[author: Alek Chance, Pacific Strategies & Assessments]
Risk and compliance professionals have long used enhanced due diligence (EDD) as an essential tool for identifying critical regulatory risks. Much of the time, key drivers of EDD efforts are compliance concerns such as those arising from the FCPA or OFAC regimes. However, as the risk and compliance landscape continues to evolve, business’ exposure to risks arising from sustainability, human rights, and social responsibility issues has grown.
Both internal and external factors are prompting risk management programs to take a broader view of the potential risks posed by third parties, suppliers, and other business partners. While it is no doubt challenging for risk management programs to pivot, it is important to remember that compared to other information streams, human-led due diligence research, ranging from desktop research to source interviews and site visits, is an agile resource that can screen for a growing range of concerns.
Regulatory Changes and Sustainability
In the past, sustainability and social responsibility as compliance matters often fell into the category of “soft law” involving the voluntary adoption of various internationally recognized standards. This is changing. With the Global Magnitsky Act, the US added certain human rights violations as subjects of its already robust sanctions program. In the UK, the first individuals targeted under the new post-Brexit sanctions program were human rights violators. New legislation concerning forced labor in supply chains is under consideration in Washington, and the EU is set to require larger companies to conduct due diligence on human rights and environmental issues along their value chains.
Other recent or forthcoming laws in France, Australia, California, the Netherlands and the United Kingdom impose varying degrees of due diligence or disclosure requirements on businesses to combat human rights violations or environmental destruction. These issues are not only more important from a compliance perspective, but they increasingly have the potential to cause severe reputational problems as well.
Evolving Views on Risk Management
ESG is another factor pushing towards more comprehensive risk assessments. ESG (the evaluation of environmental, societal, and governance issues associated with an investment or counterparty) is built upon the notion that sustainability problems in the value chain present real material risks in addition to raising ethical concerns. ESG was created initially as a concept to inform investment decisions. But because ESG assessment frameworks provide such a comprehensive view of risk, they can unify the concerns of many stakeholders under a single umbrella and provide the basis for a more integrated approach.
Expanding the Scope of EDD
Human-led EDD has long been the standard for vetting third parties or other businesses that present elevated FCPA or similar risks. But it is inherently agile, and with the right due diligence team, many of the research and investigative methodologies used to focus on anti-bribery or sanctions compliance can be readily adapted to focus on other issues in response to changing client concerns.
While FCPA compliance continues to be an important focus of EDD work, many companies are adding other issues to their lists of key concerns. The most common are human rights violations. But EDD reporting can—and routinely does—identify a wide range of increasingly relevant issues from a compliance perspective. This includes slavery, indigenous peoples’ rights, child labor, land tenure issues, trade in conflict minerals, war profiteering, environmental degradation, and many more.
Employing a Risk-Based Approach
Every third-party or supply-chain risk management program should ensure that its due diligence provider has the capacity to identify sustainability issues. At the minimum, desktop EDD research can be used to explore red flags or gaps within a counterparty’s voluntary disclosures.
A better way is to adopt a more focused risk-based approach which begins by mapping out problem geographies, sectors, and transaction types and then allocates resources appropriate to the degree of risk identified. A palm oil plantation in Sumatra presents different inherent risks for human rights and environmental problems than an app developer in Taipei.
Read: US Conflict Minerals Management: Is Your Supply Chain at Risk?
Getting started with a simple geographic or sectoral risk map may be easier than you think. Just as Transparency International’s CPI score or the World Bank’s Worldwide Governance Indicators are often used by risk professionals as a jumping-off point for identifying location-specific corruption risks, there are many valuable resources that can identify elevated sectoral or geographic risks for human rights and environmental issues. Depending on the situation, EDD methodologies can then range from records and media searches to collecting commentary from human sources, site visits, and deep-dive research in public documents.
Tapping an Underutilized Resource
To be clear, no EDD program can or should develop an ESG profile for a third party, supplier, or customer in the same way that an investor analytics firm does for a publicly-traded company. But as ESG continues to evolve into a unifying framework for thinking about risk and long-term resilience, it makes sense to use EDD to address emerging regulatory risks and the concerns of new stakeholders. Most large companies already have up and running programs that focus on FCPA or similar regulatory concerns. Wherever such programs are limited only to looking for “traditional” regulatory risks, they are probably an underutilized resource.
When so much information about prospective business partners or investments is derived from voluntary disclosures, EDD stands out as a source of substantive, independently verified information. It will only grow in importance if, as expected, more robust mandatory due diligence requirements start appearing in key jurisdictions.
Leverage Due Diligence To Strengthen Supply Chain Risk Management
View original article at Risk & Compliance Matters