A key challenge of supply chain compliance management is access to reliable real-time information.  Apps and technology tools can offer a possible solution, though they also come with some risks.

There is an increasing array of data analytics products utilizing data on the market that seek to support supply chain compliance by providing up-to-date data and other analytics to help businesses navigate increasingly complex supply chain compliance issues. The COVID-19 pandemic has seen even more products appear to assist with different aspects of the supply chain. We highlight a few types of supply chain products below and their potential use for compliance purposes. We then discuss potential risks posed by these products.

EXAMPLES OF SUPPLY CHAIN TECHNOLOGY TOOLS

Supplier discovery and screening tools

Several businesses have already been integrating supplier discovery and screening products into their supplier vetting processes. For example, supplier discovery predictive tools can help companies streamline a company’s new vendor due diligence process by using a tool to search through a database of millions of suppliers, evaluate their credibility and provide recommendations. A supplier discovery tool may, for example, provide a trust score for each supplier based on factors such as whether the supplier is currently working with an established company. For existing suppliers, the tool can continue to provide up-to-date information so that businesses can be made aware of any new issues.

Processing mining tools

Another type of tool deploys process mining to identify compliance risks and support internal audits. Process mining tools can give a company greater visibility on aspects of its supply chain so that the company may more effectively manage risks. A process mining tool typically takes existing data (such as data on purchase orders, invoices, etc.) directly from a company’s underlying IT systems and also integrates external data from third-party partners, suppliers, and service providers. It then uses data analytics to analyze the processes flowing through a company’s system to capture the company’s digital footprints and visualize processes in the supply chain.

Process mining can identify processes that are not performed according to operational guidelines. It does this by detecting and visualizing the actual process in a supply chain and comparing that with the target model to reveal any deviation. This may be used to identify process breakdowns that could create compliance issues and to assist in preparing compliance audits. For example, process mining may discover unapproved purchase orders that do not meet compliance standards and allow a company to make rectifications.

Process mining can also reveal how prepared and responsive suppliers are to business and compliance risks posed by global events, such as COVID-19. This provides companies with information to avoid external risks, for example by opting for better-prepared suppliers.

Trade and labor management tools

Trade management technology helps businesses stay up-to-date with emerging trade and customs regulations by providing information on product classification, denied party screening, and import/export controls. These tools are able to check for issues related to compliance with embargoes and sanctions as well as licensing requirements.

Other products focus on environmental, social and governance (ESG) compliance. For example, these products might map out slavery, carbon, environmental footprints across different supply chains and investment portfolios. They might also track the flow of raw materials and show, for example, that raw materials used for a manufactured good are routed through a jurisdiction susceptible to modern slavery risks.

Labor-focused tools can be used to help companies mitigate forced labor and modern slavery risks in their supply chain. For example, there are products designed to detect forced labor risks generated by recruitment data to provide patterns of forced labor risks in a supply chain. Other products focus on migrant labor exploitation risk indicators, for example, by detecting forced labor risks generated by recruitment agencies and the recruitment practices of business partners.

RISK CONSIDERATIONS IN UTILIZING SUPPLY CHAIN COMPLIANCE TOOLS

While these digital tools may provide numerous benefits for managing compliance risks, they may raise other compliance and legal issues. We highlight some of these below:

Trade secrets

Allowing third-party products to access and analyze a company’s supply chain processes and related data might risk compromising the value of trade secrets that companies may have created in their supply chain, including information on suppliers, materials, etc. A trade secret generally includes information (including patterns, methods, techniques, or processes) that derives independent economic value (actual or potential) from not being generally known to or readily ascertainable by others.

Questions to consider:

  • In deciding what information to make available to be used by the product, is there a need to segregate more sensitive proprietary information from other information? How will providing information to the technology vendor affect any trade secret nature of the information?
  • Will the technology vendor have in place protections for these trade secrets? Does the agreement provide sufficient protection for the company?
  • Will the data be used to provide analysis for the technology vendor’s other clients?

Issues around collection and processing of data

Supply chain products such as process mining collect a large amount of data, which could raise issues around the collection and use of such data. Some of the data may be considered personal data that is subject to data protection laws. With growing interest and understanding of data privacy by regulators and the public, it is important for companies to consider whether they have an appropriate legal basis to share data with third-party technology vendors. Data ownership and limitations on vendor rights to use the collected data are other important considerations.

Questions to consider:

  • Would the vendor be given access to personal data? If so, how are data privacy requirements addressed?
  • What do the terms say on how the vendor will protect and use the data?
  • Is the vendor able to commercially exploit the provided data?

Cybersecurity

Cybersecurity risks are obviously front of mind for many businesses. Some of the supply chain compliance products may allow technology vendors to access or integrate with IT systems. Given this, it is important for companies to ensure that technology vendors have in place appropriate cybersecurity protections. This is particularly important for supply chains for products that are required for critical infrastructure or that may impact national security, as these products may be subject to higher scrutiny or regulatory requirements.

Questions to consider:

  • Has the vendor adopted adequate security measures?
  • Will embedding the digital tool into the company’s system compromise the security of its systems?
  • Can the digital tool also compromise any of the systems of the company’s business partners and other service provider (e.g., in the case of connected systems)?

AI limitations and considerations

AI or predictive tools can help speed up specific tasks, such as process mining a supply chain and identifying key suppliers. However, AI and predictive tools are not error-free. Key dependencies are often the accuracy of the data or rules on which the technology is built.

Further, AI technology utilized in supply chain analytics will need to be trained. This could raise issues between the company and the technology vendor about who is responsible for training the AI and who will have rights to any improvement made to the AI technology.

Questions to consider:

  • Who will provide training to the AI?
  • Will the service provider or the company own the rules built for the AI?
  • What are the limitations of the AI technology and how will these be addressed?
  • Is the data processed by the AI verified? Who is charged with verification of data?

Regulatory accountability does not sit with the app

At the end of the day, the responsible entity and in some cases their directors, employees and other personnel are legally accountable for meeting supply chain regulatory requirements. Accountability cannot be contracted out to an app.  Products and tools of the type outlined can support the supply chain compliance function, but they cannot replace it.  As noted above, AI and predictive tools are not error-free, so their use must involve sufficient human oversight and scrutiny to detect errors or limitations in the results provided by using these tools.  In order to effectively adopt digital transformation in the supply chain, compliance personnel must be trained in operating new tools and in detecting and responding to any risks posed by these tools.

Questions to consider:

  • What due diligence has been done to understand the risks and potential limitations in deploying a supply chain compliance tool?
  • What training needs to be provided to personnel who will be using the tools?
  • What level of oversight needs to be built into the organization’s compliance risk management processes to monitor for problems with using the tools?

While technology can help businesses with managing various compliance risks at different stages in the supply chain, there is a limit to what these tools can do. These tools may not able to ascertain the quality of data inputted and their algorithms may not be able to handle more complicated activities such as developing new strategies or implementing improvements. Further, adoption of digital tools may raise other legal and compliance issues relating to trade secrets, data privacy and cybersecurity. That said, these digital tools are constantly improved and their potential to help with managing a wider range of supply chain compliance issues seems promising.

Author

Anne's practice focuses on IT and telecommunications supply arrangements; understanding regulatory issues for online, telecommunications and IT businesses (in particular for data management); and trade regulatory and commercial contracting advice. Anne regularly leads projects for drafting, localising or rolling out commercial agreements of data protection policies for multiple jurisdictions in Asia Pacific and conducting due diligence for undertaking new activities in Asia Pacific markets.