The unfortunate truth is that every day, well-meaning companies make contracts with and pay invoices to fictitious suppliers. Governance, Risk and Compliance (GRC) are the controls that provide the right steps to prevent fraudulent supplier contracts from slipping past the nose of your controller.
“Tone at the Top”, supplier management, and compliance
Compliance with GRC standards should be ingrained in your daily business practices. These ethical standards and expectations are set in motion by the top leaders and executives of the company, hence the term the “Tone at the Top.”
What does Governance, Risk Management, and Compliance (GRC) mean to your organization?
Ethical best practices in the Procure to Pay process are governed by GRC principles. GRC comprises three central concepts: Governance, Enterprise Risk Management, and Corporate Compliance.
Governance is directed by the senior officials and executives who oversee the controls of the entire organization. It’s a top-down way of guiding all activities to follow established protocols through decision making and management strategy. It’s making sure all activities within an organization follow the guiding principles set by management and government regulations.
If governance is the “all seeing eye” of GRC, then risk management is the telescope through which it views risk.
Through risk management channels, management identifies weaknesses or threats to overall business objectives. These threats include technology vulnerabilities, data security gaps, compliance violations, bad investments, and external legal issues.
Organizations should know what kinds of compliance issues present the biggest threat to the business and perform a risk assessment to identify those.
Part of the desired outcome is identifying the areas in dire need of compliance oversight, and prioritizing those, specifically as regards supplier management.
Compliance is conforming to a set of predefined rules. Governmental bodies, laws, regulations, and policies affecting your industry all influence your business's compliance requirements.
Sometimes, there are costs of non-compliance that outweigh the benefits of adjusting to accommodate specific regulations. However, non-compliance situations should be weighed carefully, as a misstep could significantly impact an operating business.
Applying GRC to the Supplier Management Process
Now we arrive at how governance, risk management, and compliance affect Supplier Management Processes. Use the steps below to see how GRC can tighten controls and enforce compliance within your organization.
1) Supplier Qualification Process: Ensures that services provided by suppliers fit your company’s needs.
2) Supplier Sourcing: Gather the appropriate documents necessary to understand a supplier’s service. This includes requests for proposals (RFPs).
3) Onboarding: This is the phase when applying GRC standards is the most crucial. During the early stages of reviewing a supplier’s contract, contractual compliance is of the utmost importance. Compliance screenings (OFAC, OIG, BS, PEP, AML) are helpful in this phase.
4) Supplier Compliance and Screenings and Managing Performance: Once the supplier is validated, performing ongoing compliance screenings is one way to prevent a fictitious supplier from slipping through the cracks of your organization. Service Level Agreements (SLA) can also be examined at this step.
5) Managing Supplier Performance: A prepared exit strategy that identifies a supplier’s non-compliance or contract breaches helps provide a smooth transition for the supplier and your organization.
6) Placing a Supplier on Probation or Establishing an Exit Strategy: An effective supplier management program as outlined will protect a company against the risk of non-compliance fines and internal control issues.
About the Author
Chris Doxey, CAPP, CCSA, CICA is an independent management consultant providing Internal Controls and Business Process Best Practice Solutions. She has extensive experience in procurement, accounts payable, internal auditing, internal controls, Sarbanes-Oxley compliance, payroll, logistics, financial systems strategy, and financial integration at Digital, Compaq, Hewlett Packard, MCI, APEX Analytix, and Business Strategy, Inc. She was recruited to assist MCI (formerly WorldCom) in recovering from its internal control challenges. She has a bachelor's degree in English, a bachelor's in accounting, a master's in business administration, and a graduate certificate in project management. Chris has written numerous articles and published two handbooks: AP Leadership Skills and Implementing a Controls Self Assessment Program for Your Accounts Payable Department.