It’s not just the FCPA, theft, fraud and money laundering that one must worry about when operating in unfamiliar markets. Developments including ESG failures, forced labour, cyber-attacks, and political risk are rapidly emerging as causes of concern and are more likely to indirectly impact large multinationals through their overseas supply chains or business partners. Whilst the risks of foreign corruption and embezzlement remain, the costs of getting caught up in issues that may be seemingly beyond your control are mounting.
We spoke with Michael Short, a 25-year veteran of the risk information business. He is a subject matter expert on international enhanced due diligence, supply chain risk management, and the design of screening and partner engagement programmes for multi-national corporations and financial institutions.
Michael is the co-Founder of the sustainability and resiliency solutions provider, ethiXbase, where he now focuses on promoting supply chain resiliency. Michael will be giving his thoughts on how the market is changing and the reasons why, and sharing insight into where the market for supply chain risk management may be heading.
How did you get into the business and why does it excite you?
“I joined the then Royal Hong Kong Police in 1988 pretty much straight from school, so I didn’t really have a profession to fall back upon when I left the police in 1997 when Hong Kong was returned to China. For most of my service I worked as a detective, focusing on criminal intelligence; thus the three things I knew how to do best were to ask the right questions, talk to the people ‘in the know’ and write a good report.
“These skills are the foundation of good due diligence and risk analysis and have since proved invaluable to me. Since leaving the police, I have co-founded and exited three risk information companies: Quest Research, which was sold to a NASDAQ listed entity in 2004; IntegraScreen/World-Check, which is now Refinitiv; and DataFlow, which was acquired by a large PE firm in 2015.
“The risk information business is exciting and incredibly vibrant, as it is constantly evolving and always needs to be cognizant of new developments and technology. So, after 25 years, I am still here, still engaged and most importantly still loving it!”
How has the market changed over the years?
“When I started out, the focus really was on AML; the banks were waking up to the fact that criminals were using them to launder the proceeds of crime. They had also caught the eye of regulators, who were now actively seeking to hold financial institutions to account. The term KYC was coined, and we helped some of the largest global banks to understand who they were banking and the origins of their clients’ cash. This market really took off in the wake of 9-11 and was driven by the implementation of legislation such as the US Patriot Act.
“A few years later, the risk information market woke up to the opportunities provided by the DOJ’s renewed interest in prosecuting failures of the FCPA. The FCPA had been on the books since the 1970s but it was only in the mid-2000s that they had started to launch large scale enforcement actions of its anti-foreign bribery provisions.
“Enforcement action against companies such as Titan, Monsanto and ABB in 2004 really fired the starting pistol and demonstrated that falling foul of the FCPA would prove very costly. The DOJ recommended that enhanced due diligence should be applied to all foreign business partners, suppliers and agents; thus a new market was born – ‘Know your Vendor’.
“The FCPA is still a large driver of the risk information and screening industry. Enforcement actions continue and the fines only seem to get larger, as evidenced by recent actions against Goldman Sachs and Airbus, which at US$ 3.36 billion and US$ 2.09 billion are substantial.
“The market drivers behind why clients use our services have changed over the years. The compliance risks posed by AML and foreign corruption are still very much with us but we are also now seeing the emergence of new risks that have to be managed. Due to this, the risk environment within supply chains and business partners is ever evolving.”
So what are you seeing within the industry and how are the risks evolving?
“That is a huge question, but essentially emerging supply chain risks include cybercrime and data security, Environmental, Social and Governance (ESG) issues and political risks. Let’s look at each one in turn:
“Data security is key to maintaining resiliency in management systems – but bad actors are always looking for vulnerabilities in systems and the supply chain is often seen as a convenient ‘back door’. Global supply chains are often seen as ‘insiders’ and are often granted access to critical systems, but they may not have the same cyber security protocols in place. This may cause harm as they unwittingly facilitate access to information that is not their own. A recent survey by a New York based cyber security firm found that 80% of respondents had reported suffering a third-party data breach in the previous 12 months, an astonishingly high figure. So, conducting a thorough cyber risk audit of suppliers is now a vital component of any supply chain resiliency programme.
“ESG is emerging as the biggest story within the industry. Financial institutions, and to a lesser degree large multinationals, are becoming increasingly aware of the need for supply chain sustainability and to identify, manage and ameliorate ESG risks. The dispersed and ‘just in time’ nature of global supply chains tends to render them opaque, multi-tiered and focused on cost efficiencies, thereby potentially hiding practices such as forced labour, pollution, wasteful use of resources and poor corporate governance.
“The online ‘ultra-fast fashion’ retailer Boohoo found this to its cost in 2020, when the identification of below minimum wage workers at suppliers in the UK went viral on social media, resulting in a US$ 1.89 billion loss of market value in 2 days. Rival online retail fashion giant, ASOS, revealed they had already dropped some suppliers 2 years beforehand, thus proactively protecting themselves through effective supply chain risk management. Fully identifying supply chain partners, ascertaining their present ESG compliance status, communicating ESG requirements, recognising the gaps and, most importantly, engaging with the supply chain to drive improvements in ESG will emerge as a key risk theme.
“Political risks within the supply chain are also more pronounced now than in recent years. For example, given the current shifting sands regarding the political relationship between China and the US, is it time to consider diversifying supply chain options away from China? Apple have been moving into Vietnam with some of its key partners such as Foxconn, Inventec and Pegatron; the latter having just invested US$ 1 billion in a plant in Haiphong. Additionally, half of all Samsung’s smartphones are now produced in Vietnam.
“This throws up some interesting questions, given the comparative strengths and weaknesses of other Asian countries. Where would you relocate to and who would you choose as your new suppliers? Where would you place your new facilities? Governmental considerations such as land grants and permits, together with issues with construction contractors and local partners all provide a compliance headache. It again comes back to knowing your supply chain and understanding the risks involved.”
What information is required to appropriately screen entities now and how has this evolved?
“The information that is required for a proper risk analysis on a third party has really evolved in line with the market needs. When we were primarily looking into the identification of clients and the source of their wealth, we really focused on the individual, their business activity, track record and associates.
“As the market became more sophisticated, as we added FCPA and fraud risk management compliance into the equation, there was also a requirement to screen companies. We then were required to answer questions such as ‘who are the connected individuals and how are they associated?’, ‘are any of them politically exposed?’, ‘is the company, its owners and its management on any deny or SDN lists?’, ‘is the company capable of performing the contracted services or is it a shell?’, ‘does it have the correct policies in place regarding gifts etc?’
“Recently, more in-depth questions have become the norm, such as ‘who are the company’s ultimate beneficiary owners, are they registered in a “secrecy jurisdiction” and what does that actually mean?’
“But perhaps the biggest change to date has been heralded by the emergence of ESG as a primary driver within the industry. We now prefer to ‘engage’ with third parties rather than just ‘screen’ them. This is because screening is just one process and we still need to ensure that a third party shares the same ethical views as our client, but it is no longer the only issue we need to consider. The need for us to be an agent of change is more pressing, so providing the information that supply chains need to enable ESG standards to improve is key.
“By taking a more holistic view of the ESG risks facing third parties in a supply chain we need to identify a complete spectrum of risks. These will include issues such as forced labour, pollution, waste of resources, diversity, executive compensation, community initiatives and personal advancement. A much wider lens is needed now than was before, when one was primarily concentrated on AML, anti-corruption and fraud risks. Once the risks are understood, we now also need to perform a gap analysis, identify the areas for improvements and work to elevate ESG standards in the third party. We can then benchmark ESG standards across a supply chain as a whole, as this will drive and deliver improvements in ESG that can be monitored in real time. This really does create value to all actors in the supply chain as it promotes resiliency, transparency and competition.”
So what will the future hold for the industry?
“That is a great question. The market for risk data solutions for supply chains will continue to expand, as the opportunity for the market to provide ESG focused information to multinationals is huge. At present just 4% of the global spend on ESG data is made by MNCs and that figure will reportedly increase 20% year on year. As the risks posed to them by their supply chains evolve, the amount they spend on compliance will increase dramatically. This is a market that is here to stay.
“Technology will prove invaluable in identifying the multitude of supply chain risks. Back in the day, when we were writing paper reports for banks to know their clients, the issue was track record and risk avoidance. All the information and analysis we reported was in the rear-view mirror and was frankly out of date the moment it was penned.
“Now, we are in the business of engagement, communication and monitoring of third parties to identify and manage risk in the supply chain – we have to use predictive risk indicators, real time interrogation of unstructured information and innovative third-party risk management platforms to convey up to date risk information to our clients. This is absolutely crucial if we are to successfully elevate ESG standards, compliance, and risk mitigation throughout the supply chain.
“I can also foresee that driving greater adoption of ESG within the supply chain will move compliance from being a ‘cost to the business’. It will instead be a driver of value, increased productivity and improvement in the lives of individuals within the supply chain itself. I think that this is more than a noble aspiration. A sustainable and resilient supply chain is imperative for every MNC and if we provide the tools to enable this then we can create value for all.”
Should you want to continue the conversation with Mike Short about Supply Chain Resiliency, ESG or emerging risks – reach out to us at firstname.lastname@example.org. We would be delighted to hear from you and also to introduce you to some of ethiXbase’s innovative solutions to managing risk in your supply chain.