The Scale of the Modern Slavery Issue and Procurement’s Role in Tackling It

“Modern slavery exists in all of our supply chains and anybody who says: ‘There is absolutely no modern slavery in my supply chain, full stop’, is lying,” says Chris Harrop, Group Sustainability and Marketing Director at Marshalls plc. Harrop has spent fifteen years combating modern slavery at the FTSE 250 manufacturing company and was a fellow speaker at the CIPS UK Conference 2019, alongside Crossword’s own Jake Holloway.

Harrop’s comments underline the sheer scale of the problem. The proliferation of complex global supply chains, combined with limited visibility of them, has helped modern slavery to thrive. Worldwide, an estimated 40.3 million people live in modern slavery according to the Global Slavery Index. Modern slavery is often regarded as an issue limited to developing countries; however, forced labour reportedly exists in every country of the world, and exploitation in the developing world often flows into supply chains that end up in the West. The allegations by Oxfam of abuse in UK supermarket supply chains last month are a prime example of this.

The UK Modern Slavery Act, introduced in 2015, has gone some way to tackling this issue. Section 54 requires large businesses to publish an annual statement outlining the actions and due diligence they have undertaken to ensure that slavery does not occur within their own organisation or anywhere in their supply chain. The Act applies to every British or foreign organisation that conducts business in the UK and has an annual turnover exceeding £36 million. Critics argue that it is too lax: the content of the statements is not mandated, and a company can lawfully publish a statement saying it has taken no action at all to reduce slavery.

Despite these minimal reporting requirements, the Modern Slavery Register found that only 23% of 7,500 eligible UK companies were legally compliant with the Modern Slavery Act. Chris Harrop issues a call to action to fellow procurement professionals to address this, pushing companies not only to comply with the Modern Slavery Act but to exceed its minimum requirements. His own organisation, Marshalls plc, has gone the extra mile to eradicate modern slavery in its supply chain by replacing traditional auditors with undercover workers in India and China (areas where modern slavery is especially prevalent), in order to unearth issues that stay hidden when suppliers are given forewarning of audits.

Procurement professionals have a vital role to play in sourcing in a manner that rewards suppliers for ethical employment practices, rather than purchasing in a way that exacerbates modern slavery. They have visibility of, and critical influence over, supply chain decision-making: how suppliers and tenders are evaluated, the level of due diligence carried out, and the risk management systems that are implemented.

With great power comes great responsibility. Procurement professionals have a duty to establish policies that prevent, detect and eradicate modern slavery within their supply chains. Map the supply chain and send modern slavery assessments to all suppliers to identify where potential vulnerabilities lie. Conduct modern slavery audits of key suppliers and monitor them continuously. Introduce contractual requirements for new and existing suppliers that align with the company’s own modern slavery checklists, and encourage whistleblowing on non-compliant suppliers. Where corrective action is needed and a supplier is unable to carry out remedial action to eliminate modern slavery, terminate the relationship and source an alternative supplier.

Otherwise, organisations found to be sourcing from suppliers that exploit labour risk reputational damage, legal sanctions, customer attrition and loss of market share. Conversely, ethical procurement encourages investment and improves company morale, and working closely with suppliers also enables improvements in quality, productivity and engagement.

As a platform for managing supplier risk, Rizikon Assurance can help you to gain visibility of modern slavery issues that exist in your own supply chain. If you would like to take the first step in eradicating modern slavery in your supply chain then contact us here.

Rizikon Assurance at CIPS UK Conference 2019

Rizikon Assurance is proud to announce that it will sponsor the CIPS UK Conference 2019. Additionally, Jake Holloway, Chief Product Officer for Rizikon Assurance, will be speaking on the second day of the event.

Rizikon Assurance helps companies to gain visibility on the risks posed by third-party suppliers. Jake will be introducing Rizikon Assurance 2.0 which combines intelligent questionnaires, dynamic supplier scorecards, and the new criticality dashboard which makes supplier assurance far quicker and simpler than other methods.

Over 100 procurement senior managers are currently evaluating Rizikon Assurance for use in their enterprise, and a growing list of Rizikon Assurance users are quickly realising the benefits of a centralised approach to third-party risk. The assessments range from GDPR, Modern Slavery, Anti-bribery and Corruption, to ISO 27001 standards and Cyber Security risks.

The CIPS Conference is the leading procurement conference in the UK, and last year’s event boasted 40+ expert procurement speakers across a wide range of topics. This year’s conference is expected to be bigger and better, with even more high-quality talks and exhibitors promised.

The conference will be held on 31st October – 1st November 2019 at the Queen Elizabeth II Centre, London. If you are interested in reducing your supply chain risk, speak with our team at our stand and listen to Jake’s talk on Day 2, Stream 3 at 12:00.

For more information on Rizikon Assurance, visit: www.rizikon.io and www.crosswordcybersecurity.com.


Improving the Efficiency of Supplier Assurance

Suppliers are now one of the most likely causes of significant business problems. Whether it is your web provider allowing a credit card-skimming plug-in onto your e-commerce site or a supplier using child labour to make fashionable clothing and accessories, your supply chain is a massive source of risk. Yet outside a couple of highly risk-averse sectors (such as nuclear or weapons), most organisations simply do not do as much supplier assurance as they would like to.

Current standard practice is very much as follows:

  • Suppliers are risk-assessed at the point of on-boarding, with only a few continuously re-assessed as circumstances change

  • Supplier impact assessment (evaluating how critical any supplier is to the customer and therefore what assurance approach they should receive) is done on the basis of spend, and not on the potential for causing data breaches, or corporate embarrassment

  • Where there is easy-to-look-up, pre-verified data, as there is for financial data from Creditsafe or D&B, that data is used, and often forms the only material basis of the evaluation, which is at odds with the areas of risk actually likely to cause an issue

  • Questionnaires are sent out by email, making them hard for suppliers to complete and hard for the buyer to assess and review once they come back

  • Questionnaire responses tend to stay in their respective silos (the IT team looks at cyber, the DPO at GDPR, and so on) with no one pulling together a 360-degree view of all risks

Overall it is a very manual, ad hoc process with little automation and never quite enough standardisation.

The reason, of course, is cost. It is potentially expensive to risk-assess the entire supplier base regularly, particularly if you are doing everything manually. Even if you triage the risk and concentrate resources on the most critical suppliers, most organisations cannot tell their Risk Committees, Regulators or Shareholders a particularly convincing story when it all goes wrong.

Improving both the effectiveness and the efficiency of supplier assurance requires new thinking, some automation and clarity around roles and responsibilities.

The first bit of new thinking around Supplier Assurance is about professionalising what is often an ad hoc, disjointed process - with little exposure at Board level.

  • Define what supplier risk means to your business. What are its dimensions? e.g. credit risk, modern slavery, anti-bribery and corruption (ABC), cyber security, product quality, materials delivery, etc.

  • Supplier risk can kill a business, so the Board needs visibility of the current risk status of each supplier

  • Have Supplier Assurance objectives and KPIs that you report on

  • Have an agreed and fully implemented supplier impact triage process in place, so that you know which suppliers are the worst case (we like five levels, Very Low to Very High)

  • Agree a fixed, non-negotiable Assurance approach for each level of Impact

Secondly, invest a little in automation and an online portal. Sending out long "fire-and-forget" questionnaires in Word or Excel may be "the way we do things", but it does not let you see which suppliers have started, which are ignoring you, and what the scores are in real time. Create a supplier assurance portal, for example using Rizikon Assurance, that:

  • Allows complete standardisation of questions and gives you one place to update questionnaires with new standards and regulations

  • Has automated reporting, scoring and supplier chasing

  • Supports re-assessment on a regular period (the supplier just updates what's changed)

  • Allows suppliers to share questions internally (no one person ever knows everything)

  • Has 'smart' assessments that ask the minimum number of questions, not "War and Peace"

  • Pulls in data from places like Companies House and Credit-scoring platforms like Creditsafe

  • Displays all Risks in a single view for the Board to understand

Improving Supplier Assurance productivity doesn't need to cost the earth. Check out Rizikon Assurance for some new thinking and take control of Third-party Risk.

Three Third-party Cyber Security Audit Mistakes to Avoid

Most organisations have some sort of programme for assuring themselves about the cyber security defences of their Third parties - typically Suppliers, Vendors or Partners.

As a Cyber Security vendor and third-party risk management tool and services provider, we have seen a number of these programmes in action. These are some of the mistakes we see repeated and some suggestions on what to do about them.

Mistake #1 - make up your own cyber security checklist

The International Organization for Standardization (ISO) and the UK's National Cyber Security Centre, to name just two bodies, have spent a lot of time and money devising perfectly decent standards that a whole ecosystem of third parties can readily test and assure against. So why do so many organisations make up their own checklists for cyber security?

Even if there is a special emphasis to be made on one particular control, it makes sense to adopt a commonly available standard as your starting point. There are many benefits:

  • The check-list will be kept up-to-date at someone else's expense

  • The checklist has several guides, books and training courses about it

  • There are many specialists to help the third parties if they need it

  • You can get other people to independently assess the third party

  • And the third party will probably pay them to be assessed

  • You can check if they already have a certificate with a single question and save a LOT of effort

  • And, last but by no means least, the third party actually receives something of value if they complete it (the standard or certificate)

Our advice is to base your third-party assurance on commonly used standards and supplement them with further questions only if you absolutely have to. In the UK we would suggest Cyber Essentials, IASME Governance and ISO 27001.

Mistake #2 - make everyone complete the same assessment

Even more surprising than mistake #1 is the determination of some cyber security assessors to enforce a draconian, high-level cyber security checklist on every single third party or supplier regardless of context.

We have seen one-person businesses with no realistic chance of causing a meaningful breach sent 150+ question ISO 27001-based checklists without a word of explanation or help. ISO 27001 is designed for organisations running a formal information security management system, not for a supplier whose IT infrastructure consists of a laptop and a mobile phone.

Naturally enough, when the small supplier simply refuses to comply out of frustration, they are typically nodded through with no assessment at all, leaving the buying side in ignorance as well.

Our advice is to undertake a short but systematic third-party impact assessment before deciding which approach to take for each third party. Establish the potential (inherent) risk, then assess accordingly. You can assess the potential for data privacy and GDPR issues at the same time by carrying out a simple data privacy assessment. Develop a simple table along these lines:

Impact > Assessment approach

  • Very Low (e.g. paper clip provider) > None

  • Low > Cyber Essentials

  • Medium > Cyber Essentials Plus

  • High > IASME Governance

  • Very High (e.g. vendor of HR system) > ISO 27001

But you can of course develop a table of your own. The main thing is to have one.

Mistake #3 - leave it to your in-house cyber security team

In-house cyber security teams are busy protecting your organisation. Their responsibilities never end; there is always more that can be done to protect the organisation. So when you drop the name of a third party on them for an assessment, it will rarely be the most important thing on their plate, and the cyber checks often take a long time to complete. What's more, the cyber security team does not always have the time, or necessarily know how, to communicate the findings (which are never binary) to internal stakeholders or to the third parties themselves.

Our advice is to get help, and to take a risk-assessed approach. For example:

Impact > Assessment approach

  • Very Low > None

  • Low > Cyber Essentials - self-assessed approach, share the question set with the third party

  • Medium > Cyber Essentials Plus - insist on seeing the certificate number, and direct them to an IASME/CE+ certification body if none is forthcoming

  • High > IASME Governance - insist on seeing the certificate number, and direct them to an IASME/CE+ certification body if none is forthcoming

  • Very High > ISO 27001 - outsource assessment to a specialist Third party cyber assessment provider

The overall approach should of course be agreed in advance with your cyber team, but set it up in such a way as to keep their involvement to a minimum except where they absolutely have to be involved.
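The five-level impact triage recommended in the supplier assurance article above, and the two "Impact > Assessment approach" tables in this one, can be wired together into a small script. The example below is added here to illustrate the approach; it is not Rizikon Assurance code. The supplier attributes, scoring weights and tier thresholds are assumptions chosen for illustration (tier on breach and embarrassment potential, never on spend), the sample suppliers are constructed, and the rule that a higher-ranked certificate satisfies a lower-tier requirement is also an assumption of the example.

```python
"""Supplier impact triage and tiered cyber assurance check (illustrative).

Added example; not Rizikon Assurance code. Attributes, weights and thresholds
are assumptions. Spend is recorded but deliberately never drives the tier.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Standards in the order the article's table uses them (lowest tier first).
# Assumption: a certificate for a later entry satisfies an earlier requirement.
STANDARD_RANK = ["Cyber Essentials", "Cyber Essentials Plus",
                 "IASME Governance", "ISO 27001"]

# Fixed, non-negotiable approach per impact tier: (standard, evidence mode).
ASSURANCE = {
    "Very Low":  (None, "none"),
    "Low":       ("Cyber Essentials", "self-assessment"),
    "Medium":    ("Cyber Essentials Plus", "certificate"),
    "High":      ("IASME Governance", "certificate"),
    "Very High": ("ISO 27001", "certificate"),
}

# Assumed scale for the most sensitive data the supplier can reach.
DATA_WEIGHT = {"none": 0, "internal": 1, "personal": 2, "special": 3}


@dataclass
class Supplier:
    name: str
    data_classification: str         # key of DATA_WEIGHT
    records: int = 0                 # personal records the supplier can reach
    network_access: bool = False     # VPN, API or integration into our estate
    business_critical: bool = False  # an outage stops a core process
    annual_spend_gbp: int = 0        # recorded, but not a factor in the tier


@dataclass
class Evidence:
    standard: Optional[str] = None
    certificate_number: Optional[str] = None
    self_assessment_received: bool = False


def impact_score(s: Supplier) -> int:
    """Breach / embarrassment potential on a 0..9 scale. Spend is ignored."""
    score = DATA_WEIGHT[s.data_classification]
    if s.records >= 100_000:
        score += 2
    elif s.records >= 1_000:
        score += 1
    if s.network_access:
        score += 2
    if s.business_critical:
        score += 2
    return score


def impact_tier(s: Supplier) -> str:
    """Map the score onto the five levels the article recommends."""
    score = impact_score(s)
    if score == 0:
        return "Very Low"
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    if score <= 6:
        return "High"
    return "Very High"


def meets(ev: Evidence, required: str) -> bool:
    """Certificate number present for `required`, or for a higher-ranked standard."""
    if ev.standard not in STANDARD_RANK or not ev.certificate_number:
        return False
    return STANDARD_RANK.index(ev.standard) >= STANDARD_RANK.index(required)


def evaluate(s: Supplier, ev: Evidence) -> Dict[str, object]:
    """Decide what this supplier owes us and whether they have provided it."""
    tier = impact_tier(s)
    standard, mode = ASSURANCE[tier]
    result: Dict[str, object] = {
        "supplier": s.name, "tier": tier, "standard": standard,
        # Simple data privacy check run alongside the cyber tiering.
        "privacy_assessment": s.data_classification in ("personal", "special"),
    }
    if mode == "none":
        result.update(status="no assessment required", action=None)
    elif mode == "self-assessment":
        ok = ev.self_assessment_received or meets(ev, standard)
        result.update(status="satisfied" if ok else "gap", action=None if ok else
                      f"share the {standard} question set for self-assessment")
    else:
        ok = meets(ev, standard)
        result.update(status="satisfied" if ok else "gap", action=None if ok else
                      f"request a {standard} certificate number; refer to a certification body if none is forthcoming")
    return result


# Constructed sample suppliers (not real companies). Certificate numbers are placeholders.
PAPERCLIPS = Supplier("Stationery Ltd", "none", annual_spend_gbp=500)
FREELANCER = Supplier("Solo Consulting", "internal")
HR_VENDOR = Supplier("PeopleCloud", "special", records=5_000, network_access=True,
                     business_critical=True, annual_spend_gbp=40_000)
LOGISTICS = Supplier("Big Haulage plc", "personal", records=50_000,
                     business_critical=True, annual_spend_gbp=2_000_000)

if __name__ == "__main__":
    for sup, ev in [(PAPERCLIPS, Evidence()), (FREELANCER, Evidence()),
                    (HR_VENDOR, Evidence("ISO 27001", "EXAMPLE-0001")),
                    (LOGISTICS, Evidence("Cyber Essentials Plus", "EXAMPLE-0002"))]:
        print(evaluate(sup, ev))
```

Two things the output shows that the tables alone do not: the largest-spend supplier lands at High rather than Very High because spend never enters the score, and the one-person consultancy gets a Cyber Essentials self-assessment rather than an ISO 27001 checklist, which is exactly the outcome mistake #2 argues for.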

Crossword can help in many ways with Third party assurance and especially in the area of Cyber Security. Our Rizikon Assurance tool is an excellent platform for all types of third party risk assurance.

Getting started with Modern Slavery Risk Management

All UK companies with a turnover above £36 million need to explain how they assure against the risk of modern slavery in their supply chain. However, it is no secret that many companies are falling a long way behind on their legal obligations in this regard.

Some feel that it is too big a problem to make any start on. Others assume they are immune. Many do not invest enough. It all adds up to a fairly unimpressive 2% of UK companies deemed to be completely and fully meeting their obligations.

Modern Slavery risk assessment is a process not a project. It should be a part of business as usual. So start by doing something and build on that. Here’s a simple set of recommendations about making a start.

MAP YOUR MATERIALS AND SOURCE COUNTRIES

Mapping every supplier in an entire supply chain is daunting, so start with the core materials and components that make up your products and services, and start to document which countries they come from.

Where you procure assembled components, ready-made goods or outsourced services, document what you understand about their potential provenance.

USE OPEN SOURCES TO MAKE A FIRST PASS

Then you can start to flag potential risks. For example, if you buy a food product that contains palm oil, or machinery that contains manganese, looking up these materials in openly available databases will tell you whether high-risk source countries are providing them.

For example, the Bureau of International Labor Affairs (ILAB), part of the US Department of Labor, maintains the List of Goods Produced by Child Labor or Forced Labor, which names goods alongside the specific countries where they are produced with such labour. See the latest edition on the Department of Labor website.

ASK MAIN SUPPLIERS ABOUT WORKING PRACTICES & CODES OF CONDUCT

There are a number of excellent international standards and codes of conduct regarding modern slavery practices. Adopt one and ask your key suppliers whether or not they comply. Most of them should have a modern slavery checklist of sorts.

Better still, investigate practices that directly relate to the goods you procure and ask if these are specifically checked for and how.
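The three steps above (map materials to source countries, screen them against an open-source risk list, then ask suppliers specific questions) can be run as a single first pass over a bill of materials. The script below is an added example, not the page's or Rizikon Assurance's code. Its risk list is a constructed stand-in in the shape of the ILAB list (good, country, issue) using placeholder country names, and its bill of materials and supplier names are constructed too; replace the risk list with the current published data before relying on the output.

```python
"""First-pass modern slavery screen of a bill of materials (illustrative).

Added example; not the page's or Rizikon Assurance's code. RISK_LIST_CSV is a
CONSTRUCTED stand-in for the ILAB list with placeholder countries; BOM_CSV and
the supplier names are constructed as well.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List, Tuple

RISK_LIST_CSV = """good,country,issue
Palm Oil,Country A,forced labour
Palm Oil,Country B,child labour
Manganese,Country C,child labour
Cotton,Country A,forced labour
"""

# An empty source_country means the supplier has not told us where the
# material comes from (typical for assembled components and ready-made goods).
BOM_CSV = """product,material,supplier,source_country
Biscuit mix,palm oil,FoodCo,Country A
Biscuit mix,sugar,FoodCo,Country D
Gearbox,manganese,MetalWorks,
Gearbox,steel,MetalWorks,Country D
Uniforms,cotton,ApparelCo,Country A
"""

PRIORITY = {"flagged": 0, "provenance unknown": 1, "clear": 2}


def norm(text: str) -> str:
    """Case- and whitespace-insensitive key so 'Palm Oil' matches 'palm oil'."""
    return " ".join(text.strip().lower().split())


def load_risk_list(text: str) -> Dict[Tuple[str, str], dict]:
    """(good, country) normalised -> {'issue': ..., 'country': display name}."""
    return {(norm(r["good"]), norm(r["country"])):
            {"issue": r["issue"].strip(), "country": r["country"].strip()}
            for r in csv.DictReader(io.StringIO(text))}


def screen_bom(bom_text: str, risk: Dict[Tuple[str, str], dict]) -> List[dict]:
    """Classify every BOM line and return them worst first."""
    results = []
    for r in csv.DictReader(io.StringIO(bom_text)):
        good, country = norm(r["material"]), norm(r["source_country"])
        # Countries for which this good appears anywhere on the list.
        listed = sorted(v["country"] for (g, _), v in risk.items() if g == good)
        row = {"product": r["product"], "material": r["material"],
               "supplier": r["supplier"], "country": r["source_country"],
               "issue": None, "listed_countries": listed}
        if (good, country) in risk:
            row["status"] = "flagged"
            row["issue"] = risk[(good, country)]["issue"]
        elif not country:
            row["status"] = "provenance unknown"
        else:
            row["status"] = "clear"
        results.append(row)
    # Stable sort: flagged first, then unknown provenance (listed goods before
    # unlisted ones), then clear; BOM order is kept within each group.
    return sorted(results, key=lambda x: (PRIORITY[x["status"]], not x["listed_countries"]))


def summarise(results: List[dict]) -> Dict[str, int]:
    counts: Dict[str, int] = defaultdict(int)
    for r in results:
        counts[r["status"]] += 1
    return dict(counts)


def supplier_questions(results: List[dict]) -> Dict[str, List[str]]:
    """Turn findings into questions about the exact good and practice, per supplier."""
    questions: Dict[str, List[str]] = defaultdict(list)
    for r in results:
        if r["status"] == "flagged":
            questions[r["supplier"]].append(
                f"{r['material']} in '{r['product']}' is sourced from {r['country']}, "
                f"which is listed for {r['issue']}. How is this specifically checked "
                f"for at source, by whom, and when was it last verified?")
        elif r["status"] == "provenance unknown":
            hint = (f" (listed for concern in: {', '.join(r['listed_countries'])})"
                    if r["listed_countries"] else "")
            questions[r["supplier"]].append(
                f"Please state the country of origin of the {r['material']} in "
                f"'{r['product']}'{hint}.")
    return dict(questions)


if __name__ == "__main__":
    found = screen_bom(BOM_CSV, load_risk_list(RISK_LIST_CSV))
    for r in found:
        print(r["status"], "|", r["product"], "|", r["material"], "|", r["country"], "|", r["issue"] or "")
    for supplier, qs in supplier_questions(found).items():
        print(supplier, qs)
```

The unknown-provenance branch is the one worth keeping: an assembled component with no declared origin is not "clear", it is a question for the supplier, and the screen says so rather than silently passing it.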

However and wherever you start, it’s important to make a start. Modern Slavery covers a host of practices that would be abhorrent to your customers, shareholders and staff and have no place in a modern business.

Rizikon Assurance is a platform for sending out Modern Slavery assessments, GDPR data processor assessments, Cyber Security assessments and in fact assessments of any type, including those specific to your organisation. You might be interested in having a demo of our Modern Slavery assessment.