A resilient supply chain is defined by its ability to resist incidents and events at a micro or macro level. These risks can range from white swan events like the pandemic, war, national regulations, and technological advances to operational supply chain disturbances and even rapidly changing consumer behaviors. All investments to make supply chains resilient have gone into automating supply chain processes and gaining visibility. The focus thus has been to adapt supply chain processes to business needs and seamlessly connect workflows while gaining visibility with real-time insights on the data generated from these automated workflows. This data is used to do supply chain risk analysis.
This approach ignores one of the greatest dangers to supply chain resilience. Modern supply chains are complex entities spanning continents and multiple national borders, and one of the biggest and most consistent risks that emerge in supply chains lies with your supplier’s supplier or your supplier’s supplier’s supplier. This risk is real, and its repercussions for the business and brand are potent. However, modern supply chains in most industries simply do not have the data to make risk assessments at such lower tiers. Compliance and risk owners simply are not oriented to look at this, and their governance ignores this angle.
Even if risk and compliance owners at large multinationals and companies with supply chains across borders started to look at this risk vector, they would run into serious headwinds. For large companies, these suppliers can number in the hundreds, thousands, or even tens of thousands. A three-sixty-degree, in-depth assessment of these suppliers would require amalgamating many different data sets, with varying levels of data integrity and access, at a large scale.
All of this comes at a time when the US Government has become very aggressive on supplier risk. The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) administers and enforces most economic and trade sanctions on supply chain related violations. What is critical to understand is that OFAC’s civil enforcement of US sanctions laws and regulations operates on a “strict liability” basis. Strict liability exists when a company is liable for committing an action, regardless of the company’s intent or ignorance of consequence when committing the action. This means that OFAC does not need to prove fault or intent to enter an enforcement action and issue a civil penalty. These penalties have increased manifold recently, pushing past the billion-dollar mark in 2019. While this number has gone down due to Covid disruption, there is little doubt that a new, more aggressive stance on monetary penalties is now the standard baseline for OFAC and other agencies involved with sanctions.
Companies that are trying to address this vulnerability are struggling. How much do you do on your own? How much do you rely on a third party and on tools that are not specifically made to address this issue? Which data can you use? Which secondary, third-party data can you buy? Which third-party data can you overlay? How do you ensure the integrity of these? How do you ensure data governance, so that you have the latest data on legal relationships of owners and companies, and that the family tree of companies and directors is fully up to date? There is a lot of uncertainty on how to proceed.
Companies that have found success in this area share a common set of decisions and initiatives, and companies looking to emulate them would do well to study these:
Multi-tier audit checklist: What do you need to know? What do you know about that? What don’t you know about that? These three questions are key to understanding your current risk profile, but if you do not do an exercise to identify these, you will never get the checklist you need to pursue the right data.
Supplier collaboration: Companies that know what data to look for then move to the next step of formally going to all their suppliers and asking for data. There is a lot of incentive to do this. Aside from mitigating supplier risk, this additional data comes in incredibly handy during a supply chain crisis, giving you greater visibility into your suppliers and enabling you to make better business decisions faster.
Specialized tools: Increasingly, tools that have access to large business databases related to credit and/or financial capability can take that data and translate it into risk models. They can also visualize inter-company connections, map executive relationships, and check them against blacklists maintained by OFAC and other government agencies. These tools will be a critical part of mitigating supply chain risks from tier 3 and 4 suppliers.
The new reality of your supplier’s supplier being a grave risk to supply chain resilience is here to stay. Companies need to address this vulnerability head-on by changing some fundamental assumptions about their risk models, gathering new primary data, collaborating closely with their suppliers, and relying on “smart” tools.