How to help your business survive the global Economic Coercion wrecking ball


Key Takeaways:

  1. Economic Coercion is now a core weapon in global power struggles, directly impacting industries like tech, agriculture, and critical infrastructure.
  2. The biggest risks? Supply chain disruption, IP theft, and regulatory nightmares.
  3. Businesses that diversify, protect their trade secrets, and strengthen partnerships will be the ones who survive this new era.

Introduction

In 2025, the global geopolitical balance is shifting. Economic Coercion has become a core strategy for many governments aiming to secure competitive advantages that will define their economies for the next 50 years.

While governments are playing this game, the impact is felt by the real targets – businesses and commercial operations – particularly those in technology, critical infrastructure, and those with global supply chains. From China’s export bans on rare earth minerals to U.S. semiconductor restrictions, Economic Coercion is no longer abstract: it’s hitting balance sheets and boardrooms in real time.

If you’re a senior executive, ignoring this reality is like leaving your front door open during a storm. So, how do you protect your business from becoming collateral damage?


The Playbook of Economic Coercion

Economic Coercion is the strategic use of trade restrictions, investment controls, and export regulations to force political or commercial outcomes. Think of it as geopolitics in a suit and tie.

The Top Targets:

  • Technology & Semiconductors (e.g. U.S. export controls on chips to China)
  • Agriculture & Food Supply Chains (e.g. Australian wine and barley, frequently susceptible due to the perishable nature of many products and difficulties finding alternative markets quickly)
  • Critical Minerals & Energy Infrastructure (e.g. China’s dominance in rare earths)
  • Biotechnology & Research Commercialisation (e.g. IP theft and data manipulation)
  • Financial Services (e.g. exposed to sanctions and currency manipulation)
  • Tourism (e.g., targeted through restrictions on group tours to specific countries)
  • Higher Education (e.g. Universities reliant on foreign students are vulnerable to geopolitical and economic shocks, as well as rapid changes in consumer sentiment)
  • Critical Infrastructure (e.g. critical component and part supply chains)

Industries particularly vulnerable to economic coercion often exhibit these factors:

  • Raw materials – Industries dealing with raw materials are often heavily affected by coercive measures
  • Strategic industries – Sectors with strong political lobbies in the targeted country are often chosen for coercion.
  • Niche, high-value products – Industries producing specialised goods where consumer tastes can change may face longer-term impacts from temporary market losses.
  • Industries dominated by a single country or region – Sectors where one nation has significant market dominance are more susceptible to coercion.

The Risks to Your Business

Economic Coercion isn’t just about tariffs and sanctions. It’s about supply chain fragility, intellectual property theft, and regulatory traps that can cripple your operations overnight.

Under Australia’s Security of Critical Infrastructure Act Supply Chain Hazard Rules, businesses are now required to assess the availability of critical components from offshore suppliers. Why? Because relying on a single region for critical components (e.g. critical spare parts) leaves you vulnerable to coercive tactics.

Other ways Economic Coercion may materialise as risks in your business include:

  • Supply Chain Disruption: Losing access to essential components from key international markets.
  • IP Theft & Insider Threats: Your R&D data becomes a geopolitical bargaining chip.
  • Regulatory and Compliance Nightmares: Sanctions and opaque foreign investment laws are applied to your business or its products and services.
  • Market Access Loss: Being locked out of key export markets, either directly or indirectly.

What You Can Do About It

In this environment, waiting to react is a losing strategy. The key to survival is monitoring your strategic environment, identifying risks early, and making decisions while you still have the advantage — not when you’re already vulnerable.

So, what should your playbook include?

  • Diversify Your Supply Chains: Reduce dependency on single-source offshore suppliers. Consider nearshoring and local partnerships.
  • Lock Down Your IP and Trade Secrets: Strengthen insider threat programs, trade secrets and IP protection programs (including in your supply chain and with collaboration partners) and cybersecurity controls.
  • Enhance Regulatory Compliance: Stay ahead of foreign investment rules and export controls.
  • Build Strategic Intelligence Capabilities: Monitor geopolitical developments to identify risks before they hit your balance sheet.
  • Capture New Markets Before Competitors Do: When others are stuck in a vulnerable market, pivot to diversified regions.

The Competitive Advantage of Intelligence

In this new era of geoeconomic fragmentation, good intelligence is good business strategy. By tracking geopolitical shifts and understanding which markets are at risk, executives can make smarter investment decisions, secure critical supply lines, and gain market share while competitors are distracted or trapped by coercion tactics.

Those who act early will not only avoid becoming victims but also position themselves as leaders in emerging markets and technologies. Want tips on where to start? Well, start with this article:


The Bottom Line

In 2025, geopolitical risk is now a business risk. If you’re leading in tech, agriculture, or critical infrastructure, you’re already on the frontline.

The question is: are you ready to protect your business from the next wave of Economic Coercion?

Would love to hear from others in the trenches — how is your business adapting?



DISCLAIMER: All information presented on PaulCurwell.com is intended for general information purposes only. The content of PaulCurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon PaulCurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Channel stuffing fraud – a distribution problem


What is Channel Stuffing?

Channel Stuffing is also known as ‘trade loading’, and is where sales teams sell an abnormally large quantity of product to distributors at one time. These sales are usually at a significant discount, or on generous payment terms making it both attractive and financially viable to the buyer. Channel Stuffing increases earnings in the short-term, but you are effectively front-loading the next quarter’s sales, which makes it harder to achieve future sales targets.

Sometimes, Channel Stuffing can be fraudulent, such as where a sales person engages in Channel Stuffing to get a higher short term incentive (bonus) or commission knowing they intend to resign before the next quarter. In some cases, the buyer (e.g. retailer) is forced or coerced by the Distributor to purchase the extra inventory. This can damage the relationship and even impact the retailer’s financial viability.

To make it more attractive to sourcing and procurement teams in the retailer, the sales person attempting Channel Stuffing may offer bribes or kickbacks to the retailer’s staff to complete the Channel Stuffing transaction, or distributor sales staff and retailer procurement staff may be acting in collusion to perpetrate the scheme. An illustration of how Channel Stuffing works is shown below:

An illustration of the way channel stuffing works in a supply chain

Companies that don’t have proper controls in place are likely to fall victim here – it’s worth pointing out that Channel Stuffing is an internal fraud, a type of insider threat which occurs in the distribution stage of the supply chain.


What industries are most exposed?

Industries most at risk of Channel Stuffing are those with high margins, because high margins can be discounted without overly impacting revenue. Those most likely to be impacted include:

  • Consumer Electronics
  • Tobacco
  • Automotive Industry
  • Pharmaceuticals
  • Fast Moving Consumer Goods (FMCG)
  • Technology, including software providers
  • Fashion and apparel
  • Industrial equipment
  • Alcohol and Distilled Spirits

As with many supply chain and distribution fraud schemes, it is hard to find reliable statistics on incident data so I have replaced a graph of losses with a more uplifting pic of something I enjoy – getting outdoors!

people riding on inflatable raft
Photo by Hilmi Işılak on Pexels.com

Who are the victims in Channel Stuffing?

There are two victims in channel stuffing fraud – that is, parties who incur a loss. First is the distributor (channel partner) itself which employs the sales team. This is commonly the case in fraud perpetrated by one or a small group of disaffected sales leads who are trying to engineer a good bonus and intend to resign in the near future to avoid any repercussions.

Where sales people have fraudulently engineered sales, the channel partner may need to engage legal support to claw back bonuses, and may also be subject to financial penalties from the manufacturer under the Distribution Agreement for having inadequate controls which allowed Channel Stuffing to happen.

The second victim is the manufacturer or business which creates its products and sells them to customers via its channel partners. This company is dependent on third party channel partners to execute the distribution agreements as agreed.

Impacts of Channel Stuffing include:

  • Financial: Depending on scale and materiality, Channel Stuffing will likely impact a manufacturer’s actual revenue against plan (forecast), artificially inflating revenues in the short term. For publicly listed companies or companies with Private Equity investors, material cases of Channel Stuffing, if not detected, could be misleading to investors and have regulatory impacts.
  • Customer Satisfaction: Customers of the distributor (i.e. retailers) may be forced or coerced to take on additional inventory, which can impact customer satisfaction, brand and reputation. Where products are easily substituted for a rival’s, retailers may even stop offering a product and switch to selling other brands.
  • Inventory distortions: A large volume of unexpected sales (through Channel Stuffing) will result in excess inventory at a retailer, which could take months to clear and may even need to be discounted. This situation can also trigger a manufacturer to build more product, believing that market demand for their product is high. When Channel Stuffing is discovered, one or more parties will be left holding excess inventory, with all the associated implications.
  • Misrepresentation of sales and marketing campaign effectiveness: If a large incidence of Channel Stuffing occurs during a sales campaign or when A/B testing is underway, this may give a wrong impression that the sales are driven by marketing or advertising when they are actually fraudulent. This can cause manufacturers to spend thousands of dollars on marketing and advertising which isn’t actually working.
  • Returns: Some purchasing terms may include provisions for retailers to return excess inventory for a refund a few months after the sale was completed. Sales teams may walk away with a larger bonus, but the manufacturer will be left to unexpectedly refund some or all of the sale, and accept the additional inventory or alternately agree to the inventory being sold at a heavy discount to end users or offloaded onto the resale market. Either way, the manufacturer loses.

How can you identify Channel Stuffing and what are the indicators?

Identifying frauds and insider threats like Channel Stuffing is really an intelligence and analytics problem. In order to detect fraud, we need to know what we are looking for. The most effective way of doing this is to build one or more typologies that capture how the fraud scheme would actually work in your business, and what to look for. If you’ve never heard of a typology, have a read of my previous article.

If you read Forewarnedblog.com regularly, you will know I frequently talk about the importance of keeping data on incidents – such as through an incident register. Use the details of a previous case (or public cases involving your competitors or similar industries) for Comparative Case Analysis which allows you to develop detailed fraud detection typologies.

Detecting any type of threat in your data involves identifying the patterns (behaviours, indicators), anomalies (unusual activity), and signatures (unique offender characteristics associated with how they perpetrate the fraud). Indicators of Channel Stuffing to look for in the data include:

  1. Unusually High Sales Volumes: Look for anomalies and spikes in sales figures, especially towards the end of reporting periods or bonus periods.
  2. Rising inventory: Setting aside seasonal fluctuations and sales trends, can inventory increases be reliably explained?
  3. Extended Payment Terms: Do unusual sales volumes correlate with issuing of extended payment periods or more favourable return policies for retailers?
  4. Excessive Discounts or Incentives: Is your business offering unusually high discounts, rebates, or incentives to distributors or retailers?
  5. Returns and Chargebacks: (lagging indicator) Can abnormal rates of returns, chargebacks, or unsold inventory be observed in a period after indicators 1-4 were identified?
  6. Abnormal Sales Patterns: Are there any anomalies such as consistently high sales in the last week of a reporting period?
  7. Increased Distributor or Retailer Complaints: Are partners reporting concerns about pressure to accept more inventory than they can reasonably sell?
  8. Unrealistic Sales Targets: Are they realistic, or are they impossible which encourages sales staff to resort to Channel Stuffing (especially where sales team compensation is commission-based)?
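Indicators 1, 3, 4, 5 and 6 above, expressed as checks over a distributor sales ledger. This is an added example, not code from the original article; the ledger rows, the use of calendar quarters as the reporting period, and every threshold are constructed assumptions to be tuned against your own typology.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed ledger: (distributor, invoice date, units, discount %, payment terms in days)
SALES = [
    ("DIST-A", date(2024, 1, 15), 100, 5, 30),
    ("DIST-A", date(2024, 2, 12), 110, 5, 30),
    ("DIST-A", date(2024, 3, 11), 105, 5, 30),
    ("DIST-A", date(2024, 3, 25), 100, 5, 30),
    ("DIST-B", date(2024, 1, 20), 90, 5, 30),
    ("DIST-B", date(2024, 2, 18), 95, 5, 30),
    ("DIST-B", date(2024, 3, 28), 400, 20, 90),   # large, discounted, long terms
    ("DIST-B", date(2024, 3, 29), 300, 18, 90),
    ("DIST-B", date(2024, 4, 22), 40, 5, 30),     # next quarter's sales were front-loaded
    ("DIST-B", date(2024, 5, 20), 35, 5, 30),
]
# Constructed returns: (distributor, return date, units)
RETURNS = [
    ("DIST-A", date(2024, 4, 18), 10),
    ("DIST-B", date(2024, 4, 30), 250),
    ("DIST-B", date(2024, 5, 20), 100),
]

def quarter_of(day):
    return day.year, (day.month - 1) // 3 + 1

def quarter_end(year, quarter):
    first_of_next = date(year + (quarter == 4), (quarter * 3) % 12 + 1, 1)
    return first_of_next - timedelta(days=1)

def weighted_discount(rows):
    # Unit-weighted average discount, so one small invoice cannot skew the figure.
    return sum(u * d for u, d, _ in rows) / sum(u for u, _, _ in rows)

def assess(sales, returns, window_days=7, share_limit=0.5,
           discount_uplift=5, terms_uplift=30, return_limit=0.2):
    """Return {(distributor, year, quarter): [indicator names that fired]}."""
    buckets = defaultdict(lambda: {"late": [], "early": []})
    for dist, day, units, disc, terms in sales:
        year, qtr = quarter_of(day)
        late = (quarter_end(year, qtr) - day).days < window_days
        buckets[(dist, year, qtr)]["late" if late else "early"].append((units, disc, terms))

    returned = defaultdict(int)
    for dist, day, units in returns:
        returned[(dist, *quarter_of(day))] += units

    findings = {}
    for (dist, year, qtr), rows in buckets.items():
        late, early = rows["late"], rows["early"]
        late_units = sum(u for u, _, _ in late)
        total = late_units + sum(u for u, _, _ in early)
        hits = []
        # Indicators 1 and 6: most of the period's volume lands in its last days.
        if late_units / total > share_limit:
            hits.append("period_end_spike")
        if late and early:
            # Indicator 4: period-end deals discounted well beyond the distributor's own baseline.
            if weighted_discount(late) - weighted_discount(early) >= discount_uplift:
                hits.append("excess_discount")
            # Indicator 3: period-end deals carry much longer payment terms.
            if max(t for _, _, t in late) - max(t for _, _, t in early) >= terms_uplift:
                hits.append("extended_terms")
        # Indicator 5 (lagging): heavy returns in the quarter that follows.
        nxt = (year + 1, 1) if qtr == 4 else (year, qtr + 1)
        if returned[(dist, *nxt)] / total > return_limit:
            hits.append("later_returns")
        findings[(dist, year, qtr)] = hits
    return findings

if __name__ == "__main__":
    for key, hits in sorted(assess(SALES, RETURNS).items()):
        print(key, hits or "no indicators")
```

A distributor-quarter that fires several indicators at once is a lead for investigation, not proof of fraud; seasonal campaigns can produce the same pattern.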

By paying attention to these indicators, you can help businesses detect and prevent channel stuffing, ultimately safeguarding their financial integrity and long-term relationships with distributors and retailers. Additionally, offering guidance on transparent and ethical sales practices will contribute to sustainable business growth.

Four things businesses can do to minimise Channel Stuffing risk

With an understanding of what Channel Stuffing is and the ways it can be identified, there are four key things businesses can do to mitigate the risk:

  • Develop typologies and use data analytics to continuously monitor for, and proactively detect Channel Stuffing
  • Implement transparent, detailed reporting that ensures visibility of emerging trends and issues and allows early management intervention
  • Ensure appropriate reporting and audit rights are included as part of any distributor compliance program forming part of Distribution Agreements. Channel Managers need to consider this in the Channel Management strategy.
  • Implement programs to perform market surveillance and obtain customer (end user) feedback to understand what is actually happening and who is buying your product. This helps validate observations in data analytics

As with all fraud schemes, paying attention to your data and having a good understanding of your business can help deter and detect frauds early. The bottom line is that proactively looking for Channel Stuffing can avoid significant downstream pain!


DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

An introduction to third party screening processes


What is third party screening and why is it important?

Screening is a term applied in the governance, risk and compliance field which equates to one or more database checks. In a screening process, the name of a business, organisation or individual is queried in a database to identify potential matches.


Where a match is identified, the screening process should include a confirmation step to determine how reliable the match is prior to determining next steps. Screening is used in a range of functions, including:

Many risk and compliance laws and international standards have a reasonable expectation that screening will be performed by business and government as part of routine business operations or as part of customer service delivery. Vendor screening is also an essential part of vendor due diligence and is a foundational element of any supplier integrity framework.

Overview of the third party screening process

Any screening process comprises two stages – screening design and screening delivery – with a total of five steps in the process, as follows:

Stage 1 – Screening Design

  • Determine screening context and objectives: Confirm what you need to achieve by screening. This could be an obligation under legislation, standards, or policies.
  • Agree screening parameters: Determine what you are going to search (sources), when (at what point in a process or relationship), how frequently (e.g. once on commencement of the relationship, or annually), who will perform the work and where the results will be stored.

Stage 2 – Screening Delivery

  • Perform name-based screening: Query the relevant database for a name manually or automatically, ensuring all steps and results are documented.
  • Qualify potential matches and escalate matters of concern: Have a mechanism to perform further review (investigation) of likely matches.
  • Perform Quality Assurance (QA) to validate search parameters, providing assurance that your processes achieve their intended objectives.

Third Party Screening processes employing ‘name matching’ algorithms are inherently risky

If you are unfamiliar with text analytics or computer science, you could be forgiven for thinking every search you do in a database is the same, but this is not correct. Broadly speaking, there are two main types of screening query:

  • Exact Name Matching: This search setting queries the exact phrase you have entered against the database (some systems may also be case sensitive). If there is a typo or names are back to front, no match will be returned, giving an erroneous result.
  • Fuzzy Name Matching: Fuzzy matching is used to compare two search strings which may be similar but are not identical, based on criteria determined either by the user (when performing the search) or by the algorithm.

Common problems encountered when designing your screening process (Stage 1 above) include:

  • Spelling errors
  • Truncated words
  • Names containing multiple languages (e.g. Arabic + English)
  • Names that have been incorrectly translated to English (either in a database record or in the search parameter)
  • Dealing with initials and titles / honorifics
  • Words that are out of order (e.g. surname -> first name or first name -> surname)
  • Spaces and hyphens
  • Nicknames or unofficial names
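The difference between exact and fuzzy name matching, and how a matcher can absorb several of the problems listed above (spelling errors, truncation, initials, honorifics, word order, hyphens and nicknames). This is an added example, not code from the original article or from any screening product; the watchlist names are fictional, and the alias table, token scores and 0.85 threshold are assumptions.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist of fictional names, for illustration only.
WATCHLIST = ["Mohammed Al-Rashid", "Jonathan Q. Smythe", "Elizabeth Anne Carter"]

HONORIFICS = {"mr", "mrs", "ms", "dr", "prof", "sir"}
NICKNAMES = {"liz": "elizabeth", "bill": "william"}  # tiny constructed alias table

def exact_match(query, watchlist):
    # Exact matching: any typo, reordering or punctuation difference returns nothing.
    return [name for name in watchlist if name == query]

def normalise(name):
    # Strip accents, lower-case, and turn hyphens, commas and full stops into spaces.
    # Non-Latin scripts would need transliteration first; that is out of scope here.
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).lower()
    text = re.sub(r"[^a-z\s]", " ", text)
    return [NICKNAMES.get(tok, tok) for tok in text.split() if tok not in HONORIFICS]

def token_score(a, b):
    if a == b:
        return 1.0
    if len(a) == 1 or len(b) == 1:            # an initial against a full name
        return 0.8 if a[0] == b[0] else 0.0
    if len(a) >= 3 and len(b) >= 3 and (a.startswith(b) or b.startswith(a)):
        return 0.9                            # truncated word, e.g. "jon" / "jonathan"
    return SequenceMatcher(None, a, b).ratio()  # spelling variation

def name_score(query, candidate):
    q, c = normalise(query), normalise(candidate)
    if not q or not c:
        return 0.0
    # Pair every token of the shorter name with its best unused counterpart in the
    # longer one, so word order and a missing middle name do not block a match.
    short, long_ = sorted((q, c), key=len)
    remaining = list(long_)
    total = 0.0
    for tok in short:
        best = max(remaining, key=lambda other: token_score(tok, other))
        total += token_score(tok, best)
        remaining.remove(best)
    return total / len(short)

def screen(query, watchlist, threshold=0.85):
    """Return [(watchlist name, score)] for potential matches, best first."""
    hits = [(name, round(name_score(query, name), 2)) for name in watchlist]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])

if __name__ == "__main__":
    for query in ["Al Rashid, Mohamed", "Dr. Jon Smythe", "Liz Carter", "John Carpenter"]:
        print(f"{query!r}: exact={exact_match(query, WATCHLIST)} fuzzy={screen(query, WATCHLIST)}")
```

Lowering the threshold catches more variants at the cost of more potential matches to qualify, which is why the QA step in Stage 2 should test the chosen parameters against known results.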

When performing screening for compliance purposes, it is common to determine how your screening processes (including selected search parameters) comply with your organisation’s policy, legislative obligations, or risk appetite. It is also important to understand your data, both in the database and the material you are using to search. If your data quality is poor, you can have the best process in the world but you will still miss something. In a compliance or reputation context, improperly performing screening can have serious financial and legal consequences.

What should businesses screen third parties for?

Precisely what a business screens its vendors for will vary depending on regulatory obligations, internal policy settings and risk appetite. In some cases, the cost of performing the screening may outweigh the risk. Examples of what is commonly employed as part of a screening process include:

Screening is only the first step in any supplier due diligence or third party risk management. Remember that not everything is in a database, and detection may require an audit or the use of investigative techniques. Show and Shadow Factories are one such example.

There are a plethora of screening solutions on the market, particularly for vendors. Some screening solutions are aggregators meaning they offer access to multiple different databases (e.g. financial viability plus adverse media) within the same interface. Many aggregators also offer proprietary reporting and case management tools, as well as continuous monitoring and alerting functionality at a variety of price points.

What about emerging markets where there is no third party data?

Screening tools are powered by databases, so the quality of the output reflects the data quality inputs. I have previously worked with clients to test the accuracy, coverage and reliability of paid proprietary databases against known results to determine whether the information holdings of paid databases are as accurate as they claim.

Unfortunately, the results of these comparisons haven’t always been great, particularly when it comes to data quality in emerging markets. Here are three things to consider in this scenario:

  • Consider the type of record and what the regulatory obligations are for updating that record in the given jurisdiction. In a country which provides 3 months for company secretaries to register a change of director, the change is not going to show up in a database just because the company has made a press announcement
  • Understand whether the database vendor collects the records themselves, or if they are an aggregator (or worse, an aggregator of aggregators). The closer your provider is to the primary source, the greater the likelihood the record will be accurate and timely
  • Remember that errors can be made in declarations or when transposing information unless the country uses data validation tools. Some errors can be intentional, such as where a front company provides fictitious director details

When designing your screening process, it pays to understand what you are doing and why, and confirm this meets your requirements and acceptance criteria.


Returns Fraud – a risk for eCommerce companies


What is Returns Fraud?

Returns fraud is a deceptive practice where customers purchase a product from a retailer so as to either temporarily ‘borrow’ the item, or to obtain a refund or store credit. Returns Fraud involves deception on the part of customers, who seek to return a product under ‘false pretences’. Common returns fraud typologies include:

  • Online returns fraud – where customers make a false claim in order to obtain a refund or store credit. Typically, these customers claim that they did not make the purchase (when buying using a credit card), that the goods did not arrive, or that the goods which arrived were faulty, damaged or did not match the description when purchased. Many customers do not return these products whilst also claiming a refund, meaning they actually keep the goods and profit from the refund.
  • Product substitution with lower cost items – customers purchase a high-quality item from one store / brand, and a similar but low quality item from another store. They may remove product tags or labels, or place the substitute product in the high quality product’s packaging before returning. Often returned goods are not properly scrutinised, or may be returned to third party service providers, and by the time the fraud is detected it is too late.
  • Product substitution with counterfeit items – this typology is the same as with lower cost items above, except the substituted product is a counterfeit item. This creates issues for retailers if the counterfeit item is repackaged and released for resale without proper inspection, and can result in brand damage or create consumer safety issues.
  • Wardrobing – a common problem especially for online retailers, consumers purchase items of clothing for a specific event (such as a party), use the item of clothing, then return it for a refund or exchange without declaring this use to the retailer.
  • Use of fraudulent receipts – some consumers alter or forge sales receipts and use these along with often substituted or second hand goods to attempt a refund without having purchased the item. Physical retailers without robust returns processes, who do not verify information on receipts against their records, or who place returned items to one side to process in quiet periods, are particularly vulnerable.

Returns Fraud can be perpetrated by external parties (i.e. opportunistic individuals and actual customers), employees (i.e. trusted insiders), and external parties in collusion with trusted insiders.


How does Returns Fraud impact retailers?

If not properly managed, Returns Fraud can have significant implications for retailers and may even send struggling businesses to the wall. Returns Fraud will impact profits, operating costs and brand in the market. Examples of the impact of Returns Fraud on retailers include:

  • Increased Operating Costs – Retailers may need to employ additional staff to manage and process returns, as well as spending more on loss prevention or fraud protection programs. In some cases, specialist expertise may be required, particularly for high value or complex disputes which retailers are not equipped to handle.
  • Card Scheme penalties – Card Schemes such as Visa and Mastercard apply financial penalties to retailers (merchants) where a customer disputes a transaction, such as in the case of ‘online returns fraud’ (above).
  • Customer Experience and Trust – Retailers who implement stringent policies risk frustrating or offending legitimate customers, resulting in complaints, negative ratings online, or refusal to deal with the brand again. Balancing customer experience with retail security is a huge challenge.
  • Returned Inventory Management – The ‘reverse supply chain’ is challenging for any retailer, but it needs proper attention to mitigate risks of substituted, damaged, soiled, or counterfeit product being accepted, repackaged, and resold as legitimate by a retailer with potentially disastrous results.
  • Financial losses – As mentioned in my previous post ‘Product Security is fundamental to Product Management’ (see “Security and integrity risks need to factor in pricing decisions”, link below), once a product has been stolen or diverted a retailer needs to sell significantly more product units to recover those losses. Over time, these losses erode revenue and impact profit margins, potentially making the business unviable.

The challenge with Returns Fraud, as with any other security program, is the need to balance the inherent risk of Returns Fraud with customer service and customer experience. Some retailers have accepted a high incidence of Returns Fraud, only to find it has eventually sent the business bankrupt as word gets around the retailer is an easy target and the incidence of fraud increases.

Three simple steps to mitigating Returns Fraud risk

Recent media reporting indicates the incidence of Returns Fraud is increasing worldwide, particularly wardrobing and online returns fraud; however, there are three steps businesses can take to mitigate the risk:

  • Return policies – Policies must be clear, legal, compliant with card scheme rules (for credit card payments), and transparent to allow consumers to understand retailer expectations and conditions of sale. Policies should be displayed prominently on the website and in-store, and customers should acknowledge conditions of sale in writing prior to payment. Evidence that a customer has read and acknowledged these policies should be retained by retailer systems and processes in the event of a legal dispute.
  • Using data analytics for fraud detection – data is essential for detecting unusual patterns or behaviours indicative of returns fraud. Provided the required data is collected, typologies can be developed and dashboards built to quickly facilitate detection. Examples of indicators retailers might look for in their typologies include customers who frequently return items (analysed data should include customer name, address, phone number, or email address to identify common purchases using fictitious names); returns of specific products or product categories within 48-72 hours after purchase; and returns of ‘prestigious’ items which consumers might not be able to afford. Early detection, proper investigation, and collection of evidence is crucial to minimising a loss.
  • Build high levels of employee awareness and a strong security culture – Employees are one of the most important elements of any security or fraud program. Poor awareness of fraud and security creates ignorance of the risk, preventing staff from being able to recognise problems and respond in a timely manner. Staff should be trained both on commencement and periodically (at least annually) throughout their employment, with targeted training being undertaken in response to new trends or criminal tactics. Further information on improving security culture can be found below.
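Two of the data analytics indicators described above, as an added example that is not code from the original article: orders are linked into one customer when they share an email, phone number or address (so purchases under different names are counted together), then each linked customer is profiled for return rate and returns made within 72 hours. The order records, field names, normalisation rules and thresholds are constructed assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import datetime as T, timedelta

Order = namedtuple("Order", "name email phone address category bought returned")

# Constructed order history; 'returned' is None when the item was kept.
ORDERS = [
    Order("Sam Ortiz", "sam.ortiz@example.com", "0400 111 222", "12 Bay St, Perth",
          "dress", T(2024, 3, 1, 10), T(2024, 3, 3, 9)),
    Order("S. Ortez", "Sam.Ortiz+1@example.com", "0400 333 444", "PO Box 9, Perth",
          "dress", T(2024, 3, 8, 10), T(2024, 3, 10, 18)),
    Order("Alex Reed", "areed@example.com", "0400-111-222", "7 Hill Rd, Perth",
          "handbag", T(2024, 3, 15, 10), T(2024, 3, 25, 10)),
    Order("Kim Lowe", "klowe@example.com", "0400 555 666", "12 bay st  perth",
          "dress", T(2024, 3, 20, 10), None),
    Order("Priya Nair", "priya@example.com", "0400 777 888", "3 Elm Ct, Perth",
          "shoes", T(2024, 3, 2, 10), T(2024, 3, 12, 10)),
    Order("Priya Nair", "priya@example.com", "0400 777 888", "3 Elm Ct, Perth",
          "shoes", T(2024, 3, 20, 10), None),
    Order("Tom Webb", "tom@example.com", "0400 999 000", "5 Oak Av, Perth",
          "jacket", T(2024, 3, 4, 10), None),
    Order("Tom Webb", "tom@example.com", "0400 999 000", "5 Oak Av, Perth",
          "shirt", T(2024, 3, 11, 10), None),
    Order("Tom Webb", "tom@example.com", "0400 999 000", "5 Oak Av, Perth",
          "shoes", T(2024, 3, 18, 10), None),
]

def contact_keys(order):
    # Normalise each contact attribute so trivial variations still link.
    local, _, domain = order.email.lower().partition("@")
    return {
        ("email", local.split("+")[0] + "@" + domain),   # drop +tag aliases (assumption)
        ("phone", "".join(ch for ch in order.phone if ch.isdigit())),
        ("addr", " ".join(order.address.lower().replace(",", " ").split())),
    }

def link_customers(orders):
    """Group orders that share any contact attribute, directly or through a chain."""
    parent = list(range(len(orders)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    first_seen = {}
    for idx, order in enumerate(orders):
        for key in contact_keys(order):
            if key in first_seen:
                parent[find(idx)] = find(first_seen[key])
            else:
                first_seen[key] = idx
    clusters = defaultdict(list)
    for idx, order in enumerate(orders):
        clusters[find(idx)].append(order)
    return list(clusters.values())

def flag_clusters(orders, min_orders=3, rate_limit=0.5, rapid=timedelta(hours=72)):
    flagged = []
    for cluster in link_customers(orders):
        returns = [o for o in cluster if o.returned]
        if len(cluster) >= min_orders and len(returns) / len(cluster) >= rate_limit:
            flagged.append({
                "names": sorted({o.name for o in cluster}),
                "orders": len(cluster),
                "returns": len(returns),
                "rapid_returns": sum(o.returned - o.bought <= rapid for o in returns),
            })
    return flagged

if __name__ == "__main__":
    for finding in flag_clusters(ORDERS):
        print(finding)
```

A flagged cluster with several names behind one phone number or address is a prompt for investigation and evidence collection; shared households and gift purchases produce similar links.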

As you can see, the risk of Returns Fraud is real and must be properly understood, assessed and managed by retailers to mitigate unplanned losses and vulnerabilities. Failure to properly consider and plan for Returns Fraud in any retail business is likely to result in substantial financial loss, legal disputes, and brand damage, and may even send the business into insolvency.


Counterfeits can compromise your Supply Chain Integrity

How counterfeiting threatens Supply Chain Integrity

Counterfeiting has been prevalent throughout the global industrial era, and given its profitability and the low risk of conviction for offenders it is not going away anytime soon. Unfortunately, there have been numerous examples of public and private organisations which unknowingly procure counterfeit, fraudulent, substituted or substandard products in their supply chain – two such examples include:

  • June 2020: U.S. Air Force pilot 1st Lt. David Schmitz died when his parachute didn’t deploy from a malfunctioning ejection seat, which the US Air Force later found may have contained up to ten counterfeit and faulty resistors and semiconductor chips
  • March 2021: Police in China and South Africa seized thousands of fake doses of Covid-19 vaccine, with Interpol warning this represented only the “tip of the iceberg” globally. Police raided the manufacturing premises, arresting ~80 suspects and seizing over 3,000 fake vaccines

As the above examples show, it is all too easy for counterfeit materials to enter the supply chain of even the world’s largest organisations. Critical Infrastructure operators, such as those falling under the purview of Australia’s Security of Critical Infrastructure Act 2018, have a requirement to use high quality parts and components produced by reputable manufacturers to an engineer’s specifications, whilst in life sciences, fraudulent or substandard medicines frequently cause premature death or serious injury.

How do sub-standard parts enter a supply chain?

Before we explore this further, we need to remember there are two perspectives here: (1) what a manufacturer can do to ensure their products are not counterfeited or compromised between the factory and the end user, and (2) what end users can do to ensure they do not introduce compromised product into their inventory or operations. The second option is the focus of this post.

Sub-standard, counterfeit or fraudulent parts / components / products (also referred to as ‘non-conforming’ materials) can enter the supply chain in at least four ways, including:

  • Supplier intentionally introduces non-conforming material, perhaps for profit or because they are unable to obtain the conforming item and do not want to risk their relationship with the buyer
  • Supplier unintentionally introduces non-conforming material as a result of inadequate or complacent internal practices and procedures
  • Corrupt or malicious insider compromises the supply chain for gain or profit, or,
  • As a result of foreign interference by a nation state actor against an adversary

Given these vectors for introducing non-conforming materials, how can organisations protect their supply chain integrity? The answer is developing an Anti-Counterfeit Management Plan, otherwise known as a Material Authenticity Assurance Plan (MAAP), which, based on AS6174 published by SAE International, can be developed in five main steps.

Step 1 – Assess the risk posed by sourcing counterfeit product

I have previously written about the concept of security risk management and the fact that we can’t treat all problems to the same standard: Risk management decisions must be based on risk appetite and focused on using a business’s limited resources to protect the most critical assets.

For a buyer, the risk of counterfeit parts is largely a quality control issue as long as there are multiple qualified suppliers in a given market. However, for products requiring specific know-how or capability, or where Intellectual Property licensing applies, different sourcing considerations are required.

The first step in managing supply chain integrity issues arising from counterfeits involves identifying those areas where the business impact of compromise is greatest. This allows sourcing managers to modify their approach and policies to compensate for potential risks. One example of criticality tiering by product can be found below:

| Impact / Criticality | Type of product |
|---|---|
| HIGH | Life dependent applications |
| | Safety critical applications |
| | Mission critical applications |
| | Applications where field work / repair is impossible |
| MEDIUM | Reclaimed / Refurbished parts |
| | Application critical |
| | Product is accessible for field repair |
| | Short product life expectancy |
| LOW | Non-critical applications |

Source: AS6174 – SAE International

Step 2 – Identify which sources provide the greatest assurance

Budget is always a finite issue in any organisation, and it is not always possible (or necessary) to buy the best of everything. Where multiple suppliers exist it makes good business sense to buy the highest quality items (typically the most expensive) for those areas which are the most critical either to your business’ operations or to life and safety.

So how do you determine this? SAE International provides useful guidance here, ranking the main types of ‘source’ in order of those which provide the greatest level of confidence that their materials will be high quality (and therefore the lowest risk of non-conformance):

| Confidence Level (non-conformance risk) | Product / Component Source |
|---|---|
| HIGH (LOW risk) | OEM or Certified Manufacturer |
| | Authorised Distributor |
| | Original Manufacturer or Contract Manufacturer |
| MEDIUM | Vetted or pre-qualified Independent Distributor (e.g. verified quality, reputation) |
| | Unknown Independent Distributor (e.g. quality, reputation not assessed) |
| | Unknown source |
| LOW (VERY HIGH risk) | Vendor is subject to adverse reporting from industry participants (i.e. other buyers have reported purchasing non-conforming product from this seller) |

Source: AS6174 – SAE International

Step 3 – Develop your organisation’s product assurance processes

The risk of sourcing non-conforming material is omnipresent for any critical industry or life sciences organisation, so undertaking assurance on your suppliers and any parts / components / software purchased from them is an ongoing activity for the life of your operations.

For physical products, there are four ways to obtain this assurance which can be used in isolation or in combination depending on the risk profile:

  • Document and packaging inspection – before opening the package, inspect for obvious tampering, spelling errors, typographic issues, missing or damaged holograms, peeling labels, amended dates, etc.
  • Visual Inspection – remove the product / part / component from the packaging. Does it match the expected style, form and quality of what was ordered?
  • Non-Destructive Testing – involves radiological, acoustic, thermographic and optical techniques to verify conformance without damaging the component / part / product.
  • Destructive Testing – usually used as a last resort these options involve analytical chemistry, deformation and metallurgical tests, exposure tests, and functional tests which will likely damage the component / part / product.

Further information can be found here. Irrespective of whether fraudulent, substandard or counterfeit, non-conforming materials identified should always be removed from circulation within the organisation’s inventory or operations, and either retained as evidence for legal and associated purposes, securely destroyed or returned to the supplier (depending on your policies and obligations).

Step 4 – Plan for contingencies

It is a fact of life that manufacturers stop producing products / components due to factors such as shortages in raw materials, financial solvency, or simply product strategy decisions. Buyers who require parts or components to support an extended operational life of say two to three decades need to implement plans to mitigate these risks.

Contingencies include purchasing additional inventory, regular engagement with manufacturers to obtain advanced notice of production changes, finding contract manufacturers, or sourcing alternative components.

Step 5 – Document your Product Assurance Framework

To ensure consistency and proper governance some sort of framework is required to set out your organisation’s policies, risk appetite, roles and responsibilities, regulatory compliance obligations, key risks and controls, staff awareness training and product assurance program.

A documented framework provides a mechanism to ensure consistent implementation throughout the organisation, and a mechanism to continuously improve as well as benchmark historical performance.


What is Show and Shadow Manufacturing?

What is contract manufacturing?

The economics of manufacturing in the 21st century meant many factories relocated to developing countries where labour is plentiful and costs lower. To further reduce costs and focus on ‘core business’, many manufacturers (principals) outsourced production to Contract Manufacturing Organisations (CMOs). This involves standard outsourcing activities as well as winding down a principal’s factories in favour of focusing on higher value add activities such as R&D, product management, sales and marketing. Examples of industries using CMOs include pharmaceutical and electronics companies.

Whilst use of CMOs might make commercial sense, it also introduces unique risks such as ‘shadow manufacturing’ which must be managed to maintain brand, product and supply chain integrity.


‘Show factories’ versus ‘shadow factories’ – what’s the difference?

Most CMOs are completely above-board and legitimate, offering excellent service and conforming to a host of certification standards and regulatory obligations. However, ‘show factories’ and ‘shadow factories’ are an exception. Show and shadow factories can be defined as follows (adapted from APEC, 2017):

  • Show factories – typically ‘impressive’ facilities which claim to manufacture a given product or component; however, this is intended to mislead (defraud) the principal seeking to contract with the show factory CMO
  • Shadow factories – manufacturing facilities which operate in the shadows, either owned by a show factory or a ‘sub-contractor’ to a show factory

Theoretically, there is nothing to say a CMO cannot become a show factory at some point during the supplier lifecycle. Examples of triggers for this transition might include management or ownership changes, local crime or corruption in the area where the factory is based, or financial distress. This highlights the importance of performing regular, ongoing supplier integrity and supplier assurance throughout the supplier lifecycle.

Shadow factories introduce a host of risks for principals

The nature of shadow factories means they expose the principal to a wide variety of risks, some of which can materialise or persist many years after the shadow factory has been shut down or eliminated from the supply chain, such as regulatory action or litigation arising from involvement with modern slavery. Examples of these risks include:

  • Product Diversion – conforming product can be diverted, such as through overproduction using molds or trade marked materials supplied by the Principal to the show factory
  • Product Integrity – shadow factories can introduce problems with product conformance and product safety, which means the product obtained by an end user does not meet expectations and can give rise to financial, brand, ESG and safety ramifications
  • IP and Trade Secrets theft – shadow factories might be provided with commercially valuable IP, such as trade secrets, manufacturing molds, recipes and authentic packaging. When uncontrolled, these could be used for counterfeiting, product diversion, and establishing competing businesses
  • Brand Integrity & reputation risk – companies which find shadow factories in their supply chain can be left with adverse brand and reputation damage, as well as be required to pay damages to workers who may be victims of wage theft, modern slavery, or workplace accidents
  • Modern Slavery – workers in shadow factories are often also vulnerable members of society. There is a high chance workers could be victims of modern slavery, such as bonded labour, debt bondage, or child labour
  • Occupational Health & Safety (OHS) – shadow factories often have poor safety conditions, which can give rise to deaths or dreadful workplace accidents. Shadow factory owners may bribe public officials, such as workplace inspectors, to look the other way, further impacting the welfare of factory workers
  • Environmental protection – as with OHS, a track record of environmental damage is common with shadow factories, particularly those which use hazardous chemicals or substances. The need for environmental remediation to remove legacy toxins or pollution is common when shadow factories are closed
  • Business Continuity – shadow factories run as lean as possible, and are unlikely to be able to effectively mitigate unplanned interruptions. Further, show factories might not be able to scale up quickly enough in the event something happens to the shadow factory, leaving the principal with a false sense of security and no protection against business interruptions

By their nature, shadow factories are much cheaper as they typically lack the quality management, regulatory compliance, occupational health and safety, and environmental protections found in legitimate factories. Additionally, workers in shadow factories may be victims of modern slavery, which introduces legal, ethical and integrity issues for the contracting principal, not to mention ESG risk for the principal’s lenders or investors.

Indicators of show and shadow factories

When thinking about how we can detect show and shadow factory activity it is important to remember that manufacturing is a process comprising inputs (raw materials, components) which feed production, resulting in a standardised output. Conforming products are manufactured to a consistent standard, with inputs defined by the Bill of Materials (the BOM lists the precise inputs and quantities required to produce a conforming product).

The nature of manufacturing means it is possible to identify discrepancies between expected and actual inputs, production metrics, and outputs which could indicate a CMO is actually operating a ‘show’ factory and that work is being performed elsewhere by a ‘shadow’ factory. According to APEC, indicators used to determine whether a CMO is operating a show or shadow factory include:

  • Capacity versus output calculations in relation to a given factory’s estimated production capacity
  • Receiving records which may indicate discrepancies in volumes, values, dates / times or other data points
  • Materials reconciliation – reconciling usage versus output may identify unexplained anomalies or inconsistencies
  • ‘Unavailability of packaging materials’ onsite for a given client – such as where the expected packaging materials are not physically located in the show factory (i.e. because they have been shipped to the shadow factory)
  • Maintenance records – including records showing longer than expected gaps between servicing due to inactivity
  • Production records – including staff rosters and payroll records
  • Distribution records – including vehicle logs and delivery records
  • Security access control records and vehicle access logs (such as truck deliveries via a security gate)
  • Equipment usage logs – including records showing below expected machinery usage counts
  • Cleaning logs – potentially showing cleaning performed infrequently or less than planned in the show factory
  • Accountability and traceability of rejected materials or defects arising during manufacture
  • Utility usage versus manufacturing output – comparison of electricity, gas, water usage and bills against plan

Identification of these red flags requires organisation. Prior to performing a site visit or desktop audit, auditors or investigators should have already built a spreadsheet model or similar assessment tool which outlines the expected case value for each of these indicators specific to the product, location of the factory, and other relevant contextual information. This allows auditors to focus on collecting the information necessary to provide an evidence-based assessment, as well as minimising distractions on what they need to collect or questions to ask during a site visit and enabling a laser focus on what they are seeing and hearing during the inspection.
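A minimal version of such an assessment model, covering three of the indicators listed above (capacity versus output, materials reconciliation against the BOM, and utility usage versus output). This is an added example, not part of the original article or APEC's material; the product, BOM quantities, energy figure, 10% tolerance and all record values are constructed assumptions.

```python
from dataclasses import dataclass

# Expected-case model for one product. Every figure here is constructed for
# illustration; a real model uses the principal's own BOM and process data.
BOM = {"resin_kg": 0.5, "carton": 1.0, "label": 1.0}  # inputs per conforming unit
KWH_PER_UNIT = 0.8   # assumed electricity needed per unit
TOLERANCE = 0.10     # relative deviation accepted before a red flag is raised


@dataclass
class PeriodRecords:
    """Figures collected from the CMO's records for one audit period."""
    units_shipped: int     # distribution records
    rated_capacity: int    # units the line can make in the period
    opening_stock: dict    # material -> quantity on hand at start
    received: dict         # material -> quantity per receiving records
    closing_stock: dict    # material -> quantity counted at end
    rejected: dict         # material -> quantity in rejects and defects
    kwh_billed: float      # electricity bill for the period


def deviation(actual, expected):
    """Relative difference between what the records show and the model."""
    return (actual - expected) / expected


def assess(rec, bom=BOM, kwh_per_unit=KWH_PER_UNIT, tol=TOLERANCE):
    """Return (indicator, deviation, reading) for each red flag found."""
    findings = []

    # Capacity versus output: shipping more than the line can physically make.
    over = deviation(rec.units_shipped, rec.rated_capacity)
    if over > tol:
        findings.append(("capacity", round(over, 3),
                         "output exceeds the factory's rated capacity"))

    # Materials reconciliation: material that went into good units on site
    # versus what the BOM says the shipped volume requires.
    for material, per_unit in bom.items():
        used = (rec.opening_stock.get(material, 0)
                + rec.received.get(material, 0)
                - rec.closing_stock.get(material, 0)
                - rec.rejected.get(material, 0))
        dev = deviation(used, per_unit * rec.units_shipped)
        if dev < -tol:
            findings.append((material, round(dev, 3),
                             "less used on site than the output requires"))
        elif dev > tol:
            findings.append((material, round(dev, 3),
                             "more used than the output explains"))

    # Utility usage versus manufacturing output.
    dev = deviation(rec.kwh_billed, kwh_per_unit * rec.units_shipped)
    if abs(dev) > tol:
        findings.append(("electricity", round(dev, 3),
                         "energy use does not match the claimed output"))
    return findings


# Constructed records: a line running as modelled, and one whose on-site
# inputs cannot account for the volume it shipped.
CONSISTENT = PeriodRecords(
    units_shipped=50_000, rated_capacity=60_000,
    opening_stock={"resin_kg": 5_000, "carton": 2_000},
    received={"resin_kg": 26_000, "carton": 50_000, "label": 51_000},
    closing_stock={"resin_kg": 5_200, "carton": 1_500},
    rejected={"resin_kg": 600, "label": 800},
    kwh_billed=41_000)
SUSPECT = PeriodRecords(
    units_shipped=100_000, rated_capacity=60_000,
    opening_stock={"resin_kg": 5_000, "carton": 2_000},
    received={"resin_kg": 20_000, "carton": 30_000, "label": 100_000},
    closing_stock={"resin_kg": 4_000, "carton": 1_000},
    rejected={"resin_kg": 500, "label": 2_000},
    kwh_billed=30_000)

if __name__ == "__main__":
    for name, rec in (("consistent", CONSISTENT), ("suspect", SUSPECT)):
        print(name, assess(rec))
```

A negative deviation on materials or energy points towards output being made somewhere other than the audited site, while a positive one is the pattern to check against overproduction; either is a prompt for questions on site, not a conclusion.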

Manufacturer Fraud Audit

To this day I can recall one of the earliest fraud audits performed in my career involving a manufacturing facility receiving government grants. I was green in those days and assigned to perform the audit alone. After spending a few hours examining the manufacturer’s books and records, something wasn’t adding up. I went into the CFO’s office asking him to explain some discrepancies, only to be asked which set of records I would like to see – the records he provided me, a set they maintained for tax purposes, or the real records!

Shocked, I left his office and called my boss, who informed the government. Suffice to say the CFO no longer worked there when I went back to continue my work the next day. However, the moral of the story for these types of audits is that you only have a limited time onsite in which to make sense of the data you are being given and take action. You need to be efficient, organised and prepared, otherwise you will miss your window of opportunity – by the time you get a chance to come back, all evidence of fraud or non-compliance will likely be destroyed.

As highlighted in this article, the involvement of shadow factories in your supply chain can introduce a host of risks, not to mention legal, ethical, safety, and brand concerns. The positive, however, is that it is possible to identify potential show and shadow factory involvement in your supply chain using data analytics. Analytics, supplemented with intelligence, can be used to target your audits or investigations towards high risk third parties, ensuring they know the right questions to ask and what to look out for during site inspections.


Supply chain integrity and security: what are the risks? (Part II)

Introduction

Part I of this article addressed the concept of Supply Chain Integrity, which is increasingly being bundled with security under the banner ‘Supply Chain Integrity and Security’ (SCIS). SCIS is part of the broader domain of Supply Chain Risk Management (SCRM), which is undergoing its own renaissance thanks to disruptions to global trade and commerce arising from the COVID-19 pandemic and the war in Ukraine.

Part II of the article, continued here, examines what we mean by the concept of Supply Chain Security, and how the field is evolving in response to the world’s changing geostrategic climate.

Supply Chain Security – a rapidly changing field

Supply Chain Security has undergone multiple expansions in scope to accommodate the evolving global threat environment, changes in international commerce, technological innovation and increasingly the 4th industrial revolution. However, this evolution has largely gone unreported by commentators in the field, with many books and articles on the subject failing to reflect the broad scope of risks now recognised by critical infrastructure and governments globally. As an example, Supply Chain Security traditionally focused on two main risks:

Practitioners in this area have largely focused around logistics, with security programs focusing on controls such as shipping container seals and GPS vehicle tracking. The events of September 11, 2001, helped sharpen this focus, with the USA enhancing a scheme to help mitigate supply chain security risks posed by terrorism (known as C-TPAT). Examples of equivalent national schemes include:

To coordinate a consistent global response and maintain safe and secure trade and commerce, the World Customs Organisation (WCO) introduced the SAFE Framework of Standards to Secure and Facilitate Global Trade in 2005, followed by the Authorized Economic Operators (AEO) Programme in 2007. This perspective on supply chain security is reinforced by various global standards including ISO28001, which is intended to complement the SAFE Framework. However, whilst risks like terrorism, theft and product diversion all remain relevant, Supply Chain Security has evolved even further in the past ten years to reflect geopolitical threats in the current operating environment.


Consequently, the USA, UK, Canada and Australia have all issued updated guidance on Supply Chain Security, which has expanded significantly from theft, diversion and terrorism to encompass the more complete spectrum of what the US Government calls ‘Supply Chain Threats’:

In addition to ‘security’ focused risks, a range of frauds can also materialise in the supply chain. For some organisations, it makes sense to address security, integrity and fraud issues in the supply chain within the same business function or framework, whilst for others they are separated to completely different parts of the organisation. However, common risks here include:

I have already written about a number of these supply chain frauds in other articles on @ForewarnedBlog (refer hyperlinks above). Future articles will also cover aspects of this topic.

Risks and business processes with a nexus to Supply Chain Integrity and Security

In any organisation, there are a number of business functions which commonly touch on aspects related to Supply Chain Risk Management. SCIS programs should try to leverage these resources where possible, either through use of a common team to execute a process or through smart process design, which means a common process is used to address multiple distinct business requirements.

Examples here include due diligence and supplier audits which can be performed once and the results reused multiple times to comply with a range of regulatory obligations or business needs. Examples of risks with a nexus to SCIS that might be leveraged include:

When designing your supply chain risk management program, look across your organisation into other areas or teams (such as procurement, finance, sustainability and compliance) to understand work already performed and identify opportunities to streamline processes and systems.

In addition to reducing your operating costs, this approach could improve your supplier’s experience when dealing with you. Sometimes from a supplier’s perspective, a customer can just become too much hard work, leading to increased prices (in an attempt to encourage you to find an alternate supplier) or severance of the relationship overall.

A common example I encounter is where a supplier is asked for the same information multiple times by different teams from the same buyer, leading to wasted effort and frustration. Managing third party or supplier relationships is exactly that – a relationship – so there needs to be an element of give and take by both parties.


Supply chain integrity and security: what are the risks? (Part I)

Supply Chain Integrity and Security is a critical part of business

Ensuring supply chain integrity is crucial for any business aiming to maintain quality and trust. This introduction will explore key aspects of achieving and maintaining integrity within supply chains.

Supply Chains are complex involving many levels of suppliers who are typically located in multiple countries around the world. For high reliability industries (such as airlines and oil rigs) or industries where there is a chance of life or death (e.g. defence applications, pharmaceuticals and food products), the introduction of a sub-standard or below specification (non-conforming) product could have serious consequences. Further, many of these industries are highly regulated to protect consumers.

The nature of global supply chains today presents a real challenge, as illustrated by the global supply chain for the Boeing 787 and Bombardier Global Express in this article from Canada’s Aerospace Review. These challenges are magnified somewhat in relation to security and integrity risks, as explored later in this article. To assist readers unfamiliar with these concepts, a simple product supply chain could be considered as having at least eight categories of actors, as illustrated below:

Figure: An illustrative example of a simple supply chain

Part I of this article addresses the concept of Supply Chain Integrity. Part II, continued here, examines what we mean by the concept of Supply Chain Security, and how the field is evolving in response to the world’s changing geostrategic climate. ‘Supply Chain Integrity and Security’ (SCIS) is part of the broader domain of Supply Chain Risk Management (SCRM), which is undergoing its own renaissance thanks to COVID-19 and the associated disruptions to global trade and commerce arising from the pandemic.


What is Supply Chain Integrity and Security?

The concepts of Supply Chain Integrity and Supply Chain Security are often bundled together under the guise of Supply Chain Integrity and Security (SCIS). One example of this is in the life sciences industry, with the following definition of SCIS being commonly cited from the U.S. Pharmacopeia (a compendium of drug information, effectively the standards for all pharmaceutical compounds in the USA whose application is enforced by the US Food and Drug Administration):

Supply Chain Integrity and Security (SCIS) is defined as a set of policies, procedures, and technologies used to provide visibility and traceability of products within the supply chain. This is done to minimize the end-user’s exposure to adulterated, economically motivated adulteration, counterfeit, falsified, or misbranded products or materials, or those which have been stolen or diverted. This is minimized by implementing procedures to control both the forward and the reverse supply chains. SCIS involves reducing risks that arise anywhere along the supply chain, from sourcing materials and products to their manufacture and distribution. The ultimate goal is to detect adulterated, falsified, or counterfeit products and prevent them from entering the supply chain.

Supply Chain Integrity defined

Supply Chain Integrity is sufficiently different from Supply Chain Security to require its own explanation. Supply Chain Integrity is defined by ENISA as providing an “indication of the conformance of the supply chain to good practices and specifications associated with its operations”. When I think about what this means in plain English, I deconstruct the concept of Supply Chain Integrity into three core elements:

  • Provenance – What are the origins of all components or raw materials in my product? For example, a ‘blood diamond’ extracted illegally from a war zone using slave labour is still an authentic diamond, however its provenance is questionable.
  • Authenticity – Is the product what it claims to be, or has it been tampered with or substituted? Have the products or components been “produced with legal right or authority granted by the legally authorized source” (AS6174A)?
  • Traceability – Can I trace the movement of components in my product from raw material to the end user? This is defined in AS6174A as “having documented history of material’s supply chain history. This refers to documentation of all supply chain intermediaries and significant handling transactions, such as from original manufacturer to distributor”

As I previously discussed in this article on SAE’s standard AS6174 (and worth reproducing again here), the World Economic Forum identified “four key questions that must be answered at the product level as part of Supply Chain Integrity (Pickard & Alvarenga, 2012):

  • Integrity of Source – did this product come from where I think it did?
  • Integrity of Content – is the product made the way I think it is?
  • Integrity of Purpose – is the product going to do what I think it will do?
  • Integrity of Channel – did this product travel the way I think it did?”

To address each of the elements of Provenance, Authenticity and Traceability, Supply Chain Integrity programs typically comprise a variety of activities, including:

  • Track and trace programs as well as serialisation to uniquely identify each component and locate where it resides globally in the supply chain at any point in time
  • Quality management programs, to identify conforming vs. non-conforming products
  • Supplier integrity programs, to understand exactly who the seller of a product, part or raw material is and assess what if any integrity risks this poses
  • Market surveillance (market monitoring) – intelligence activities to identify where products are being sold and by whom, to manage the risk of counterfeit or diverted products to end users and the manufacturer’s brand or reputation

A taxonomy of Supply Chain Integrity risks

As with any type of risk, it is possible to build a taxonomy of individual risks which reside under the category of Supply Chain Integrity. Based on my research, I have listed fourteen risks associated with Supply Chain Integrity below:

  • Adulteration of products or raw materials
  • Tampering of products, parts or components
  • Introduction of counterfeit material
  • Gray market products
  • Substitution of raw materials, parts, components or products
  • Falsified or fraudulent material
  • Use of substandard material (i.e. non-conforming or below specification)
  • Misbranded or falsely-labelled products
  • Expired products (moved to less-regulated jurisdiction, re-labelled, and then re-sold)
  • Products marked for destruction are diverted, re-labelled then re-sold
  • Ineffective product recall
  • Ineffective product storage and / or transport
  • Supplier integrity

These risks are related to, but also quite different from, the risks listed in Part II of this article on Supply Chain Security (see link at the bottom of the page).

The relationship between Supply Chain Integrity and your Quality Management System

I have mentioned the term ‘conformance’ a number of times throughout this document, which is defined by ISO22000 as “a product which fulfils a requirement”. Conformance assumes that a buyer goes to market seeking to procure products or services which do a particular thing or meet a particular standard (the requirements), and that a supplier is contractually obligated to provide a product or service which addresses these requirements.

For buyers, Quality Management Systems (QMS) play an important role in ensuring the products which are shipped to your door for use are firstly what you purchased (hopefully addressing your requirements), and secondly what they claim to be. This process is referred to in AS6174A as ‘Product Assurance’ which involves “confirming the authenticity of materiel or its compliance with manufacturer’s specifications” (SAE International, p27) to minimise the likelihood of non-conforming materiel entering the supply chain. Product Assurance is undertaken using one of four methods listed below:

  • Documentation & Packaging Inspection
  • Visual Inspection
  • Non-Destructive Testing (NDT)
  • Destructive Testing (DT)

Readers wanting more information on the Product Assurance process can refer to my previous article. In many organisations, the Product Assurance process is typically performed by a combination of warehouse personnel and / or engineers, scientists or quality management teams upon delivery of new parts or products. Alternatively, other organisations perform these inspections before a product leaves the factory, ensuring adequate SCIS processes are in place to mitigate any security or integrity risks that may arise between the shipment leaving the factory and delivery to its final destination.

Failure to properly perform Product Assurance may mean a company takes receipt of a non-conforming product or component on day 1, but that this non-conformance is not identified until the product or component is placed into service (potentially some days later). This gap between delivery date and usage date may be an extended period of time during which warranties or guarantees may become voided. Risks here are particularly high for business critical or hard to source parts held in inventory as spares in the event of an in-service part failure, which could provide a false sense of security that sufficient spares are held in case of emergency.

To read Part II of this article, click here.

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Building your supplier integrity framework

What is Supplier Integrity?

The Cambridge Dictionary defines integrity as “the quality of being honest and having strong moral principles that you refuse to change”. Increasingly the term ‘business integrity’ is being used to reflect the way companies manage compliance risks and regulatory obligations. More recently, the term ‘supplier integrity’ is also starting to arise.

Supplier Integrity is a logical extension of the concept of ‘business integrity’ (see below – note that some authors use ‘business integrity’ specifically to refer to anti-bribery and corruption). Before diving into the concept in more detail, it is worth setting some boundaries for what constitutes ‘supplier integrity’.

Despite searching, at the time of writing I was unable to locate a standard or guideline on supplier integrity. However, the OECD Due Diligence Guidance for Responsible Business Conduct provides a useful set of guardrails for what might be included within a supplier integrity framework:

  • Human Rights
  • Environmental Protection
  • Employment and Industrial Relations
  • Financial Crime, specifically:
    • Anti-Bribery & Corruption
    • Economic and Trade Sanctions
    • Fraud
    • Money Laundering & Terrorist Financing
    • Tax Crime
  • Consumer Protection
  • Competition & Anti-Competitive Practices

In my opinion, one of the other fundamental elements of Supplier Integrity is Beneficial Ownership, or the identity of the natural person(s) who actually own the supplier. Whilst determination of beneficial ownership is likely to occur during Supplier Due Diligence, understanding who you are actually proposing to do business with – what the World Bank refers to as the “corporate veil” – is essential and should not be overlooked (refer to this related post).

Why is Supplier Integrity important?

There are at least two main reasons why Supplier Integrity is important in business today: the first is legal, whilst the second is more a reflection of ethics and values. One of the primary legal reasons for needing a robust supplier integrity program is Principal-Agent Theory which holds that the company contracting the third party (‘principal’) is generally responsible for actions taken on its behalf by that third party (‘agent’), making it essential that companies have the right programs in place to select, onboard, oversee and terminate their supplier arrangements.

  • Under this legal doctrine, if a supplier does something illegal there is generally a degree of civil and / or criminal liability for that conduct which can fall on the principal.
  • Whilst activities such as Supplier Integrity and associated supplier compliance programs can help mitigate this liability in the event of something going wrong, it generally does not absolve the principal completely.
  • One example of this in practice is a principal’s liability for bribery and corruption performed on its behalf by a supplier under the U.S. Foreign Corrupt Practices Act (FCPA) (FCPA Guide, p136).

In relation to ethics and values, there are four key drivers which underscore the importance of a robust Supplier Integrity Framework:

  • ESG and shareholders – the Environmental Social Governance (ESG) investment movement is becoming increasingly important globally as we recognise the value and importance of sustainable business practices, as well as the importance of integrity and transparency in business generally. According to McKinsey, companies that demonstrate a strong ESG proposition correlate with higher equity returns.
  • OECD Guidelines for Responsible Business Conduct (RBC) – these Guidelines cover environmental, industrial relations, financial crime, competition, human rights, and consumer protection matters and are the OECD’s most comprehensive international standard on Responsible Business Conduct. The Australian Government is committed to promoting the use of the Guidelines and their effective and consistent implementation. Companies operating in Australia and Australian companies operating overseas are expected to act in accordance with the principles set out in the Guidelines and to perform to the standards they suggest. The Guidelines are supplemental to Australian law and are not legally binding (AusNCP).
  • Consumer expectations and social licence to operate – this driver is much more fluid and reflects the will and appetite of the local community and populace to allow a company to operate. Companies which do not respect the communities or environment in which they operate are being identified and actively targeted by global consumers for socially unacceptable behaviour, potentially impacting sales, employee attraction and retention, and political support.
  • Reflection of the company’s values and ethics – perhaps the most important of all, a company’s suppliers are a reflection of its brand. Poor choices in suppliers can manifest in quality and reputation risks impacting factors such as profitability downstream.

What would you expect to see in a Supplier Integrity Framework?

A Supplier Integrity Framework fulfils a specific purpose – ensuring that the principal’s suppliers conform with its ethics and values as well as comply with applicable legislation. There are six components I would expect to see in any Supplier Integrity Framework:

  1. Supplier Code of Conduct – reflects the principal’s ethics and values to ensure these are demonstrated by its suppliers
  2. Supplier Integrity Policy –
    • Outlines roles and responsibilities, acceptable behaviours or expected practices (see Supplier Code of Conduct);
    • Aligns with compliance obligations and the principal’s broader policies and frameworks (e.g. risk and compliance frameworks, procurement policy, supplier management framework);
    • Outlines the ongoing monitoring and due diligence practices and the supplier compliance program; and,
    • Sets out how incidents are to be reported and managed.
  3. Risk Assessment – identifies the main supplier integrity risks and where they may manifest in the supply chain (geographical, spend category, etc), as well as associated controls and risk treatment plans
  4. Supplier Due Diligence and Ongoing Monitoring Program – conduct due diligence and continuous monitoring on a supplier’s integrity throughout the supplier lifecycle (i.e. selection, contracting, contract management, termination)
  5. Supplier Compliance Program (aka Supplier Assurance Program or Vendor Assurance) – documents how and what the principal will do to ensure compliance with its Supplier Integrity Framework as well as other aspects of contractual compliance. This should also include appropriate incident management, audit and investigation provisions.
  6. Performance and reporting – details how compliance with the policy will be tracked and reported with appropriate levels of governance and oversight.

Relationship between Supplier Integrity, Procurement and Supplier Management Frameworks

The Supplier Integrity Framework is likely to be one element of a principal’s broader suite of corporate governance artefacts. Ordinarily this framework will be subordinate to other frameworks in the organisation such as the principal’s Code of Conduct and other business integrity policies and practices which apply to all employees.

The Supplier Integrity Framework is likely to be subordinate to the Procurement and Sourcing Policy, which likely sets out how the principal performs these functions, as well as other Supplier Relationship Management (SRM) and Supply Chain Management (SCM) frameworks.

Each of the above policies and frameworks performs an important role in the overall supply chain or third party management ecosystem. Importantly, a well-designed supplier integrity framework complements other governance and risk-related concepts, such as those outlined in the Australian Government’s Critical Technology and Supply Chain Principles (‘10 Agreed Principles’, see previous post), as well as providing a solid foundation from which to address a range of other supply chain threats and risks.

Third parties defined – what are they exactly, and how should these risks be managed?

Defining third parties

I frequently use the term ‘third party’ throughout my blog and in the course of my day to day consulting work. Most often, when we talk about third parties we are referring to suppliers, vendors or service providers, but there is a whole ecosystem of third parties present in business today – particularly applicable to those businesses that operate overseas.

As the table below shows, third parties also encompass contractors. We often forget about this category and may even treat contractors like employees, especially when evaluating insider threats, but this oversight can create downstream problems from a fraud, integrity and security perspective if not managed properly:

| Third Party | Definition |
|---|---|
| Joint Venture Partner | An individual or organisation which has entered into a business agreement with another individual or organisation (and possibly other parties) to establish a new business entity and to manage its assets. |
| Consortium Partner | An individual or organisation which is pooling its resources with another organisation (and possibly other parties) for achieving a common goal. In a consortium, each participant retains its separate legal status. |
| Agent | An individual or organisation authorised to act for or on behalf of, or to otherwise represent, another organisation in furtherance of its business interests. Agents may be categorised into the following two types: sales agents (i.e. those needed to win a contract); process agents (e.g. visa permits agents). |
| Adviser | An individual or organisation providing service and advice by representing an organisation towards another person, business and/or government official. Examples include legal, tax, financial adviser, consultants and lobbyists. |
| Contractor | A non-controlled individual or organisation that provides goods or services to an organisation under a contract. |
| Sub-Contractor | An individual or organisation that is hired by a contractor to perform a specific task as part of the overall project. |
| Supplier / Vendor | An individual or organisation that supplies parts or services to another organisation. |
| Service Provider | An individual or organisation that provides another organisation with functional support (e.g. communications, logistics, storage, processing services). |
| Distributor | An individual or organisation that buys products from another organisation, warehouses them and resells them to retailers or directly to end-users. |
| Customer | The recipient of a product, service or idea purchased from an organisation. Customers are generally categorised into two types: intermediate customer (a dealer that purchases goods for resale); ultimate customer (one who does not in turn resell the goods purchased but is the end user). |

Source: World Economic Forum (2013) Conducting Third Party Due Diligence Guidelines

Distributors can be particularly challenging for product-based supply chains, especially if distributors have poor processes and controls in place to manage processes like large discounts to end users, poor end user verification, and poor inventory management controls (both stock on hand, obsolete or discontinued stock marked for discount, and stock marked for write-off). These distributors can be vulnerable to product diversion schemes.

How are companies responsible for the actions of their third parties?

It’s all too easy to forget that under legal ‘Principal-Agent theory’, the company contracting the third party (‘principal’) is generally responsible for actions taken on its behalf by that third party (‘agent’), making it essential that companies have the right programs in place to select, onboard, oversee and terminate their third party arrangements.

Third party risk is an area receiving increased attention from company executives and regulators world-wide, particularly in the following risk categories:

  • Reputation risks (including political donations)
  • Modern slavery risks
  • Bribery and corruption risks
  • Sanctions risks
  • Fraud & integrity risks (both vendor fraud and against the end user)
  • Security risks (including insider threats and product diversion schemes)

Increasingly, Environmental Social Governance (ESG) or sustainability considerations are also playing a role in third party and supply chain decisions based on preferences and / or pressure from shareholders, employees and customers.

All companies – large and small – are responsible for the actions of their third parties, and may find themselves the subject of reputation and brand damage as well as litigation, financial losses, and regulatory enforcement action if these risks are improperly managed. Additionally, small and medium sized companies are not immune to regulatory enforcement action simply because of their size.

What should companies do to manage their third party risks?

There are a number of actions that can and should be taken to mitigate third party risks such as those listed above. Whilst no program is ever able to completely mitigate the risk of something happening either now or at any point in the future, implementing steps to try to manage these risks does go a long way.

For offences involving bribery and corruption and breach of international sanctions regulations, regulators such as the United States Department of Justice (Foreign Corrupt Practices Act) and United States Treasury Office of Foreign Assets Control (sanctions regulations) provide pathways for principals to mitigate penalties for misconduct and illegality arising from the conduct of their third parties, but only where the principal has an appropriate compliance program in place to manage these risks.

Any program to properly manage third party risks must follow the third party lifecycle, which may include some or all of the following management actions:

| Lifecycle Stage | Illustrative Management Actions |
|---|---|
| Third Party program setup and governance | 1. Setting the ‘tone from the top’; 2. Develop the Compliance Obligations Register; 3. Determine risk appetite; 4. Develop policies and frameworks; 5. Undertake risk assessments; 6. Develop a risk management plan, including risk treatment strategies; 7. Training and awareness programs; 8. Develop due diligence frameworks and programs; 9. Develop ongoing monitoring and evaluation frameworks |
| Third Party Selection | 1. Document the principal’s specific requirements; 2. Perform due diligence; 3. Identify the third party’s material risks, process or capability gaps; 4. Identify potential treatments for these gaps |
| Third Party Onboarding | 1. Develop risk-based contract schedules which are practical, auditable and enforceable by the principal; 2. Agree contracting and legal agreements; 3. Agree third party audit or contract compliance arrangements |
| Third Party Operations | 1. Perform Quality Assurance; 2. Manage the third party relationship; 3. Provide regular oversight and direction; 4. Undertake periodic audits or contractual compliance reviews; 5. Periodically review and update Compliance Obligation Registers and Risk Assessments; 6. Undertake periodic due diligence throughout the term of the contract with review frequency based on the assessed risk |
| Third Party Offboarding | 1. Execute termination protocols as agreed in the contract; 2. Collect all principal documentation, Intellectual Property, equipment and other assets; 3. Supervise the destruction of data, assets (e.g. molds, prototypes) or equipment where not easily transferred; 4. Periodically review the footprint of the third party’s operations for a period after termination to ensure all IP has been returned and monitor for competitor relationships |

Source: Paul Curwell (2022) – illustrative actions to manage third party risks

All businesses today need third party relationships, and whilst they do present risks they also present tremendous opportunity. Further, most businesses today would not be able to thrive without access to their third party ecosystem. Whilst there are risks inherent with third parties, these can be managed effectively and appropriately via a risk-based approach that both considers the context and materiality of the risk and implements practical, effective treatments that work for both the principal and the third party. After all, any party can walk away if contracting becomes too onerous, which may not be a good outcome for either party. Treading this fine line is one of balance and mutual agreement.
