Managing Reputational and Regulatory Nth-Party Risks

October 18th, 2024 Michael Volkov Reading Time: 5 minutes

Managing Nth-party relationships is one of the biggest issues that I discuss with my clients. Clients are asking how they can influence Nth Party risks when they are not in direct privity? What leverage do they have and how should they exercise it?

What do you recommend that we do in our supply chain or in our distribution chain? How do we reach down into each chain and exercise ethics and compliance controls?

As explored in Loren Johnson’s recent article on this topic, there are regulatory risks, but I feel strongly that the reputational risk is really the driver here. And we are seeing more and more demand from the public for regulators to take a more aggressive stance in this area. So, that’s why we get the Corporate Sustainability Reporting Directive (CSRD), which is still in the throes at the EU.  No matter what, however, companies can expect increasing regulatory and stakeholder expectations in this area. 

Enforcement Actions for Managing Nth-Party Risks

As fourth—and Nth-party risks rise in frequency and overall awareness, stakeholders demand that organizations address these risks — they can no longer be ignored. 

Aside from stakeholder expectations, the Justice Department is primed to send a message in this area — a sanctions enforcement storm, focusing supply chains and distribution chains is about to occur. DOJ and OFAC know how to focus on these issues and already have expressed concerns that a limited sense of responsibility and perspective is untenable.   

Recently, there was just a $300 million enforcement action by the BIS from the Department of Commerce against Seagate. We’re going to see an increased ramp-up against financial institutions as part of this. And so, we have the national security focus on this. So, this is something that’s coming, but how do we manage these risks if they’re buried within our supply chains?

The Importance of Supply Chain Audits

In the aftermath of ESG and sustainability concerns, legal liability standards are fast expanding to “encourage” companies to manage and mitigate their supply chain risks.  Everyone claims they know how to conduct a supply chain audit (or won’t admit they do not know), but there is a skill and an art to tackling such a complex assignment. As always, it is important to understand/classify your risks, stratify/prioritize and identify available information. 

How do we get Nth parties to do something when we’re not in contact with these people? This is a really challenging issue because they could be layers down your supply chain. My first answer is to use supply chain audits to look at what leverage you have if you are a person; if you’re at a company where they need your business, that gives you leverage.

On the other hand, if you need them more than they need you, you will not have as much leverage to push requirements through your contractual certifications, through your supplier code of conduct, and all of these things that you are going to have them attest to and assure you of.

Hidden Geographic Risks

With supply chain audits, you can also start to focus on geographic risks, and geography is really critical. For example, if you’re dealing with a Chinese supplier who happens to be a hundred miles from the North Korean border, that’s going to be a higher-risk candidate. Or, if you’re worried they’re going to source something from close proximity to Iran or Dubai where there are so many trading companies based there. These are red flags to me.

Not performing supply chain audits have real-life consequences. An example of this is E.l.f. Cosmetics, which was importing false eyelashes, had over 150 shipments from two suppliers in China, where almost 100% of the false eyelash kits came from North Korea. E.l.f. told the government they had no idea these were being sourced from this region. But when asked how many supply chain audits they’ve performed – not really any.

Other companies have had this dilemma: Their heads may have been in the sand, and they’re being held liable for their supply chain. In the case of E.l.f. Cosmetics, they ended up paying a million dollars to the U.S. Department of Treasury’s Office of Foreign Assets Control.

Whenever I present this case, there are always people who say to me, Mike, that’s just so unfair. I can’t believe it. But the question is, if you put your head in the sand, then you’ve got to worry about it. And so this is a good example of why staying aware of your supply chain is so important. We did it before with conflict minerals and now we’re going to have to do this again, particularly with regard to sanctions and export control.

Enforcement Example: Forced Labor Prevention Act

Another issue bubbling up this year in particular is enforcement around the Uyghur Forced Labor Prevention Act. And here’s the thing: In the first year, it was mostly educational. While there is guidance and target industries, there is still a lot of gray area.

An example of how uncertainty can lead to real consequences is if you show up at the Los Angeles Harbor and you’ve got a boat full of items that Customs seizes and says, we think this came from the Uyghur area from forced labor, and it’s a presumption.

Then, you have to go in and prove that it didn’t come from that area. And so now you’ve got to bring in all your documentation, and we all know how hard it is to document occurrences in which it is not easy to obtain things in certain regions. And so, it gets really difficult.

We have one client who has not received their shipment for six months and is still trying to get it through. So, this is something to be really careful about, and as the government is being pressured to enforce this even further, I think there’s going to be more and more pressure. So, what are you to do? Overall, if you follow the guidance closely, you’re going to be in pretty good shape if something happens.

Reputational Risks: The German Supply Chain Due Diligence Act

Last year when it went into effect, the hot topic was the German Supply Chain Due Diligence Act. People initially looked at the 3,000 employees in Germany number and thought, we’re not subject to that.

Yet, while many were not directly affected by the LkSG Act, its content actually covers things that you should be doing anyway, even if the Act, in particular, was Germany-focused.

You need to be careful regarding government enforcement or audits. When you look at human rights and environmental impact due diligence on your supply chain, these are issues, especially if potential infringements could be happening within your Nth parties. If you’re a global company, you’re going to be looking at these things anyway, but you have to take the time to make sure you have a compliance protocol in place for the supply chain due diligence access documents.

And you’ll see there’s been lots of remediation around this. Eliminating human trafficking and modern slavery are on stakeholders’ minds. And you’ll see in annual proxy inquiries there’ll always be an inquiry related to this.

And as Loren mentioned in his blog post, the last hit you want to take is reputational damage. While companies may have six degrees of separation away from forced labor in their supply chains, stakeholders will still hold them accountable.

Best Practices for Managing Nth-Party Risks in Compliance Programs

So, what do we do? I’m going to share one thing I repeat all the time: If you don’t have an automated tool for identifying and managing your Nth-Party risks, you’re not in the game. And no regulator these days is going to allow you to say, “Hey, we don’t have enough money to get an automated tool.” It’s not an acceptable answer.

Another best practice is tofocus on your high risks. When you see red flags, you’ve got to resolve them and document what you do. Make sure you have geo-blocking to ensure you’re not selling products or getting products from Cuba or Iran or dealing with nefarious actors. Put third-party scrutiny in the high-risk areas and prioritize. Let’s start with the high risks and then let’s work our way down.

To learn more about managing Nth-Party Risks through automated solutions, contact Aravo today.

Michael Volkov

Michael Volkov is a recognized expert in corporate governance and compliance, internal investigations and white-collar defense.

Michael Volkov is the Chief Executive Officer of The Volkov Law Group. He has over 40 years’ experience in practicing law. The Volkov Law Group brings over 40+ years of combined experience in government, big-law firm, federal prosecution, corporate monitoring and ethics and compliance legal services.

Mr. Volkov has represented companies and individuals in high-profile, high-stakes litigation and investigations. He is a regular speaker at popular legal and compliance conferences around the globe. The Volkov Law Group maintains a popular legal blog and a regular podcast: Corruption, Crime & Compliance.

Mr. Volkov is frequently cited in the media for his knowledge on white collar enforcement issues, internal investigations, corporate governance, and ethics and compliance issues.

Michael Volkov is the Chief Executive Officer of The Volkov Law Group. He has over 40 years’ experience in practicing law. The Volkov Law Group brings over 40+ years of combined experience in government, big-law firm, federal prosecution, corporate monitoring and ethics and compliance legal services.

Share with Your Friends:

Subscribe to Blog Updates

Tags
Our Expertise
Expertise
Who We Help
Customers

Ready to get started?

Get in touch for a better approach to third-party risk management