OECD calls for increased focus on Outsourcing, IT and Supplier Risk


At a recent conference, the Twelfth Annual Corporate Accountability Conference, 12 June 2014, Cercle National Des Armées, Paris, Pierre Poret, Counsellor, Directorate for Financial and Enterprise Affairs at the Organisation for Economic Co-operation and Development (OECD), told the audience, referring to the OECD's Risk Management and Corporate Governance report, that "too often, in the enterprise, there was little or no board-level responsibility, with the burden (and oversight responsibility) [for risk management] effectively stopping at the level of the line manager". According to Monsieur Poret, the OECD's findings showed that companies' boards often played only a very limited role in risk management and that risk management standards were often set at too high a level, with outsourcing and supplier-related risk a key but much overlooked risk.

The report is the output of the OECD's peer review process which is designed to facilitate effective implementation of the OECD Principles and to assist market participants, regulators and policy makers. The process covers the corporate governance framework and practices relating to corporate risk management of the 26 jurisdictions that participate in the OECD Corporate Governance Committee. Its findings are based on general survey responses from participating jurisdictions as well as an in-depth review of corporate risk management practices in Norway, Singapore and Switzerland.

The report, which analysed both private sector and state-owned enterprises, found that "while risk-taking is a fundamental driving force in business and entrepreneurship, the cost of risk management failures is still often underestimated, both externally and internally, including the cost in terms of management time needed to rectify the situation." Risk governance standards tend to be very high-level. This limits their practical usefulness, says the OECD, as they should be more operational. And in the nonfinancial sectors, risk management is less prevalent. "Outsourcing- and supplier-related risks... deserve attention in both the financial and the nonfinancial sector."

The effectiveness of an enterprise's risk management culture can be critical to an organisation's success (or failure). The OECD lists accounting frauds (Olympus, Enron, WorldCom, Satyam, Parmalat), foreign bribery cases (Siemens) and environmental catastrophes (Deepwater Horizon, Fukushima) to demonstrate that the headlines are not restricted to the financial sector. These are cases where wrongdoing was compounded by corporate governance failure and deficient risk management systems, with company boards that failed to fully appreciate the risks the companies were taking (if they were not engaging in reckless risk-taking themselves).

The typical modern enterprise has a complex supply chain with a multitude of third-party and outsourced relationships. In the absence of an adequate risk management and assurance framework, says the OECD, reliance on these outsourced and third-party relationships can quickly contaminate the organisation, especially if "only lip service is paid to important parts of the company's value chain that are outsourced". A risk management framework should address all dependence on key suppliers or joint venture partners, with particular sensitivity to suppliers or other third parties located in countries that may follow different standards from the home country. Companies with diverse, global supply chains should operationalise strategies to cope with the risks which result from a lack of control over their suppliers and contractors spread out across various parts of the world.

Given high-profile supplier failures such as Satyam Computer Services (subsequently rescued by Mahindra Group, although not before several significant customers, including Merrill Lynch (now a part of Bank of America) and State Farm Insurance, terminated their contracts with Satyam), as well as headline-hitting events such as factory fires and a building collapse in Bangladesh, companies should ensure that third-party supplier risk management is given adequate resource and attention. This includes examining available insurance and other mitigation strategies such as dual sourcing, supplier assessments, contract compliance reviews, exit strategies and stress testing contractual remedies, where these have been negotiated, such as step-in rights and exit plans.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pillsbury Global Sourcing Practice | Attorney Advertising

Written by: Pillsbury Global Sourcing Practice
