A supply chain is only as strong as its weakest link. In 2020, Morgan Stanley Bank forgot this, put bank customer data at risk due to inadequate due diligence in vendor selection, and paid a $60 million fine to the U.S. Treasury.
To prevent goof-ups like that, companies need a water-tight vendor compliance program. In this article, get an overview of vendor compliance, learn the risks that come in its scope, understand best practices to mitigate them, and see how Certa's platform can help you achieve perpetual vendor compliance.
What Is Vendor Compliance?
Vendor compliance is when your vendors comply with all of the following:
- Your company policies: Your vendors are in sync with the overarching policies that support your business goals on aspects like innovation, customer satisfaction, and financial conduct.
- Your contractual terms: These are the legal terms that guide your business relationship with a vendor on a specific project.
- Local and international laws and regulations: Your vendors must follow all the laws and regulations of their legal jurisdictions and help you do the same in yours.
- Industry-specific standards and norms: The industry you're in will have standards, maturity models, and business norms to create a good business environment and sustain the collective reputation.
- Societal norms: Norms like environmental sustainability, health concerns, or non-discrimination are not legally mandated everywhere, but a vendor breaking them can invite reputational damage and customer backlash against you too.
Vendor compliance is often misunderstood as a one-time checklist during onboarding, but it must become an ongoing part of your business relationships. You should manage it through an effective vendor compliance program set up under a broader third-party risk management strategy.
Vendor Compliance Risks
What risks are we talking about, and why do they matter? The number of vendors and suppliers behind companies can easily be in the thousands to hundreds of thousands. For example, TotalEnergies' third-party supply chain has more than 100,000.
For such large networks, prioritization based on risk impacts is essential. Vendor compliance is not mere handwaving of some principles and hoping your vendors follow them in good faith. Instead, framing it in terms of risks and risk management allows objective techniques like qualitative and quantitative risk assessments to prioritize and enforce your compliance measures.
The nuances between vendors and suppliers also matter here. Whether as last-mile goods sellers or service providers, vendor relationships tend to be more short-term and transactional than those with your suppliers. That means vendors have fewer incentives to comply wholeheartedly, and you have less control over them.
But at the same time, society and governments may not bother with these nuances when holding you responsible. These ground realities add to your overall risk. Here are some vendor risks that your risk management strategy must prepare for:
- Misconduct risks: Misconduct, like financial fraud at a vendor, can reflect poorly on your business practices if it comes out in the media.
- Regulatory risks: Certain types of vendor misconduct like bribery, sanctions avoidance, businesses with politically exposed persons, labor exploitation, or failure to protect healthcare data fall foul of government regulations and invite government audits and fines on your business.
- Supply chain risks: Vendor issues like labor shortages and late deliveries can result in backorders, hit your bottom line, and lower your customer trust.
- Operational risks: These cover a wide swathe of risks to your business operations, like bankruptcies, vendor concentration, unpredictable freight costs, cybersecurity issues, poor quality of product packaging, data loss, and similar.
- Environmental risks: Environmental pollution by vendors, unsustainable practices, and long-term impacts of climate change on the vendor's location are all risks you must consider.
- Governance risks: These are risks arising from poor corporate governance practices of vendors.
- Economic risks: Your procurement and transportation costs may explode due to global economic factors like inflation, recessions, or foreign exchange volatility.
- Geopolitical risks: Political upheavals or armed conflicts in a vendor's country can impact their ability to deliver goods and services to you.
- Reputational risks: Reputational damage can accompany many of the above risks.
Identifying fine-grained risks in each of these categories will make your risk assessment, vendor management, and controls more effective and reduce the costs of non-compliance. We look at some best practices for vendor compliance next.
Best Practices for Your Vendor Compliance Program
How can you improve your vendor compliance policies? We'll explore some best practices below.
1. Set Up a Solid Vendor Risk Management Program
Vendor risk management comprises all the policies, processes, and tools to identify and mitigate your vendor risks:
- Tools like the vendor risk management maturity model help you plan your vendor management roadmap for the long term.
- Vendor risk assessments identify risk scenarios, describe risk impacts and their likelihood qualitatively and quantitatively, prepare vendor risk scorecards, and provide mitigation steps. They're essential for prioritizing your vendor risks by potential impacts.
- Derisking is a valuable outcome of risk assessments. If a vendor is too risky, you can mitigate a bunch of risks in one go by simply excluding the vendor.
- Have you awarded a contract to a vendor instead of a supplier or treated a quasi-supplier like a vendor? The vendor risk management tools above help you identify these mistakes. You can then negotiate new contracts or acquire a vendor as a supplier for better control.
- A vendor code of conduct enables your vendors to see from your perspective and modify their business practices to be compatible.
2. Strengthen Your Vendor Selection
A business stitch in time saves 9 million, perhaps. As in many other things, prevention is better than any cure when it comes to selecting your vendors:
- Vet your vendors through due diligence, background checks, financial analyses, and other risk intelligence. These are all part of vendor risk mitigation anyway but are worth emphasizing during the initial selection process itself.
- Diversify your vendors to mitigate vendor concentration risks.
- Set up all these processes systematically through automated onboarding workflows.
- Look for industry-standard certifications of your vendors. A vendor whose business has been certified by reputed standards bodies and external auditors is less risky.
- If you decide to end a vendor relationship, don't neglect your offboarding workflows. A dropped vendor increases your financial risk of getting a new competitor with insider knowledge and your legal risk of litigation. These must be avoided and pre-empted carefully.
3. Implement Risk Controls
Mitigate your operational and other risks by implementing a variety of risk controls. Here are some important ones:
- Make your vendor contracts water-tight by addressing every risk. Use contract lifecycle management tools to track the legal obligations of your vendors.
- Buy vendor insurance policies to protect your business from vendor risks.
- Include indemnification clauses in your contracts to protect your business from legal risks that your vendors may face.
- Implement resilient supply chain management practices.
- Include vendor chargebacks in your contracts to financially penalize them for breaching contract terms.
- Impose quality of service standards, vendor performance conditions, warranties, and on-time delivery criteria on your vendors.
- If you're into goods and parts, enforce inventory control best practices and product substitution policies on your vendors.
- For financial accountability and fraud prevention, set up automated workflows for purchase order (PO) cross-verification and three-way invoice matching based on PO numbers and relevant vendor invoices.
4. Ensure Regulatory Compliance by Vendors
Enforcing regulatory compliance requirements on your vendors is a critical but difficult responsibility. In some cases, their non-compliance may result in fines or other penalties on you. For example, under the Uyghur Forced Labor Prevention Act, you are responsible for keeping your entire supply chain free of any entities accused of using Uyghur forced labor.
But ensuring that your vendors are genuinely compliant can be extremely difficult. Some best practices follow:
- Derisking at vendor selection time may be better than trying to cure their practices.
- Use real-time risk intelligence services to check beneficial ownership, sanctioned entities, and politically exposed persons.
- Some regulations, like the example above, may require not just third-party but even fourth-party risk management — managing the risks from your vendors' vendors.
- Provide regulatory training to your vendor partners and their employees, and enforce your expectations on them through your contracts.
5. Set Up Vendor Compliance Monitoring and Verification
As stated already, vendor compliance is more of a journey than a destination. It must be ongoing and constantly improving, and the way to do that is to set up monitoring:
- Vendor lifecycle management tools help you monitor all your vendor relationships from centralized dashboards.
- The dashboards enable you to track key vendor compliance metrics and alert compliance officers when something goes wrong.
- Implement on-ground inspections and audits of your vendor facilities. Include them in your contracts.
- Set up workflows to automatically check vendor metrics against contractual commitment thresholds and to alert you if the metrics are found wanting.