Managing Third-Party Risk through the Integration of Corporate Responsibility and Sustainability Supplier Programs

Written by Barb Brown

What are the consequences of being in business? This is a question we often ask our clients as they consider compliance requirements, what standards they should set with regard to ethics and integrity, and how they manage their corporate responsibility/sustainability impacts.

As the world becomes flatter and technological advances accelerate, stakeholders are demanding greater transparency. They not only want to know what your company does, but what intended and unintended consequences occur in the world because you are in business. This translates into your executives having increased expectations for you (compliance, ethics, and corporate responsibility officers) to identify and determine your company’s greatest impacts and risks, both inside and outside your organization, and where those impacts occur across your value chain. Increasingly, the pressing need is a focus on third-party risk.

Leading companies, including those honored on Ethisphere’s 2014 World’s Most Ethical Companies® list, are demonstrating how they assess and actively manage third-party risks. These include retailer Gap, Inc.; consumer goods pioneer Colgate-Palmolive; technology giant Cisco; and international conglomerate GE. One way these respected brands are uncovering their third-party risks is by leveraging their sustainability reports as a management tool. All four adhere to the Global Reporting Initiative (GRI), the most widely used sustainability reporting framework in the world (full disclosure: BrownFlynn is the first US-certified training partner for the GRI and a GRI organizational stakeholder). GRI requires reporters to conduct a “materiality” assessment to objectively and systematically assess which corporate responsibility topics reflect the organization’s significant economic, environmental, and social impacts, or substantively influence the assessments and decisions of stakeholders, and, further, “where” those impacts occur.

Take Gap, Inc. and its approach to supply chain risk. Gap created its Human Rights Policy in 2010. The policy underscores the company’s longstanding commitment to respect and promote fundamental human rights in every aspect of its business. What does Gap mean when it says, “every aspect of its business”? It states that this includes not only its wholly owned operations, but everything across its branded apparel supply chain. Within Gap’s GRI report, they explain issues and impacts within their supply chain, such as human rights, and where in their supply chain these risks occur. The report cites new compliance issues such as the California Transparency in Supply Chains Act, stating, “to address this urgent issue, in 2012, we monitored 96.4 percent of the factories that produce our branded apparel, and we partner with expert stakeholders including the Interfaith Center on Corporate Responsibility, the Not For Sale campaign, the Responsible Sourcing Network, and the UN Global Initiative to Fight Human Trafficking.” Further, Gap dedicates an entire human rights section within its 2011/2012 Social and Environmental Responsibility Report to addressing specific actions and risks taken on these issues “where the impacts occur” in different geographic locations.

For multi-national conglomerate GE, within the GE Sustainability area of its site, the company discloses its approach to supply chain risk by stating, “GE’s Supplier Expectations govern all facets of the company’s relationships with suppliers, and include specific prohibitions against forced, prison, or indentured labor, and prohibitions against subjecting workers to any form of compulsion, coercion, or human trafficking.”

They go on to say that, “GE’s ethical supply chain program is multifaceted and risk-based. All suppliers must agree to comply with GE’s Supplier Expectations as part of our contracting process. We expect our suppliers to obey laws that require them to treat workers fairly, provide a safe and healthy work environment, protect environmental quality, and comply with prohibitions against forced, prison, or indentured labor…” GE prioritizes with whom they do business based upon detailed on-site assessments—in other words, “where the impact is occurring.” Their assessment takes into account the country where the supplier is located, the supplier’s past performance, and whether the supplier is producing parts or components that will be incorporated into GE products.

Colgate-Palmolive outlines the programs and tools it has to help ensure its suppliers are operating responsibly. It begins with Colgate’s Supplier Code of Conduct. Through both contracts and purchase orders, Colgate requires suppliers to abide by the Code’s standards, including applicable labor and equal employment laws, as well as environmental, health and safety regulations, and to adhere to the Foreign Corrupt Practices Act and Anti-Bribery Policy. Further, Colgate’s Supplier Responsible Sourcing Assessment program requires that suppliers complete an industry-standard self-assessment questionnaire focused on labor practices, health and safety, environmental management, and business practices. When suppliers are assessed as high risk, Colgate performs third-party audits of their facilities and now uses the assessment program as part of its supplier qualification process.

Colgate points to collaboration as one way it uncovers best practices with regard to third-party risk. Colgate is a member of SEDEX, the Supplier Ethical Data Exchange, which is the largest collaborative platform for sharing ethical supply chain data, as well as AIM-PROGRESS, a global industry forum to promote responsible sourcing practices and sustainable production systems. Through these platforms, suppliers share assessment and audit data with members, which often have the same suppliers in common, enabling members to gain information more efficiently and reducing the burden on suppliers.

The benefits of increasing transparency and addressing sustainability in the supply chain go far beyond managing third-party risk. Tech giant Cisco credits its supply chain work with allowing it to “build customer trust, reduce costs, secure continuity of supply, respond to stakeholder needs, and protect our brand. Collaboration with suppliers also encourages innovation to develop more sustainable products for our customers.” Cisco points to its materiality assessment as an important tool that they refer to throughout the year to guide strategic decisions in each of the three major issue areas: environment, society, and governance.

As transparency through reporting and third-party risks continue to take on increasing importance, compliance, ethics, and corporate responsibility officers must work together to conduct materiality assessments and determine what their greatest environmental, social, and governance risks are and where they are occurring, and put practices in place to manage them accordingly.

The Corporate Responsibility Topics graphic [see Figure 1] provides a broad list of the issues often discussed (and debated) in the sustainability field. There is no requirement to report on all of these issues, but there is growing demand from regulators, stock exchanges, and large buyers (e.g., your customers) for reporting on the most material issues.

The key to achieving efficient and effective results with a sustainability or corporate responsibility program comes from being focused. One way to stay focused is by utilizing a thorough process for assessing the most material issues, which is outlined in Figure 2. Such a process will not only help identify the most important and material issues within your organization, but also along your value chain—assisting you in identifying and then managing third-party risks.