[00:00:00] Speaker A: Hi everyone. New supply chain regulations are here and we're going to show you what to make of them. I'm your host, Bill Coffin and this is the Ethicast.
The EU's new corporate sustainability due diligence directive regulation will massively impact how organizations will manage their supply chains going forward. And the Ethicast is running a special four part series to give you what you need to know, not just to comply with this new regulation, but to use it as a blueprint for advancing your supply chain program to even higher levels of success. We have a terrific panel assembled for this discussion featuring Patrick Nates, CEO of Vector International, a business consultancy around responsible business with a special focus on esg, headquartered in Brussels, Belgium. Patrick is joined by Rob Bales, Director of sustainable supply chains at Control Risks, a global specialty risk consultancy headquartered in London, England. And they are hosted by Ethaseer's own executive vice president and resident supply chain expert, Craig Moss. And now, without further delay, here's Craig, Rob and Patrick.
[00:01:15] Speaker B: Hi, I'm Craig and I'm back with Patrick and Rob for session number two of Supply Chain Due diligence and its impact on your organization.
In this session, what we want to really start to think about is how do you measure what's going on, what is material to your organization and perhaps most important, how do you prioritize what to do based on the risk that you face from an environmental and a social standpoint in your supply chain? What we see now is that really companies have to establish some visibility into the supply chain. You have to know who the suppliers are beyond tier one. Ultimately, in certain segments, like in conflict minerals, companies are used to the idea of going all the way to the mine. In some of the apparel industry, companies are used to the idea of where did the cotton come from. But these ideas are going to become more prevalent in other industries as the new supply chain due diligence regulations take root and companies are really required to start to meet them.
One of the things I want to highlight before I turn it over to my colleagues is really the idea of the risk assessment piece of this. And good compliance programs, regardless of the topic, are risk based. You have to understand your risk because you cannot protect everything equally well. And understanding your risk is also how you can start to transition from where do we just want to meet the risk or where do we want to just minimize the risk to where do we want to sell at something and perhaps gain a competitive advantage as a company and an organization. So as we go through the discussion today, really be thinking about Prioritization one, gaining that visibility but then prioritizing what do you do in a breadth case across your whole supply chain and where do you go in depth in your supply chain? So with that I'm going to turn it over to Rob here. Let's hear a little bit from you about both supply chain mapping but also some of the work you're doing around helping companies to prioritize.
[00:03:29] Speaker C: Yeah, sure.
And I, and I, and I think Craig, you know that point around risk assessment and visibility is absolutely key because if you don't have visibility in the upstream supply chain, how do you, how do you expect to understand or identify and measure and quantify the risks?
[00:03:45] Speaker B: Right.
[00:03:46] Speaker C: So what's not, what's not measured doesn't get managed. What's not visible doesn't get managed. So that's really the reason for traceability. Traceability data is not an end. Collecting that data is not an end in itself. It's you collect that data to serve a purpose. And you know, and in this case what, you know, what the regulations are driving at really is that that purpose is to reduce, manage and mitigate the negative upstream impact, both social and environmentally.
There are of course across, you know, many of these different regulations, quite a lot of, there is quite a lot of difference in nuance in terms of what they are asking for around supply chain mapping traceability. So there's no one specific requirement that is telling you across all legislations how far back in the supply chain you need to go, where you need to go. Right. That that really is for companies to interpret, you know, so thinking about the German Supply Chain act for example, just to throw kind of sprinkle a few examples in here, the majority of the focus of that regulation is tier one suppliers. But it does clearly state that if there is allegation or evidence of a non compliance or a violations social environmental, then the company should be required to then trace and look upstream.
That's a different prescription to what the EU deforestation due diligence is asking, that is very specifically asking companies to trace commodity flows back to the production unit and all the plot of land. So it's a very specific requirement around geolocation which again is different from what you see, let's say from the EU Sustainable Batteries Directive.
And the Sustainable Batteries director talks about the need for controls and transparency and the chain of custody system to identify upstream actors. So you can see there's all these sort of variations that are being asked. But I think undoubtedly the direction of travel is towards traceability and transparency. But the Key point is, and I think if any company was asking for our advice and counsel on this, it would be the risk based approach, right? So it would say regardless of, you know, obviously you need to look at each regulatory set of requirements, but what you need to do is understand where your biggest risks are in the, in the supply chain and that's where you put your traceability effort. So you don't need to trace every single link in the supply chain back to origin for 30,000 tier one suppliers, which we know, you know, some companies can have that volume of supply. You don't, you don't need to do that. What you do need to do is focus on your highest risk categories and raw materials and that's where you need to trace back upstream, just making sure then, you know, speaking to that point around prioritization that you need to then look at that next step, which is, well, where is my biggest risk and what is it that I need to do to do that risk prioritization exercise. And you know, we can talk about more on that. I'm sure we will in subsequent sessions. But that, that, you know, that's really a case of, you know, and it can be done in multiple ways, drawing upon different data sets that sit in the public domain, which can provide, you know, the necessary data to speak around inherent risk or potential risk in certain geographies. You know, we know that jurisdictional or national level country ratings are available on different categories of risk.
And what we see a lot of companies doing is combining those with materiality assessment information, stakeholder engagement data and or combining that with things like criticality and sort of running that through a weighted model to say, well, look, these are all of the impacts and issues that we potentially have. But based on the data and our models, we can say that our high risk is 10% of that and that's very achievable.
[00:07:58] Speaker B: You know, you brought up a couple of points and one of the things that I see with some companies is they don't have centralized procurement or purchasing. So that creates the complexity for a company is if I'm a purchasing person for department A or business unit A, I might not even know who the suppliers are in business unit B. Patrick, what are some of the challenges that you see in supply chain mapping Both at Tier 1 and then beyond that, and you have so much experience in this field.
[00:08:29] Speaker D: Also, let's start with the term supply chain mapping. I think there is two elements in that terminology that kind of mislead everybody to think of something while it's actually something Else. Let me just start with supply chain. It isn't really a chain, is it? I mean, it really is. More clusters were constellations as you and I have talked about, Craig. Right. They are not linear, they are highly complex. And a particular supplier can be at the same time a tier 1, a tier 2, a tier 3 and a tier 4 to the same company.
That's some of the complexities that supply chain mislead people to think it's a linear flow. I think the second thing that is somewhat misleading in that terminology, supply chain mapping is a map, is a pretty static thing where at least it's very slow moving. But supply chain and business is dynamic. It changes us literally every single day. It is transactional and it's temporary in nature. You know, when you think about the buying function, it is a temporary function and as such your supply constellation is actually moving all the time. So it's much more like a video or a journey rather than a map. And I think we need to understand that first. I think the second thing is that in larger companies it is, as you said, very often different divisions have different procurement teams where different functions buy things. And therefore there is not a central repository. I mean, case in point.
We recently dealt with a case in Thailand, Myanmar, where the company was adamant it was not present, but yet it was somewhat present through one of their subsidiaries. And I say somewhat because it took literally about nine weeks of convincing to the corporate office that they actually were in that particular factory. It was buried down in one of the subdivisions. So I think that's a challenge. But let's go back a little bit with that identification of know where you are and what you do first. Temporary and transactional. Start, stop, start, stop. You know, most of the time buying is not a continuous item. Neither is the relationship with some of your suppliers. Then there is the complexity of what I would call the intermediary supply chain actors. A lot of companies decide to use business partners, sourcing agents, importers, exporters as intermediaries and they consider those the tier one. But then they do not ask their tier one to be transparent about the tier one to those intermediary actors, which confuses the actual where was the product really?
I think the next thing of course is what actually is your core product?
And that's an interesting question because the core product or where you could have a core impact is not necessarily the product that you put on the market. You have to look at what is the business impact that you have. And sometimes that business impact sits in services and those services can be offered remotely. Think about it. Service providers, think about help desk, et cetera, et cetera. Call centers. Those don't necessarily pop up, but they are significant actors for an organization that doesn't sit in what I would call the supply constellation at first glance. The other thing, of course, is generally the lack of standardization of terminology in between divisions of a company, but also between different companies. It's quite interesting when I talk about a tier one supplier and I talk to five different companies, I probably will get three different answers what that means. So, again, I think there is just a difficult level of standardization that we need to achieve first before we can begin to share data, which comes with yet another challenge, which is the reluctance to share information. A lot of organizations still believe that their suppliers is a competitive advantage to their particular business, while it is not. I mean, give me your country and give me a product and I will tell you in a week all your suppliers in the country. And out of a score of 100, if I get it wrong, you can deduct 2 points. If I score more than 90, it basically means you don't have a competitive advantage. I've done this now probably 30, 40 times in the last 10 years, and I've won the bet every single time. But still, companies believe that supply chain information is that competitive advantage. It is not. And then the last challenge with all of this, that throws even more complexity. And I don't like complexity. I like to simplify things. But I think we need to understand the environment is all the unauthorized work that is going on, unauthorized subcontracting, unauthorized raw material, sourcing, gray goods, et cetera. Finally, there's all the transition points in the product flow. When you think about, you know, we talked about earlier, conflict minerals. Conflict minerals that, you know, might already might originate somewhere in Africa, you know, being smelted in Thailand and eventually end up in the United States. Sometimes you forget that these actually have transit points in countries like Tanzania and Mozambique that have significant risks to them. So these are all of some of the challenges. So now we have a forest of complexity. And this is where I definitely, you know, second, both of you, which is we need to understand what is important and we need to understand what is the risk tolerance that we want to have as an organization before we dive further. Otherwise, you know, we get lost in the veracity and the amount of data we're going to collect. So then what do we do with it? We've got too much and we don't know what to do with it. Let's step back and let's identify what is core and what is a risk tolerance and then push forward to that point.
[00:15:34] Speaker B: I think that establishing an enterprise wide risk tolerance is a challenge for companies. I see many, many organizations where different departments have very, very different risk tolerance. And that's really a dangerous situation for a company to be in. That's part of the reason why doing the risk assessment and understanding how to prioritize based on risk is so important. And one of the things that I want to comment on here is right now, with the data availability, understanding the inherent risk of a certain company in your supply chain is relatively easy. Okay? You know that the inherent risk is there because they're based in a certain country. You know that they are. Maybe they use employment agencies. If it's a social issue, you know the kind of manufacturing process, you know that they're using hazardous materials in their metal finishing, you know, all these things that's relatively easy to get to today.
But inherent risk is really not what I think companies should be basing their ultimate decisions on, particularly with your strategic suppliers.
If you look, as Patrick mentioned, a lot of your suppliers are going to be transactional. They'll be 1, 1, 1 and done.
What I see companies doing and have been doing for a number of years is looking for key strategic suppliers. And in those relationships, it makes sense for you to actually invest the time and energy to help them improve their own internal ESG governance so that it reduces your risk. And the way to do that, in my opinion, is to go beyond thinking about inherent risk, to be thinking about residual risk. So I have the risk of a company based on what they do, where they do it, how they do it. But then I need to look at the maturity of the controls that they have in place.
Controls in place, if they have the policies, if they have the training, if they have done their own internal risk assessment, if they are using stakeholder engagement, all of those factors create a control or management system that is going to reduce their residual or leftover risk to them, but also to you. So increasingly, what I focus on with companies as you go up the maturity curve is to be able to understand residual risk of your suppliers and you can't do it across all of them. That gets into the breadth and depth approach that we mentioned in the first session. But you have to understand where it's really important to go in depth and where it's important to go in depth, you have to go beyond understanding inherent risk to really look at the residual risk based on the control maturity that companies have in place. Let me go back to Rob first and then Patrick, anything you want to wrap up on the topics of prioritization and risk from my side.
[00:18:38] Speaker C: I think one important factor to remember in all of this is around that drive for supply chain visibility is a lot of drive that's coming from other business functions as well, which is really around the business case for traceability and supply chain mapping data. And of course, all that's driven by issues around supply chain disruption.
A lot of the supply chain root and branch problems that emerged out of COVID and then with geopolitical issues where companies are really struggling to get product through supply chain, raw materials through supply chains into products. So there's a, there's a real general direction of travel, as I've already said, towards traceability data, which I think is being, being underpinned by that business case now. And that's very strong. And that's, and that's a really, that's a really positive thing. But just on your point there, Craig, around the need to prioritize, you know, but look beyond inherent risk, I mean, that's really where the hard, the hard yards are, right? That's the residual risk. That's where you've really got to do the work. You've got to roll up your sleeves and you've got to engage with those suppliers.
And of course you have to prioritize because you can't, you can't invest that level of effort with, with every supplier. But that's really where the gains are, right? And if you can do that and you can get that right, then that's, that's when you're going to start meeting regulatory obligations, but also going beyond those to drive those positive impacts upstream.
[00:19:58] Speaker B: Patrick, anything you want to say to wrap up?
[00:20:00] Speaker D: I think risk is all about the residual risk. You know, it is about, you know, what controls do you have in place to manage that risk. Because ultimately that's what the OECD guidance and the different legislations are asking.
And when you look at managing that risk, you know, you are looking at controls, but you also need to look at the decisions that you take with that. And so again, I'd like to bring back, you know, do organizations really have an internal standard for risk tolerance? Because risk at the end of the day can be super scientific and mathematical, but in reality, risk is perception based. What I consider risky, somebody else might consider not risky at all, right? So a lot of it has to do with the perception of the individual that makes decisions. And in an organization, that is the perfect scenario to make completely different decisions. And to any outside audience, including the regulator, it would mean that you are situational rather than systemic and therefore that you are not necessarily diligent. So the definition of risk tolerance of, you know, is there something that we cannot accept and we need to fix before we continue? Is there something that, you know, puts it at a higher risk so, you know, we will descale or where those definitions of zero tolerance, significant, manageable, acceptable, unacceptable risk in an organization is critical for anybody that is involved in the decisions around supply constellations.
[00:21:57] Speaker B: Yeah, I agree completely. And the idea, as you and I talked about before and some of the work I'm doing at the Digital Supply Chain Institute is really looking at these constellations. We call them constellations of value because they are dynamic and the risk is going to change and somebody that's a competitor in one constellation could be a key partner in another constellation. So all of these things are dynamic. And we're now laying this overlay of ESG on top of these shifting business relationships. And to your point, you really need to understand companies need to understand the likelihood and negative impact of the different events that could take place from an environmental and social standpoint in their supply chain. And that's really how you start to build up that residual beyond residual risk, that risk tolerance. So with that, we're going to wrap up. Our next session is going to be looking at the internal changes that need to go on inside your company to be able to deal with this supply chain due diligence, both the regulations and the requirements. And then in session four, we're going to look at how that's going to impact your relationship with your suppliers. Thanks very much and we'll see you again soon.
[00:23:16] Speaker A: To learn more about how Vectra International can help you improve your organization's ESG performance, enhance your quality assurance processes and transform your business, please visit vectrainternational.com that's V E C T R A H I n t l.com and to learn more about how control risks can help you advance your ethics, compliance and governance programs, as well as a host of additional services, please visit controlrisks.com and finally, for a host of helpful resources to help you better understand and manage your supply chain due diligence process, please visit the Ethisphere resource
[email protected] resources I'm Bill Coffin and this has been the Ethicast for more episodes please Visit the Ethosphere YouTube
[email protected] ethosphere and if this is your first time enjoying the show, please make sure to like and subscribe on YouTube, Apple Podcasts and Spotify. Thanks for joining us. And until next time, remember, strong ethics is good business.
