Due diligence: How much is enough?

It wasn’t until very long ago that onboarding a new supplier for an organization was a straight-forward process. The focus was on three main elements: cost, quality, delivery. After preparing a shortlist of suppliers competitive on price and delivery, a buyer would send a vendor’s information for a review by the QA (Quality Assurance) Department. Perhaps too often, it may have been a perfunctory review providing the supplier could provide an ISO 9001 certificate, or equivalent.

By Stephen Cherlet

Today, the areas of focus are greatly ex-panded as are the regulations that might apply. From the 1976 implementation of ITAR [International Traffic in Arms Regulations], impacting products for defence contractors, to the 2022 EU Mandatory Due Diligence Directive, impacting companies operating in the EU, there are a plethora of regulations to consider.
Current supply chain interruptions mean that many firms are shortening supply chains and bringing elements of work, or entire factories, closer to home. But that means having a process in place to ensure firms understand not only their own regulatory landscape but also that of their suppliers.
Beyond some basics like regulations, what should organizations be looking at, and how far should the review go? That’s not an easy question to answer but here are a few quick tips:

• Develop an in-house checklist based on best practices gleaned from other firms considered to be best-in-class (they often publish articles, participate in forums, or present at conferences) as well as information from reputable sources on the internet (industry associations, associa-tions offering designations in a specific field, or educational institutions).
• Focus on key suppliers and/or apply a standard A-B-C type categorization to work through the supply base. Keep in mind, a critical supplier may be one with a low business volume (i.e. Class C by purchase but still mission critical). Remember, you can’t only focus on the top ranked and eventually the whole list should be reviewed, but we can also do a deeper dive on the top ranked.
• We need to consider the end-to-end supply chain which on the supplier end means “my vendor’s vendors”. To truly be able to validate a key vendor’s ability to perform, we may need to look a level below them. Recent conversations with colleagues have revealed that it is often the tier 2 vendors causing a tier 1 vendor to be unable to deliver.

Checklist

So, what should be some of the items on a supplier due diligence checklist? There are various aspects that need to be addressed: Overview of the Business, Financial Statements and/or 3rd Party Assessment, the Business Management Systems (or ERP), Operations Review and Quality Assurance/Management.

Overview of the Business

Chart showing legal, organizational and ownership structure of the business. This should include a list of directors, offices and key employees of the company. With the list of sanctioned countries, companies, and individuals growing continuously, this is a critical item. Summary of the company history, as well as product listing.

Financial Statements and/or 3rd Party Assessment

For most business’s needs, a 3rd party assessment by a recognized firm, such as Dun & Bradstreet or similar, is sufficient. For larger, or critical, suppliers obtaining a copy of the last 3-5 years financial statements could be a good idea. Your internal finance team can provide their assessment of the historical operating performance.
Key is to try to ascertain that the proposed, or existing, supplier can continue operations. For example, a discussion around current supply chain issues revealed that efforts to onboard a second source for a critical, sole source supplier was about to be derailed by the merger of the two entities. The existing source was ripe for a takeover and succumbed to an offer negating the mitigation efforts of the customer.

Business Management Systems (or ERP)

Understanding if the supplier has a fully functional, integrated business system is a good starting point. Many smaller firms operate with a combination of stand-alone systems for each functional silo. This can make them prone to key employee depar-ture. Such non-integrated approaches often make it difficult for businesses to scale up. For vendors who have an integrated business system, understanding its age, the vendor and maintenance status is impor-tant. In either case, you want to be aware of the timing of potential system imple-mentations or migrations. These events can often lead to lower output or actual delivery interruption.

Operations Review

Many firms skip an actual visit to the supplier’s site. This may be due to cost avoidance or lack of resources, but this is not a good approach. Nothing beats going to see where your goods are being produced. Seeing the layout, organization, cleanliness, and safety of production is always highly worthwhile. Key to validating what has been seen, is the collection of review of typical related certifications as may be applicable to your industry: ISO 14001 (Environmental Management System), OHSAS 18001 (Health & Safety Management), etc.
For firms supplying into the defence industry, other certifications may apply such as ITAR, mentioned previously, and its equivalent in other jurisdictions. For faster movement of goods, especially into the United States, C-TPAT (Customs Trade Partnership Against Terrorism) of 2001 is an example of a Trusted Trader Program.
Such programs facilitate customs clearance and can be worthwhile time savers in the overall lead time. These programs do invoke their own audit and checklist requirements. To maintain your own organization’s C-TPAT certification, you must audit your suppliers regularly for their continued compliance with the program. Both your facilities, and those of your suppliers, are subject to audit including overseas suppliers.

Quality Management

Each Quality Assurance department will have its own checklist or survey form. Some of the content of this article’s points are most likely to be included. Companies may want to consider consolidating checklists having different sections assigned to functional owners. The industry and products involved will heavily influence the requirements, so this can only be a summary.
The key certification as a validation of a vendor’s responses is typically an ISO 9001 (Quality Management Systems) approval by a respected auditor. Other certifications could include ASME, EN and others as applicable.

Conclusion

Due Diligence is a detailed and complex effort. Such a brief article is intended to show the scope, prompt some thought, and hopefully offer ideas of a way forward. This is definitely not a “one size fits all” undertaking. It can be a daunting exercise, so the key is to focus in on the key topics for your most critical suppliers first. Then start working through the echelons.