Automating due diligence: how to build the next chapter of responsible sourcing

38 minutes

In this podcast episode, EiQ CEO Kevin Franklin and Chief Customer Officer Andy Gibbard break down what automation really means in responsible sourcing and due diligence.

We explore why the transition to automation is so critical and how to take the right steps to effectively transform your responsible sourcing with AI, intelligence and the right human expertise.

Full transcript:

Andy Gibbard, Chief Customer Officer, EiQ: Hello, and thank you very much for joining us today, for this conversation on automating due diligence and building the next chapter in responsible sourcing. I'm here with Kevin Franklin, CEO of EiQ and the leading subject matter expert in this area. So at EiQ, our vision is for highly automated due diligence programmes driven by AI, driven by technology, and really delivering greater efficiency, more effectiveness, and a lot more proactiveness as well. And helping to deliver total supply chain confidence.

So, Kevin, this isn't the first conversation that we've had on this topic, and it certainly won't be the last. But I'm really interested today to hear, really what's changed since we last spoke about this. What's new? Where are we at this point in time and what's coming around the corner, as well as a little bit further out as well? But before we get there, just to set the scene, what do we mean by automated due diligence?

Kevin Franklin, CEO, EiQ: That's a great question, Andy. Automation in responsible sourcing in particular and due diligence it's really important to differentiate what is the intelligence part with the automation part. The automation part for us is really about understanding how to look at the end-to-end responsible sourcing workflow.

Each of the different steps so, risk assessment, programmeme design, segmentation, monitoring of which there could be multiple tools, auditing, worker surveys all the way through into corrective action plan, data benchmarking and continuous improvement. It’s all about looking at that workflow and being able to build automated triggers and connectivity between each of those different steps, which today is a very manual exercise.

AG: Okay. And why is this so important right now at this point in time, thinking about our last conversation on this topic. Thinking about how much that the world has changed in this area over the last 12 to 18 months. Why is this such a hot topic right now?

KF: Yeah, even in the last 6 to 9 months, really, the world has changed a huge amount. I think when we look at automation, we look at it through really the lens of maybe three major drivers. One is the geopolitics that we're all experiencing today.

Another is the regulatory shifts and changes, the regulatory complexity, the stalling, the divergence of regulation, sometimes the contradiction in regulation, and also the stakeholder and investor drivers, as well as maybe a fourth area, which could just be the increased digitisation of trade.

What all of these four things are really doing is creating a huge amount of uncertainty and a huge amount of information, data and complexity in managing supply chains, particularly through the lens of responsible sourcing and what we've seen over the last 6 to 9 months, is that expecting human beings to navigate all of that complexity consistently and continuously is just impossible.

This is where autonomy comes in, because if you design a system or platform correctly, it can actually make the right data-driven and risk-based decisions that take all of that information into account to ensure that you stay compliant, meet and exceed regulatory requirements, etc.

AG: Okay. Thank you very much, Kevin. So, on the subject then of regulation. So how are regulations like UFLPA and the EU Forced Labour Regulation shaping the need for automation in supply chain due diligence?

KF: Well, in the regulatory context, we've seen a lot of regulations around supply chains over the last 15, 20 years. Initially, there were things like the California Supply Chain Transparency Act. Then, of course, we had the modern slavery regulation in the UK, then in Australia, then regulations in France and Germany. Then it evolved to broader, reporting and disclosure type regulations such as the CSRD, Corporate Sustainability Reporting Directive, triple D, due diligence, omnibus, etc. There's so much regulation, and this is incredibly hard for businesses to navigate because those regulations are not all going in the same direction, have very, sometimes different expectations around the depth that you need to go to. And also, sometimes these days are meeting a lot of broader government resistance. This creates a huge amount of complexity in a business, creates a huge burden that up until this point, I would say most companies have been resourcing with human beings.

So, to meet each of these different regulatory requirements, more human beings or existing human beings, given more work, are asked to basically align the business processes, align the tools, systems and structures to basically support compliance with that regulation.

And as more of these come along, it becomes increasingly difficult to navigate the expectations and the requirements. This is why automation is central to that process, because if you automate the requirements of the regulation, build it into a workflow link it to your due diligence process.

You can know upfront that you are meeting X percent of Y regulation, Z percent of, you know, a regulation, etc. but trying to do that manually, sometimes navigating multiple different systems and tools is increasingly overwhelming.

AG: And that's exactly what we're hearing from our clients. So, we recently surveyed the industry, and we discovered that only 1 in 5 organizations has a high level of automation today in their responsible sourcing programmes. And actually, more than 1 in 3 has no automation at all. So, lots of people listening in today are probably just starting out. What advice would you give to them?

KF: Just get started. And I think the easiest place to get started is with your inherent risk exposure. And really that's about understanding and designing your risk assessment process. So, this is today, largely, geographic, country, product and sometimes, Sentinel adverse media information. I'd say today a lot of companies will be doing that maybe once a year from which they design a programmeme that they may deploy with an annual cadence.

I think the first step is to increase the frequency of that, because supply chains today don't change once a year. They change every day. So we can move to a bi-weekly update to your risk assessment process. Maybe you're doing that with just your top tier, or even a subset of that top tier could be your top 20 most important suppliers. But start watching your suppliers more frequently. Start using that data to drive more of an adaptive programme design.

AG: All right. And if we then flip that question over, what are the risks of not starting out and not going on this journey if we continue to rely on, manual processes, on siloed data sources, what's going to go wrong?

KF: Well, I think all of the pain that you're feeling today as you run a responsible sourcing programme, and honestly, I haven't spoken to a single client that isn't feeling that today because there's so much change. But all of that pain is only going to be exacerbated because the world is not going to start moving more slowly to accommodate your supply chain and the pressure you feel.

You're not going to have any additional budget because businesses are pressured. So firstly, that pain is going to be exacerbated. But secondly, with that, I think you're going to start to see more reputational risk exposure. More potential regulatory exposures could be potential regulatory breaches.

You're also going to see a lot of pressure on your teams. Remember that whilst those things will be happening to your company, your teams still have decisions about where they want to work and if they don't want to work in a business that isn't adapting to this rapidly changing landscape, they can move on and go somewhere else. But the business will still feel that pressure of the noncompliance, the penalties, the fines. And I think these pressures will continue to mount, right. It means if you don't start today, you're going to be repeatedly called out over time, because no human based team is going to be able to accommodate the volume of information and the speed of change that is now required for responsible sourcing and supply chain management generally.

AG: So, we've talked quite a lot from the practitioner perspective. What about if we think about the leadership perspective. So how can leaders look at this from a business priority perspective. And what outcomes should they be focused on trying to achieve. From a business and leadership perspective, this is one of the biggest opportunities that has been in this industry, potentially the biggest in responsible sourcing really ever.

It's the first opportunity to leapfrog and to truly design a programme that adds value to the core business. It's a programme that, if you set it up correctly or correctly, will have a lot of efficiency. So, will reduce potentially costs will improve impact will also reduce your reputational risk, will align your business more clearly from a regulatory perspective, and will mean that you can meet and exceed compliance and investor requirements.

It's also a case, a business case that will drive value for suppliers and oftentimes deep trust-based relationships with suppliers, particularly your highly important suppliers. By the way, which are the ones you should focus on, will be very important.

And as a business, you need the ability to do that sometimes just as much as they need the ability to work with you. And doing an autonomous responsible sourcing programme can support that because it means when the suppliers are engaged, they get a lot more for their time.

They get to share audits, they get to learn proactively. They get to be part of a healing process and a system that is adapting and evolving, and they get to potentially find more clients, more corporate clients and buyers. So, I think for a leader in our industry, this is the biggest opportunity that we've seen in the last few decades.

AG: Okay, so moving away from the human element and let's dig into the data. So what type of data is in scope or what type of data is the most important data to be thinking about when we're trying to start automating? Is it the basic supplier data? Is it going into audit data and assessment data? Is it adverse media or is it all of that and more?

KF: From a data perspective, I would say you start with the geographic risk data, the product risk data and the adverse media data. The reason for that is because it's easy, it's accessible, and at least adverse media is changing every day. Even though, in EiQ we're updating every two weeks today, we will update more and more frequently moving forward. But that is a data set that you can implement with very low barriers to execution.

And that's why I would say start there. Next, step two, right. You're connecting it to your monitoring activities. That could be audits. It could be surveys, worker surveys. It could be grievance mechanism data. It could also be self-assessment questionnaires. That's your next big step. And that gives you probably even more of a real-time cadence of what's going on. Because typically audits could be coming in on a daily basis depending on how big your supplier base is. After you've done step one and two. So tweaking and going more real time with the inherent risk then integrating your monitoring data.Step two. 

Step three is where things start to get very interesting because this is where we're now doing things like linking buying data, linking some data that might be in your central procurement systems, straight to EiQ for real-time feed of changes that are being made to your supplier base and those changes are typically much more business centric changes. So could be we've onboarded a new supplier that's have that flow straight into the process of automation. It could be that we've changed our spend with a supplier that's have that connect to our inherent risk exposure to upgrade or downgrade a supplier from a prioritisation perspective.

So that's step three, which is really about linking it to buying decisions and day to day buying cadences platforms with API connectivity and step four is actually where we start to bring in wider, broader geopolitical and external data that may come instead of step three. But when we do that, irrespective of whether it's step 3 or 4, what we'll be adding is GDP data, national and economic growth rates, tariff information, you know, general information on buying and purchasing decisions in countries.

And some of this data will be changing almost in real time, kind of like a stock ticker that you might all watch today for other reasons. Right. But something like that by external sensing information that could be a leading indicator of risk and something like tariffs would absolutely be a leading indicator of risks in a responsible sourcing environment.

Because if we have a tariff being imposed in a country, it will potentially change manufacturing outcomes in a very short timeline. This all leads to changes in recruitment of workers, may lead to the increased use of contract workers or migrant workers, which could predispose the factory to forced labour risks.

If they're using agencies, recruitment agencies, that is, and there might be fees being paid for those jobs so that external information connected to your day to day buying decisions, your day-to-day monitoring activity and your day to day media scanning and geographic risk data gives you an incredibly rich sense of information that you can use, intelligence that you could use to drive the right sort of real-time automated, ongoing risk management capability.

AG: So how important is integration here? And thinking about the, the tool landscape, the platform landscape, some big enterprises might exist. And how important is data integration with, for example, ERP or procurement platforms. And how does that work What's the nuts and bolts of good data integration?

KF: Data integration is critical. It's more and more important. And we see more and more clients asking for it. It's a very good question because traditionally people would load in supply chain information and often manage responsible sourcing on its own. But what we're seeing today is multiple clients will often have multiple systems. So they could have buying platforms, ERPs, they could have other sustainability platforms for other topics like traceability.

How we see EiQ is that it's just a part of a data ecosystem, and that means that we need to be able to push data in or out in order to allow clients to get a full, holistic view of their supply chains. In reality, for responsible sourcing, this means firstly, connectivity with buying systems, ERPs, because real-time changes to those systems should be flowing into EiQ.

They should be feeding into, risk-based due diligence and automated responsible sourcing workflow. Likewise, their results of that workflow where the suppliers are red, amber, green, being managed well or not, should be feeding back into those ERP and buying tools.

So inbound and outbound through things like APIs, in fact, primarily APIs, sort of driving this today is absolutely critical, which is why one of our four major engineering workstreams is all about having a world class and future proof API positioning.

AG: Broadening it out a little bit, and thinking about maybe the management or the leadership perspective as well. How should leaders think about this area in terms of business priorities and what outcomes should they be looking for?

KF: Firstly, they should think of it as a huge opportunity. I look at it as a huge opportunity. I look at it as kind of an existential necessity for the industry. The reality is that responsible sourcing was built as an industry based on certain risks that manifested in the 1990s through the media environments, and as an industry, it's still dominated by auditing. As an industry, it is still largely built on a template of 1990s risk management capability.

But we now live in a world with hyper levels of intelligence and information, and the responsible sourcing tools we have today are just not fast enough that presents a lot of risk and a lot of exposure for our clients, our business leaders. So, they should be looking at it one, as a massive opportunity to close that gap, close the gap of we had a really old fashioned system.

Let's step up to what the world demands of us today. Now, within that stepping up space, there are a lot of other very clear business drivers, right? One of them is about reputational risk management. Clearly, I think that one speaks very easily to most of our clients because we see a lot of reputational risk issues in the media every day affecting companies in food, consumer goods, electronics, retail, apparel.

Another one of them is about operational efficiency, which is about cost savings. This is something that every business is 100% focused on right now cost savings, EBITDA. It's a central narrative that businesses must lean into. And with the move to automation and responsible sourcing, as I said, even if we keep our teams the same size, the impact of those teams will be much greater in their ability to protect the business. So this means we can save time on emails, manual follow-ups with suppliers. My view is that probably for every audit that gets done, maybe there's two, three, four days of wasted time going backwards and forwards with suppliers, scheduling, coordinating, following up, arranging payments, then handling corrective action plans.

A lot of that can go away if you've got a well structured system, driving automation. So that's step or part two, right. It's reputational risk management. It's operational efficiencies. I think in addition to those we've got the clear opportunity for value creation. If we do this well we have a supply chain that is just perpetually excellent right. It's proactive. It's self-healing. It's solving problems before they've even occurred.

So the disruptions that you face today as a business can seamlessly go away because suppliers are being engaged proactively to ensure the risks that might stop. Business activities don't ever manifest in that supply environment. And that creates value not just for corporate clients, but also for vendors, which is really important and for the suppliers themselves. And we really need to have suppliers engaged through an incentive mechanism in responsible sourcing rather than just a compliance one. And this will certainly facilitate that sort of outcome.

AG: All right. So we've got all of this data. We've got our priorities set. Now how do we assemble this. And how does it all fit into a step-by-step autonomous responsible sourcing workflow?

KF: Yeah. Great question Andy. That's the perfect question actually.

So typically when we look at responsible sourcing today, we think of it in terms of risk assessment, programme design, segmentation monitoring, potentially capacity building, corrective action planning and then the feedback loop right through data collection, benchmarking and reporting. And this workflow has been informed by a lot of regulation.

Historically, modern slavery acts are the guiding principles on business and human rights. And most of the current regulation today in the sustainability space requires risk-based thinking and risk-based due diligence. Now, if we look at each of those steps in terms and through the lens of autonomy, there are opportunities. So in the space of risk assessment today, we think of that from a lens of geographic and product risk, maybe adverse media scanning, potentially some external data sets that could get blended in. And we think of that risk assessment step probably as maybe a once-a-year activity. Actually, a lot of companies will be doing that as a once-a-year activity from which they're going to step 2, and then they lean in to maybe adding business data and designing a programme, again, a programme to support auditing or some other form of monitoring.

And that is also often a once-a-year activity. So, in these first two steps in that workflow, big opportunities around increasing the frequency and increasing the accuracy of how this will work. So where we layer in data and then autonomy, what we will have is a continuously sensing risk assessment process that's using data both from the same different settings, geographic product, etc. but that is also bringing in external third party data, real-time information.

And it's looking across not just a constrained and client-only data set. Ideally, it’s looking at across the entire system of information. So it's looking, let's say at everything in EiQ. And it's looking at that whole set of supplier data and improvement activity. And it's able to make dynamic recommendations from a risk perspective.

Those dynamic assessments and recommendations will then feed into a dynamic and adaptive programme design. So segmentation is also not an annual activity. This is going to be challenging to a number of companies, but it's not an activity where you do it at the beginning of the year. There are a few that do it twice a year. And then you say, right, let's roll out 800 audits, let's roll out 200 audits this year, or we're going to do this next wave of factories this year because we have them on a two-year cadence.

The reality is that is not the operating landscape today. It's not a oh, the world will wait two years. Once you decide to come back for your next audit, no risks are happening and changing every day. So this next step of dynamic adaptive programme design is absolutely critical. But now we get from there. So dynamically sensing risk-based programme design, segmentation to questions around what sort of monitoring activity should happen.

Often that monitoring activity is auditing. It could also be surveys. Audits could be one of multiple different forms. Can be industry scheme audits could be our own enhanced responsible sourcing assessment tool. Could be clients’ own protocols could be multiple different audit types. Sometimes their add on modules around for example, foreign migrant workers that can get deployed with an audit. Now in the world of an autonomous and intelligent system, what's happening is the audit or let's call it, rather the monitoring activity is also intelligence.

So it's not a one size fits all. The monitoring that's happening is aligned with the risks. And that means that specific questionnaires or specific audit protocols are being deployed. Could be a standard audit protocol, could also be one with a new module around foreign migrant workers. Well, could actually just be a worker survey, right.

What's being deployed is being deployed to ideally get insight into the risk and to support you to manage the risk more effectively. That is the same for capacity building. In the capacity building space, you might receive a single request to do an e-learning on something like foreign migrant workers, or on something like fires, or greenhouse gas emissions or carbon accounting, or working hours wages. And you would just get maybe that one request could be proactive based on the upfront data that's been received.

Now, when this monitoring is cascaded out to your supplier base, you don't have to do it manually. This is a critical part of autonomy, because now the system is automatically following up with your suppliers. How can that happen? Because your suppliers are in the system, in the platform right themselves. So they're getting alerts through the platform to complete the learning. They don't need people to manually chase them. Right. They know as well that maybe they've got three clients that want them to complete this e-learning. So they're heavily incentivised. They can see the value the duplication risk is removed. And from there the same with things like corrective action plan management, which is a huge untapped opportunity for us as an industry because corrective action plans today often exist in silos, everyone has a different view and way of determining which CAPs they follow up and which ones they don't.

And in an autonomous platform, it is calibrating all of that for you. So it's actually fixing things before they even happen, potentially. But when they have happened, it is following up with suppliers, collecting the information, reviewing the information. Potentially it's not signing off the information because that is still a human requirement. There are still some very critical human requirements throughout this process, but it is speeding it up significantly, and it's helping you to look at the right things at the right time and to make the right recommendations around how to drive improvement in factories from a CAP perspective.

So recommending specific tools, specific, specific systems and interventions that suppliers might use to address things like excessive working hours, for example. And then the same with a benchmarking continuous improvement. All feeds into the system, which is continuously learning, continuously self-healing, and doing that not in a silo of an individual client's supply chain, but doing that across the entirety of every supplier, every corporate and every vendor, which is many tens of thousands. That sit, in this case, in the EiQ platform.

AG: All right. So back to the human element again. So, when we surveyed the industry, we found that the number one priority for sustainability and supply chain professionals is exactly this is automation and AI. No surprise. But those professionals will be thinking about what skills they need to continue to play that human in the loop role, and to make best use of technology and of automation. So, what is that skill set? What does that look like?

KF: Firstly, I would say humans will definitely still be needed in the world of autonomous responsible sourcing and they will be active participants. I don't see less people, I just see more impactful and more value creating people in the process. So the first area where humans will absolutely be needed is decision making, and they'll be needed in the calibration of platforms. So, where we speak about something like EiQ, that is, you know, risk-based, autonomous, someone will need to go in and say, what are my risk appetite thresholds as a company? They'll have to go in and make decisions about whether to move forward with the recommended set of monitoring activity. So calibration, decision making, will be absolutely critical. 

Throughout this process of a lot of decision-making checkpoints. So instead of having to manually assemble data to be able to reach a decision, something else will run the process, assemble the data and then you'll receive the data in order to make the decision. So step one is going to be or part one will be that the decision making but also linked to that will be stakeholder engagement. This is going to be very important because as you are able to make decisions leveraging more data, you'll also need to take your internal stakeholders with you. So that means bringing buyers, category managers, procurement leads, chief supply chain officers into the loop.

Right when you are setting up and designing a risk-based autonomous programme, in the initial calibration, in the risk appetite discussions, as well as potentially in the big decisions around where you roll out audits and how you look at the responses that come in. So each of the different stages will have checkpoints for decision making and stakeholder engagement. And you'll also be able to and this will be really important with the lens of stakeholder engagement. Lean in to buyers working with your buyers making sure that they're aligned and that you're on the same page when it comes to incentivising responsible sourcing programme design.

Now, next to buyers, will be suppliers. You have to really lean in and work with suppliers to incentivise them better to also align with your objectives. So that's another really important set and shouldn't be underestimated because there's a lot more time we should be spending engaging internally and engaging externally with buyers and suppliers accordingly, as well as clearly other stakeholders like vendors.

So those are two really big sets of activities. We should certainly be upskilling our teams to do more of that and to do it more effectively. Really leveraging the deep human intelligence that we've kind of put aside as we've really gotten all immersed in the email experience of our lives.

Thirdly, I would say there's still going to be a need for verification. Verification is going to be very important, even though we may have overall, you know, less on the ground verification. The verification that does happen is going to need to be really good, deep and thorough. So that will be a critical part of the process as well. And maybe just fourthly, although it's a little similar to the decision making, is the calibration, the calibration of your responsible sourcing programme to align with your business needs and expectations. And that means also understanding their business strategy and making sure that responsible sourcing plays a valuable part in that business strategy discussion.

AG: So, thinking about supplier engagement and collaboration and then specifically the corrective action plan management process, what can automation do specifically for this area?

KF: So, let's talk about the collaboration part of that and then flow into CAP. Today a supplier will probably still be being audited multiple times and potentially against multiple different audit standards. Could be an industry standard client sign protocol or our own enhanced responsible sourcing assessment, or maybe one of many others so they could still be today, multiple audits that are being conducted for an individual supplier.

As we lean into answering your question, the first step is to harmonise all of that information into one common framework. So we already have a process called equivalency that will do that harmonisation exercise. Irrespective of the audit. It all goes into a common, consistent data structure that can be linked to a client's own grading and rating and therefore help to focus on the priority areas for CAP for Corrective Action Plans that are relevant both to the end client and also for the supplier.

So that's part one. Part two would be the CAP itself. Now today CAPs are typically designed potentially by an auditor or by a client, or perhaps as a dedicated CAP manager, which means a single human in the loop, helping to structure the nature of that CAP moving forward. If we have an autonomous and intelligent platform, could be EiQ supporting this process, what it will be doing is actually leveraging all of the best practices and all of the learning that it's gotten from the tens of thousands of other CAPs that have been conducted in that country for that issue, and potentially in that same sector, maybe from another sector as well, by the way, where there's an ability to cross learn, but it's not a single human making a single decision about the structure of a CAP.

This is one that's based on real world data that we've seen to be effective. So CAPs can then become a lot more focused and a lot more ground truthed. Very good example of a CAP we all see a lot, is one that might relate to excessive working hours. A lot of factories will have excessive working hours issues. And often this from a CAP perspective then leads to things like time recording systems or requests, sometimes to hire additional workers, or maybe to structure a third shift, etc.. Now, in the world of an autonomous and intelligent CAP process, it will give you very specific guidance on maybe what sorts of time recording tools to use, what time of the year they're going to be needed.

And it will also give you, as a supplier, potentially some ROI, return on investment information, to support that decision. So what it's giving you is much more concise and actionable information that really incentivises long term use and traction and long-term remediation of that CAP. Often today, we see CAPs recurring over and over again, because the first set of things that might be human led from a decision-making perspective can easily get resolved. Boxes get ticked, evidence gets uploaded into a system or provided by email. But there's no real incentive to keep doing those because there aren't really the right things for the supplier long term. If we have CAPs that are linked to ROI, that are linked to costs that are linked to evidence points, we've seen through a much bigger data pool, it's much more likely they'll be sustainable and lead to long term traction with a supplier base, which means you have a position of perpetual and continued excellence in your supply chain. Rather, one with peaks and troughs of performance.

AG: Thank you. Kevin, you've given us a fantastic orientation of where we stand right now with AI and automation. What, what things people need to be thinking about over the next, say, 12 to 18 months. But before we close, I'd just like to stretch that out and look out further into the future. So, what's your longer-term view here? What's going to happen in the next 5 to 10 years in this area? And where will we be by 2035, 2036?

KF: 2035 is very far away, I have to admit. I don't think I can imagine a world of responsible sourcing quite that far away, or at least I would like that it came earlier, I would like it came by 2030, and I think by 2030, it could be a world where you don't even really need to request any audits or any programme management or monitoring activity from your suppliers. If we do this right as an industry, suppliers are perpetually engaged. A system is managing everything, running everything, and you can just log in and see the status of your supplier. Red, amber, green. Right. Because you've calibrated it, you've set it up effectively and it's now all running itself. But because we've also connected fully, the supplier base made them an active part of the process. Incentivise them. They're engaged. And that engagement is a lasting engagement where when they receive alerts or requests from a platform like EiQ, they're proactively addressing them. And that means that you should have a supply chain that is always green, always excellent and always performing.

AG: Kevin, thank you very much. That was fascinating for me and I hope equally interesting for everyone, listening in today. And thank you all for being with us here. Please check us out on eiq.com please follow us on LinkedIn to see what else we've got coming up, to see where you can meet us at an event, or to see how you can really get under the hood of EiQ with a demo. Thank you very much and enjoy the rest of your day.