This week on the Innovation in Compliance podcast on the Compliance Podcast Network, I am running a special five-part podcast series with James H. Gellert, the Chairman and Chief Executive Officer (CEO) of Rapid Ratings International Inc., the sponsor of the podcast series, on managing Supply Chain risk. In it we looked at Supply Chain financial health and how it impacts Supply Chain risk management, the compliance function and overall business health.

Why is managing your supply chain risk so critical in today’s business environment? Supply chain risk management is a discipline that has been evolving significantly but still has a long way to go. Supply chain risk really means all third-party risk. These risks are getting more diverse from a geographic perspective as well as from a technology perspective. They can come from more aggressive mergers and acquisitions (M&A) activity, organic company expansion or an organization simply getting more creative with outsourcing and working with different kinds of companies for different solution sets. It also means that this group of third parties has the ability to impact businesses, both positively and negatively.

Too many suppliers can certainly be inefficient. This means that many companies are trying to trim down the number of third parties with which they are working. This could be through adjusting time or implementing lean types of philosophies around supply chain. This makes each third-party partner more important, and criticality is something that can be measured in lots of different ways. You should ask such questions as: “How much money do you spend on a company? How much access will your third parties have to company information? How much access will they have to your IT systems? All of these things have led to the evolution of a much more complex supply chain that people have to manage and they contain more risks.”

How is managing risk in the supply chain different from managing it on the sales side? Gellert began by noting that there is definitely overlap when looking at third parties. Yet the more sophisticated method is a 360-degree approach, which means looking at all aspects of the relationship. In the anti-corruption world, the focus has typically been on the sales side. But it can also “mean suppliers all the way through to customers and intercompany affiliates and so forth.”

Another approach from the compliance perspective has been to focus on knowing your customer (KYC). It is also important to recall that customer risk is inherently more transactional than supply chain risk, in part because of who is buying and who is selling. When you are selling to someone, you are evaluating their ability to pay you. In this situation an organization needs to make sure that the company is one you want to do business with, one that is going to be able to pay you on time and on the terms you have determined are economical for you. Conversely, when you are looking at suppliers, you are buying from them, whether it is a supplier of a product or a vendor of a service. You may have a five-year product cycle or a 10-year product cycle. If the suppliers your company is embedding into that portion of your business are not strong for the long term or are not resilient, then you have problems that you are baking into the ecosystem of companies with which you are working.

One of the frustrations for compliance professionals is that they do not know how far down the third-party or supply chain they should go to either evaluate or manage the risk. They may understand who to go to for a direct counterparty, whether that is their immediate counterparty, their first-party supplier or their first-party sales agent, and they may certainly understand managing that risk. The issue of how much farther down the chain a compliance practitioner should begin to look can be quite complicated, but that is where a technological solution can help.

The reason is that it is not just a first-tier supplier that may affect you; second-tier and third-tier suppliers in your supply chain may as well. One of the reasons it is so difficult for the compliance professional is that there are so many areas you must consider, which can include fraud detection, anti-money laundering, anti-corruption considerations and making sure that no one appears on a sanctions list. All of these things get exponentially more difficult as you go deeper into a supply chain, and the same holds for the people on the supply chain risk side who have been looking at delivery risk, logistics and other operational aspects, including finance and newer elements like cybersecurity. It gets really hard when you’ve got to go to your supplier’s supplier.

The bottom line is that there is not a really good answer for this, except that collaboration between a company and its first-tier supplier is essential to understand what the second- and third-tier supplier risks will be. Unfortunately, many times organizations do not even know who their second-tier supplier is for a particular good, product or service because the tier one supplier has been delivering fine and there has been no need to find out how or where that tier one supplier is getting the parts that it is bringing in. It really does start with collaboration and an understanding between the company and its tier one suppliers that understanding the risk deeper than that is going to be important and beneficial to everybody involved in that chain.

What is ‘criticality’ in the supply chain and third-party risk management? Gellert began by relating that the word “criticality” is used quite a bit in supply chain and broadly on third-party risk. He defined it, “as a means of defining for a company which suppliers are most important.” Yet he also noted it can be defined in different ways at different times. Historically, criticality was more about how much money was spent with suppliers. In practice, this meant the top spend suppliers would be the ones that were most critical. Conversely, suppliers where you were spending a small amount of money were seen as less important. However, Gellert cautioned that while such an approach is still an important part of defining risk management programs “it’s not the end of the story.”

He explained, “Criticality now really stretches out into a whole bunch of other topics, such as which third-parties, irrespective of how much money you spend with them, have the ability to disrupt your business if they are not performing for one reason or another.” Put another way, “Do they have the ability to sidetrack your business? Does it cause you a disruption that not only has a revenue impact on your organization, but may have a reputational impact on you? What about companies that may have access to your internal IT infrastructure and therefore pose security risks? They may not be a big spend, but they may have the ability to cause a cyber problem for you.” This means that cyber risk is one of the newest and most important risks that companies are focused on. Obviously, this means if a company uses, tracks and maintains private information of its customers or others, any supplier that has access to that information has another set of critical elements to it.

All of this means that supply chain risk is really an enterprise-wide risk. It includes sourcing: identifying what companies to work with, perhaps many possible ones, and then narrowing it down to the one you want to work with and moving forward with the due diligence. The next step is ongoing, continuous monitoring to ascertain that the suppliers can grow with the business. It is important that, through the ups and downs of business cycles, the supplier can withstand the shock and has the flexibility an organization needs to make the investments, and that the supply chain partner continues to be a good business partner. All of those are really important as companies align with the best possible partners. It is really valuable for the compliance professional to know that risk management is a part of a long, continuous process over the lifecycle of working with a company. Gellert stated, “It’s not just about doing something that’s a part of an onboarding process for really, there’s a lot more longevity and value that can be created when looking at suppliers and applying supply chain risk management best practices.”

One of the key reasons for the innovation of this approach is that, in the past, companies have tended to use payment scores and payment data from companies to understand whether they are good risks or bad. However, this can be seen as an “antiquated way now of understanding the health of a company. It is the first opportunity to be able to give people comprehensive coverage of really all of the suppliers that they work with or customers that they work with in a very quick, fast and very precise way.” A financial health review helps to make the risk management process more efficient in a workflow process. It does so at scale for companies around the world, in a very analytical way. This adds tremendous value to the entire process.

Check out the 5-part podcast series each day on the Compliance Podcast Network. If you are interested in downloading them all for binge listening, they are available on iTunes here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2019