethics & Compliance: Risk to Manage, Tool to Leverage, which features an overview of AI regulatory trends, AI governance best practices, and compelling use cases from E&C leaders at Cargill, Palo Alto Networks and Verisk. To read this report for free, visit ethisphere.com. Thanks for joining us. We hope you've enjoyed the show. For new episodes each week, subscribe to us on YouTube, Apple Podcasts and Spotify. And if you don't mind, please follow Ethisphere on LinkedIn as well. Every like, comment and share helps us and our mission to make the world a better place by advancing business integrity. That's all for now. But until next time, remember, strong ethics is good business.

[00:17:15] Speaker B: It.
