Unlocking Risk-Ready Strategies: Mastering EU Compliance for Supply Chains

February 7, 2024

Everstream Analytics and BearingPoint experts explore the EU Corporate Sustainability Directive, highlighting a significant shift in supply chain ethics and the enforcement of carbon neutrality. Compliance isn’t an option; it’s essential for sustaining resilience and competitiveness. 

This webinar delves into the implications for businesses, equipping you with practical risk management strategies to navigate EU compliance requirements. Gain the tools to ensure your supply chain remains resilient, ready to tackle risks in 2024 and beyond.  

Current strategies might leave you unprepared for the evolving regulatory landscape and the demands of the EU Directive. Adopting green, ethical, and slave-free practices is now crucial, urging businesses to revise practices and embrace transformation. Watch now to learn more. 

Ulf Venne, Leader Center of Excellence



Laurent Charmes, Senior Manager, Supply Chain Resilience at BearingPoint



Franziska Nothofer:     

Hello, everyone. Good morning. Good afternoon. Thank you for joining us today for the session “Unlocking Risk-Ready Strategies: Mastering EU Compliance for Supply Chains”, presented by Everstream Analytics and BearingPoint. All attendee lines are currently on mute, and if you have any questions throughout the session, please drop your questions in the Q&A box, and we will get to as many as we can towards the end of the webinar. This session is also being recorded, and we will send you a copy afterwards. My name is Franziska Nothofer, and today I’m joined by our two presenters, Ulf Venne, Vice President of Enablement here at Everstream, who has been instrumental in raising supply chain risk awareness and developing resilience strategies. Ulf is joined by Laurent Charmes, Senior Manager for Supply Chain Resilience at BearingPoint, who is an experienced risk management advisor, and both will guide us through today’s content. With that, I will now turn it over to Laurent, to kick off the session.

Laurent Charmes:      

All right, good morning, or good afternoon, depending on where you are. So, we are going to talk about the, especially about the EU Directive, but more generally, what we see over the course of the last year is a trend, where we have more and more regulations related to environment protection and human rights. So, this is the case we have here a couple of examples on the slides, but in all countries, you have very similar laws in these fields.      

The European Directive is aiming at standardizing that a little bit in the future. It’s forthcoming, it’s not yet there, but you will see the same, providing transparency on your supply chain and making sure that throughout the value chain, there are no products or services delivered to the detriment of the environment or human rights. That there is no forced labor, there is no child labor in your supply chain. So, the number of regulations is increasing, but as well the depth of requirements behind. We take, for instance, an example with the Lieferkettengesetz or the German Supply Chain Act, which became effective in January 2023, so last year. It was initially applicable to companies with more than 3000 people in Germany. Since last January, it’s for companies with more than 1000. And, if we look at this year’s CSDDD or the EU Directive, the companies will go down to 500 in Europe. So we’re clearly seeing that it is going in a direction where more and more companies will be in scope of those regulations.      

Another way to look at it, is, if we look at the transparency, initially, it’s on tier one. So, Lieferkettengesetz, you look at tier-one suppliers; if you have some suspicious activities, you will go beyond. CSDDD does not do the same thing. You need to already go beyond. And this is, we will see later with the Everstream Demo, this is an important part, which is a game changer to have this transparency beyond tier one, to be compliant. So, the requirements and the depth of scrutiny are increasing, as well in terms of fines, which we can see on the next slide.

The fines from, and again, if we make a parallel of the evolution from the German Supply Chain Act relating to European Due Diligence, in the German Supply Chain Act, the fines will go up to 2% of the global turnover. The European Due Diligence foresees fines from 5%. So, already, we are going one step further, and on top, the European Due Diligence Act foresees as well social liabilities. So, it means your company may be liable for any damage done to the environment or to human rights if you don’t take the right course of action during due diligence. So pretty important to see that in parallel. What are the requirements? What are those regulations asking you to do?     

So, unlike what lots of companies see, the law doesn’t ask you to send questionnaires with hundreds of questions to all your suppliers. This is important to have in mind. What they are asking are things in your own business area. For instance, publishing a policy statement showing how you deal with human rights and environmental protection, nominate a human rights officer or someone within your organization who really owns this topic and will really be responsible for it.     

Third, establishing a grievance mechanism, which can be a simple thing on your website, allowing people to complain or to express that there is a concern in your supply chain. Those are three things. The other part, we will see more in detail afterwards, is establishing the right risk management processes and methodologies and systems to support the process. Having something where you can identify, you can analyze the risk for your supply chain, in your own business areas.   

So, depending on where you are on the planet, where your factories are located, being able to say here, potentially, I have a risk, and I have the mechanism to identify and act on it. But, most important, as well, to do that outside your company. To do that as well for your supply chain network is a much bigger challenge because, of course, you don’t have the same visibility, the same control over that. And here you need to prove you can identify those risks. You can analyze them, you can take appropriate action, and you can document that to the authorities.      

So, all of this can be pretty complex if you don’t have the right approach. Again, if you do the same thing across the board for all your suppliers, but if you have the right methodology behind to say, well, I have a quick way, first of all, to identify where do my suppliers operate, what do they do for me? You will already be able to segment them into multiple tiers of risk and take the appropriate action. For instance, if you have a supplier providing you with some tax advisory in Germany, it may not be the first thing you do to check them for this regulation, so you will do nothing. But on the other side of the spectrum, if you go to a supplier providing you with manufacturing services located in Asia, maybe then you will first start with this one, you will stop, and you will deploy more efforts. It’s extremely important to have the right indicator and methodology. But for that, I think, Ulf I will hand over to you to dig more into the details.     

Ulf Venne:      

Hello, everyone and a warm welcome from my side, although it’s not too warm where I am, because it’s raining. I hope the weather is better wherever you are. Laurent indicated especially the supplier side is something that can get very complicated, and while we don’t want to drown it, we want to quickly talk about how to embed that efficiently into your processes it and goes essentially the same way you would establish a risk management system where you manage by exception. And you do that in the natural processes you’ve established for your sourcing team already. So, here you see the supplier life cycle essentially where you onboard your source to contract, to go over. And then you really work with the supplier and procure to pay, continuous improvement as performance management and then eventually, offboarding. So, early on, you can already start managing risk by looking at long-term probabilities of something to happen and then moving more and more into monitoring key activity. So, manage by exceptions. 

Look at those that are most likely to fail, implement more stringent monitoring, implement sub-tier discovery, and then you go and eventually look for anything that happens, which is maybe misconduct or maybe performance losses, and then you take them out of the picture. Obviously, sourcing is not the only area where you should look to establish sustainability and risk management efforts. You can do the same in planning, you should do that also in your production environment, and especially also in logistics. Because for a lot of environmental risks, for example, the Scope-3 emissions, logistics plays a vital part.     

And again, making it really sustainable comes from adding risks together with sustainability. Because by managing your risks, you manage your cost of goods sold, you reduce the amount of money you spend on doing things. And then sustainability gives it the compliance and also the customer validation that you need. So you can kill two birds with one stone, which is great.  

And with that, I want to just quickly mention that we are going to do an in-depth demo at the end of this session to show you a little bit about how this system works. It’s not going to be as in-depth, it’s going to be 10 minutes high level, but it’s going to give you a very good view of what we do, how we do it as a company, and how you’re really able to enhance the visibility, mitigate risk, ensure compliance, and also stay resilient at the same time. Because, essentially compliance and resilience go hand in hand.    

And with that, I’ll hand over to Laurent.      

Laurent Charmes:      

So, what is important here is to really have a comprehensive approach. We cannot look at that purely from one angle. There are three main points which are illustrated here. First of all think about the governance of your program and how you lead this resilience system, how you drive sustainability. The first theme, governance, is to talk about roles and responsibilities. Is it a supply chain topic? Is it a compliance topic? Is it a sustainability topic? There are really many different departments involved in this topic, and it’s very important to clarify who is doing what. Because the answer is, there is a collaboration between all those departments. It’s needed to be efficient so that everybody knows what they have to do and when. And two, that they have the right way to report that, that they have the right indicators and drive, again, the program.    

The second part of this process and operation. So how do we operationalize the view generated at the higher at the strategic level and operationalize that, making sure that people in the operations, they know how to manage risks. They know where to focus their effort. They understand the supplier they are working with, for instance, what is the risk and how to mitigate it.      

And last but not least, all of this is possible if you have a strong digital data foundation. That you have all data in proper shape, joining the dots, and enabling the processing operations. Both providing the tactical view, I would say, and the tools and automation, but, as well, the strategic view of the governance so that we can get enough transparency and drive the program where it needs to.  

So, it’s extremely important to be able to do that across the board and to have these multiple views, and this is what we see on the next slide, please, Ulf. This is why the partnership we have between BearingPoint and Everstream makes a lot of sense to propose to our clients a blended offering where on one side, you have expertise with BearingPoint of the functional expertise of supply chain risk management sustainability, procurement, where we have more than 600 practitioners around the globe with this expertise. And on the other side, we have Everstream providing cutting-edge technology, which is absolutely needed, given the millions of data you have to process to manage to do that efficiently. With that, I think enough words, let’s go into more action. And let’s see how Everstream works. Let’s see that we have some concrete examples. You are on mute.

Ulf Venne:     

I am on mute. That is such an unfortunate thing. Everything I just said was awesome, just trust me on this one, but for now, we are going to go into a short demonstration.     

And it’s actually quite exciting, because our system was majorly updated recently, and our UI is brand new. Which makes it exciting in two parts. The first part is that it’s new, and you will see something that is a new experience for most of you, and it’s going to be awesome. The second is that I’m demoing it for the very first time. So if there’s a mistake, it’s my fault. Anyway, so what we look at right now is a new view that we call supply chain where you can list all of your, you can build different lists. For example, now I look at all the facilities that are within my network.      

There’s a long list of facilities. The ones I look at are the ones for internal and external risk score. And I will talk about internal and external risks in a second. Now, I want to know which of them are problematic. So, I select the risk model, because we can score based on different profiles. So, we’re talking about strategic long term risks. I say, what is the probability of something to happen, but also, what is internally, the risk we know about already? Or what is the impact on my supply chain? So, now look at one where we have our standard profile, essentially enhanced, with a few internal risks. And then I add to this, a risk score, and say, I want to only see the risks that are greater or equal to 15. I apply that filter, and now I see that we have one supplier that is a high likely risk supplier and has a high impact. And then I can go and have a look why. So this is Boardtek Electronics Corporation, by the way, Boardtek is a good company and everything I will show you is in part made up, and some of these are the real risk scores, and I will explain that.   

So, looking at the strategic risk here, you can see that we have an external risk of 11, which is a medium risk. It’s quite OK. Nothing really serious. You can see that we cover natural disasters, operational, political violence, social political risks, sustainability risks and risks to individuals. All automatically, by default, they get drawn in. For the demo, we actually excluded some of these risk scores, and there’s a reason for that I will explain in a second. But you can also see that although it’s in Taiwan, it’s in a part of Taiwan where the earthquake risk isn’t so bad. It’s only six, so it’s green, green is good.

Then a major risk is a tropical storm, which is at 25, and 25 is our highest score, and it’s red and red means “bad”. We tried to innovate a lot of things, but we kept the color coding of green is good and red is bad. What you also see here is we have an internal score. That is where you add your own data points or you add partner scores, or you inquiry with a survey your supplier and add more data to it. Here we made a survey around sustainability and the result was that this sustainability agenda is not very good and that’s why it’s 25. This part of the scores on the left side, this part we made up to build a storyline by just making sure more tech is probably very great. And we also check that with echo bot scores. And you see that this is similar. We also have a credit rating in there. And then you see that the customer added relationship with this relationship, it’s ok.  

But from a sourcing strategy, this is not a single source. So for them, it’s fine and it needs a lot of governance. And it needs a lot of thought to build up these internal scorecards in a way that they become actionable for you. So this is where governance is a very important role making sure you have your processes in flow. So, if we want to know more about Boardtek, we can see them here on a map. We can actually see that it’s connected within the network. Only to one location, which is a plant. And then I can also see here that several materials flow from there into the plant and I can see for which final product they are used. I can also look at different planes, so we get a ton of information that was built up over time, around this supplier, and everything is stored here. A lot is automated and then part of it, you gather over time yourself. So, we not only want to look at the strategic risks and positioning of this specific supplier. We also want to go and look at some incidents and because we talk about compliance today.      

I want to look at forced labor. And you can see here these are all the forced labor alerts we have in the system today. We have an own dedicated analyst team that covers around 1500 incidents every day. And we also look at these sustainability related things, like human labor, and so on, all by validating them through humans, using a lot of AI in the background, obviously. But giving it the human touch. Also, some of the right pages, you can’t really access, using AI, web scraping, and so on and so forth, so we take the extra mile to really find all incidents. So this is very superior to the mundane modern media monitoring solutions that otherwise are out there in the market for when it comes to forced labor. And then you can, for example, here, see that Mexico, there was a forced labor violation against Fujikura Automotive, Mexico, and that was part of the deal between the US and Mexico, that these inter-state relationships are deeply checked. And they were here able to clear up the allegations, so that’s great. That’s positive news. We also have positive news in there, because obviously, that’s an opportunity to maybe select them as a new supplier in the future, despite them before having the investigation ongoing.     

So this is incidents. Short-term, real-time things that are happening also can predict anything for up to six months. Then we have the long-term risk scores that talks about the likelihood and your exposure to the risk as a company where you can add impact and other third party data. But all in addition to that, it’s all about identifying the sub tiers, as already mentioned. I’m going to show you this system, by the way, live. What I’m going to show you now is a sub tier network graph, and that is a lot of data, which means it has to load really quickly. And I’m trying to do that to show you also the performance of the system. Despite this being a lot of data in the background, we can still load it very quickly.     

You can see here now that this network is very complex and very big. And now we have the network graph of this specific account that is made using AI and data science and then expert validation. And we’re querying the whole network for you based on a material basis and on a site location basis, because it’s very important to manage risks and sustainability bye because it makes a huge difference. If you have the invoicing office in Shanghai or if you have the production plant, that might be in change. And for us, the big focus is to give you the best experience to manage risk and sustainability, which means we do it on a location basis. So now we have a very complex network graph. And some of our customers, are looking way bigger and way more complex. So what we now do is we ask the right questions. We have here, a lot of filters next to it, to ask the right questions, and also have a lot of different ways to look at it from a viewing prospect.      

So what we’re going to do now is we’re going to look at German suppliers that are in Germany in either tier one, two or three. And I will look at another type of view that is a tiered view. This is helping me especially identify risks that are based on positioning in the network. Looking at this view, we now see that these are all related to German suppliers. Why did I choose Germany? Well, Laurent and I both live in Germany, we’re presenting today, and that’s why we’re looking at Germany. That’s the only reason, also it’s in the EU, and it’s about the Supply Chain Law. So, it kind of makes sense. Also, I needed to find something, and I thought that was a good story.   

So, looking at this network, this now is not applying any of our risk data to it. No risk scoring. No incidents. That, obviously, is a, given that we do that, I wanted to show you something that is different, right? This is a different use case, this is about risk concentration. And what we find here is that this supplier here is for this specific network, what we call a sourcing diamonds, so essentially it connects to this supplier, connects to a three-tier, to tier three suppliers, and then all of them are strongly connected to this tier. You know, that’s a tier two, that’s a tier three. So, essentially, that tier three here is a big problem, because it eventually could bring down all your core suppliers that all go into their suppliers of your supplier of yours. So you’re struck that you would struggle with him having an outage, which means you go and challenge your suppliers to go and try to find alternative sources.  And this view really enables you to look at that very quickly, very efficiently.    

There are different other views we have that then are more focused on the risk management aspect, where we then add our automated risk scores and our alerts to the network crash, But this is here about risk concentration. I wanted to show that because it exemplifies that there are various use cases you can have leveraging up to your data and compliance and you do that for the compliance in part. But you cannot have a lot of operational benefits and there are tons of use cases out there. And actually, because it’s a rather new technology in comparison, we’re finding more and more exciting use cases every day, and that makes it actually quite fun and intriguing, and you can be part of that journey. Isn’t that great? And with that, I wanted to stop our demonstration and wanted to see if we have any questions.     

Franziska Nothofer:    

Amazing, thank you so much. Appreciate the insightful presentation and diving into the demo today. We have, indeed, a few questions that just came in. The first question is around proprietary data. Does Everstream already have a database of companies of their supply chain data and rating? Or do we have to enter the data manually for each of our suppliers and continue to enrich?     

Ulf Venne:  

So, obviously, we have a lot of data. Otherwise, we wouldn’t have these network graphs, and we have 300 clients. So there’s a lot of data available. Generally speaking, we don’t think it’s advisable to just take the generic data from anybody, including us and just put that on top of you because, essentially, it’s about your supplier and your product. So, you need to know exactly because one supplier can have 300 different plants, so you need to know the right plant, and you need to know the right product, and then, we can use smart priorities to find your specific relevance up to your supply chain. Obviously, it’s easier to just take a network graph and if you want to, we can do that, but it’s just smarter to really do a tailored query because it just brings so much more benefit, otherwise, we generate, whoever is doing it right, generates noise for you that that doesn’t help you right, then there comes an alert. And then you go to your tier one supplier and say, hey, it looks like your 2 2 is disrupted, and he’s like, yeah, that’s not my tier two and has nothing to do with me actually because his source is with another plant. And it’s a different product and whatever. So, the use case is minimized if you don’t do tailored queries. And, we feel given that we advise our customers on this approach is a very differentiated approach within the segment of sub-tier visibility.     

Franziska Nothofer:    

Perfect, thank you. One more question around human rights violations. What is the best practice to identify potential human rights violations within my network? And do you have any specific examples?     

Laurent Charmes:    

I will take this one. So, the best practice is first to have the list of country risk ratings. For example, the question was about forced labor, or child labor. For the CSDDD, we think it’s just one of the risk indicators, but I think there are like 20 to 30 criteria. So what exists is a list of standard risks per country that will tell you: If your supplier operates in this country, the risk is high, medium, or low. You can even have a rating; BearingPoint has a methodology from 0 to 100, for instance.     

So this is pretty standard. The other criteria that you need to cross with it, well, what the supplier is doing? So, it’s usually something that is not, I would say, standard knowledge, something that needs to be elaborated together with you, to say, well, these are the categories, for instance, producing raw materials, packaging, services, things like that, and associating a risk to that. For instance, if I have a supplier doing tax advisory, then that would be very low to the highest range, which is a raw material, for instance. And, of course, it’s a bit more elaborate but that’s the idea. Now, if you cross that and you say, well, in this country, the sub-tier visibility operating in this country and doing that, you can calculate an overall risk. This can go pretty quickly, providing that your data is properly structured.     

In case you have very quickly a map that will tell you the supplier, whatever it is even without touching the supplier, an inherent risk of high, medium, or low. And depending on these, then you will say, ok, the risk is high, you will monitor it closely, I will go into much more detail. If the risk is low, I will do basically nothing, and in the middle, you can have some intermediate action plan.    

Ulf Venne:    

In addition to that, maybe to add real quick, because that was the risk assessment part, we obviously also provide an automated generated risk score on that, but you always have to do the monitoring, as well afterwards, especially for the high-risk suppliers, and you have to establish the grievance mechanism, especially for forced labor. That’s important, because they should be able to get access to you and be able to tell you that there might be an issue. Everstream sees forced labor really as something that we are quite focused on as a company, and we’re working together with Slave-Free Alliance, which is an NGO really tailored in that space and really cares about freeing people out of supply chains that are struggling because of forced labor. And they actually help us validate our solution, make sure that we are covering the right alerts for this topic regularly, and provide sources and everything else. So for us, that’s really a passionate topic. That’s also why I wanted to showcase it in the demonstration, because it’s an unfair advantage for people leveraging that and it’s on the back of humans. And that’s just not something we really appreciate and like and we’re trying to really combat and fight that.     

Franziska Nothofer:    

Right, thank you both for touching on that. We want to be respectful of everyone’s time and are coming to the end of the session. If you have any additional questions about the content covered or would like to get in touch with our team directly, please reach out to [email protected]. And we will also get back to you on any questions we couldn’t get to today, and we’ll send out the recording within the next day. And some exciting news for you to look out for. We have a follow-up webinar happening next month on the 6th of March. Both Ulf and Laurent will go beyond compliance, diving deeper into crafting business value and competitive excellence in supply chains. Feel free to e-mail us with any topics you’d specifically like us to incorporate and cover in more depth. Thank you to all our attendees who joined today. Thank you, Ulf, thank you Laurent. Have a great day. And with that, we will close this session.

Laurent Charmes:    

Thank you very much. Have a great day.     

Ulf Venne:    

Have a nice day.   
