Networking shares the risk


First published in Procurement Professional, the official magazine of CIPS Australia, April 2010


Collecting compliance information from suppliers and subcontractors is a costly, time-consuming,
soul-destroying task. Nigel Dalton-Brown suggests an alternative approach that distributes the
administration costs across the industry.

Key points

  • The job of collecting and verifying the compliance information of each supplier is not a trivial task.
  • Almost every supplier and contractor document is being logged hundreds of times.
  • Under an alternative approach, it is the supplier’s responsibility to load the compliance information for presentation to its customers.


By applying social networking ideas to the business environment, a purchasing and supply manager can go from around 10% compliance reporting to over 95% – and reduce administration costs at the same time. Community of Interest (COIN) networks eliminate vast amounts of administrative effort across an industry, working on social network lines, but adding common purpose, dialogue and security.

Before examining the differences between the old, Excel-based way of doing things, compared to the COIN approach, we need to understand the scale of the requirements. What compliance documents are actually needed? What are the risks of not managing compliance?

The compliance matrix

Compliance can be split between internal and external compliance. This article focuses on external compliance – compliance relating to the supply of products and services. 

For an organisation that has hundreds, if not thousands, of suppliers and subcontractors on its books, the job of collecting and verifying the compliance information of each supplier and each of its products as well as each services provider and each of its employees is not a trivial task. As it is a mandatory requirement, someone ends up with the job of being on the phone, calling and chasing up the expired or missing documents. As an added complication, many documents have expiry dates and need to be checked on a regular basis and some certificates are issued by third-party accreditation bodies and insurance companies and so need to be checked for fraud.

So what kinds of documents need to be collected?

The Compliance Matrix outlines the types of documents that need to be addressed by most purchasing and supply professionals: 

  • Company
  • Product
  • Contractors
  • Plant and Equipment

One COIN network lists over 5,000 different types of compliance certificates for the food and facility management industries alone.

Table of Compliance Matrix


It’s worth highlighting that while the need to collect company and product compliance information is generally well recognised and understood, there is some confusion regarding the need to collect compliance information on contractors. Once contractors are provided with a work order, purchase order or verbal order, they are considered employees and, as such, the organisation needs to ensure their safety. As a result, companies have a legal requirement to carry out the following checks on all contractors:

  • Do they comply with all the necessary OH&S legislation particular to your region?
  • Can the contractor prove that all insurances are valid and up to date, e.g. Workcover and Public Liability?
  • Do all contractors and staff (electricians, plumbers, blasters, etc) have the right licences and are they up to date?
  • Has site induction been carried out for your premises?
  • Have they received a copy of your OH&S policies?
  • Has all their equipment been tested and granted a valid certificate?

For facility managers, safety and duty of care includes visitors. I have noticed an increase in formal site inductions when visiting some companies. For the more advanced organisations, it’s more than simply signing a visitors’ book and obtaining a badge; they now request all visitors to go through a formal online site induction. One leading mining company checks tagging of power cords for laptops and projectors for all visitors at their head office.

The consequences of non-compliance

Product and contractor compliance generates significant paperwork for purchasing and supply managers; however, the consequences of non-compliance can be very severe for the company, its directors and its managers, including:

  • Damage to the brand and reputation of the organisation;
  • Financial penalties for individuals and the company; and
  • Jail terms.

There are plenty of horror stories where excellent companies have been caught out by non-compliant product suppliers, e.g. lead paint in children’s toys, poisonous baby milk in China and many others. The damage to the brand takes years to rectify and the costs reverberate throughout the supply chain. Food safety incidents have serious consequences for growers, food processors, distributors, retailers and foodservice entities. These incidents can result in significant financial damage, including the cost of product recalls, decontamination and other recovery costs, lost sales, litigation costs, damage to brand and reputation, trade restrictions, and reduced company valuation or stock price. A recent Electrical Regulatory Authorities Council (ERAC) report states that unsafe electrical equipment can cause fires resulting in fatalities, serious injuries and extensive damage to property. It estimates the cost of electrical fires and fatalities at $489 million per annum. For OH&S infringements alone, individuals must pay their fines with no financial support from the company, and there is no insurance available to manage the company’s or the individual’s risk. Penalties include prison terms of up to five years and fines in excess of $1.3 million. While the maximum penalty is generally imposed on repeat offenders, it is also imposed on breaches that cause serious harm to employees or persons (subcontractors) at work.

A day in the life of John

Suppose we have the luxury of John, a full-time staff member responsible for collecting and reporting on compliance.

Every day, John comes into the office and starts uploading documents that suppliers and contractors have faxed or emailed into the system. Not all suppliers fax the right document, or even the current one, so John spends the majority of his time on the phone, asking for the correct, missing or renewed document. Some suppliers might be busy or unavailable, so John has to call again and again.

In the meantime, suppliers and contractors come and go, so John needs to contact them to get them to fax or email documents in. If John gets through the list for the day, he then looks at the database or Excel spreadsheet, monitoring for any expired or missing documents. When he finds an outdated certificate, John has to contact each supplier individually, chasing the missing or expired documentation. If there is no response within a couple of days, John has to call them up again. In the occasional free time he has, John does a double job of filing away each supplier’s compliance documents as a back-up copy. John is also expected to run random checks for fraud, calling up issuing authorities to check the validity of certificates and compliance documents. This tail-chasing exercise continues for John day after day.

This time wasting occurs for the supplier as well. Suppliers are continuously being asked by their customers to fax or email in compliance documents. The same documents can be requested for each and every proposal, no matter that they were posted in before, as they have now been “filed somewhere else in the system”.

The COIN Approach

The conventional approach means that documents are being logged multiple times, increasing the chances for errors. Almost every supplier and contractor document is being logged hundreds of times.

The COIN approach is best described by comparing old-fashioned mail to Facebook. In the old days, if you wanted to update your friends, you wrote and posted one letter to each, and you received as many letters back in return. Things improved slightly with email: you wrote one letter and copied it to all your friends, but it was still “send many; receive many”. For compliance documents, a medium-sized company can easily have 443 compliance documents, 337 relating to staff. With 100 customers, those documents are being logged in various systems 44,300 times across Australia.

Social networking has changed this. You create a presence on Facebook or LinkedIn and post your information, news and updates; you say who can see your information and who cannot and your friends get alerted to any changes. The approach is “post once, viewed by all trusted partners”.

With a COIN-type solution like iCiX (the International Compliance Information Exchange), the responsibility for loading compliance information is turned on its head. It is now the supplier’s responsibility to load the compliance information for presentation to its customers. Much like Facebook and LinkedIn, the supplier scans all 443 documents and publishes them, as well as key metadata such as start date, expiry date, issuing body, etc., onto the COIN network – once, and once only.

The supplier then allows access to all 100 customers to view their documents and metadata. From the purchasing and supply manager’s point of view, his department no longer has to load the documents and track them, as he can now use the COIN network to run reports on expiry dates across all documents across all suppliers. Taking the supplier above, instead of 100 customers loading 443 documents, the supplier now loads 443 only once, a saving across the industry of 43,857 times.

John’s task has suddenly become much easier. He no longer has to chase and upload documents; his suppliers are doing it for him. Nor does he need to check for expired documents; the system does it for him. As all John’s suppliers have now posted all their compliance documents on the system, with expiry dates, John can generate real-time reports in seconds. Previously, these reports took days to generate and were out of date by the time they were produced. Most COIN solutions also have a broadcast facility, so when John runs a report that highlights some expired documents, he simply broadcasts a message from within the report to the non-compliant suppliers to remind them to update their documents.

This is just the start for John. COIN network solutions, by their nature, are based on communications, so they provide additional features such as incident and claim management, an additional source of cost savings for John’s organisation. Research from MetricStream in the US shows that most organisations do not track and measure the cost of poor supplier quality (COPQ) which may add up to over 10% of the organisation’s revenue. Even worse, fewer than 50% of companies pursue cost recovery with their suppliers. John is well on his way to becoming a hero within the organisation.


Nigel Dalton-Brown, GAICD, AMIIA, MBA

Managing Director, Chair, Speaker, Lecturer, Author

Nigel is the Founder of Strytex and has been presenting and writing on Governance, Obligational Awareness, Risk Management and Compliance administration (GORC) since 2010.
