2024 Predictions! Supply Chain Regulations and Exposure – How to Manage Third-Party Risk and Beyond

What do you need to know about managing third-party risk in supply chains in 2024?

It’s that time of year again when I get together with the one-and-only Carrie Penman from NAVEX to go through our top ten trends and predictions for 2024! Together with thousands of webinar attendees, she and I review the thought leadership from the Top Ten Trends ebook, which was published at the end of December.

I was lucky enough to author/co-author two of the articles we’ll be discussing on the webinar. Here is the article I co-authored with Florian Haarhaus on supply chain regulations, third-party risk, and our prediction for what’s going to happen in 2024. (Check out the second article about data privacy and protection here.)

Curious? Read on and join us for the webinar Jan. 18th. Sign up HERE!

If the term “nth supplier” joined your vocabulary recently, you’re not alone. If you haven’t heard the term until now, don’t worry – you’ll be hearing it frequently soon enough.

The “nth” supplier is the mythical last provider of materials many layers down into the supply chain. Regulators expect companies to obtain (or divine) massive amounts of information from their suppliers’ suppliers, then aggregate it magically into easily reportable sliced-and-diced data. The reality is much more challenging.

Supply chain due diligence regulation is exploding. So too, are stakeholder expectations around the supply chain, especially when it comes to environmental and human rights abuses. Gone are the days when the best price was the only consideration for product sourcing. Now, the review must consider many facets, including the environmental impact of production and the effect of production on the humans involved.


The Current Legal Landscape

Unsurprisingly, Europe is leading the way when it comes to supply chain-related due diligence laws. We discuss some of the following regulations in light of ESG requirements in another section of the ebook. This article focuses on how these regulations apply to supply chain due diligence, as opposed to ESG.

The German Supply Chain Act

The German Supply Chain Act came into force on January 1, 2023. Where applicable, it obligates larger German businesses to identify and account for their impact on human rights, including forced and child labor, forced evictions, oil pollution, and land grabbing. The requirements extend to overseas direct suppliers and sometimes even indirect suppliers.

Due diligence procedures must be documented, and an annual report must be published and submitted to the Federal Office for Economic Affairs and Export Control.

Corporate Sustainability Reporting Directive

Just four days after the German Supply Chain Act came into force, the European Corporate Sustainability Reporting Directive did the same. While some rules are still being finalized, current reporting obligations relate to environmental matters, treatment of employees, respect for human rights, anti-corruption and bribery, and diversity of company boards (in terms of age, gender, educational and professional background).

The Directive has a staged approach for enforcement, with the first in-scope companies applying the disclosure rules to their 2024 financial year, with reports to be published in 2025.

The Coming Legal Landscape

There are many laws on the horizon that are likely to impact supply chain due diligence and reporting requirements.

European Union’s Corporate Sustainability Due Diligence Directive

The EU’s Corporate Sustainability Due Diligence Directive (CSDDD) would introduce requirements for companies to identify, prevent, end, or mitigate the actual and potential negative impacts of their activities on the environment and human rights. It would obligate them to conduct due diligence on their own operations, as well as those of their subsidiaries and other entities in their value chains with which they have direct or indirect established business relationships.

The directive includes many disclosure requirements relating to due diligence and imposes civil liability on companies where harm could have been avoided had proper due diligence been performed. The directive is in the final stages of negotiation and is expected to be finalized in 2024, with enforcement beginning in 2025.


United States Securities and Exchange Commission Disclosures

The United States Securities and Exchange Commission is, as of this writing, continuing to finalize its new climate-related disclosure rules. When they come into force, they will obligate companies traded on U.S.-based exchanges to report information about their environmental impact. The rules will likely require companies to obtain information from their suppliers about their environmental impact, creating a wide-ranging impact.


Other States and Countries

Human and environmental rights issues are hot political topics. Many state/country actors have stated intentions to require greater transparency from corporations. We expect to see many more formally proposed laws in the near future.

What to Do Now

The legal landscape is daunting, but there is much you can do now to prepare for disclosure compliance.

Map Major Suppliers Using a Risk-Based Approach

It’s tempting to boil the ocean, but a better use of your time and resources is to use a risk-based approach for supply chain due diligence and management. There are different approaches to this.

The first is spend-based due diligence. To do this, go to procurement and/or finance and ask for information about the top suppliers by spend. Start with a number you can manage, whether that’s the top five or top five hundred suppliers.

An alternative is to use a jurisdiction-based approach. For human rights concerns, the annual United States Trafficking in Persons report ranks countries by risk. Country-specific environmental protection risk may be reviewed using the Country Policy and Institutional Assessment (CPIA) data of the World Bank.

Another approach is to focus on higher-risk industries. Organizations like Walk Free, Amnesty International, and Human Rights Watch all provide good information for understanding supply chain risk.


Make it an Inside Job

Procurement/Sourcing should be able to give you access to information about key suppliers, but other departments will have important insights as well. For instance, Legal may know about the largest supplier contracts signed this year. You can read the terms and understand whether disclosure requirements or audit rights are present.

You can also ask IT for information coming out of their data flow mapping. If data is coming or going from higher-risk jurisdictions, that can be a lead you’ll want to follow.


Ask Your Suppliers

Once you’ve identified your major suppliers, call their Procurement or Compliance teams, and ask for any disclosure information they have available. In many industries, disclosure is already common and/or required. Collect this low-hanging fruit to begin your information gathering.


Check Your Modern Slavery Disclosure Requirements

Many companies are unaware that they need to disclose their anti-modern slavery activities if they reach certain legal thresholds. The United Kingdom, Australia, and California all have public disclosure requirements, and Canada recently joined that list. If you sell into or otherwise operate in any of those locations, check the rules to make sure your company is in compliance.


Create Standard Contract Language

Work with the Legal department to create standard language in contracts relating to human rights, the environment, and deeper supply chain issues.

A good approach is to have a catch-all “follow all laws, including all labor laws”-type clause in all contracts, with stronger contractual obligations for higher-risk and/or higher-spend suppliers.


Obtain an ESG Baseline Report

If you already know your company is going to be subject to disclosure obligations, consider hiring an outside expert to perform a materiality analysis and/or ESG baseline report from which to measure year-on-year.


Best Practices

In addition to what you need to do now, some best practices include the following:


Create a supplier code of conduct

Create a supplier code of conduct that applies to all suppliers and ensure it is published on your website. Either attach or reference the supplier code for inclusion in all supplier contracts. Include language on POs stating that acceptance of the PO indicates acknowledgment of, and agreement to adhere to, the company’s supplier code of conduct.

Be sure to use a principles-based approach. Principles use universal language rather than prescriptive, company-specific requirements. For example, choose “supplier agrees not to furnish any public official or private person with anything of value for an improper purpose” instead of “supplier agrees to follow the company’s gifts and entertainment policy.”

Supplier codes often include language requiring suppliers to follow the company’s own policies, even though those policies are not publicly available and/or conflict with the supplier’s own policy limits. A principles-based approach solves this problem.


Audit your highest risk suppliers

There’s nothing like an on-the-ground review to understand what is really going on. When you’ve identified your highest-risk suppliers, make an audit plan and determine whether your internal auditors can include human rights/environmental review in their current plan, or obtain outside auditors to perform the reviews.

Many companies already perform quality audits of their important suppliers. Where that is already happening, add human rights/labor-related audit elements to the audit plan and train the auditors on red flags. Work with Legal to ensure that higher-risk supplier contracts include audit rights going forward.


Practice at the table

It’s likely that your IT department does a data breach tabletop exercise each year to practice responding to a crisis. See if you can partner with IT to include a supply chain disruption with environmental or human rights-related challenges as part of the exercise. This will help people see the potential damage in a much more animated way.


Engage with industry associations

If your company is in an industry that is or will be subject to disclosure requirements, you’re likely not the only company contemplating what to do. Engage with industry associations and advocacy groups to see if they have advice or guidance on complying with the disclosure requirements specific to your industry. If they don’t, suggest that they start a working group to do so.


Acknowledge the limits

Unless your company is their most important customer, asking a secondary or tertiary supplier’s supplier to disclose information to your company is going to be a challenge. Over time, uniform ways of disclosing information up and down supply chains may emerge, making it easy to comply with disclosure laws and to aggregate data consistently. That day isn’t here yet. Be patient, acknowledge the limitations of what is and will be available, and do your best to comply using what you have.


2024 Prediction

Scrutiny of supply chains will grow stronger by all stakeholders, including regulators, employees, shareholders, other companies, and the public. Most companies will struggle to adapt to quickly changing requirements but will ultimately create successful strategies for doing so.



Kristy Grant-Hart

Kristy Grant-Hart is the founder and CEO of Spark Compliance.
She's a renowned expert at transforming compliance departments into in-demand business assets.