The Management of Supply Chain Risk - A Compliance White Paper

Thomas Fox - Compliance Evangelist

Part 1 - Who is Assent Compliance?

In this White Paper, I explore supply chain data management with several members of the Assent Compliance team. We introduce the topic and consider the development of, and synergies between, several different types of compliance disciplines; the impact on organizations of compliance failures in this area; and some of the drivers for continued legislation and regulation in this area. I began with Matt Whitteker, one of the co-founders and Vice President, Growth, at Assent.

We began with the market need that Whitteker observed. Literally in a cab ride one day, a friend who worked for a nationally registered testing laboratory in Canada was describing how difficult it was to do supply chain consulting. The friend related how difficult it was to obtain solid, verifiable data on company suppliers. From this discussion, Whitteker had the idea to start a company around supply chain data management.

The next step was to recruit a software developer. They created a small software development company and built an application specifically around material compliance. The next step was to move to collecting data. From there, they moved to data management and supply chain data management programs. Out of this emerged a fully commercialized product compliance management suite. Assent started acquiring customers at a fairly rapid rate and, fast forward about a year and a half from there, won a major RFP with one of the world’s biggest industrial manufacturers of glass. Whitteker called this “the ESPN turning point in the company’s history or at least the first one”. Moreover, when the Dodd-Frank conflict minerals provision came into effect, Assent was one of very few companies in the marketplace that had a solution to collect and manage data on ethical sourcing.

One of the areas which has long intrigued me is the role of non-lawyers in conjunction with the type of services that Assent provides. Typically, a lawyer is not involved with the collection and storage of data. That role has typically been more in the bailiwick of a company such as Assent. However, merging the two skill sets can bring a much-enhanced overall process to supply chain management.

Whitteker said that a large part of the benefit derived from working with Assent is the value from the type of data collected. This enables legal or supply chain professionals, risk officers or procurement officers to more fully manage the data. It means as soon as it comes into the organization, they can run risk profiles on the data. If there is conflicting data, it can be identified and rectified. Whitteker says that with “any type of data we are collecting and managing, the overlaying value comes from the actions that you can take from it. And in many cases, you identify this exactly correctly. It is the legal and risk profile that you derive from the data which has been collected.” At the end of the day, it is the technology that underpins data management. But, more importantly, it empowers people to take legal actions, run the risk profiles or “decide whether they frankly want to do business with that supplier or not.”

I asked Whitteker about where Assent might be headed and he noted that the “vision for the future is one that we own the category of supply chain data management.” He believes that there should be a specific category carved out for this niche. The field is simply too massive a category and every single company from the smallest to the largest has a supply chain. The bottom line is that anything your organization purchases is through your supply chain. Assent strives to be the category leader for supply chain data management, both upstream and downstream. Collecting data from your suppliers, responding to requests for data and managing all the data is the trajectory that Assent is on, and it is one that the entity is really excited about.

Part 2 - Introduction to Supply Chain Data Management

What is supply chain data management? To answer that question, I turned to James Calder, Vice President, Compliance & Regulatory Programs, at Assent Compliance. We began our introduction of the topic of supply chain data management by focusing on the complexities of supply chain data exchanges. In my experience, and with the quantum of data generated by the supply chain, it is sometimes difficult to cut through the chaff and determine what is real and what is white noise. Further, while the complexity certainly is present, Calder noted it “is important to get data with respect to your supply chain as most companies are nowadays who are manufacturing products, with complex products in a complex supply chain that is typically touching on certain geographies all around the world”.

This dependency on suppliers is now a huge part of business risk, revenue and success. Calder said, “To mitigate any kind of business risk to achieve that business success, there needs to be clear access to the supply chain data and also ensure that that data is up to speed and the quality is up to speed. The complexity comes because you need to actually attribute certain qualities with every single supply chain data.” 

Calder described several different types of data that are critical in the management of the supply chain. He listed data that could relate to the quality of a business entity; individuals who are important within the business entity; and the material composition of products that are supported by a business entity. He also noted the data could be “related to the activities which occur around the production of those materials and parts supported by that business entity.” Literally, each one of those topics can determine if your product can be sold within a market.

But it also includes such data as whether your product is ethically sourced, whether your products are going to receive or be assessed certain duties, and even whether terrorists could import your product into a market. If you are sourcing products from a company which is on a sanctions list, it can create business risk. All this means the complexity of getting that data is significant because you have to map all those different data points from your supplier.

But supply chain data management is not simply the external data from your suppliers or even with whom you are doing business; you must map that data to your internal data qualities because typically it is not just a pass through of data. Calder noted this is because you are “taking all that data and then you have to roll it up with respect to all those parts and suppliers into the story you present to your prospective customers. This requires a lot of business intelligence. It also requires an understanding of your market need because just getting data and passing it to your downstream supply chain does not always represent the full story.” All of this means complexity in supply chain data management is significant because your organization may literally have thousands of suppliers that represent millions of parts and materials.

We next turned to managing the supply chain data. I asked Calder how a company thinks through managing that internally versus using an external third party, and what types of economies of scale a third party brings to the overall cost of managing supply chain data. He began by noting there are two costs, “the immediate direct costs which are incurred by your business to utilize your internal resources, your internal technologies and your internal understandings to collect this data, aggregate this data, and then communicate that data.”

However, beyond this direct cost, there can well be a secondary cost. This is the cost which occurs when your organization fails to adequately manage its supply chain data, which can lead to a market loss or reputation damage. Such failures could also lead to some type of enforcement activity which could translate into fines, product removal or loss of investor confidence if things are not done well. So those are the direct internal costs and indirect external costs. Now these costs are usually borne because of individuals “who are educated have a very strong vocational background or being dragged into sort of administrative activities which are not utilizing their core capabilities.”

The external supply chain data management entity brings a level of professionalism and expertise that is not typically available inside most organizations. This expertise allows the legal department, compliance department, supply chain or risk management professional to engage in activities which are not only better suited to their skill sets but also bring more value to their organizations.

Part 3 - Development of Supply Chain Risk Management

How did supply chain risk management develop? I found a surprising answer when I visited with Travis Miller, Compliance & Regulatory General Counsel at Assent Compliance. Miller had a very interesting and, indeed, unique perspective on the origins of modern-day compliance programs. He traces the origins of compliance through the US environmental movements, the first of which began in the 19th century as the conservation movement. This movement began around the eradication of such animals as the buffalo and carrier pigeons. It also included the creation of our national park system, which started in an attempt to respond to those and similar issues.

Miller identified the second big environmental movement beginning with the publication of “Silent Spring” by Rachel Carson in the early 1960s. There was increased awareness of air and water pollution. This led to the formalization of an environmental movement and such events as Earth Day, which is still celebrated. It also led to US regulatory responses, beginning with the creation of the Environmental Protection Agency (EPA) under the Nixon Administration. Additionally, Congress passed several key pieces of legislation including the Clean Air Act, Clean Water Act, and Endangered Species Act.

All of these US and global environmental initiatives led to the need for greater transparency in supply chains. Companies began to be required to disclose the chemicals and ingredients in their products. This type of transparency evolved in different directions, into such areas as conflict minerals. Of course, consumers played a role as well through their purchasing power and decisions. Many purchasers of consumer products did not want to purchase products which contained dangerous chemicals or damaged the environment. Miller believes all of this is “really the background that led us to where we are today and what is driving a lot of action and what’s really kind of garnered the ethos of the population.”

All of the above led to supply chain risk emerging as a business continuity risk. Investments in physical plants and facilities outside the US, along with other issues of sourcing, labor controls and business practices, have all become key risks in your supply chain. Yet when there is overseas manufacturing there may not be any way to regulate these dangers to consumers or end users. What Miller observed is that “in reaction to all of this regulators and policymakers started to think and they came to the conclusion that what we can regulate is the product and the supply chain which produces that product and the components that were used to produce that product.” It is from this perspective that a compliance response to “supply chain risk really started to develop and there has been a surge over the last 10 years.”

Miller said that by understanding how industry standardization has led to a series of best practices for managing supply chain compliance, you can see not only where supply chain compliance derived from but also where it may well be headed. He stated, “Everything you can think of from the chemical itself, to chemicals which are mixed together, to every single thing is produced from chemicals. It also includes the nut that goes inside the washing machine as well as the washing machine itself and all have disclosure initiatives”. Miller used the following to illustrate this point, “you have a bit of a diamond shape in the supply chain. There are a few people that do extractive. Next are those who turn the extractives into chemicals, which is a larger group. From there it goes into component manufacturing. And then those component manufacturers (also known as the Original Equipment Manufacturers [OEM]) then have to provide information. Basically, anybody that makes anything out of that washer or that nut, and they have to give you all the substance information you need globally.”

This means that every one of those OEMs is going to ask for information in their own format. A company could spend an inordinate amount of time responding to these information requests in non-standardized formats. A key component of supply chain risk management is taking these disparate forms of information and standardizing them across an entire supply chain or even industry. In this manner, there is one document that everybody can ingest or agrees is acceptable. Now you can communicate that to everybody and it gives you a fighting chance to be able to meet the requirements of all these various companies and all of these various industry sectors in silos.

This approach resonates with the business community because it ties two disparate strands together. First, it allows companies to not only understand their legal obligations but respond to them as well. It also allows companies to move forward in a more business efficient manner. Miller concluded by noting the real advantage of effective supply chain risk management is “you are going to save a bunch of time, a bunch of money, a bunch of internal resources and that’s really what drives the business community to take these types of industry standardized approaches and these types of decisions.”

Part 4 - Failures in Supply Chain Compliance 

We next consider the impact on organizations which sustain a supply chain compliance failure. I explored this topic with Jared Connors, Senior Subject Matter Expert, Corporate Social Responsibility at Assent Compliance.

We reviewed two significant compliance failures in the area of Corporate Social Responsibility (CSR) and in the product regulation arena. Connors related a very well-known case study in the CSR world that involves Nestlé S.A. and their shrimp boat fleets near Thailand. In this situation, Nestlé found labor rights violations on commercial shrimp boat fleets. The company came forward and determined it had to address these issues in its supply chain, even though it was not the company’s Tier One suppliers that had this issue. Nestlé moved to create a program to address these issues, gain transparency within their supply chain and make their supply chain aware of their expectations to comply with labor laws locally.

Obviously, this was in the context of modern-day slavery regulations but the company recognized it had a problem. To Connors, it is “a great example of a company who did probably the best possible job they could with addressing the risk issue because they opened their own kimono. They were willing to talk about what was going on. They were talking about what they needed to be able to do about it.”

The second example Connors cited was in the area of product recall. In 2017, Performance Designed Products, LLC, maker of Energizer-branded chargers for gaming console controllers, recalled 121,000 of its Xbox One 2X Smart Chargers after receiving reports about overheating devices. This story is not as widely known, “but for those of us in the materials compliance space, many of us probably recall this story a few years back where an organization had to go through a massive recall because of a substance violation.” He said the problem was in the product material which went into the console. He said what the fallout “really taught us was while an organization may have been gathering information from their suppliers, they may not have been gathering enough information or the right information. It was a wakeup call for companies in their materials compliance programs to say, what’s the right information I should be chasing and how should I be evaluating this?”

Connors said both examples spoke directly to questions such as “What are you trying to get out of your program? What do you view as successful? Is it simply just checking a box and having that response from a supplier that may not necessarily be validated? Are you actually trying to walk the talk here of what your Code of Conduct says?”

Interestingly, Connors pointed to the area of conflict minerals for another example of the direction ethical sourcing is taking. He noted there is a legal reporting obligation for conflict minerals to do with the sourcing of tin, tantalum, tungsten and gold. However, he has seen organizations go beyond what the regulation requires. This means they are going beyond these four minerals and saying to their suppliers they want fuller and more robust disclosures to help protect themselves and more fully fulfill their ethical obligations. A key reason is what Connors termed “the name-shame game” and companies want to get ahead of the curve now by putting in procedures to help control this issue and manage this risk.

We next turned to what a compliant process should look like. It begins with a risk assessment to see what your organization has in place or what it might need. Does it have a conflict minerals program, a human trafficking and slavery program, or a product regulatory program? From there it moves to a gathering of information on your suppliers in terms of their policies and procedures and gathering substance data from your suppliers.

You should move to have a management procedure in place, which lays out what you are going to be doing throughout the year. It also sets the next steps of the workflow, which could be either data collection or data analysis depending on how you gathered the data, whether it is directly or indirectly from your suppliers. Next, how is your organization going to set expectations for corrective actions, both inside and outside the company? What will the expectation look like and what will your company report on? Connors said, “These are really important aspects to understand, so you start with your management procedure. Go through your data collection analysis and your corrective, remediation phase. From there move into your reporting.”

We concluded by looking at what some supply chain compliance program reporting might look like. Connors began with some basic questions such as: “What does my reporting look like? What kind of KPIs am I going to try and set?” He then provided an example of a company which set an expectation that it was going to report on the results of its CSR survey. In this company’s opinion the results came back very poorly; however, because it was the first year of the survey, many suppliers were only just learning of the expectations. Here the answer might be that, rather than setting the expectation right off that your organization is going to publish KPIs on everything you gather from your suppliers, the focus should be on “planting the seed with your suppliers. Then ramping them up and helping them walk the path, holding their hand and taking them down the road to make these expectations are to make these changes. And that’s what’s really important for those in the most effective programs.”

The failures of supply chain risk management are becoming more costly in the realm of public reputational damage. The response is more efficient and effective risk management.  

Part 5 - Market Drivers for Continued Supply Chain Risk Management Development

Perhaps one of the largest challenges in the business world today is the impact of external stakeholders on business behavior. There has been a magnification through social media. This has led to a recognition that there are numerous external stakeholders that a company, even if it does not have to answer to them directly, must at least pay attention to in today’s connected world.

Miller believes that in many ways “it gets back to the corporation or a business purpose.” When corporations and businesses were first formed, they were supposed to be a social good. Yet through time, that ethos changed into more of a “continuous existence of the corporation, not simply to achieve a corporate good.” He feels that what is happening is a reaction to that, even “a very visceral reaction. In many ways that people are saying that corporations are not upholding their end of the bargain. Simply put they are not doing what they were originally intended to do and now people are expecting more of them.”

He believes that there is a large movement to go back to some of those requirements and the original purposes corporations were created for. This has become the driver behind a lot of new initiatives. Items that were once voluntary are now becoming mandatory through the implementation of a lot of rules, regulations, laws and market access requirements. All of this is particularly true in the supply chain and the CSR space.

Yet the other interesting factor is that in many ways this social drive comes not simply through regulatory enforcement, like fines and penalties for paying bribes in violation of the Foreign Corrupt Practices Act (FCPA), but rather in much more social areas, as a byproduct of our social media culture, generally referred to as “name and shame”. Miller related that even for corporations “so much of what we decided to do as people is really dictated by those around us and their perception. When the perception is that you are doing something negative as a brand or as a company, this can oftentimes be more catastrophic, at least as catastrophic as a very significant financial penalty.”

Miller believes that much like FCPA enforcement, which was quite light for 25 years, “you are probably seeing a very similar trend right now with labor practice violations.” He believes that it is “only a matter of time before either the law is changed to allow for financial penalties or that some clever policy or some clever enforcement authority finds a way to hold companies accountable for not doing anticipated they should be doing. As laws become more mature, I think you are probably going to see a lot of that coming about in the next several years.”

We concluded by considering whether there would be a move towards more of a public-private partnership in the overall fight against supply chain abuse and exploitation in all its forms. Miller believes regulators and policy folks are willing to say that business should be done ethically. The problem now is there is no single benchmark to hold companies against or even up to. Miller feels that it is up to business to take this step and initiate the conversation. It is not simply the regulators who are going to come up with ways to set expectations. Yet this can be done in a public-private partnership between business and government. Miller believes this is what formulates a better way that all businesses can operate. Such a collaboration allows a wide variety of companies to demonstrate, explain and share how they themselves are successful in the supply chain risk management arena. Miller concluded that it is “almost a race to the top scenario that gets created when policymakers and regulators collaborate” because they can demonstrate why the actions they are taking are so valuable.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Thomas Fox - Compliance Evangelist
