3 Areas Where CSR Risks Hide in Your Indirect Spend (Part 2)

The myriad challenges of managing indirect spend come down to its size, its characteristics and procurement’s ability (or lack thereof) to effectively manage it, as discussed in Part 1.

Many of these challenges create situations in which organizations have poor visibility into the goods and services being purchased, as well as insufficient data to make reasoned decisions about what and with whom to buy.

This creates many issues that can be analyzed in terms of price and control (i.e., demand management, spend under management), but because procurement is so often measured on cost savings as its primary KPI, another essential factor can be left by the wayside: risk. Especially when it comes to corporate social responsibility (CSR) and sustainability, risk remains hidden within indirect spend. To see how these dangers go unaddressed, here are three areas with examples of where organizations miss — but, with proper tools, can address — CSR and sustainability risks for indirect procurement.

1. Operational Risks

Even if the goods or services in question are not intended for resale (i.e., indirect spend), they can still present considerable risks to the normal operation of your business. This is perhaps nowhere more apparent than in the realm of cybersecurity. Given the increasing relevance of cyberattacks to businesses, companies should seriously consider how suppliers contracted for indirect purchases, even seemingly insignificant ones, can create huge CSR risks if not managed properly.

Just ask Target. In 2013, Target contracted with an HVAC supplier — that is, an indirect category for MRO — that was ultimately victimized by malware-laced emails. A small company compared with its household name customer, Fazio’s cybersecurity measures consisted of a free version of anti-virus software. The offenders were able to obtain the login credentials of Fazio employees through compromised emails, which the hackers then used to access Target’s supplier portal, posing as Fazio. While inside Target’s system, the hackers stole credit card data for millions of consumers and cost the retailer $162 million in the process.

The Target example shows how a seemingly innocuous decision (which HVAC company to contract with) ultimately created both a risk to the operation of the business and a CSR risk, since Target was responsible (through its lack of preparation) for putting millions of people in danger of financial harm.

CSR-based risks hiding in indirect spend can also present opportunities to proactively address issues. The choice of how sustainably a company procures an essential indirect category like energy illustrates how organizations can positively influence operational risk and procurement performance.

The push by companies to get to 100% clean energy procurement within the coming decades, led by companies like forward-looking Google, Apple and Facebook, is starting to spread the benefits of sustainability into other industries.

GM, for example, is moving to power all of its Texas plant operations with solar and wind energy. The strategy should help GM better insulate itself against price spikes that come along with traditional energy sources, as well as save it money in the long run: The company saved $80 million in 2016 by switching to greener and renewable energy sources.

2. Ethical and Compliance Risks

Branching off from operational risks, companies need to examine how selecting suppliers can expose the business to ethical and regulatory compliance risks. While this type of risk often brings to mind regulations like REACH and ROHS, which restrict the use of certain materials due to ethical concerns about consumer harm, indirect spend categories can just as easily expose a company to unexpected crises.

Corruption provides a compelling example because it’s an increasingly prominent risk to corporations. Corruption can take the form of any kind of abuse of entrusted power in the workplace for private gain, including bribery, conflict of interest, fraud and money laundering. Due to the dispersed and opaque nature of indirect tail spend, corruption schemes can quietly slip into supplier selections without proper procurement diligence. As data gathered by Stanford Law School illustrates, 90% of Foreign Corrupt Practices Act cases involve a third-party intermediary (e.g., a company providing services to the accused).

Consider the story of GlaxoSmithKline’s 2013 bribery scandal, which resulted in a nearly $500 million fine by the Chinese government. According to investigators, senior executives for the China operation of the British drug giant for years used travel agencies “as money-laundering shops to funnel bribes to doctors, hospitals, medical associations, foundations and government officials.” The payoffs were used to increase drug sales and raise prices for GSK’s products in China.

What’s more, this appears to not be an isolated case.

Using travel agencies to facilitate money laundering is a common practice, according to a New York Times report, and various agencies would often compete for GSK executives’ business by “offering cash, luxury travel or even by hiring young women to engage in sexual activities — or ‘sexual bribery’ — with GSK managers.”

The implications for CSR and risk management are clear. A seemingly innocuous indirect category like travel and expense, when not managed by a transparent procurement process, can invite bad actors to exploit opportunities, creating significant corporate costs as a result.

3. Reputational Risks

Reputational risks concern how your business is perceived by others — by investors, by governments (regulators) and by the public. No company wants to end up on the front page of a major newspaper for a CSR stumble, which is why procurement organizations go through the effort of identifying direct materials risks such as forced labor at contract manufacturers or the presence of conflict minerals in finished products.

What often doesn’t get as much attention, however, are reputational risks buried in low-visibility indirect categories. Services spend can be one particularly dangerous segment. If procurement neglects to run vetting processes for service suppliers or contractors, it risks opening the business to many of the same problems found in direct materials supply chains.

Consider, for example, the cleaning supply chain. Rather than run janitorial or other cleaning services itself, a business often decides to outsource the task to a contractor. But the contracted supplier may not provide the actual cleaning services; rather, it likely will fulfill the contract by sourcing workers from a web of additional subcontractors or labor contractors.

Once the contracted service gets passed down to multiple subcontractors, procurement loses visibility of what is happening in the engagement. This is precisely what happened in Australia, where the country’s Fair Work Ombudsman conducted an investigation into how supermarket Woolworths’ managed its cleaning contracts.

“Our Inquiry found deficiencies in Woolworths’ governance arrangements with regard to its procurement and oversight of cleaning contracts, resulting in serious exploitation occurring at multiple levels of its cleaning supply chain,” Fair Work Ombudsman Natalie James said in a statement. “We uncovered breaches across 90% of Woolworths’ Tasmanian sites, including cases of contractors paying cleaners as little as $7 per hour for training and $14 per hour for work — well below their legal entitlements.”

Instead of a properly orchestrated engagement management and payments structure, the cleaners were often paid in unrecorded cash-in-hand payments with no pay slips provided, according to the statement.

“Overall, record-keeping by contractors engaged at Woolworths’ sites was abysmal: At 84% of sites, workplace records were inaccurate or not kept at all,” James said.

Woolworths’ was not fined for the mistreatment of workers cleaning its stores; instead, it entered a compliance relationship with the ombudsman to rectify the underpayments and improve compliance within its cleaning supply chain. The damage to Woolworths’ reputation, however, is undeniable.

The incident that drove the inquiry, according to the statement, was when cleaners had been locked in a store overnight “to complete a strip and polish and were unable to leave until the duty manager arrived at the store the next day.”

The situation was compounded by the fact that many of the cleaners were foreign workers, many of whom said they feared speaking out about abuses because they didn’t want to lose their jobs. Such incidents can quickly tarnish a business’ brand image. Imagine shopping in a store that you knew had imprisoned a powerless worker overnight — and then you know just how important it is to identify risks in indirect spend.

How to Take Action

By now it should be clear all of the different places that risks, especially ones related to CSR, can hide deep in your indirect spend.

But the next steps are figuring out how to identify your weak points, prioritize areas to defend against and create strategies for mitigating risks as they arise.

To learn how to do just that, stay tuned for Part 3 of this series, in which we bring the question of CSR risk in indirect spend and how to solve it to one provider that specializes in this area.