On Jan. 27, 2009, Compliance Week and Integrity Interactive presented an editorial roundtable focusing on supply chain risks—both inside and outside of the organization. The discussion, which took place at The Harvard Club in New York, involved more than 20 compliance and legal professionals, who provided insights into today’s largest supply chain risks (think peanut butter) and offered up some tips for prevention. This one-of-a-kind roundtable was moderated by Editor-in-Chief Matt Kelly, and featured Integrity Interactive Chief Executive Officer Dave Curran, and SVP, Business & Legal Affairs Richard Cellini. The following article provides readers with an in-depth look at this discussion.

THE PANELISTS

The following executives participated in the Jan. 27 roundtable on supply chain compliance sponsored by Compliance Week and Integrity Interactive.

Harvey Ashman, VP External Affairs & Associate General Counsel, IMS Health, Inc.

Richard Breunig, Global Compliance Leader, General Electric

Thomas Buchberger, Chief Privacy and Security Officer, Aetna

Doug Cornelius, Chief Compliance Officer, Beacon Capital Partners

Kathleen Dimmick, VP Risk Control & Compliance, Liz Claiborne

Dorothea Duffy, Senior Director Audit & Control, Marsh & McLennan

Barbara Halpern Furey, SVP, Deputy General Counsel, Unum Corp.

Nancy Gilroy, Former VP, American Express

Mark Gordon, Founder and Director, Vantage Partners

Louay Khatib, Chief Compliance Officer, Aramark Corp.

Scott McLester, EVP, General Counsel, CCO, Wyndham Worldwide

James Sanislow, Asst. General Counsel—Compliance, Chemtura

Lillian Servino, Senior Director Audit & Control, Marsh & McLennan

Steven Sheinfeld, VP Administration & Controls, Rite Aid

John Soriano, VP Compliance & Deputy GC, Ingersoll-Rand

Matt Tanzer, Vice President & Chief Compliance Counsel, Tyco International

Daniel Walden, SVP—Compliance & Chief Privacy Officer, Medco Health Solutions

Richard Cellini, SVP, Business & Legal Affairs, Integrity Interactive

David Curran, Chief Executive Officer, Integrity Interactive

These days, compliance executives may be fretting about the risks posed by the people outside of their organization just as much as (or more than) the potential dangers from their own employees. With news like the recent peanut salmonella outbreak grabbing headlines, it seems those fears are well founded.

Little wonder then, that executives at a recent editorial roundtable on supply chain compliance sponsored by Compliance Week and Integrity Interactive said their companies are struggling to get their arms around the risks their suppliers may pose to their organizations.

Supply chain risks can be “anything that’s outside the four walls of your organization, anything that can bring your brand into ill-repute,” Integrity Interactive CEO David Curran told attendees at the Jan. 27 event in New York. That encompasses temp workers, distributors, brokers, joint venture partners, “anybody who can implicate you in something, particularly in ethics and compliance,” he said.

Companies face heightened regulatory and legislative pressures these days, not to mention serious reputational risks from the third parties with whom they do business. New amendments to the Federal Acquisition Rules that take effect March 12, for example, impose new far-reaching ethics and compliance requirements for virtually anyone who does business with any agency of the federal government.

For that reason, Curran said, “It will become ordinary course for organizations to have [supply chain risk] as part of the repertoire of risks they need to address and mitigate.” For some multinational corporations that outsource major functions or that have workforces comprised mostly of non-employees, he warned that the supply chain could be a potential powder keg of risks.

The FAR amendments explicitly push requirements for ongoing compliance programs and internal controls out into the supply chain to prime and sub-contractors, noted Richard Cellini, Integrity Interactive’s senior vice president of business and legal affairs. But Barbara Furey, chief compliance officer and deputy general counsel for Unum, summed up the problem simply: “It is impossible to know whether all of our third parties are always doing what they’re supposed to be doing.”

For companies in the healthcare and financial sectors, privacy regulations pose a huge hazard. Furey and others said preventing privacy breaches that arise just from simple human error, let alone nefarious activity, is a major challenge. Even when companies use all available methods to ensure third-party compliance—careful selection, contract provisions, training, monitoring, surveys, research, auditing, and certification—“You can’t reach and control everyone all the time, so you have to try to focus on the highest risks,” she said.

Identifying and properly vetting all of their various suppliers emerged as a major concern for the compliance and internal audit executives gathered for the event. Matthew Tanzer, chief compliance counsel for Tyco International, noted that his company has tens of thousands of suppliers. “We’re working to cull that list to identify the really risky ones,” he said.

Like many organizations, Tyco has undertaken huge global projects to evaluate all of the third parties it does business with around the world—primarily agents, distributors, and resellers. Tanzer described the goal as “to know who they are; to make sure we have contracts in place with them containing FCPA certifications and other protective language; and to make sure they have passed our diligence screening process.”

The company is devoting “substantial resources” to the effort, Tanzer said. One of the biggest challenges, he added, is simply getting the information from the company’s numerous data systems around the globe.

Third-party dealers and distributors are also a crucial market strategy for GE Sensing & Inspections. Richard Breunig, global compliance leader for the GE division, says his team has had a project underway for more than two years to rationalize and prioritize the risks from those third parties. The company only uses distributors who’ve been approved through a third-party approval process that includes due diligence, compliance training, annual acknowledgement of its code of ethics, and written executed contracts. “This is a high-risk area for us from a compliance standpoint,” he said.

Few Global Standards

A number of executives participating in the roundtable lamented a lack of global standards for vetting third-party suppliers. Steven Sheinfeld, vice president of administration and controls for Rite Aid, wished that some independent authority—an industry association or external auditing firm, for example—could review suppliers for potential risks and somehow certify the reliable ones, so retailers could avoid the chore of hiring auditors themselves for every supplier they use.

Tanzer likewise said he wants to see an independent body like the International Standards Organization devise a “‘Good Housekeeping’ seal of approval for third parties.”

The problem most companies face is that “the supplier who’s truly risky is almost never the supplier you thought was risky,” Cellini said. Companies often assume that their biggest suppliers pose the biggest risks, so compliance teams devote their resources to that group, he said. But in reality, “It’s actually probably the opposite” case.

Then there’s the issue of getting the right information about your supplier, to make an informed decision about risk. “We find that 60 to 80 percent of that data [that companies gather on their suppliers] is actually wrong,” Cellini said. “Getting your hands on the right data isn’t a simple IT task.”

Some corporations offset the cost by imposing user fees on their suppliers in exchange for participating in the corporation’s supply chain, he added. “You don’t have to make the budget argument to your CFO if you charge a nominal annual fee to each supplier.”

Dan Walden, left, of Medco Solutions, and Louay Khatib of Aramark, center, consider a statement from Thomas Buchberger of Aetna.

James Sanislow of Chemtura and Barbara Furey of Unum listen to the discussion.

Curran noted that many companies try to mitigate supply chain risk by including language in their written contracts that requires suppliers to adhere to the company’s code of conduct. That’s a good idea, he said, except that many companies require adherence to a code of conduct that “either doesn’t exist, or that the folks in the compliance department have not seen.”

He recommended that all companies have a separate code of conduct that applies to their suppliers. “Put it in their language, and keep it short,” he advised.

Nancy Gilroy, an independent compliance consultant and formerly a vice president at American Express, said the whole process of identifying, assessing, and managing third-party risks “has to be a business imperative.”

“It has to have business sponsorship,” she said. Management support is crucial, because business units won’t want to spend a lot of money to assess and manage minimal risks.