Along with security and legal concerns, ethical considerations are an increasingly crucial component of third-party risk management.

By ensuring that third parties engage in fair and lawful employment practices, and by avoiding environmentally harmful manufacturers, companies are not only doing what’s right—they are reducing risk and enhancing their reputation.

PrivSec Third-Party Risk will explore the ethical dimension of supply chain management—and consider how to make sure your third-party service providers live up to your values.


Transcription

Robert Bateman:

Hello. Welcome back to PrivSec Focus: Third Party Risk. I am Robert Bateman. I’m the head of content here at GRC World Forums and your host for today. Before we start the next session, another big thank you to our sponsors ProcessUnity and ServiceNow, and a reminder to please ask questions using the chat feature. And between sessions, you can navigate the platform; there are lots of resources on grcworldforums.com and you can view our sponsors’ pages too, all using that menu bar on your left. Now our next session, we’re onto some supply chain management for the next couple of sessions. Maintaining an ethical supply chain, this is hosted by Merilyne Davies, who is global director of privacy and data protection officer at RX Global. I’ll hand over to Merilyne now.

Merilyne Davies:

Good afternoon, everyone. Thank you, Rob. And as Rob says, I am Merilyne Davies, global director for privacy and data protection for Reed Exhibitions. And I welcome you all to our session on maintaining an ethical supply chain. I’m delighted to be joined today by a panel of experts who will help us all understand this area a lot more. So we’ll open with quick introductions. Regine Bonneau of RB Advisory is up first, Regine.

Regine Bonneau:

Oh, awesome. Good morning, everyone. Thank you for having me. I’m Regine Bonneau, I’m founding CEO of RB Advisory, my background is in engineering. Third party risk, the supply chain is a very key and important aspect for our clients. We do advisory and consultations from the healthcare industry, finance, DOD, energy and water. So when you look at that for the public sector, how do you start managing all that? So we are here to help and looking forward to the session.

Merilyne Davies:

Amazing. Thank you, Regine. And over to André Paris of Fakos.

André H. Paris:

Hello everyone. My name is André. I’m a managing partner at Fakos, a data privacy and compliance consulting firm. I’m also a professor in the GRC field. I’ve written a book that was translated into English as Ethics and Transparency, A Path to Compliance. It’s a great value to be here with you all.

Merilyne Davies:

Amazing. Fantastic. Thank you, André. And finally, over to Brian Myers of Beckage. Thank you, Brian.

Brian Myers:

Good. Hi, I’m Brian Myers. I’m an attorney with Beckage, a law firm based in the United States. We focus on technology, data privacy, and cybersecurity compliance and litigation as well. And we are very aware that third party supply chain is very critical for all of our clients, especially in all the environments that we work in. So very happy to be contributing here today.

Merilyne Davies:

Fantastic. Well, set to be a great session today. So if any delegates have any questions, please do submit them via the private chat and I’ll pose them to the panel as we go on. But we will begin, panel members, to talk about ethical supply chain standards, which can vary of course from organization to organization, but also from a jurisdiction perspective. So can you give us an idea of how you advise your clients on how they might be able to navigate this area? And what does good look like, certainly what you’ve seen in trends that your organizations and clients follow. So if I may, if I can pose that to André first?

André H. Paris:

Okay, thanks. As a consulting firm, we always advise our clients to assess the risk inherent to the vendors, suppliers, and other third parties that the company does business with. So for instance, if your organization is in the fashion and clothing industry, the company must always assess if their suppliers respect labor laws and the dignity of the people that are working with them. And unfortunately, as we all know, we had a relatively recent case here in Brazil, in which Zara, a Spanish company, had a problem, an issue regarding forced labor in its supply chain. And because of that, it had a big reputational damage, not only here in Brazil, but also in trading their stocks in the Spanish stock market. And because of this, we also advise our clients that after identifying which third parties bring the greatest risk to them regarding ethical aspects, they should also implement some controls to mitigate the risks that were detected.

André H. Paris:

So for example, we also advise them to implement some contractual clauses that deal with ethical issues and the most known of them is certainly the anti-corruption and anti-bribery law. I think it’s very much consolidated, don’t introduce these kinds of clauses in their contract, but we can still find some. Also doing ongoing due diligence procedure prior to the celebration of a contract of a business relationship with a third party, it’s also a best practice. Requiring the third party to read and to comply with a company code of conduct and other relevant procedures and policies is also a best practice that we share with our clients. And sometimes we also advise that the relationship that was made with the third party be terminated if the third party doesn’t share the same ethical values that our client does, for example.

Merilyne Davies:

Absolutely. And on that point with regards to ongoing due diligence, et cetera, Brian, is there anything that you can add to that, that you’ve seen has been great practice on how we might be able to implement due diligence once the contract’s in place?

Brian Myers:

Yeah, I think André was just making a great point, that codes of conduct are a mechanism that you can really use to help promote ethical conduct in your supply chain. And the code of conduct is a great opportunity for your organization to write down, here are the things that we value from an ethical standpoint, and these are what our priorities are, and this is what we expect from our partners. And you can build those into your contracts, and you have contractual rights based on what those codes of conduct will state. There are also great opportunities to put in things to help your due diligence, like setting up annual or some other time period, annual inspections or audits, in which you can look in and check in with your vendors, your third parties, and see what they’re doing and get an update on where they are, because all organizations are changing over time.

Brian Myers:

So it’s always good to be checking back in with people. And also a code of conduct is something that doesn’t have to stay in your contract. You can publish that. And we know that for many organizations, their customer base is hoping to see ESG measures and other activity in that space. And your code of conduct is just one opportunity to be something you can publish to your community and say, here’s what we do. And here’s what we’re trying to promote within our own ecosystem. And it is just another great marketing piece for your firm.

Merilyne Davies:

Absolutely. And certainly from our experience, it tends to uplift the industry. So where people follow, I may follow suit, and then it becomes an expectation of customers as well. In your experience, Regine, in terms of how you advise your clients in this space, have you seen more and more companies publish their codes of conduct as to what Brian and André have been speaking about in terms of this is marketing themselves as an ethical provider, but also uplifting the industry more and their customers’ expectations?

Regine Bonneau:

Yeah. So I think this issue started a long time ago, a couple years ago with Kathie Lee and her clothing line. I apologize, Kathie, I didn’t want to bring that up, but when you’re seeing that, if you are looking at that, this is where a lot of this is more prevalent. Prevalent in that kind of industry. So what we’ve been seeing as well here is that it created a momentum, not only on just that certain industries, but across all industries, it requires because we know we outsource a lot. We outsource services in the security world where I focus a lot that has become a concern as well for some clients, depending on who their third parties are and what they’re supporting for them. So with that being said, I always tell them is an extra thing, an extra layer.

Regine Bonneau:

So a code of conduct has always been published, because now it was expected. It’s something companies were doing to differentiate themselves, but now it’s becoming the norm. And then now it’s really realigning, reapplying and aligning and updating that code of conduct to show this moving forward in this green spectrum. How do you minimize your carbon footprint? You’ve seen that on large organizations on the US side and globally, because now it’s becoming that norm. And we all are seeing that global warming is not something of a myth. We’re seeing it. And when you are looking at it, it touches these three. So we are here on the third party. Security is another aspect. You’re like, well, who’s in charge of that? Is it security, where in the department is going to be the one guiding that and making sure that their due diligence process is done, because there’s one aspect that you can go, once you move into environmental.

Regine Bonneau:

But what we are looking to do, we actually brought that up as part of the conversation, as part of that due diligence process and then assign another group to really investigate. I think Brian and André mentioned, right? The same way we’re doing a regular assessment, a yearly annual assessment, this is the same thing, it’s another application, another information that you’re asking for. And I love the fact that I always say trust, but verify, correct, is that source. I trust that’s what we’re doing once in a blue moon, I will verify it as well, not only by documentation, but if we’re doing business, expose what that looks like for me as well, because here’s what we stand for. And because of that alignment, then it’s easier for companies, what good looks like is the process. We’re following the same steps. But however, we’re adding that effort because we understand the humane factor of it, the impact it has on the climate as well as much within the technology.

Regine Bonneau:

Well, what impact does it have? It has an impact because you’re shifting physics and chemistry and we don’t see that as past that, except that software platform that’s moving. What carbon is it exposing outside? So what good looks like is really going through that process that you know already, aligning the initiative of your company and the company that you’re doing business with, not showing them, but talk, having a conversation, understanding their concept. Yes, next steps. What’s the next step that is going to align with yours and now limit a little bit of your reputational risk that you will be associated with in any way that it forms. And because of that factor, everyone has really taken a movement into it. We’ve seen more companies doing that, putting their best foot forward, even the technology they’re bringing out, the social good impact. So all of that is part of that movement. What is the social impact technology now being done? So yeah, there’s those same steps, but alignment and those good conduct and alignment to them is the key for them.

Merilyne Davies:

Great. Thank you. And I have to say navigating this for our organization, if we are using small and medium-sized enterprises where they’re completing due diligence documentation which you mentioned, Regine, actually, they do often struggle with completing these due diligence documents. And sometimes even terminology that we are used to handling both in privacy, security, environmental controls, et cetera, and due diligence sanction screenings, they find it a struggle to complete. So it’d be great to hear from the panel actually, how do we support our SMEs in completing these due diligence documents so that we get the information we need in order to complete our assessments? And if I may, can I put that to Brian first?

Brian Myers:

Yeah, I think it’s important to be clear with them all along the way that this is something that you are serious about, so that they’re aware that it’s something that they need to be prepared to respond to. That they’re not surprised when it comes up during the due diligence process. And set the expectation that it’s something that you want a certain amount of time to be devoted to. And that it’s okay that they do devote time to it, that they don’t feel rushed. So that when you set that tone in the room, that this is a serious matter and that we want it to be given its due consideration, I think that helps to set the tone in the conversation and that they know that it’s worth committing, maybe an extra person or two and however much time is needed to make sure that it’s actually responded to in a serious manner. I think that setting the expectation is probably one of the best things you can do to help facilitate that.

Merilyne Davies:

Thank you. And André, any thoughts to that at all?

André H. Paris:

Perfect. As Brian said, it’s a very important issue. And I think that it’s not unusual, especially in the data privacy field, but it’s something relatively new here in Brazil. And we have a lot of issues regarding understanding of what we are demanding from our third parties. And it’s also a problem in itself if the third party has some issues understanding what all of these concepts are that we are asking them to answer, and gives information that indicates that they might not be as compliant with our data protection law as we would like them to be. So we need to have a little patience here in Brazil and ask them, when they’re not already compliant with our data protection law, to at least say to the company that is doing the due diligence when they will be compliant, when they will implement a privacy program.

André H. Paris:

And the company should look for evidence when the time comes that they were able to implement the privacy program. And between this time, the company should also look for alternatives. Let’s look to my supplier vendor competitors, if they are in compliance with our data protection laws or any other law that the third party is being subject to in the due diligence. So the company should at least state a time for the third party to comply with and also always be looking for alternatives or the competitors who they may be doing business with.

Merilyne Davies:

That’s really nice. Regine, do you have anything else to add to what André has just put in there?

Regine Bonneau:

Do you have time? Not just [crosstalk 00:18:24] We have these conversations all the time. It’s just that one extra thing. So especially that market you just chose, the small business. First, they’re just getting a handle of their business, what they’re actually doing. So that’s awesome, yay. Next you’re like cybersecurity. What are we talking about? Well, technology using, that thing using, that’s what it’s about. But I don’t see if you don’t need to see it, don’t worry. So we are looking, we are at that level. And everything now, as we are grasping what that is, then you have data privacy, all of these things. And I tell them, I said, well, it’s always been there. We just never actually put it as part of our practice because that wasn’t the first thing that comes to mind. So it’s really, this has been said in the front time, I don’t think I can do this, but we have to do it, is keep it simple.

Regine Bonneau:

There’s this thing, we say, keep it simple, stupid, like that KISS thing. The CEO is the person that drives it all. And then maybe some of them may have a board. So that starts that conversation when things like those changes that happen for everyone else to follow has to come from the company as a whole. And now if you are not correct, how can you act? That requires you to be correct because you don’t know what you’re looking for. So let’s fix what we need to do here, because we have mentioned that all around, standards, those codes of conduct, aligning the company. And I tell you, regulations are always going to be there. They’ve been there before you were born. But however, what is your fiduciary duty to what you hold true to yourself and what you’re providing outside?

Regine Bonneau:

So whether regulation exists or doesn’t, you have to do it because with one aspect, if you double that hard earned time, and this is time you can’t get back. So it’s really talking to the risk and aligning it properly and bringing it to a level that they understand. So you talk to the CEO, the finance guy, the attorney, there’s an attorney in the room. So what is that language factor that we’re bringing to the table and realigning and helping them understand that. And as I mentioned, data privacy now is becoming the buzz. I call it buzz because that’s what it is. Yeah. Cybersecurity became the buzzword and everyone is jumping on it. Now you have data privacy and I’m like, guys, it’s nothing new. We’re just now picking the subject, it’s like a 100-step process. Every year there’s one that comes to light as soon as we grasp the other one. So we’re building layers of security, layers of guidance and standards.

Regine Bonneau:

So here’s the first one, let’s get the foundation through security. So now, what does that mean? Part of that family of controls, data is part of it, guess what? You’ve been collecting it for a long time. So let’s take a deeper dive into what you’re collecting. What is it that you need? So when I say simplifying it down, it’s like, well, this TPRM needs to be in this format and they’re looking at it, great, what do TP and R and M mean? Because other people use the language supply chain as well. So how do we have one common title? And then now they decipher it a little bit, a deeper dive, and then bring it to here’s what you are doing as a company. Okay, so now what is the information you’re collecting, why are you collecting that information? And even go to a deeper sentence into who you are servicing at the end, because now you are the third party, then there’s a fourth and the fifth, which is your vendors now.

Regine Bonneau:

And now who are they supporting? And we all said this, so if you have just compliance, just process in place and put it in as a company, as a whole, then now you can translate that to those requirements. And we are seeing that day in and day out. I get questionnaires all the time, that’s awesome. I can answer them. Do you need any documents? No. Are you serious? Okay. No problem. Opportunity. So is that follow through, and André mentioned something, we all see there’s strict guidance that you have to do. If you sit down and have a conversation, you’ll learn that they’re doing it, except it’s not documented and the process needs to be a little bit more mature. And then now you can say, hey guys, you’ve been doing this. Here’s a quick one. You’ve been doing this, but here’s the real format, compensating factors, the same thing in security.

Regine Bonneau:

And the technology side is the same thing they’re supplying. What are you doing now that can help as you move forward with the corrective action plan and your timeline and putting the right measures in place. So we are doing this, let’s limit the engagement a little bit, limit the access to it a little bit, because it all comes down to access control. If we can limit who has this, then we start on the right path. But it’s great conversations to have. And we say, we keep it simple in the sense that let’s understand what you’ve been doing. Where are you now? Where are you going? What does that really mean to you as a company? Unfortunately data privacy is for everyone, you can’t escape it. You just understand what works best for you and put that in place.

Regine Bonneau:

And response time, who’s in charge? Who’s going to be that lead person there? And again, a great thing to say for small businesses, and they all turn around and look at the owner of the business because that’s who’s responsible. And that’s the first thing to say, but yeah, so it’s really another layer, I put it, look, this is another layer on top of it, but this is what we’re here to do. They don’t have the time to go out there and understand and bring it to the table and now apply it. We are here to provide that guidance and in communicating with the right people, now that can drive it forward for them as well. So a lot of it is education.

Regine Bonneau:

Education is always going to be key. And then here’s who you have around you that can help in that sense and how does it apply to you as a company moving forward? And like André said, and Brian, we don’t need you to do it today. It would be great, but we know that can’t happen. But however, having it forefront and front, and as part of the conversation, every little step counts towards what you need to achieve. And at times we need to do it quickly, because it is between surviving or not and in the timeline. So if all of this comes into play, but fun conversations on top of the other.

Merilyne Davies:

[crosstalk 00:25:41] Our approach has been, going to Brian’s point earlier, having been public about what our standards are, but it’s actually working with the industry, with our competitors. So this is more than just being a Reed Exhibitions issue. This is an industry issue. So if we’re clear about what the standards are as an industry around privacy, cybersecurity, environmental impact, et cetera, any supplier that wishes to work with the industry is very clear on what it is that we’re expecting from them. And for the smaller businesses that are operating in our industry, they are guided by the guidance that the bigger players like us are helping to pan and helping them to follow.

Merilyne Davies:

Because they don’t have the resources internally to create things from scratch. They’d be very much looking to the bigger players and, going to the points that were made earlier, this is part of the benefits of being public about the standards that we follow, because we benefit the smaller and medium-sized enterprises that we wish to work with. Because they’re the ones that have the innovation mainly, the two guys in the garage that create this wonderful tool.

Regine Bonneau:

Now we’re using today. You know what? Quick comment. And as you mentioned earlier, what you said is perfect. What we are doing now is taking something that was for a certain sector in the business realm, we are applying it across because now we are using outsourced employees in other countries because of the financial, all of this. That finance, cutting costs, what’s the CapEx, OpEx, all of these beautiful acronyms that we have. So how do we move it from one industry? So you’re looking at more of the scientific, mostly those types of industries were the ones that were really being scrutinized about those climate issues, environmental issues. But now they’re also extending themselves to suppliers and getting… So now it’s that shift. Also, I don’t know, I don’t do any of that. That’s great. But that’s not what we’re talking about, how does it apply to you in that sense? So perfect sense. And as an industry, as the guiding light, I say we need to put that classification very clear and define it across the industry and what you do as a business as well.

Merilyne Davies:

That’s [inaudible 00:28:18] thank you. And I was just reading through the questions that have been posted here by the delegates, I guess, and the general theme has been around what’s your advice on organizations trying to navigate this area in jurisdictions where this might be particularly challenging? Where this either is not legislated for or where there might be some issues with certain sanctions, et cetera. How do you advise companies navigating that? So if I may, if I can put that to Brian first?

Regine Bonneau:

Legal, right?

Brian Myers:

Right, yeah. And that’s the reality of the global world is that legal is a very… It’s not a clear cut question. Even within one jurisdiction, it can be fuzzy, but then when you introduce other jurisdictions, it gets even fuzzier. I think this again is a good indication of the opportunity and the value that exists in your codes of conduct because you can make those… That can be your way of saying this is my universal all-jurisdiction standard. And that code of conduct is going to be informed of course by what you consider to be some of the best examples of legal standards in the jurisdictions that you operate in. And so that gives you an opportunity to bring those into other jurisdictions that you’re operating in and can use those to also educate third parties that may be operating in other jurisdictions that are not as routinely familiar with some of those standards.

Brian Myers:

And so that does create a good opportunity to help you do that and maintain some consistency about how you do business in different jurisdictions, in different parts of the world. So I think that’s another… There’s an indescribable list of values that you can get out of a well made code of conduct. It just keeps yourself accountable, wherever you’re doing business, to make sure that you’re following these standards in every jurisdiction and that you can have your third parties following those same standards as well.

Merilyne Davies:

Absolutely. Yeah. Good point. And André, anything to add to that?

André H. Paris:

Yeah. Perfect. As Brian said, this jurisdiction problem is a very concerning one. For example, the field of bribery and corruption issues. We know that some jurisdictions are tolerant regarding facilitation payments here in Brazil. I know that in the UK and the US we are not tolerant with facilitation payments, but in some jurisdictions you can do it. But you as a global company should know where you are landing your feet and assess the third parties that you will be working with. And that will be representing your company, that will be acting on your behalf with authorities to get licenses and everything that is needed to operate in that new country.

André H. Paris:

So you need to assess, you need to share the values that are present in your code of conduct, as Brian said. And if you can, you should also assess the comprehension of the third party of your code of conduct. Because you can say, read my code of conduct, these are my values. And they say, okay, we will read it, and never read it. So maybe a test, some comprehension test, to understand how much of the content they really comprehended. And at least you have evidence that I tried a lot to share my values. Maybe it won’t be enough regarding sanctions, but it will at least mitigate the sanction applied.

Merilyne Davies:

Absolutely. And in terms of due diligence with that, so you say we have our code of conduct and we require everyone to follow that. But in jurisdictions where this really doesn’t exist or maybe it’s just a light touch, how would you go about conducting your due diligence? Making sure that yes, okay, that might not be a legal or other requirement in that local jurisdiction, but how do you make sure that they are following your code of conduct requirements? What do you think, André, in terms of how you advise your clients on that, navigating that particular tricky area?

André H. Paris:

Perfect. When we deal with very risky jurisdictions, as the example that we shared, we do a deep dive in the third party. So we send them the checklist. And then we ask for evidence of the answers that were given. And we also look for independent sources of information to also verify if the evidence given is right, like some news or regulatory or judicial procedures in the third country that the third party may be a part of. And we may also, as Brian also mentioned, do local audits to see if everything out there disconnects with the reality that we are seeing in the third party. And we can also interview some employees of this company to try to figure out, as we know that they may not always be as honest as you’d like in the answers, but it’s another action. Another caution that we can take to try at most to guarantee that the third party shares the same ethical values that our client has.

Merilyne Davies:

That’s a really good point. Because I have to say in my experience, it’s really important to review the answers that are given in all of your assessments. Because normally, especially in the big global organizations, you have a procurement team, you have a legal team, we have a cybersecurity team, you have a privacy team, and we will have our own different assessments. But actually what we are doing in Reed Exhibitions, we’re consolidating all of that. And so we actually get visibility of what the third party has provided at each stage. And so we’re finding sometimes they’re providing different answers depending on who they think the audience is. And there is inconsistency, and from a privacy perspective, we’re reading that in conjunction with what they’ve stated publicly on their privacy policy, privacy notice, what they’ve said in their terms and conditions in their contract, as well as their due diligence screening. Because if there’s inconsistency there, that’s something you want to pick up before you put the signature on the contract. So yeah, any thoughts to that, Regine, actually in terms of if you’ve seen that yourself and?

Regine Bonneau:

No, I’m glad that you’re doing… You actually just mentioned that because that was one of the things that I get to sit down and read each of these from different departments and review them. And I say, this is the fun part. We map them together and it’s like, okay, are you nuts? Okay. Well, no problem. And also to the documentation, like you said, it’s different, the answer is different, but consolidating it and having it in one track is the key. And that’s why we’re promoting to get it done. And now we’re restructuring that as well for some of our clients to streamline the process, get that information done. And also too, as you mentioned, not only the communication factor between each of these departments is very key when you are looking to, and answering the question of how do you really assess these companies and the environment because of sanctions or the high level of the risk.

Regine Bonneau:

Maybe not just the supplier, but now you’re dealing with a political aspect that is not within their control as well, things outside of the control. And we are seeing that today. And then we are all suffering that today from the supply chain of what’s happening from COVID to back here, to end of today here. So I’m very keen on what they’re going to do with all these supplies that are stuck. Especially preferable ones or what’s not. But we all mentioned here, your code of conduct is very key and applying it across, I always say, go with the most stringent of them all. If we are looking at GDPR and I said, it’s been here for a long time, we’re just catching up with the clients. When companies are discussing, what should we do? I said, well, the best thing you should do is go with the most stringent, and then be a bit agile and enough that it will fit within where you’re going and then you could add onto it.

Regine Bonneau:

And legal is your best friend. I always say that. Legal is your best friend. They’re my best friends as well, because those are the guys I go to first. I don’t even go to the finance guy because if legal says yes, finance will definitely say yes, because the risk is there. And build a team outside of your team. We always hear about inside counsel, outside counsel, but even in each of what we do, we also have counterparts that we collaborate with outside of that, because those are going to be the [inaudible 00:38:38] team that’s going to give you exactly what is needed. But you’ve said exactly what I was going to say earlier. Just saying that, yes, this is the trend that I’m seeing, that we are promoting as well because of the different, and so that you get on top of that, we are using solutions that are actually sending pieces to the different groups of persons that are in charge.

Regine Bonneau:

And of course, bias is always key. And you won’t get that until you go and show me. I’m the show and tell person. And in that sense, and look, if it’s not there, how do we fix it? How do we put it back in place? But yes. So definitely all of these comments that have been made and guidance is very important as I go with the stringent one and move backward. If you’re getting too much data with data and information that you may not even need, has nothing to do, just streamline it. Make things easier. And then now you can actually move forward into what you really need to do. And as André said, I’m taking your line, okay, André, where as a global company, especially you have the backing and we’re not dealing with SMEs that are forced to do it with, or without resources, as a global company, you need to know where you are, where you land your feet. I’m taking that line and it’s key. It’s very important. It’s key because it’s not being used anymore.

Merilyne Davies:

Yes, super. And Brian, any thoughts to that, what the guys have already said?

Brian Myers:

Yeah. I think one thing that’s important is just to always have a healthy level of skepticism about what your third parties are telling you and just think it through, on your own side, they’re saying that they’re doing it in this fashion. Does that make sense? What would that actually entail on their end? How many personnel would that take? Do they have that many personnel? Are their turnaround times consistent with all the things that they say that they’re doing? These kinds of thought exercises will help you then figure out what questions you should be asking them, things that you should be looking at, corroborating evidence to say, okay, I think they are telling us what they are doing, or it could tell you some red flags.

Brian Myers:

So I think, you’ve got to be… It’s not just about asking the right questions. It’s about being proactive on your own side and thinking out what could be happening here? What is the realm of possibilities, figuring out which ones you think are most likely, and then doing what kind of investigation you need to know what is actually going on? And then you take the right action from there. So it just takes a little bit of however frequently it makes sense, just reevaluating, having an honest look at things and seeing if you need to recalibrate on a pre-routine basis.

Merilyne Davies:

Brilliant. Absolutely. Well, we’re in the final three minutes, but it’d be great to get some closing comments from you guys. Specifically also if we could direct folks to a third party risk management or some sort of thing that someone can jump off of as a good practice that they can go for further reading, that will be great. So, Brian, if I may, we can go to you first. That would be wonderful.

Brian Myers:

Sorry. I was distracted by something for one second. [crosstalk 00:42:35]

Merilyne Davies:

The question is just in closing comments. And is there anywhere that you would advise folks to go to any kind of be it standard, be it international or whatever that you would advise folks to go to for the guidance and just the start?

Brian Myers:

Yeah. I think, one, start with your peers. I think you’ll see that a lot of your peers are doing similar things, your peer organizations. We have talked about codes of conduct, lots of companies have them published. We mentioned that it is kind of the norm. So look at what other organizations are doing. Especially ones that are either in or close to your field and you can pull from there what things you are seeing are common? What things stand out, what things seem like they’re pushing in a more interesting direction and that’ll tell you something about yourself, about what stands out to you and what seems interesting. And that can tell you the threads that you want to push down for your organization. So I think that’s a great place to start.

Merilyne Davies:

Thank you and André, on to you.

André H. Paris:

Perfect. I think companies should always give attention to their stakeholders’ expectations. So if you are in the cosmetic industry and your customers are demanding more quality free products, you should hear them. And you should also demand that your third parties also meet these expectations. So I think a key aspect for due diligence is always hearing your stakeholders’ expectations, their demands, because as we said, along our panel, not only legislative requirements are important to be followed, but also ethical aspects that may not yet be legislation. So also follow your stakeholders’ expectations.

Merilyne Davies:

Thank you. And Regine, have you got any short [crosstalk 00:44:49]. Pretty quick.

Regine Bonneau:

No, no. I think Brian and André have mentioned it as well, but the one thing that André just mentioned and I had it down is look internal. What are your own morals and ethics? Because really, even if someone tells you you have to do it, guess what? Nine out of 10 you’re going to go with the shortcutters. I think this is where you’ve seen a lot of companies are reassessing themselves. They call it culture realignment, bringing all that together because before you adapt and see I’m doing it, you are going to do it. You have to be really the person that says that is what you do on a daily basis. It’s part of you. And then you are going to get it done.

Regine Bonneau:

As I said, I tell everyone what you do behind the door is more important than what you do in front, outside. So really look internal within yourself. But because this is what we are talking about, more of the ethics thing, that’s why we are focused on that. But aside from that, the regulations and standards are out there. Your process for your third party is the same process. You have the SIG from Shared Assessments, you have certain things that you can use to get that done. But peers, your code of conduct, look at what everyone is doing, but the ethics starts with you.

Merilyne Davies:

Brilliant. Thank you ever so much panel, great insights there. It’s been a real pleasure speaking to you today and wonderful. Thank you.

Regine Bonneau:

Thank you for having us.

Robert Bateman:

Thanks so much to Merilyne and the panel there, really interesting session, things getting so much more complicated in supply chain management, so much to consider now. In just three minutes, we have our next session. We’re going to go straight into it really. So stick around where you are and I’ll see you in a couple of minutes for our session on preventing software supply chain attacks.

PrivSec World Forum

Part of the Digital Trust Europe Series, it will take place through May, June and July 2022, visiting five major cities:

Brussels | Stockholm | London | Dublin | Amsterdam

PrivSec World Forum is a two-day, in-person event taking place as part of the Digital Trust Europe series. Data protection, privacy and security are essential elements of any successful organisation’s operational make-up. Getting these things right can improve stakeholder trust and take any company to the next level.

PrivSec World Forum will bring together a range of speakers from world-renowned companies and industries—plus thought leaders and experts sharing case studies and their experiences—so that professionals from across all fields can listen, learn and debate.
