Supply Chain Risk Compliance - Deloitte

Mitigating compliance risk
Implications for global supply chains

The global supply chain compliance landscape is more dynamic today than during any other time in history. Increased stakeholder expectations, heavy fines resulting from non-compliance with environmental regulations, delayed market access due to complex global trade rules, and a multitude of overlapping product integrity requirements are common challenges organizations navigate. To manage supply chain compliance requirements efficiently and effectively, organizations need not only the knowledge, access to information, and ability to interpret the impact of existing compliance requirements, but they must also have the capability to scan the horizon for new and rapidly emerging requirements.

What is Supply Chain Compliance?

For the purposes of this white paper, “supply chain compliance” refers to organizational adherence to established guidelines and requirements that relate to each risk domain along the supply chain continuum, as well as to an organization’s ability to meet or exceed the expectations of its stakeholders with regard to sourcing, manufacturing and delivery of products. Guidelines and requirements can be in the form of:

- National, state/provincial and local mandatory regulatory requirements (e.g., REACH, RoHS, WEEE, etc.)
- Industry standards (e.g., ASTM)
- Bilateral and multilateral trade agreements
- Internal corporate policy (e.g., supplier code of conduct)
- Contractual obligations
- Customer and non-governmental organization (NGO) expectations.

Unique challenges exist with regard to effectively managing supply chain compliance risk. Such efforts involve close collaboration among functions within an organization and third-parties, including suppliers, distributors, brokers, and other intermediaries (e.g., freight forwarders). There are a vast number of requirements that must be monitored and adhered to in order to avoid disruptions to the supply chain, potential regulatory scrutiny, and negative impacts to the organization’s bottom line and reputation. An effective supply chain compliance program enables better control and visibility into the supply chain, allowing for smoother operations and the movement of goods.

Current Environment

In today’s global market, the lack of visibility into tier 2 suppliers, internal and external data dependencies, complex interpretation of requirements, and emerging unforeseen supply chain risks combine to create a challenging environment. Supply chains are dynamic by nature and the rapid pace of new product introductions, shifting third-party provider landscape, and global logistics and distribution disruptions further complicate matters.

Questions organizations should ask include:

How do we obtain information about our supply chain compliance requirements?

- Do we conduct due diligence of our suppliers and utilize analytics to obtain additional insights on supplier financial viability, contract compliance to service level agreements (SLAs), and third-party affiliations?
- How do we obtain data on product changes made by our suppliers at the material or substance level? Are bills of materials (BOMs), safety data sheets (SDSs), and bills of substances (BOS) complete, verifiable, and linked to our compliance systems (e.g., global trade, product safety certification and testing)?
- Do we rely on supplier certificates of compliance (self-completed acknowledgements of compliance) without independent validation? If we have a supplier verification program (i.e., executed by internal audit, the compliance function, or independent consultants), do we utilize a historically-based transactional approach, or a predictive approach using advanced risk analytics?
- How do we scan for emerging compliance requirements and interpret the impact?

How do we coordinate and communicate compliance requirements throughout our supply chain to enable effective execution?

- Do we have a collaborative, enterprise-wide process for communicating compliance requirements?
- How do we validate compliance execution, either by the business (i.e., operations and logistics) or third-parties (e.g., suppliers, brokers)?
- Do we clearly assign compliance execution ownership and communicate compliance requirements in an effective manner to ensure proper execution?
- Changes to product specifications and the introduction of new products require close coordination among all functions impacting supply chain compliance. Does our governance structure enable effective and efficient sharing of information between Research and Development, Engineering, Marketing, Compliance, and the Supply Chain functions within our organization?

As used in this document, “Deloitte Advisory” means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Compliance in a Dynamic Environment

The struggles companies face with managing supply chain compliance become more evident when taking a deeper dive into the core issues many organizations face.

1. Visibility and transparency: Today’s customers and regulators expect nothing short of complete transparency into the origins and composition of products entering the marketplace. As a result, most organizations require real-time information on supply chain activities. Knowledge of what is being purchased, the composition of foods and products (e.g., ingredients, substances, materials, or chemicals), product flow paths, and from whom and where they are ultimately sourced are critical elements of supply chain visibility and essential to supply chain compliance. Lack of real-time visibility into supply chain network nodes and transparency into sourcing practices leaves organizations vulnerable to failing to comply within the required timeframes.

2. Communication and collaboration: Ensuring constant engagement and linkage of individuals throughout an organization is imperative. Upstream decisions and potential changes to a product or package that are not communicated throughout an organization may present future, and sometimes hidden, downstream impacts. These events have the potential to negatively impact product imports/exports. Delays to market access are likely to occur, and with increasingly short product lifecycles, delays may result in lost sales or product obsolescence.

3. Execution: Regulators are increasingly scrutinizing compliance adherence by commercial enterprises, which can result in costly audits and fines. Ineffective execution by the business (e.g., implementing new labeling requirements) may delay normal business operations, require retooling, or result in unsaleable product, thereby amplifying the loss of sales, operational costs or product write-downs.

A supply chain compliance program is a key element of a broader enterprise compliance program. Linkages and interdependencies exist between an enterprise-wide compliance program and extended enterprise compliance risks associated with supply chains. Extended enterprise risk management is the practice of anticipating and managing exposures associated with third parties across an organization’s full range of operations as well as optimizing the value delivered by the third-party ecosystem. A harmonized and integrated enterprise compliance program – one that includes appropriate supply chain risk-management activities and controls – will eliminate redundant efforts, enable execution, and facilitate adherence to compliance requirements by the business.

Deloitte’s Enterprise Compliance Framework™

Supply chain compliance is an enterprise-wide responsibility, and collaboration is essential to effectively manage compliance requirements and minimize any disruptions to operations. Guidance from the compliance function(s), sustainability, quality assurance, engineering and the customs / trade group must be timely and actionable to enable effective execution by the supply chain function (i.e., supplier management, sourcing, operations, procurement, and logistics) and third-parties (e.g., brokers, third-party logistics providers, etc.). The Deloitte framework below illustrates the key areas of a supply chain compliance program that organizations should consider.

An effective compliance program should consider regulatory requirements, industry standards, organization codes, stakeholder interests, and leading practices. The framework highlights the elements of an effective enterprise compliance program (inner “wheel”), which should be designed, implemented, and maintained in a consistent manner to an organization’s supply chain risk profile (outer wheel).

[Figure: framework wheel diagram. Labels recoverable from the figure: Trade (Import/Export); Product Safety; Governance and Leadership; Risk Assessments and Due Diligence; Extended Enterprise Compliance; Testing; Culture of Ethics and Compliance; Case Management and Investigations; Standards, Policies, and Procedures; Training and Communications; Employee Reporting; Supplier Integrity & Social Responsibility; Security (Cyber & Physical); Logistics & Distribution.]

Compliance Program Framework Elements (inner “wheel”)

Governance and Leadership: Structures and processes through which the board of directors, executive leadership, and compliance professionals design, implement, maintain and oversee the ethics and compliance programs and foster a culture of ethics and compliance. This area also includes formal career-development plans and programs that help to position ethics and compliance as a key function within the organization.

Risk Assessments and Due Diligence: Processes to identify and prioritize ethics and compliance risks throughout the organization. These are thoughtfully designed programs to assign responsibility for mitigating identified risks and also include protocols related to screening new hires, particularly employees in positions of significant authority.

Standards, Policies and Procedures: A values-based, user-friendly code of conduct that addresses the key ethics and compliance risks. These are plain-language standards, policies and procedures that together create controls to address key ethics and compliance risk areas that face the organization.

Training and Communications: A risk-based ethics and compliance training strategy intended to educate employees about legal and policy requirements, raise awareness, and influence attitudes and behaviors. Systematically developed ethics and compliance training and communication plans are also included, designed to provide individuals with skills or information related to risks likely to be encountered in the execution of their responsibilities.

Employee Reporting: “Speaking up” programs composed of policies, procedures, and reporting channels for employees to ask questions and/or report potential violations or concerns without fear of retaliation. Such programs are often extended to an organization’s third parties or suppliers. These also include information systems for the collection of ethics and compliance related data and metrics from throughout the organization.

Case Management and Investigations: Case management systems that capture, categorize, prioritize and assign accountability with regard to ethics and compliance questions, disclosures, and potential violations brought forward by employees. This also includes formal protocols and procedures that clarify the principles and steps to be followed with regard to investigations across all issue categories.

Testing and Monitoring: Testing programs within the compliance and audit functions that address both the design and operating effectiveness of key ethics and compliance program elements and controls. This also includes the processes for the ongoing monitoring of key compliance risks and early warnings of ethics or compliance breakdowns. Mechanisms for leveraging the output of testing and monitoring activities for continuous improvement of the ethics and compliance programs are also present.

Extended Enterprise Compliance: Refers to a holistic, comprehensive third-party compliance program, which, by extension, includes the elements of an effective compliance program referred to in this section. A third-party compliance program helps an organization manage a variety of risk areas throughout the lifecycle of third-party relationships. This also includes a centralized and integrated approach to screening and vetting third-party business partners. It is critical that the integrated approach links the organization’s third-party compliance program to the broader ethics and compliance program.

Continuous Improvement: Protocols and procedures for helping to ensure that appropriate remedial action is taken following ethics and compliance breaches or failures. This also includes periodic evaluations and assessments related to the design and implementation effectiveness of the organization’s ethics and compliance program. Formal mechanisms for feeding risks associated with ethics and compliance failures into periodic risk assessments are also present.

Supply Chain Compliance Risk Profile (outer "wheel")

Most supply chains share common compliance risks, ranging from environmental compliance to product safety to anti-corruption. Each risk domain includes a host of sub-risk and domain-specific attributes that should also be taken into consideration.

Trade (import / export)

As emerging economies continue to experience explosive growth, manufacturers are finding lucrative markets for their products where none existed previously. However, with this opportunity comes a need to stay abreast of a wide array of complex regulations that impact where and how organizations do business in other countries. Similarly, companies bringing raw materials or finished products into markets often need to contend with a complex web of import requirements. A strong compliance program should include a formal process for identifying and responding to import and export requirements to ensure that regulations are met consistently across the organization.

Many organizations can benefit from implementing trade management databases and solutions that perform a range of functions, including:

- classifying products across all businesses
- maintaining a compliant and controlled repository for all sensitive bills of materials and classifications
- automating both import and export processes
- expediting customs clearance
- centralizing and controlling global trade and logistics.

Supplier Integrity and Social Responsibility

Many consumers and NGOs have been especially vocal about such issues as worker exploitation, additives in foods, and fair trade practices. These issues may fall under the umbrella of Corporate Social Responsibility (CSR). In this context, stakeholders are demanding, more than ever before, that companies be more transparent about the social impact of their business practices. As part of an organization’s effort to ensure integrity and social responsibility, guidelines requiring companies to report on employee related human rights, anti-corruption and bribery matters, conflict minerals, and other topics that impact their supply chain should be established and monitored.

Environmental Responsibility

Environmental regulations play a big part in supply chain compliance. Governmental agencies such as the Environmental Protection Agency (EPA) and Department of Transportation (DOT) promulgate regulations to which companies must adhere to avoid significant business impacts. Given the complex regulatory environment, the organization should create a centralized approach for sensing and assessing the changes or additions to the regulations as well as the impact to the organization’s supply chain to ensure proactive identification and execution to comply.

Product Safety and Integrity

Obtaining safety certifications is critical for manufacturers selling products in the United States. Certification and testing requirements have grown more stringent in recent years after a series of highly publicized recalls. A large array of agencies and regulatory bodies oversee product safety, certification, and testing, in addition to the safety of the work environments for manufacturing those products. A compliance program should include tracking and managing required certifications and supporting documentation that ensures products produced by the organization are compliant with all applicable regulations.

Security

As supply chains become increasingly tech-savvy, there is continued exposure to security threats both digital and physical in nature. It is critical to include within a robust compliance program a process for managing and monitoring cyber security threats and risks. By developing a comprehensive program, an organization can ensure that as its use of technology increases, there is a dedicated approach established to keeping the organization’s supply chain and related data secure.

Technical Regulations

The innovative use of materials introduces product design complexity that presents challenges regarding the identification and interpretation of technical regulations. Organizations require full disclosure from their suppliers to ensure proper product labeling, and compliance processes that document the rationale for how technical requirements were interpreted and implemented.

Labor and Employment

Companies continue to have a responsibility to source products that support fair wages and treatment for employees, as well as safe facilities. Companies are continually working to ensure their supply chains reflect the highest ethical standards. Including ethical sourcing as a component of one’s compliance program will help demonstrate the organization’s commitment to sustainable sourcing and product development.

Logistics and Distribution

Dynamic shifts in consumer behavior are present today and this relatively new, “right now” delivery pressure is requiring logistics networks and the supporting apparatus to immediately respond. In an environment where the way business is being conducted is changing seemingly daily, it is critical for organizations to have an understanding of their third parties' (carriers, 3PL/4PLs, etc.) compliance standards. As suppliers, distribution centers and consumption points shift, transportation providers need to ensure regulatory compliance is maintained.

The Path Forward — Mitigating Supply Chain Compliance Risks

The above areas illustrate some of the complexities organizations face in designing a supply chain compliance program, and the measures they can take to mitigate compliance risks. Companies are increasingly challenged to monitor and manage supply chain compliance requirements, and to minimize disruptions that can impact brand reputation, operational execution, and financial performance. Improved visibility, collaboration, and control over supply chain compliance execution are key outcomes of an effective supply chain compliance program.

Companies have several options when designing a supply chain compliance solution that fits their business model and corporate culture. Establishing a centralized collaborative approach to governing supply chain compliance, such as a virtual supply chain center of excellence (CoE), can be an effective construct for a global, matrix-based organization. Conversely, engaging a third-party to provide supply chain compliance managed services can be a cost-effective model for resource-constrained organizations that have limited compliance headcount or capability to implement process and technology improvements, since an outsourced model requires minimal to no capital investment.

Regardless of the approach taken, a properly designed supply chain compliance program will enable a holistic method for the organization to discover, prepare, analyze, and respond to existing and emerging supply chain compliance risks and requirements. Designing a scalable and flexible solution that leverages advanced analytics will enable organizations to adapt and proactively monitor ongoing compliance in today’s rapidly changing supply chain environment.

Contacts

For more information, please contact:

- James Cascone, Deloitte Advisory Partner, Deloitte & Touche LLP, 1 714 913 1056, cjcascone@deloitte.com
- Nicole Sandford, Deloitte Advisory Partner, Deloitte & Touche LLP, 1 203 708 4845, nsandford@deloitte.com
- Vanessa Vacca, Senior Manager, Deloitte & Touche LLP, 1 415 783 4711, vvacca@deloitte.com
- Maurice Crescenzi, Senior Manager, Deloitte & Touche LLP, 1 973 602 4183, mcrescenzi@deloitte.com
- Bryan Goshorn, Manager, Deloitte & Touche LLP, 1 312 486 4277, brgoshorn@deloitte.com

Additionally, visit our website www.deloitte.com/us/extendedenterpriserisk

About Deloitte’s Supply Chain Risk Advisory Practice

We help clients achieve their objectives by developing supply chain risk management programs that improve supply chain compliance, enhance assurance of supply and mitigate the impact of global supply chain risks.

Deloitte Ranked #1 in Supply Chain by Kennedy Consulting and Research Advisory

"Of the multi-service firms that deliver supply chain risk consulting services through supply chain, operations, and risk practices, the firm Deloitte achieves the greatest combination of breadth and depth."

"Deloitte has some of the strongest SCM capabilities in the marketplace. The SCM practice has both broad and deep functional capabilities. Clients appreciate Deloitte's hands-on, results-oriented approach."

"In addition to Deloitte's leading risk practices, Deloitte's supply chain and operations practices are not only the largest in the industry, but also can tout deep technical knowledge including, for example, food science and engineering experts."

Quote Source: Kennedy Consulting Research & Advisory; Supply Chain Risk Management Consulting, 2012 – 2015 Report; 2012 Kennedy Information, LLC.

This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. In addition, this document contains the results of surveys conducted by Deloitte or its affiliates. The information obtained during the surveys was taken “as is” and was not validated or confirmed by Deloitte or its affiliates.

Deloitte shall not be responsible for any loss sustained by any person who relies on this document.

Copyright 2015 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited
