In the first article, we provided the most relevant information that procurement departments and other stakeholders need to be aware of when it comes to the new regulation.
In this article, we will go a step further and discuss one of the most important due diligence obligations of the Act - Section 5 “The Risk Analysis” - and its relevance for indirect procurement.
Risk Analysis obligation: How does it apply to you?
Let's start with clarifying the difference between direct and indirect spend:
- Strategic or Direct Spend: The spend that is directly associated with the product a customer is selling to their end customer. For example, a car manufacturer’s strategic spend would include the material costs incurred in building a car.
- Non-strategic or Indirect Spend: Any purchase that supports the business without contributing to the manufacturing of the product itself. This includes HR costs, facility management, transportation costs, etc.
An ambiguity that often arises in connection with the risk analysis obligation is the distinction between strategic and non-strategic suppliers.
Do non-strategic suppliers need the same extent of diligence as strategic suppliers?
One might think that it would be sufficient to focus only on important strategic suppliers with high spend volume. However, the Act makes no distinction in terms of applicability between strategic and non-strategic purchasing. It states:
"All goods that an enterprise purchases to manufacture its products or provide its services are part of the supply chain and are therefore part of the risk analysis. This also applies to goods that enterprises purchase to ensure they continue to exist, but which are not directly incorporated into the final product.”
This implies that goods and services that are not intended for resale, such as office supplies or software systems, are also covered by the law.
So does this mean that every non-strategic supplier has to be analysed in detail? For some companies, that would mean investigating tens of thousands of suppliers.
The key word is "Prioritisation"
When it comes to the risk analysis obligation, enterprises do not have to consider all risks in equal detail.
They should focus on the most important ones, i.e. prioritise them.
Whether risks need to be prioritised by the enterprise depends on the criteria of appropriateness, in particular on how serious the risks are seen to be and what the enterprise’s potential influence is on effectively countering these risks.
The goal of the whole process should be to sort out non-substantial suppliers where no significant risk could be identified and focus on the higher risk suppliers.
Thus, indirect purchases still have to be considered when performing the risk analysis, but they can be analysed - under certain circumstances - with less effort.
Understanding the Risk Analysis process
In practice, the Risk Analysis process could look something like this:
- Starting with a list of all active suppliers, non-substantial (i.e. low risk) suppliers should be excluded based on the nature and extent of the enterprise's business activities. For instance, suppliers with no risks related to countries of origin, commodities or their business fields can be sorted out, and no further analysis is required.
- The substantial (i.e. high risk) suppliers must then be classified by their risks based on several conditions, including the severity and probability of violations and the degree of influence the company has over its suppliers.
- In the absence of a comprehensive list of risk criteria, the question may arise whether suppliers below a certain annual spend level can be ignored.
- The regulation prescribes that the analysis has to consider the risks for the affected people and not the risks for your company. For example, a small volume supplier may indicate low financial risks for your company, but can still have a significant risk of negatively impacting people and the environment.
Therefore, the risk analysis should not be based on expenditure volume as the only criterion, but should include several relevant risk indicators.
Complying with the Supply Chain Act: Best Practices
To summarise, implementing the corporate due diligence obligations is an individual, ongoing process that must be regularly reviewed and improved. Most effort and focus will be on the risk assessment of important strategic suppliers. Nevertheless, non-strategic suppliers must at least briefly be evaluated in order to sort out non-substantial suppliers or identify potential at-risk suppliers where further assessment is required.
Apart from the in-house risk analysis, enterprises can also use external risk data, but should keep a few things in mind. For instance, a self-disclosure statement such as a written assurance signed by a supplier is not sufficient to fulfil the due diligence obligation with regard to that supplier. External sustainability ratings, on the other hand, can serve as evidence within the framework and can be used as important indications of the fulfilment of the due diligence obligations.
Hence, an appropriate risk analysis and scoring should be a multistage process and include a variety of risk assessment data such as:
- Internal supplier data,
- External supplier sustainability ratings, and
- Supplier self-assessments.
Lhotse makes your existing regulatory data usable
The non-strategic supplier base comprises around 80% of all suppliers within most companies, and it is therefore often unmanaged and not transparent.
Lhotse leverages your existing internal and external risk data and intelligently integrates it into seamless sourcing processes. The exclusion of unwanted suppliers and a risk-based supplier selection approach ensure compliance with the Supply Chain Act and other company-relevant procurement policies.
In short, Lhotse offers a solution to bring 100% of your tactical spend under management.