In the modern business landscape, enterprises are increasingly intertwined through complex networks of suppliers, vendors, and other third-party relationships. While this extended enterprise system brings immense benefits, like specialization and economies of scale, it also introduces challenges in terms of ESG, compliance, and operational resilience. As organizations lean more heavily on their external partners, ensuring that these partners share values, meet regulatory requirements, and can withstand potential disruptions becomes paramount.
Compliance isn’t just about adhering to laws and regulations. In the realm of supplier and vendor management, compliance also encompasses. Resilience is about how your extended enterprise responds to unforeseen challenges. Recent global events have shown that disruptions can arise rapidly, from pandemics to geopolitical tensions. A resilient supplier and vendor network can mean the difference between continuity and chaos.
It’s crucial that partners have congruent ESG objectives, commitments, values, and standards. When an organization’s suppliers and vendors uphold shared values and standards, there’s less risk of reputational damage, financial loss, or operational disruptions. Increasingly, consumers and stakeholders demand that businesses act responsibly. Ensuring that your suppliers and vendors also uphold these standards can cement your reputation as a responsible enterprise. With digital resilience, data protection, and other privacy regulations taking center stage, it’s vital that your partners treat data and processes with the care they demand. Any breach on their part can have ripple effects, damaging trust and possibly resulting in hefty fines. One CIO was recently personally fined roughly £80,000 for a third-party risk/resilience failure.
Organizations need to consider . . .
- Diversify Supplier Bases: Don’t put all your eggs in one basket. By diversifying, you reduce the risk of a single point of failure.
- Regularly Review and Update Resilience Plans: Make sure every stakeholder knows their role in case of disruptions. This should include communication protocols, resource allocations, and backup suppliers.
- Invest in Technology: Modern supply chain technologies, like blockchain and AI, can provide real-time insights, helping to identify potential choke points and ensure smoother operations.
Organizations globally are gearing up to respond to a whole range of EU and UK regulations and laws that impact this intersection of resilience, ESG, compliance, and the extended enterprise.
- EU Corporate Sustainability Reporting Directive (EU CSRD)
- EU Corporate Sustainability Due Diligence Directive (EU CSDDD)
- European Sustainability Reporting Standards (ESRS), the standards that CSRD reporting must follow
- EU Digital Operational Resilience Act (EU DORA)
- EU Cyber Resilience Act (EU CRA)
- Germany’s LkSG (Supply Chain Due Diligence Act)
- UK FCA/PRA/BoE operational resilience rules (the regulators’ joint operational resilience policy, not a statute)
- UK Senior Managers and Certification Regime (SM&CR – a CIO was personally fined roughly £80,000 for a third-party risk/resilience failure)
- UK Corporate Governance Code (the “UK SOX” proposals and the recently proposed revisions . . . which would require resilience statements and a focus on ESG)
Many firms in the USA and the rest of the world have to respond to these laws. If your clients/prospects are anywhere in an EU supply/value chain, then many of these apply to them. Just the first three on Corporate Sustainability (what I call the EU ESG Trifecta, as they all work together and support each other) impact roughly 50,000 firms directly, and many more indirectly through their vendor and supplier relationships. There is a lot of movement right now on EU DORA as organizations become aware that it casts a very broad net, including anyone that services and supports the financial services industry, with a lot of downstream impact.
Organizations must understand that their reputation, operations, and success are deeply linked to their extended enterprises to truly thrive in today’s interconnected world. By ensuring compliance and resilience in supplier and vendor relationships, businesses safeguard their operations and position themselves as trusted partners in an increasingly complex ecosystem.
Ultimately, these relationships aren’t just about transactions but trust, collaboration, and shared growth. As we look toward the future, organizations prioritizing these values will undoubtedly stand out as leaders in their respective industries.
Here are some of the events GRC 20/20 is involved in on this topic over the next few months . . .
September 14th Webinars
- A risk-based approach to operational resilience: When prevention isn’t always better than a cure.
- Third-Party Risk & Resilience: From Uncertainty to Business Confidence
September 18th Webinar
September 20th Webinar
September 25th Workshop in London
September 26th Seminar/Roundtable in Amsterdam
- Designing GRC programs to Manage Risk, Regulatory Compliance, Third-party, and Digital Operational Resilience Requirements
October 10th Webinar