Europe's Escalating Regulatory Framework: Mapping Efforts to Mitigate Supply Chain Risks.

On April 24, 2024 the European Parliament approved a law mandating large companies in the European Union to verify their supply chains for instances of forced labor or environmental damage, and to address any identified issues. The Corporate Sustainability Due Diligence Directive (CSDDD) was supported by a vote of 374 to 235, with 19 abstentions.

This directive requires companies to thoroughly audit both their "upstream" partners involved in design or manufacturing, and "downstream" partners responsible for transportation, storage, and distribution of products. Business organizations have expressed concerns that the directive will impose additional regulatory layers, potentially impose severe sanctions, disadvantage European firms compared to international competitors, and deter investment in Europe.

The rules, which were softened to gain acceptance from some EU members worried about excessive bureaucracy, will take effect in 2028 for companies with over 1,000 employees and a global turnover exceeding 450 million Euros. Originally, the proposal targeted EU companies with more than 500 employees and 150 million euros in turnover.

The law obliges companies to prevent, cease, or minimize potential or actual harm to human rights and the environment, including issues like child labor and biodiversity loss. It also necessitates remediation of any adverse impacts caused. Financial entities are required to assess only their upstream partners.

Additionally, companies must develop strategies for transitioning to a low-carbon economy. Penalties for non-compliance can reach up to 5% of a company's global turnover.

Despite adjustments, Germany did not support the final version of the directive. The EU’s largest economy had already taken more steps towards regulating corporate supply chains with its own legislation, the Supply Chain Duty Act or "Lieferkettensorgfaltspflichtengesetz," enacted in June 2021. This law, which targets companies based in Germany with at least 3,000 employees, is set to broaden its reach in 2024, lowering the employee threshold to include companies with at least 1,000 employees.

The German legislation applies to all types of suppliers, requiring companies to proactively monitor direct suppliers while adopting a more reactive approach to indirect suppliers, based on substantiated claims or incoming news of violations. It mandates the establishment of a risk management system, regular risk assessments, and the implementation of preventive measures to mitigate any adverse human rights impacts within their supply chains. Additionally, companies must create avenues for complaints, allowing rights holders and whistleblowers to anonymously report any violations.

Like the EU’s recent directive, the effectiveness of the German law will hinge on thorough implementation and the willingness of companies to adjust to these new regulations, ultimately pushing forward corporate accountability on a broader scale.

As we look across the Atlantic, in March 2023, The U.S. Department of Justice Criminal Division updated its guidance for the Evaluation of Corporate Compliance. Under its guidance for ‘Third Party Management’ is reinforced that a well-designed compliance program should apply risk-based due diligence to its third-party relationships. Under its subheading of ‘Management of Relationships’, it asks how a company trains its third-party relationship managers about compliance risks and how to manage them and does the company engage in risk management of third parties throughout the lifespace of the relationship, or primarily during the onboarding process?

So how can companies, not only in the EU, but around the world, ensure they are doing their part?

In choosing business partners Mercedes-Benz expects its business partners, such as suppliers and sales intermediaries, to comply with its Integrity Code and laws. Depending on the specific risk, they conduct integrity checks on business partners before entering into any contracts. The employees responsible for choosing the business partners are obligated to screen them to the extent allowed by law using a transparent selection process. This process ensures that potential business partners fulfill the requirements and standards of this code. Even after entering into contracts, Mercedes-Benz expect their partners to comply with these requirements. They undertake to base their actions on these values and continuously reflect upon them and these partners are urged to communicate the Integrity Code and the resulting obligations to their employees and suppliers.

Similarly, at Bosch, one of Germany’s largest multinational engineering and technology companies, mandate in their Our Code of Conduct for Business Partners that suppliers adhere to the universally recognized labor standards set by the International Labour Organization (ILO). This encompasses the prohibition of forced and child labor, ensuring non-discrimination, upholding occupational health and safety standards, fostering fair working conditions, and safeguarding freedom of association. Additionally, they expect their suppliers to commit to environmental protection and resource conservation. Like Mercedes, Bosch are vocal about requiring their partners to hold their own suppliers and other third parties accountable to these principles to the fullest extent possible.

Canada too has joined this fast-growing group of regions making supply chains a priority, bringing its Fighting Against Forced Labour and Child Labour in Supply Chains Act, also referred to as the Modern Slavery Act (MSA) on January 1, 2024.

Back in the United Kingdom, the recently introduced "failure to prevent fraud" offense under the Economic Crime and Corporate Transparency Act mandates significant changes for organizations in the UK. This offense, likely to be implemented sometime in 2024, could expand corporate criminal liability and simplify the prosecution of organizations for fraud committed by employees or third parties that benefit the organization. Again, we are seeing a global movement in training and third-party due diligence. This new provision could ask organizations to intensify their training efforts, particularly for employees in higher-risk positions. This includes detailed case studies within training materials to help employees recognize and understand potential fraud scenarios. The aim is to ensure that individuals are well-informed about the nuances of the offenses and the organization's specific vulnerabilities to fraud.

And for third parties, well, due diligence is crucial, such as agents acting on the organization's behalf. The Act will demand that organizations conduct due diligence not just for transactions and contracts but also for the ongoing monitoring of third parties. This could include integrating fraud due diligence into existing processes like anti-bribery and corruption checks.

Some broader requirements could see organizations asked to conduct comprehensive fraud risk assessments, potentially revising existing assessments to better cover outward fraud and implement effective audit and monitoring systems for fraud, particularly focusing on medium and high-risk third parties. Asking third parties to comply with your own policies and procedures, and even going the step further and requiring them to undertake training to ensure they are aware of your code of ethics may be a prudent risk mitigation exercise.

Overall, with the impending requirement for more structured training and rigorous third-party due diligence, organizations must prepare for a thorough overhaul of their current fraud prevention strategies to align with the new legal landscape set by the Act. This involves a proactive approach to training and third-party interactions, ensuring that all possible measures are taken to prevent fraud.

Also in January, the Financial Reporting Council (FRC) introduced the updated 2024 UK Corporate Governance Code (The Code), emphasizing the board's responsibility to manage risks, including those associated with third-party suppliers. Boards often lack a clear view of the risks and assurances provided by these third parties.

The Code stresses the importance of evaluating the quality of controls managed by third parties. Typically, third-party questionnaires are used to assess these controls, but they may not offer enough assurance to meet the new Code's standards.

In addition to companies performing stringent due diligence before engaging any key third-party service provider to ensure they have robust controls, they should also maintain a detailed inventory of these third-party suppliers to identify and assess their risk levels, to align with the recent Code updates.

Supply chain transparency and governance is a primary concern for investors. Wellington Management, one of the world’s largest privately held asset managers, stated that allegations of modern slavery in a company’s supply chain can result in financial losses, regulatory enforcement action, and/or lasting reputational damage. While every business is at risk of exposure to modern slavery, we believe companies can mitigate this risk through good policy, processes, and practice.

The recent reforms highlight the need for stringent oversight of controls by key suppliers but are organizations ensuring some of their higher risk suppliers are aligned with their own controls, code of conduct, or internal training?

Organizations have been performing Third-Party Risk Management (TPRM), and Third-Party Due Diligence (TPDD) for the longest time. But how should organizations up their game? Before we look at this, we need to understand the difference between the two.

TPRM is a broad, ongoing process that involves identifying, assessing, and controlling risks presented by third parties (vendors, suppliers, partners) throughout the duration of a relationship. This includes risks in areas such as cybersecurity, compliance, operational processes, and reputational impact. TPRM is continuous and aims to mitigate risks by implementing controls, monitoring third-party performance, and ensuring that the third-party aligns with the organization's standards and regulations on an ongoing basis.

TPDD, on the other hand, is often a component of TPRM but is generally a preliminary step taken before entering into a contract or relationship with a third party. It involves a detailed examination and assessment of the third party to understand the potential risks and benefits of the partnership. Due diligence includes reviewing the third party's financial status, business operations, legal compliance, and reputation. It's a critical phase to ensure that the collaboration will not negatively affect the organization’s integrity or financial position.

While TPDD is about thorough vetting before entering into a partnership, TPRM focuses on continuously managing and mitigating risks throughout the relationship. Both are essential for maintaining healthy, compliant, and profitable business relationships, but to ensure that your third party and supplier is aligned with your organization’s values and code, we should be offering our suppliers and third parties ethics and compliance training.

Training third parties and suppliers, especially key employees within those entities, on the same content your organization uses can be crucial to ensure alignment in values and messaging. It is now imperative that your vendor community understands the values and ethical behaviors expected of them, while representing your organization and providing your team the ability to audit vendor performance.

Charles Jennings and Lori Fena published a book called ‘The Hundredth Window’ that deals with computer security and privacy. The key premise is that if you have 100 windows and 99 of them are locked, you are 100% vulnerable thought the open window not the 99% secure. So, with the scrutiny/emphasis on employee compliance training, and ensuring 100% completion, why are we not looking to ensure our suppliers are also 100% compliant (or at least as near to 100% as we can)?

Third-Party and Supplier Training (TPST) should be the glue that connects these best practices together. Your 100th window lock.

Key Regulatory Risk Landscape in Supply Chain Risk 

 

Current Regulation

Effective

Key Requirements

Germany

Supply Chain Due Diligence Act - Lieferkettengesetz

2023

Companies with more than 3,000 employees (reducing to 1,000 employees from 2024) must establish risk management systems, take preventive measures against human rights and environmental risks, and establish complaint procedures.

EU

Corporate Sustainability Due Diligence Directive (CSDDD)

TBD

Companies with over 1,000 employees and turnover of EURO 450m are required to identify and prevent adverse impacts on human rights and the environment across their global supply chains.

UK

Economic Crime and Corporate Transparency Act ("Failure to Prevent Fraud" Provision)

TBD

Organizations would need to demonstrate that they have adequate procedures in place to prevent fraud by persons associated with them, similar to the "failure to prevent bribery" offense under the Bribery Act 2010.

USA

California Transparency in Supply Chains Act

2012

The law applies to retail sellers and manufacturers doing business in California that have annual worldwide gross receipts exceeding $100 million. Covered companies must disclose on their websites the efforts they undertake, if any, regarding audits of suppliers to assess compliance with company standards for trafficking and slavery in supply chains.

Canada

Fighting Against Forced Labour and Child Labour in Supply Chains Act - Modern Slavery Act (MSA)

2024

Companies based or doing business in Canada must detail the steps taken during the previous financial year to prevent and reduce the risk that forced labour or child labour is used by them or in their supply chains. They will meet two of the following three criteria for at least one of its two most recent financial years:

>$20 m or more in assets
>$40 m in revenue
>250 or more employees