Everyone makes mistakes. But have you ever made a $10 million mistake? 3M has.
In 2020, the retailer was fined nearly $10 million when their suppliers were found to have worked with an Iranian company. And the financial losses didn’t stop there: they had to spend even more hiring a new trade compliance specialist, revamping their sanctions training, control processes as well as finding new suppliers for that particular product.
Every business has to juggle a lot of priorities. On top of managing cash flow and balancing budgets, you need to source reliable suppliers to produce your goods. If you don’t have a strong supply chain, you could end up losing loyal customers and revenue.
We’ve found that using international suppliers is commonplace with American manufacturing companies. Our recent research study, The Murky Waters of Overseas Manufacturing, revealed that 64% of North American manufacturing companies use suppliers in Asia to produce their goods, for example. 25% said most of their international manufacturing was done in the UK or Europe, with 10% relying on Mexico and 8% offshoring to India.
When you work with international suppliers, what they do and how they conduct themselves reflects directly on your company. So, if one of your suppliers sources materials from a country that’s on a sanctions list or is alleged to use child labor to produce your goods, that will come back on your company. And it’s not just about sanctions and child labor – you need to monitor and manage your global suppliers against all sorts of other risks, including local regulations that cover employment, child labor, forced labor, health and safety, ESG, just to name a few. I’m sure it can be daunting to navigate through the weeds of supplier compliance. But as with most challenges, the most daunting tasks become manageable once you have a process and tools in place.
So, let’s dive into the world of supplier compliance and learn more about what your business can do to stay on the right path.
How well do you know your suppliers?
What is supplier compliance?
Let’s say your company is a clothing retailer. Like 43% of North American manufacturers, you might use suppliers in China to produce your clothing. Perhaps you’ve been using a supplier for the last year and have been happy with the production quality and timeliness of delivery of goods from that supplier. Yes, that’s something you should be looking for with a supplier. But it’s not the only thing that matters.
What if that trusted supplier has been using child labor to produce your goods? Sure, your company isn’t directly employing child labor. But if you choose to work with suppliers to produce your goods, you have to be able to confirm that your goods weren’t produced by children.
To get supplier compliance right, you need to constantly track and audit your suppliers to make sure they’re not engaged in unethical and illegal practices. That means keeping track of not only your direct suppliers, but the businesses that provide support and supplies to them. Every link in your supply chain needs to comply with local regulations where they’re based.
But it’s impossible for any person (or even team) to have complete knowledge of market regulations – sanction lists are being constantly updated and laws evolve to reflect the state of the world on a regular basis. There are currently over 30 active sanctions programs in the US. Some of these are country-specific, such as the sanctions against Cuba and North Korea. Others target specific activities, like terrorism and narcotics trafficking.
The types of regulations you should be focused on when monitoring and managing your global suppliers include:
Labor and employment laws: Are your suppliers paying their employees according to the local minimum wage requirements? Are their working hours in line with local regulations or are they working excessive hours each week? Fast-fashion brand Shein is currently under fire for alleged 75-hour work weeks.
Health and safety: The physical working conditions for every employee across your supply chain should be safe. Are the factory buildings your suppliers use to produce your goods in good shape or are they falling apart at the seams?
Child and forced labor: This one should be a no-brainer. Don’t use suppliers that use child labor or forced labor. The US and Canada have both recently introduced stronger laws against child and forced labor, which include hefty fines for businesses that get caught.
Anti-corruption and bribery: Make sure your suppliers aren’t engaging in criminal activity like bribery. In January of this year, for example, software company SAP learned this lesson the hard way when they were fined $222 million for bribing government officials in Indonesia and South Africa to win business. One of the ways you can manage this risk is to check your suppliers for political connections (screening against PEP lists).
International trade: Sanctioned entities are off-limits for your business. Remember the 3M case? It’s not the first and it won’t be the last time a company finds itself in hot water because its supplier violated sanctions – even if they didn’t mean to.
Data privacy: Your customers and your suppliers are entitled to the security of their data and to have it housed in a manner that complies with regulatory standards. This is especially important when you’re working with European suppliers, where GDPR laws apply. For example, when GDPR came into full effect in 2018, American online retailer Modcloth was forced to stop all operations in Europe.
Environmental, Social and Governance (ESG): This refers to scoring businesses in relation to their impact on the environment, social and governance issues. They should be complying with all local ESG laws. This is becoming more and more important to consumers. In 2023, for example, H&M was sued for “misleading” sustainability marketing. ESG guidelines try to make sure companies are operating responsibly and sustainably – exactly what you want your suppliers to be doing.
What teams are responsible for managing supplier compliance?
Remember, supplier compliance doesn’t just affect one part of your business. Its effects can be far-reaching – from compliance fines and revenue losses to negative media and damage to your brand reputation. So, it shouldn’t be the responsibility of just one person or one team. Teams should be speaking to each other, working from the same set of processes and guidelines and sharing and cross-checking information. This is the only way that you’ll be able to build a strong supplier compliance strategy that actually works.
The teams involved in supplier compliance should include:
Compliance: Let’s start with an easy one. Companies who have the resources to do so should have an in-house team dedicated to supplier and customer compliance. This team will keep the closest eye on your suppliers, making sure that no regulations are being violated and communicating with manufacturers and suppliers. This team should also conduct both scheduled and surprise visits to your suppliers around the world to see if they meet your compliance standards.
Legal: The unfortunate reality is that when your suppliers violate local regulations, that can result in hefty fines, drawn-out legal battles and financial losses for your company. Your legal team should be working closely with your compliance team to mitigate these risks up front before they even happen. They should also make sure they contractual provisions to deal with indemnities and insurance to help soften the blow of fines. And of course, if one of your suppliers is found to be in violation of regulations, then both teams should work together to handle the case and minimize the damage to your bottom line and reputation.
Procurement/Supply Chain: Your procurement and supply chain teams are responsible for evaluating, qualifying and choosing suppliers that your company uses. So, compliance due diligence should be part of this process. But to ensure that you can ‘de-risk’ your supplier chain, diversity in procurement options is essential. The more international suppliers you use, the less you’ll rely on one supplier or area. That way, if a country suddenly lands on a sanction list or becomes unstable, you’ll have other options.
Operations: Your operations team is focused on making sure your business is running as effectively and efficiently as possible. If your production slows down, that means you can’t fulfill your customers’ orders and you could lose revenue down the line. So, if a supplier is found to be non-compliant, do you have a back-up plan? What would your company do in different “worst-case” scenarios? Your operations team should know the answers to these questions and have clear plans in place.
Finance: Some finance teams might think supplier compliance has nothing to do with them. It’s something the compliance, procurement and legal teams focus on, right? Wrong. Your finance team, including your CFO, need to be involved. Why? Because if a supplier is using child labor or forced labor, just as an example, you could end up losing a significant number of your loyal customers and the revenue they bring in. That means your bottom line is going to take a hit. So, you need to prepare for these scenarios and do the necessary forecasting and budgeting to
7 common supplier compliance mistakes
You can’t fix something if you don’t know why the mistake happened in the first place. Makes sense, right? The same goes for how you manage supplier compliance.
Perhaps you signed a supplier and things have been going well for the last two years. But in the third year of working with them, you discover that they’re using child labor to produce your goods. Or maybe your team hasn’t been fully aware of all the local labor laws and industry standards that your suppliers should comply with.
These are just a few mistakes we’ve seen companies make when it comes to managing supplier compliance. To help, we’ve outlined seven of the most common supplier compliance mistakes.
Mistake 1: Not understanding what compliance information you need
Your suppliers should be able to answer any questions you have about their supply chain and work environment. They should also provide you with a baseline of information you can use to assess your supplier. For example, a Certificate of Conformity (CoC) is required for products to be exported to many countries, such as food from Egypt. Before you work with a supplier, you need to have proof that they comply with all local regulations – look at things like certificates, customer data policies and whether they’ve been subject to any legal filings or negative media recently.
When you work with suppliers abroad, you need to familiarize yourself with the local labor laws. Your suppliers are governed by these laws, but that doesn’t mean that all of them follow them very closely. If something suspicious is going on, you’ll be able to catch it much more quickly if you know which laws the company could be breaking.
This is where a wide range of data is incredibly useful. For each company you work with, you should know:
Who they are and what they do (and how they do it)
Where do they get their materials from and where do they operate
Whether they have legal filings against them
If any officers in the company have been convicted of fraud, bribery, or other financial crimes
If any sanctions apply.
Mistake 2: Not having accurate information on suppliers
When you’re dealing with supplier compliance, things can get very serious, very quickly. We’re talking about things like forced labor here. So, you need to have accurate, reliable information about your suppliers on a regular basis.
We get it. Not every company has the resources, bandwidth or skillset to fully manage supplier compliance. But the stakes are way too high to ignore the potential risks. In most cases, medium sized organizations use legal teams and procurement can manage supplier compliance. But if you end up hiring outside help to manage supplier compliance (or a specific aspect of it), then make sure they have the right background, experience and track record. The last thing you want to do is hire an outside firm or consultant without the right experience or skills. That will just open your business up to more risks. And you don’t want that. Do you?
You also need to make sure the information you’re using is up to date. Sanctions lists are constantly being updated by the Office of Foreign Assets Control (OFAC). In fact, there are over 30 active sanctions right now with updates being made daily. Sanctions are there for a valid reason. So, your business needs to make sure you’re not using suppliers who don’t pay attention to them or are on them themselves. And if you’re using an outdated sanctions list from three years ago, you won’t know if one of your suppliers is in violation of the most current sanctions.
Keeping an eye on your suppliers is an incredibly important part of supplier compliance. But if the information you’re analyzing isn’t up to date and accurate, the decisions you make could have a lasting impact on your business financially and reputationally.
The good news is you don’t have to rely on manual work to stay up to date on supplier compliance. Using the right compliance software can automate a lot of the work for you. When your supplier compliance software monitors your suppliers and alerts you if anything changes, you can save time and resources managing your supply chain.
Mistake 3: Not having enough knowledge of local market regulations
Let’s say you use suppliers in India, China and Bangladesh, then you need to know and stay on top of the local regulations in those countries. Why? Because your goods are being produced by your suppliers in those countries. So, the laws of those countries rule. And if your suppliers violate those rules, then you could pay dearly.
Remember, supplier compliance is about checking every element of your supply chain – it's not as cut and dry as checking for sanctions and calling it a day. Your supplier compliance procedures should also include regulations like labor laws, health and safety regulations, ethics violations, environmental legislation, international trade laws, data privacy laws and anti-corruption and bribery violations.
Just a few examples of the regulations you may be dealing with include:
OFAC’s 50 Percent Rule, which states no entity can be more than 50% owned by a sanctioned person.
Laws against forced labor, such as the Uyghur Forced Labor Prevention Act, which restricts imports from Chinese suppliers thought to be using forced labor.
Rather than struggling to stay on top of the changes, your business should rely on a global, accurate, singular data source to inform your supplier compliance policy. Integrating your supplier information with a compliance database can set you up for continuous monitoring and compliance alerts that stay up to date – even if you don’t know when something’s changed, your compliance software should.
Mistake 4: Not knowing if a supplier has been sanctioned
It sounds like it should be straightforward – your suppliers have either worked with a company that uses materials from a sanctioned or unethical company, or they haven’t. Well, it’s not always that simple. Sanctioned entities can hide their identities behind shell companies and aliases, making it easy for them to continue to do business. If you’re caught doing business with a sanctioned entity, it doesn’t matter if you didn’t know who they were – you'll be fined all the same. Or maybe your supplier hasn’t been sanctioned – but if they’ve been doing business with a sanctioned entity, the pentalty for you is the same.
In 2019, for example, cosmetics brand e.l.f was fined $1 million for violating North Korean sanctions. Of course, an American company shouldn’t work with North Korean suppliers – but as far as e.l.f. knew, they were working with a Chinese supplier. They had imported eyelash kits from their Chinese supplier and found out after the fact that the Chinese supplier had used a North Korean manufacturer. Even though e.l.f. didn’t realize what happened until an internal audit brought it to light, they then self-disclosed to OFAC, which can limit the fine amount. Despite this, they were still fined $1 million. Now just imagine how steep that fine would be if they hadn’t run a compliance check.
Remember, what your suppliers do directly reflects on your business. You need to investigate your suppliers on multiple levels. It’s not enough to look at the company once or twice: you should be doing it continuously.
We found recently that only 32% of manufacturing companies surveyed run compliance checks on their international suppliers once a month. Increasing compliance checks on your suppliers helps you identify the potential compliance risks before they become issues for your company’s reputation.
Mistake 5: Not monitoring for changes in supplier compliance
Our research study The Murky Waters of Overseas Manufacturing found that 42% of businesses admitted they’d still work with an international supplier that was on a sanctions list or involved in corruption, bribery, fraud or slave labor. While that figure may sound shocking to many, the fact of the matter is that many companies don’t take supplier compliance as seriously as they should – and that can lead to huge problems further down the road.
Matthew Debbage, CEO of Creditsafe US and APAC, knows this all too well. “Many companies are simply running compliance checks to tick a box and show that they did the necessary due diligence. But they’re not using the results to protect the integrity of their global supply chains.”
We live in an age of cancel culture and supplier compliance plays a huge role in that. Think I’m exaggerating? Think again. Research shows that 25% of consumers have a “zero tolerance policy” for companies involved in unethical practices. On top of that, 83% of consumers would be willing to pay more for a product if they could be sure that it was ethically sourced. In other words, the price of poor supplier compliance can be high.
Mistake 6: Having a reactive supplier compliance strategy
Our research shows that 20% of businesses use 5,000 to 10,000 international suppliers. That's a lot of suppliers to keep track of.
What happens if your team has conducted several audits of a supplier and that supplier is employing children and isn’t paying employees the local minimum wage. If you’ve given them multiple chances to address those issues but they’re still in violation, you may need to terminate your relationship with them. That means you’ll have to find replacement suppliers to complete those orders – and they’ll need to do it quickly to meet your customers’ needs.
This is just one example of why it’s so important to have a reactive supplier compliance strategy that anticipates these issues and puts plans in place to minimize risks to your business. By being proactive, you’ll not only be able to protect your company from legal and compliance risks, but you’ll be able to optimize your supply chain operations so you can fulfill your customer orders and hit the revenue targets you set out at the start of the year. And part of being reactive is having compliance monitoring software in place that your team can use to check suppliers against sanctions lists, Politically Exposed Persons lists, adverse media and more.
Mistake 7: Not maintaining documented processes
You’ve done everything right – you've verified a supplier’s identity, checked to see if they’re on sanction lists, checked they aren’t sourcing materials from businesses in sanctioned countries and continued to monitor their actions to make sure they don’t pose a risk to your company. But can you prove it?
But if you don’t have a verified audit trail, you won’t be able to prove to regulatory authorities that you’ve done the necessary due diligence to minimize those risks.
When we surveyed manufacturing companies, 22% said they have no supplier compliance policies and procedures in place. That means that, if they’re found to be working with non-compliant suppliers, they won’t have a plan to fix the issue. So, they could be hit with fines and have to start from scratch to try and figure out how to stop it from happening again.
Instead of crossing your fingers and hoping things work out, do yourself a favor and document your supplier compliance processes. Since multiple teams are working together to create a strong compliance system, you need a documented process they can all follow. If your teams aren’t working together, or are working from different data sources, compliance issues can slip through the cracks.
Nileema Ali has more than 16 years of experience in senior compliance and risk management roles within the legal and banking industries. As a consultant for JP Morgant, Deutsche Bank and Wells Fargo, Nileema applies her compliance and risk management knowledge to help businesses make informed business decisions.