Balancing Responsibility and Cost – A Call for New Ways of Thinking and Funding
As the broader business environment moves toward higher levels of responsibility, many enterprises are changing how they manage third party risk. The range of risks that organizations face has expanded over time, and as a result may require new ways of thinking and funding. Additionally, enterprises are under ever-increasing pressure from customers, investors and other stakeholders demanding responsible practices throughout the organization, including its third parties, further driving the need for change.
These forces are accelerating shifts in thinking on how enterprises can enforce responsible business practices across the supply chain, even if it is more costly to do so. This will require a deeper exploration into the forces driving enterprises, in order to redefine how they adopt responsible business strategies and practices, and why more funding is needed to support this movement.
Stakeholders Expectations Shift
As mentioned earlier, a variety of stakeholders are pressuring enterprises to adopt responsible business practices. Investors want to invest in responsible businesses whose reputations will remain strong. An increasing number of customers want to buy only from responsible businesses. These customers expect enterprises to be proactive and be able to demonstrate their ethical practices, not just internally but across the entire supply chain.
Another motivating factor is reputation protection – if a supply chain partner does something irresponsible, it is highly likely to get into the press or onto social media and have a negative effect on the “parent company’s” share price. For example, a UK clothing provider saw its shares decline recently after being accused of using a factory that both underpaid workers and did not offer them protection from the coronavirus.
This situation is not unique to this retailer- according to the Deloitte Extended Enterprise Risk Management Survey 2020, 30 percent of respondents from publicly traded companies indicated their stock price would drop by 10 percent or more in the event of a third-party incident. The survey also found that almost half of organizations surveyed (46 percent) believe the financial impact of a failure by a third-party has at least doubled over the last five years, with one-in-five respondents saying it has been a tenfold increase. That financial impact could include fines, direct compensation costs or lost revenue.
Given these factors, a shift in mindset is underway from “Can our enterprise afford to be more responsible?” to “How can it afford not to be more responsible?”
Changing Views on Responsibility and Cost
Organizations tend to follow a three-phase course to responsible business:
· Phase one – protect the supply chain. In this phase, organizations focus on business continuity, protecting revenue streams and the supply chain. The overarching driving factor is preserving financial results.
· Phase two – comply with regulations. In this phase, enterprises focus on “avoiding pain,” such as fines and potential reputation damage resulting from regulatory violations. For example, violating anti-corruption regulations or data privacy regulations can both cause fines and tend to be interesting stories for the media, particularly if the violations cause stock price declines. In this phase, enterprises are willing to pay for the cost of compliance because the potential pain caused by violations is far worse.
· Phase three – becoming a responsible business. This is the emerging phase occurring today. Enterprises are seeking to implement responsible business practices both internally on themselves, and externally across the extended enterprise ecosystem. In accomplishing the latter objective, they may need to invest money into a supplier to help them achieve responsible business objectives.
Lack of Funding for Responsible Business Efforts
While the business drivers for implementing responsible third-party business practices are clear, the Deloitte EERM survey indicates proper funding levels do not exist to accomplish this goal. Responding companies indicated they are not investing sufficiently to implement responsible practices in certain third-party risk domains. For example:
· 45% are not investing in anti-bribery and corruption
· 40% are not investing in data privacy
· 54% are not investing in labor and slavery risk
· 74% are not investing in climate risk
The survey indicates that if enterprises hope to achieve their responsible business objectives, more funding will be required to properly manage the various risk domains across the extended enterprise.
It might seem like the easiest approach to implementing responsible business practices among suppliers is to simply replace suppliers that cannot conform to requirements. However, this may compromise the objectives of responsible business. For example, what if the supplier has to terminate employees due to the loss of a contract? What will that do to the local area where that supplier is located?
Rather than replacement, an organization can seek to better understand its suppliers, why they might not be able to conform to responsible business guidelines, and then work collaboratively with them to solve the problem. This could include providing management and process advice, or even financial assistance so suppliers have the right infrastructure to operate in a responsible fashion. This “win-win” approach will likely involve an investment of time and resources, but can promote stronger relationships and performance over the long term. Not all suppliers will warrant this kind of investment -- enterprises will need to evaluate them on a case-by-case basis.
The first two phases of becoming a responsible business were defensive in nature – to avoid bad things from happening. The third phase is different – it’s focused on making good things happen. Yes, responsible business practices will help enterprises avoid fines and reputation damage; but they also can create stronger relationships across the extended enterprise ecosystem, not to mention customers, employees, investors and other stakeholders.
Mark Bethell is a partner in the UK EERM practice. Mark rejoined Deloitte in 2015 after spending four years at a global FTSE 5 company. Whilst working there Mark led the design and implementation of a global third party risk management framework. Mark’s other roles whilst there included membership of the internal audit leadership team with accountability for all internal audit work performed in relation to the extended enterprise (contractors, suppliers and joint ventures). Since returning to Deloitte, Mark has led a number of projects to help clients across many industries manage the risks associated with the extended enterprise. He has helped his clients to design, build, and implement third party risk management frameworks and design and operate large-scale, global programs of third party audits covering a variety of risk types. Mark specializes particularly in the implementation of EERM managed services for his clients, and in the ongoing development of technologies to support automated risk screening and monitoring.