Why there is a silver lining in BEPS 2.0 for Singapore

Consumer products and retail (CPR) organizations must manage third-party risks to strengthen supply chain integrity.

In brief

• CPR organizations are under great pressure to manage growing third-party risks threatening their supply chain integrity.
• With growing environmental, social and governance awareness, exposure to modern slavery risks can lead to significant financial and reputational damage.
• Technology-enabled frameworks and robust policies and procedures can help CPR organizations to manage supply chain integrity risks effectively.

More than a year since the outbreak of the COVID-19 pandemic, supply chains in Asia continue to experience significant disruptions. Lockdowns, remote working and severe restrictions on trade and movement have made it more challenging for organizations to address third-party risk management (TPRM) associated with supply chain integrity. Business issues related to supply chain integrity are multifaceted, ranging from fraud, bribery and corruption to brand counterfeiting, sanction risks and modern slavery. Given these complexities, it doesn’t come as a surprise that nearly two-thirds of respondents in the EY Global Integrity Report: emerging markets perspective said it is difficult for organizations to maintain integrity standards during periods of rapid change or difficult market conditions.

Companies in the consumer products and retail (CPR) sector are experiencing these challenges acutely. On the one hand, CPR organizations and their supply chain business partners have found themselves under immense pressure to meet stakeholder expectations during the pandemic. As a result, some might be tempted to take unethical shortcuts, such as third-party fraud, bribery and corruption, or commit breaches of ethical standards, including slavery, human trafficking and other related human rights issues. On the other, like many other sectors, they face increased regulatory scrutiny and a rapidly changing fraud, bribery and corruption environment.

This increased regulatory scrutiny is mainly driven by heightened global enforcement as well as Southeast Asian-specific regulations. In 2020, enforcement actions under the US Foreign Corrupt Practices Act of 1977 (FCPA) amounted to almost US$6.4b globally, a record high since the FCPA’s enactment, half of which involved companies in Asia. Historically, the CPR industry has always been among the top six industries subject to FCPA enforcement activities.

As CPR organizations seek to accelerate recovery and growth, integrity must remain central. Past examples have shown the financial and reputational price paid when ethics are sidelined in the aggressive pursuit of growth and profitability. These companies need to urgently address the mounting third-party risks that threaten supply chain integrity. The management needs to consider how it can better manage current and emerging risks within supply chains to do what is right and avoid reputational and financial damage.

The growing challenge of TPRM

As third-party networks in CPR organizations grow in both size and complexity, many third-party due diligence systems, including whistle-blower and other reporting mechanisms, are struggling to keep pace. COVID-19 lockdowns and remote working arrangements have exacerbated this problem, restricting organizations’ oversight over third parties and hampering their ability to conduct appropriate due diligence assessments. Supply chain disruption during the pandemic has therefore resulted in significant ethical risks arising from the conduct of business partners, including employment practices and corruption. With increasing digitalization, defenses in the CPR sector have been struggling to stay ahead of cyber incidents and data privacy risks.

CPR organizations need to implement robust TPRM programs or risk serious disruptions in the supply chain that may put them out of business. Their TPRM framework should be holistic, technology-driven and designed to address the organization’s unique third-party risks, especially in disruptive times.

Increased regulations in Southeast Asia

Governments across Southeast Asia are increasingly holding companies and their management responsible for third-party fraud, bribery, corruption and modern slavery breaches. The Prevention of Corruption Act (PCA), Penal Code and Companies Act in Singapore and Section 17A of the Malaysian Anti-Corruption Commission (MACC) Act 2009 in Malaysia are some key legislations that prosecute fraud, bribery and corruption with severe penalties, including imprisonment. Other Southeast Asian countries, including Indonesia, the Philippines, Vietnam, Sri Lanka and Thailand, have similar legislations governing bribery and corruption.

Most countries in the region also have strict laws and regulations governing modern slavery and forced labor issues, such as Singapore’s Prevention of Human Trafficking Act 2014. These legislations require companies to implement a comprehensive compliance framework with continuous monitoring and often entail extensive due diligence on the companies’ third parties. The table below provides an overview of these key regulations in Southeast Asian countries.

In addition to local regulations, CPR organizations may also be subject to extraterritorial legislations, such as the FCPA and MSA. The MSA, for example, applies to companies with a global annual turnover of at least GB£36m and business connections to the UK, which can include any supply chain relationships, such as vendors, customers, consultants or other intermediaries.

Technology-enabled supply chain integrity management

Currently, many CPR organizations are managing their supply chain integrity risks manually and in a fragmented manner. For example, the status quo for many organizations is that the business unit or compliance function sends questionnaires to third parties. Different teams may use inconsistent processes and criteria to assess different risks in silos across ESG metrics (including modern slavery risks), bribery and corruption, cybersecurity and data protection. After the questionnaire has been completed, the business unit or compliance function decides whether further reviews and approvals are required prior to proceeding (or not). This process is inefficient, costly and often ineffective, especially when the CPR organization is dealing with many third parties spread across various countries.

Leading CPR organizations that successfully manage their supply chain integrity risks, including modern slavery, have developed technology-enabled frameworks. Such frameworks embed third-party screening tools based on workflow approvals. Such tools are deployed as part of the organization’s onboarding procedures and used for continuous monitoring. The frameworks also increasingly incorporate the latest digital technologies, such as artificial intelligence to identify and analyze risks as well as blockchain to evaluate historical transactions connected to a specific third party.

Further, CPR organizations that excel in managing supply chain integrity risks have strong policies and procedures in place, such as a code of conduct that extends to third parties and includes references to modern slavery. Such policies and procedures are regularly reviewed and updated based on periodic risk assessments.

These organizations also often require their suppliers to provide certifications to confirm that materials and services associated with products comply with local and international laws governing fraud, bribery, corruption and modern slavery. Compliance with the CPR organization’s integrity polices and certifications is often tested through the execution of third-party audits.

As CPR organizations work on reinforcing supply chain integrity for a post-pandemic world, their management should consider the following questions:

• Does the management have real-time insights into all third parties involved in their supply chains and the potential risks that they pose to the organization?
• Does the organization’s policies on third parties address key risk areas, including modern slavery, anti-bribery, anti-corruption, cybersecurity and data protection?
• Does the organization conduct ongoing monitoring of its third parties’ compliance with different relevant global and local regulations as well as internal policies in a consistent and holistic manner?
• Are whistle-blower or speak-up programs effective in allowing the organization’s employees and third parties to raise concerns if they have witnessed or been exposed to unethical conduct?
• In the event of a regulatory investigation, is the organization able to provide documented evidence of adequate procedures in its third-party due diligence and ongoing monitoring program?

This article was authored by Ramesh Moosa, EY Asean and Singapore Forensic & Integrity Services Leader, with contributions from Associate Partner Saket Bhartia and Manager Philipp Kloeber of Forensic & Integrity Services at Ernst & Young Advisory Pte. Ltd.