The Value of Supplier Information Management for Compliance
While there are many ways to look at it, the value of supplier information management for supplier compliance management is not specific to one role; it is shared across several different functions.
Compliance requirements are pervasive and most often dictated at very specific points in a supplier workflow process, such as onboarding, performance and risk management. To be successful at supplier compliance management, organizations must follow a “consistent” process for ensuring that requirements are actively monitored or executed under specific guidelines across all the various business units. Moreover, sharing the compliance responsibility requires visibility across various functions, from internal stakeholders such as sourcing, procurement and supply chain, to suppliers, and even to auditors and other outside parties. As a result, businesses today need the ability to quickly adapt their compliance approaches. But compliance oversight and reporting cannot succeed unless organizations can quickly overcome the time-consuming task of navigating the compliance landscape, which requires being able to:
- Involve internal, external, and third parties within a compliance initiative
- Ensure that all proper processes and approvals are adhered to
- Receive timely updates on program compliance
- Quickly report on all compliance aspects, whether information gathered, scoring metrics, program success, or audit control
- Support compliance programs after shifts in corporate activity (merger, divestiture)
However, most organizations today continue to use traditional yet inadequate approaches for managing supplier information. For instance, business processes such as regulatory reporting, order entry, accounting, production, stores and point-of-sale (POS), inventory, and purchasing are all traditionally managed by several software systems. Furthermore, one of the fundamental IT challenges is that ERP and related systems were simply not designed to be flexible, and by some estimates this costs mid-to-large companies as much as $10 to $15 million per year in lost opportunities (source: IDC Group).
Due to the vast array of supplier information needs and rapid changes in information required for internal and external compliance efforts, organizations are unable to manage compliance efforts efficiently. Symptoms of inefficient compliance include duplicate data entry, data corruption, increased training, complicated supplier relations, greater IT support, and even software incompatibilities; moreover, the issues that result from ineffective supplier information collection translate to hard and soft dollar costs such as:
- Time it takes to roll out new compliance programs
- Time it takes to implement processes and surveys with new requirements
- Inability to monitor and report on compliance program effectiveness
- Ultimate costs related to penalties or fines resulting from noncompliance
The question then becomes: what is it truly costing your business to manage compliance initiatives, and what is the value of adopting a supplier information management system to improve them? Again, perhaps the XYZ example can shed some light.
In continuing their evaluation of supplier information management, various members of the XYZ company look at the inefficiencies in their current compliance efforts and realize certain areas are misaligned.
- XYZ looks for standard Non-Disclosure Agreements (NDAs) as part of its supplier onboarding efforts. NDAs are a standard requirement for onboarding suppliers, and XYZ onboards close to 1,000 new suppliers a year on average. With 5 FTE resources from various departments involved in monitoring that NDAs are in place, at an average cost of $75,000 per fully burdened employee, it costs XYZ $37,500 annually in time spent on NDA collection.
- XYZ also has increased concerns over loss or theft of Confidential Information it is sharing with prospective or existing suppliers when they don’t have an NDA in place. Based on past experience and research, the cost of non-compliance and loss of proprietary information is estimated at $350,000 per incident, averaging four incidents in a year. XYZ estimates that with their current efforts, the probability of incident is 9%.
- XYZ is also frustrated in its ability to collect the necessary information related to its Corporate Social Responsibility (CSR) initiatives. CSR has become a more important part of their supplier management process, due to a combination of increased public scrutiny of the labor and sustainability concerns related to XYZ’s suppliers in developing regions and a trend toward new legislation. With 5 FTE resources from various departments working on CSR documentation and collection efforts, at an average cost of $75,000 per fully burdened employee, it costs XYZ $37,500 annually in time spent on CSR data collection.
- Furthermore, XYZ has struggled to keep its suppliers fully aware of their social responsibility requirements and of the commitment it is asking of suppliers, in terms of training, audits, etc., to uphold its CSR standards. Based on recent experience, a past CSR incident cost XYZ $5M. However, they estimate that with current efforts the probability of incident is 0.2%.
- XYZ’s involvement in hazardous materials also requires them to be involved in RoHS / REACH compliance. Over the past several years, XYZ has experienced an acceleration in the number of suppliers that provide full disclosure of material declaration data for the components in the Bill of Materials (BOM) provided by the supplier. However, the time it takes for supply chain resources to collect this information from third-party sources and pass it to product designers and then to QA is tiresome without a common supplier platform. XYZ estimates that, due to the effort across these different functions, it is costing them close to $90,000 annually to manage this compliance.
- Based on past experience and research, the cost of non-compliance for RoHS / REACH is estimated at $150,000, with an average of 60 incidents and an average cost of $2,500 per incident. They estimate that with current efforts the probability of incident is 5%.
- XYZ has also had increased concern over its ability to manage FCPA compliance. Increased bribery exposure in the developing countries where they are expanding has put more pressure on getting better compliance mechanisms in place for tracking activities and prohibited payments to foreign officials in these places. With 1 FTE resource from legal involved with monitoring FCPA compliance, at an average cost of $125,000 per fully burdened employee, it costs XYZ $37,500 annually in time spent on FCPA management.
- Again based on past experience and research, the fines related to FCPA are estimated at $3.5M. While XYZ has not experienced an incident, others in their industry have had the misfortune of paying upwards of that amount as a result of ongoing fines from the SEC and DOJ. They estimate that with current efforts the probability of incident is 1%.
Supplier Information Management adding value
Now imagine that, using a supplier information management solution, XYZ has a central repository of supplier information where it can leverage a complete supplier profile, with data coming from its various ERP systems and external systems. It can now quickly find relevant information on both existing and potential suppliers in a centralized supplier dashboard that is shared across multiple stakeholders. Moreover, as it specifically relates to compliance, the workflows for reaching out to suppliers have been automated, with triggers based on expirations or other “data lookups” that may start an initiative in the system to reach out to a supplier based on a risk score or an event (e.g. financial results, supply chain disruption, etc.).
For instance, those involved with NDA collection can now quickly check on the status of an NDA and/or its expiration date. With the new system, upon nearing expiration, suppliers are prompted to execute a current version. XYZ estimates a 70% reduction in time spent collecting NDAs, translating to a savings of $26,250 annually.
In this same manner, for those involved in CSR initiatives, the new supplier information management system provides triggers letting XYZ know when new data should be collected from newly onboarded suppliers, as well as from those suppliers considered to be high risk. XYZ estimates time efficiencies of 80% due to the new system, translating to a savings of $30,000 annually.
The process for managing RoHS / REACH is also expected to improve. Increased visibility into supplier BOMs through automated collection of Full Disclosure Material Declarations, and the ability to more easily share this information with other stakeholders, is expected to provide a 50% reduction in time spent on managing this process. This translates into a savings of $46,750 annually.
In the process for managing FCPA, more stakeholders will be able to provide assistance to the one resource currently managing it in Legal. With information shared centrally, increased visibility is expected to provide a 55% reduction in time spent on managing this process, translating into a savings of $20,625.
Cost & Risk Avoidance
So with increased oversight and automation of the collection processes there is certainly increased efficiency, but there is also a reduced probability of incidents occurring as a result. While it is difficult to put a number on “risk avoidance” based on the probability of events, XYZ anticipates a reduced probability of risk due to these efforts of between 30% and 60%. For instance, in a situation where all things go wrong and based on the typical incidents described, the potential savings from incidents in a worst-case scenario could be close to $10,000,000+ in cost avoidance. But taking probability into account, some of the following assumptions could be made:
- For NDAs, the probability of incident related to loss of confidential information was 10%, which translated into a cost of $140,000. With supplier information management, XYZ expects a 60% reduction in probability, which translates into an $84,000 savings.
- For CSR, the probability of incident related to lack of compliance was 0.2%, which translated into a cost of $10,000. With supplier information management, XYZ expects a 60% reduction in probability, which translates into a $6,000 savings.
- For RoHS / REACH, the probability of incident related to this exposure was 5%, which translated into a cost of $7,500. With supplier information management, XYZ expects a 30% reduction in probability, which translates into a $2,250 savings.
- For FCPA, the probability of incident was 1%, which translated into a cost of $35,000. With supplier information management, XYZ expects a 60% reduction in probability, which translates into a $21,000 savings.
Therefore, in demonstrating a new means of reducing risk through supplier information management, XYZ is able to directly translate that reduction into potential costs avoided, ranging from lower insurance premiums paid to insure against these types of incidents to legal fees for managing these processes and payments that must be made as a result of litigation or fines due to noncompliance.