ComplianceKeys#34. Compliance and supplier management: the importance of due diligence. | Molins Criminal Defense

As has been noted for years in the field of compliance, a significant portion of the legal and reputational risks faced by organizations do not arise solely from their internal structure, but rather from the third parties with whom they interact. Among these, suppliers occupy a particularly sensitive position.

In this context, supplier management has ceased to be a purely operational or procurement issue and has become a matter fully integrated into compliance systems. This statement does not reflect a maximalist view of the compliance function, but rather a factual observation, as we will see below.

Hence the need to carefully analyse (i) why suppliers constitute a unique source of risk, (ii) which common risks are typically concentrated in this area, and (iii) due diligence as the appropriate response that organisations must adopt.

(i) Suppliers as a unique source of risk.
Unlike other risk areas that are more internal or limited in scope, the supplier base is typically broad, diverse, dynamic and, in many cases, difficult to control in its entirety. A single category can encompass everything from logistics and technology providers to consultants, manufacturers, distributors, purchasing agents, subcontractors and suppliers of essential raw materials. Each presents different risk profiles and therefore requires distinct control approaches.

Added to this is the fact that the supplier does not always operate at a peripheral level. In numerous sectors or companies, certain suppliers play a decisive role in critical business processes, directly influence the quality or legality of the final product or service, have access to sensitive information, interact with authorities on behalf of or for the account of their client, or carry out actions that the organisation does not execute itself. In such cases, the line between the organisation’s own risk and third-party risk becomes particularly blurred. The supplier is no longer a mere external contractor but may become a functional extension of certain risk areas within the organisation.

Precisely for this reason, one of the most common mistakes is to approach the relationship with suppliers from a purely commercial perspective, focusing on price, delivery times or supply capacity, whilst relegating the assessment of the legal and ethical risks inherent in such a relationship to a secondary consideration. However, the selection and approval of suppliers should also be based on criteria of integrity, financial soundness, transparency and the ability to align with the organisation’s internal standards. When this does not happen, the supplier can become a conduit for risks that the compliance system fails to detect in time or is unable to contain effectively.

(ii) Common risks associated with suppliers.
Among the risks most frequently encountered in the supplier sphere, those linked to corruption stand out first and foremost. A supplier may facilitate improper payments, commissions, unjustified benefits, inappropriate gifts or covert favours. Given the growing trend towards regulated self-regulation, technical standards play a crucial role in setting the way forward. Specifically, with regard to bribery, ISO 37001 is particularly noteworthy.

Alongside this, conflicts of interest constitute another common risk that is often insufficiently addressed. They do not always manifest in a blatant or obvious manner: at times they take more subtle forms, such as the design of biased procurement processes.

Risks linked to money laundering also deserve special attention (discussed in detail in ComplianceKeys#30). Not being an obliged entity under the Anti-Money Laundering and Counter-Terrorist Financing (AML-CTF) framework pursuant to Spanish Law 10/2010 does not eliminate the risk of exposure to transactions with third parties whose structure, financial flows or business justification present anomalous elements. We are referring to suppliers with no real operational substance, shell companies, the use of opaque jurisdictions or a refusal to properly identify beneficial owners – all of which are red flags that should set off alarm bells.

Another category of common risks comprises regulatory or sanction-related breaches, such as failures to meet sustainability, environmental or product safety obligations, or being subject to national or international restrictions or sanctions. In this regard, the draft Organic Law aimed at incorporating into the Criminal Code the criminalisation of offences linked to EU international sanctions is particularly illustrative.

Finally, no less important is reputational risk. In today’s environment, organisations are not judged solely on their direct actions. Thus, a supplier involved in corrupt practices or causing serious environmental impacts can cast a very long and difficult-to-dispel shadow over the contracting organisation’s reputation. Public opinion, customers, business partners and, increasingly, the authorities themselves expect companies to exercise reasonable due diligence regarding whom they contract with and to take proportionate measures to prevent business relationships that are manifestly at odds with their ethical and regulatory commitments.

(iii) The response of the compliance system: due diligence.
The role of compliance systems is not to completely eliminate the risk associated with suppliers (situations involving zero risk are rare) but rather to establish reasonable, proportionate and effective mechanisms to identify, assess, mitigate and monitor that risk: due diligence processes.

The starting point must, in our view, be a fundamental yet decisive principle: not all suppliers require the same level of due diligence. From this perspective, proper supplier management requires, first and foremost, the definition of clear risk classification criteria. Factors such as the financial value of the relationship, the jurisdiction, the degree of interaction with the public sector or the history of sanctions must be considered objectively.

Secondly, it is essential that the organisation has procedures in place to assess risk and gather information. As appropriate, these may range from questionnaires to audits, including screenings and a host of other methods, as there is no such thing as a fixed list.

Thirdly, the relationship with suppliers must be properly reflected in contractual and oversight arrangements. Compliance clauses, integrity commitments, restrictions on unauthorised subcontracting, supplier audits and dispute resolution mechanisms in the event of non-compliance are all tools for conducting due diligence on third parties.

Finally, the organisation must recognise that, once a third party has been approved, risk management does not end per se. An approved supplier is not necessarily a risk-free supplier: it is simply a third party in respect of whom the organisation has, at a given time, considered the risk to be acceptable under certain conditions. When those conditions change, the analysis must be reopened. This is why continuous monitoring is so important.

In short, suppliers should not be viewed as a peripheral element of compliance. If handled poorly, the relationship with them can make the organisation hostage to third-party risks that, in reality, were never entirely external. Precisely for this reason, the maturity of a compliance system is measured not only by how it controls what happens strictly within the company, but also by how it governs, with judgement and proportionality, the relationship with third parties.