Skip to content


Managing Third-Party Risks in Your Global Supply Chain

By Miriam Konradsen Ayed (Updated )

Earlier this month Apple and its main manufacturing contractor, Foxconn, woke up to a now familiar headache for global firms: allegations of sweatshop labor in one of the plants Apple uses in China to make the iPhone X.

According to several articles in the Financial Times, high school students in Zhengzhou, China, were sent to work in a Foxconn factory as unpaid “interns” for as long as 11 hours a day. The students were told they needed work experience to graduate, even though working on an assembly line had nothing to do with their studies. (The school trains students to be railway managers.)

Under Chinese law, students are not allowed to work more than 8 hours a day, or 40 hours per week. Foxconn was quick to respond to the abuses, and vowed that no students in any of its plants will work overtime again. Foxconn has been struggling recently to keep pace with demand for the iPhone X.

For better or worse, labor abuses in the global supply chain are no longer shocking news. And to Foxconn’s credit, it has tried to respond to the allegations promptly. Still, if we consider how global businesses tumble into these compliance quagmires, a few lessons emerge.

Oversight needs to go further. Yes, a business with a global supply chain should always include right-to-audit clauses in its contracts with key contractors (for anti-bribery, labor abuses, fraud, or any other risk on your mind). Most large companies, however, already have right-to-audit clauses—and still, supply chain abuses happen.

In reality, modern supply chain risks require more than the right to audit. Some retailers and manufacturers, for example, specify that their primary contractors can’t subcontract work to others. Or they dictate the size and layout of contractors’ manufacturing facilities, with prohibitions against moving the work to another site.

Governing how your supply chain works is becoming just as important as maintaining the right to inspect it. We are shifting from managing a compliance risk to governing an operational one.

That shouldn’t surprise. As global supply chains grow more complex, and social media increases reputation risk for your organization, the consequences of labor abuses will grow more profound. The risk becomes greater. So your risk-based approach to governing the supply chain becomes ever more exacting.

Documentation matters. Let’s remember the core misconduct in this Foxconn case: wage and hour violations. Those are among the most mundane compliance risks companies face.

Within the United States, HR and payroll departments have developed sophisticated systems to tame that risk, from time-sheets to employee classifications.

Other countries have wage-and-hour laws too, and suppliers there have documentation systems to prevent abuses. One crucial question is how your parent organization can gain visibility into those documentation systems—or if not, how you can gain assurance that the documentation is complete, accurate, and functioning. Answering that question should be part of the expanded oversight cited in our first point.

Internal control and procedure matter. A companion problem to our second point above is that—don’t die of shock here—unethical managers lie about documentation. They don’t report all hours worked. They forge wage-and-hour reports.

So, really, you need assurance that the supplier’s internal controls and procedures work to prevent those abuses. Otherwise, you will literally have a paper compliance program: you can only look at papers from your supply chain, without any sense of their connection to reality.

When you do audit a supplier, or perform due diligence on prospective new suppliers, that’s the other key question to ask. “How do I know the documentation I have is accurate? How do I know it works? How do I learn about instances when it doesn’t work, in a timely manner rather than reading about it in the media?”

Smart governance of processes. Complete and accurate documentation. Assurances that the processes behind the documentation actually work. Those are the methods to tame supply chain risk.

They are not new. They will, however, only get more important in the future.

due diligence pitfalls

Implement a tailored Third-Party Risk Management solution

View platform

Related reading

Join the E&C Community

Get the latest news from GAN Integrity in your inbox.

We respect your privacy. Your data will be kept confidential and will not be sold or shared with third parties. For more information, please see our Privacy Notice.