Electronics OEMs are tackling a complex task in vendor management. They have to untangle a myriad of elements, from cost and delivery to compliance and risk management. They need suppliers that adhere to good practices around risk, human rights, sustainability, and more, yet many have little visibility into the real risks that exist. That's why audits are a critical practice before placing a bet on a certain supplier.
Just over a year ago, Dan Viederman, CEO of Verite, a non-profit consulting organization that helps multinational companies identify and solve supply chain and human rights issues, talked about his company's two-year study of labor conditions in electronics manufacturing in Malaysia. Viederman recounted the story of a Nepali man who applied for a job with a Malaysian electronics company, but only after he paid a fee of $1,266, which was nearly double the average annual income in Nepal. When the man arrived for work in Malaysia, he was faced with additional fees and realized that he had been deceived about his salary.
"Workers are being lured to work in factories producing electronic goods but have to pay a fee to secure the job," said Viederman. "After that, they are in debt and have to work to pay it off, sometimes being forced to surrender travel documents."
It is not only human rights issues, but also problems with quality, data, and security breaches that plague global companies, as evidenced by a MetricStream survey in which fifty percent of all companies surveyed acknowledged that they have faced challenges because of supplier non-compliance.
"What we find with companies that have many suppliers in their networks is that it can be difficult to complete all of these supplier audits with internal resources alone," said Tod Nybo, president of E3 Technology, an information technology and compliance audit firm. "In other cases, they lack the internal expertise to evaluate suppliers against compliance standards and to perform a thorough risk assessment."
Many companies can be helped if they obtain a better understanding of the risk assessment process when they evaluate suppliers, Nybo said.
"There is a tendency for companies to look at regulatory and other types of compliance as a one-time event," he said. In other words, you look at your company and at your suppliers, perform an audit, identify any gaps that need to be filled, correct these, and consider the book closed. "Unfortunately, this is a fundamental flaw in corporate risk assessment thinking because for companies to stay on top of their own and their suppliers' risks, they need to integrate compliance and risk assessments into everything they do," said Nybo.
A good example—and a difficult one for companies that are competing in aggressive markets like electronics to resist—is the drive to get a product to market quickly, and to leave the gaps in the process (like compliance and risk assessments) until later. "Actually, companies can save themselves both time and risk if they incorporate risk assessments into their product timelines from inception," said Nybo.
Another mindset that companies often lack is the recognition that risk is almost always underestimated, especially when you are dealing with many suppliers across many geographies.
"In the post-9/11 environment, there is a great deal of regulatory activity and also significant advances in security and data protection technologies, but the reality is, if you or your suppliers are targeted, you are likely to get breached if there is enough incentive for someone to do so," said Nybo. "There are many different avenues of attack, and it is difficult for either a company or all of its suppliers throughout its supply chain to have security controls in place for all of them."
Nybo advocates a system where companies are already prepared with plans of mitigation and risk containment if a supply chain breach occurs.
"A combination of having good detective controls with a plan in place to deal with incidents so you can recover quickly is critical," he said. "It's also important to analyze your suppliers to see which are absolutely vital to your products, what levels of access they have to your information, and what their levels of compliance and security are. ... Some of the important areas to check are understanding how data flows back and forth between your company and a given supplier, what the terms of your business agreement are, whether the supplier has liability insurance, and if the supplier has had any security breaches."
So if lagging supplier risk evaluations increase a company's exposure to supplier risk and compliance problems, what can companies do to stay on top of their suppliers and their supply chains?

Nybo counsels on first steps:
First, they should determine what their appetite for risk is. Different companies have different risk tolerances.

Once a company decides what its risk tolerance is, it should take steps to build risk assessment and mitigation into its business practices so that supplier compliance check backlogs don't build up.

Finally, companies should look internally. So many data breaches and points of entry into the enterprise occur because employees share passwords or open emails that they inherently trust, or don't understand the gravity of what they are doing. The companies that are really good at this have accountability for risk management and for company and supplier compliance at the highest levels of the organization. Employees are well trained in security and compliance procedures—and if a supplier is at risk or needs help, the company might also assist so as to secure that link in the supply chain.
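The checklist Nybo gives (which suppliers are vital to the product, what access they have to your information, their compliance status, documented data flows, liability insurance, breach history) and the first step above (decide your risk appetite, then keep the audit backlog from building up) can be turned into a small supplier risk register. The following Python is an added illustration, not code from the article or from E3 Technology; the scoring weights, the tier thresholds, the review cadence per tier and the four sample supplier records are all constructed assumptions that a real program would replace with its own policy.

```python
"""Supplier risk triage: added example, not from the article or E3 Technology.

Scores each supplier on the attributes Nybo lists, maps the score to a tier
relative to a company-chosen risk appetite, and returns the suppliers whose
audit is overdue for their tier, highest risk first. All weights, thresholds
and sample records below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed weights: contribution of each attribute to a 0-100 risk score.
WEIGHTS = {
    "vital_to_product": 25,
    "access": {"none": 0, "limited": 10, "sensitive": 25},
    "compliance": {"passed": 0, "gaps": 15, "unaudited": 25},
    "breach_per_incident": 10,      # capped at 20 in risk_score()
    "no_liability_insurance": 5,
    "data_flow_undocumented": 10,
}

# Assumed review cadence (days) per tier: riskier suppliers are audited sooner.
DEFAULT_CADENCE = {"above-appetite": 180, "watch": 365, "tolerable": 730}


@dataclass
class Supplier:
    name: str
    vital_to_product: bool
    access: str                 # "none" | "limited" | "sensitive"
    compliance: str             # "passed" | "gaps" | "unaudited"
    breaches: int               # known security incidents at the supplier
    liability_insurance: bool
    data_flow_documented: bool  # is the data exchange with us mapped?
    days_since_audit: int       # use a very large number if never audited


def risk_score(s: Supplier) -> int:
    """Additive score of the supplier's risk attributes, capped at 100."""
    score = 0
    if s.vital_to_product:
        score += WEIGHTS["vital_to_product"]
    score += WEIGHTS["access"][s.access]
    score += WEIGHTS["compliance"][s.compliance]
    score += min(s.breaches * WEIGHTS["breach_per_incident"], 20)
    if not s.liability_insurance:
        score += WEIGHTS["no_liability_insurance"]
    if not s.data_flow_documented:
        score += WEIGHTS["data_flow_undocumented"]
    return min(score, 100)


def tier(score: int, appetite: int) -> str:
    """Map a score to a tier; 'appetite' is the highest score the company tolerates."""
    if score > appetite:
        return "above-appetite"
    if score > appetite // 2:
        return "watch"
    return "tolerable"


def audit_queue(suppliers: List[Supplier], appetite: int = 40,
                cadence: Optional[Dict[str, int]] = None) -> List[Tuple[str, int, str]]:
    """Suppliers whose last audit is older than their tier's cadence, riskiest first."""
    cadence = cadence or DEFAULT_CADENCE
    overdue = []
    for s in suppliers:
        score = risk_score(s)
        t = tier(score, appetite)
        if s.days_since_audit > cadence[t]:
            overdue.append((s.name, score, t))
    overdue.sort(key=lambda row: -row[1])
    return overdue


# Constructed sample register (fictional suppliers).
SAMPLE = [
    Supplier("Acme PCB", True, "sensitive", "gaps", 1, True, False, 400),
    Supplier("Box Packaging", False, "none", "passed", 0, True, True, 800),
    Supplier("Logi Freight", False, "limited", "gaps", 0, False, True, 100),
    Supplier("Sensor Co", True, "limited", "unaudited", 0, True, False, 10_000),
]

if __name__ == "__main__":
    for name, score, t in audit_queue(SAMPLE):
        print(f"{name:15} score={score:3} tier={t}")
```

With a risk appetite of 40, the register puts the PCB and sensor suppliers above appetite (they are vital, hold access to company data and have compliance gaps or no audit at all) and shows them overdue on the 180-day cadence, while the low-risk packaging supplier only surfaces because its two-year review has lapsed. Raising or lowering `appetite` is the single knob that expresses the tolerance decision Nybo describes.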
How is your organization tackling this important topic? Let us know in the comments section below.