Does Procurement Play a Starring Role in Your Compliance Strategy? It Should!

by Don MacLennan | SAPinsider

April 1, 2007

Since so much accidental business risk can be traced back to your supply base, companies are wise to root their compliance strategy in the procurement department. Learn how procurement can prove its value to the business by spearheading a company’s compliance efforts, and discover the SAP capabilities that will support them.

Outsourcing. Global supply chains. Social responsibility concerns. Environmental protection. Strict financial reporting requirements. Organizations are now responding to numerous regulations that have been created to mitigate risks associated with these business trends (see Figure 1).

| Regulation | Procurement-specific highlights | Applicable companies | Industries |
|---|---|---|---|
| Sarbanes-Oxley Act | Requires reporting of future purchase commitments, as well as controls for contracting signatories based on amounts and terms | Companies subject to the Securities and Exchange Commission (SEC) regulations on US exchanges | All private-sector industries |
| Gramm-Leach-Bliley Act | Establishes controls to ensure that vendors secure your customers' data when processing on your behalf | Companies subject to SEC regulations on US exchanges | Financial services |
| Restriction of Hazardous Substances (RoHS) Directive | Restricts the use of six toxic substances (including toxic flame retardants found in plastics that may make their way down the supply chain) in several types of products | Companies manufacturing or selling goods in the European Union | Manufacturers of several equipment types |
| Basel II Accord | Requires operational risk controls for preventing supplier-caused disruptions | Companies in countries that comprise the Basel Committee on Banking Supervision | Financial services |
| 21 CFR Part 11 | Requires use of approved vendors when sourcing product ingredients and packaging | US companies | Pharmaceuticals |

Figure 1: Examples of regulations and their impact on procurement organizations

What many companies fail to recognize is that all of these trends, policies, and regulations place a heavy responsibility on procurement to manage risks in the supply base — risks such as supplier viability, product reliability, and missing contractual protections. Neglecting these risks could drive customers to avoid your goods and services, or lead to financial losses from regulatory fines and sanctions.

Making matters worse is the fact that compliance requirements are not typically well aligned with procurement goals. Too often, procurement is narrowly focused on generating savings — not on managing risk or avoiding substandard suppliers that could prove costly to the business and the bottom line. With the exponential growth in regulations and policies, it is no longer safe to assume that your procurement professionals understand all compliance requirements. Nor should you assume that they are fully equipped to comply in a reliable, auditable manner.

For procurement departments, compliance now deserves executive attention and investment of resources. This includes investing in systems that support compliance and in revised employee incentives that are better aligned with compliance goals.

The term "compliance" is not limited to the realm of regulations. It also includes the policies and procedures that a company defines internally — either to adhere to regulations or to deal with some external force or business objective.

The first step is to fully understand where the risks are — do you have a firm grasp of everything from the regulatory compliance of your suppliers to consumer interests in ethical sourcing and product safety? Next, what compliance challenges will your supply management team run up against? Then, how should you define the attributes of an effective system for compliance — and how can SAP help?

The Risk Factors That Complicate Compliance

Compliance processes are rooted in the reduction of risk. To that end, procurement teams must take a comprehensive look at all risk factors that play a role in their compliance efforts.

Embedded in any compliance strategy are sound business practices, many of which are rooted in risk reduction. Accordingly, procurement teams should embrace, rather than resist, compliance to enhance their strategic value to the organization.

Increased Use of External Resources

Companies are increasingly spending more on external suppliers than on internal employees, and are therefore shifting dependency and risk to suppliers outside of the company. The gains in efficiency and agility are well worth the change, but only provided that you manage any risks associated with that change through effective compliance procedures.

In the services realm, for example, there has been an increased use of suppliers for outsourcing and offshoring. Business process outsourcing (BPO) — that is, outsourcing an entire business process to an external provider — is common in human resources administration, IT management, transportation and logistics, and warehousing and distribution.[1]

Despite BPO's rising popularity, companies considering it must be one step ahead, able to predict any problems that may arise. Consider the use of call centers in India. On occasion, Western European and US companies have experienced quality issues — and related cost increases to overcome those issues — with the level of customer support provided. This has even resulted in "insourcing" call centers back to domestic, in-house centers.[2]

Perhaps the root cause of a failed outsourcing effort is that the company attempting it did not do its due diligence and properly evaluate the supplier's capabilities or infrastructure. Or perhaps different service-level agreements (SLAs) were needed. These SLAs could address English language proficiency standards, which would be taken for granted with domestic employees. In the case of the call center in India, for example, an effective SLA would quantify the agent's language, product proficiency, and acceptable levels of service. This specificity could also affect the company's sourcing decision, since the supplier would be required to bid for the contract in accordance with the fully defined SLA specification.

These types of quality issues arise most often from incomplete specifications and requirements that cause the two parties to enter into an incomplete agreement without clear, mutual expectations. This, in turn, hinders an outsourcer's ability to measure contractual performance since the exact metrics and measures were not defined at the contract's onset.

In the realm of materials and physical supply chains, the trend toward using more external resources applies as well. A higher proportion of product design, development, and production has shifted externally to suppliers. Dell is an example of a company that virtualizes its supply chain, relying on third-party design, sub-assembly, warehousing, and customer shipment across a global theater.[3] To stay competitive, many companies are beginning to do the same.

Consider the widespread use of electronic manufacturing services (EMS). The nature of the value-added services delivered by EMS has expanded from product assembly to product design, supply chain design, and component sourcing. Use of EMS is not without its challenges, however. For example, your company's intellectual property may be inadvertently transferred to a third party as the role of product design shifts to the EMS supplier. To mitigate risk when structuring such arrangements, you need risk/reward evaluations. Once a contract is in place, strong controls over knowledge and document sharing are also necessary.

Another consideration in virtualized supply chains is the possibility of inadvertent trading with barred parties or countries. In the US, for example, the Customs-Trade Partnership Against Terrorism (C-TPAT) is a program designed to reduce terrorism risk by securing supply chains. Companies that integrate C-TPAT measures into their procurement processes ensure that goods flow smoothly, avoiding delays and additional inspections.

Heightened Consumer Awareness

Consumer and social values affect the way consumers choose products. And consumers are now examining not just finished goods, but product supply chains as well. Empowered by the Internet, consumers have gained visibility into supply chains and have used this information to organize communities of interest and to lobby regulators and companies about product content, product safety, ethical sourcing, and so forth (see sidebar).

Customers Seek Compliance: How the Rise of Special Interest Communities Affects Your Sourcing Decisions

Compliance doesn't only affect your company; it affects consumers too. A potential customer may avoid your product or service if you don't carefully consider issues around consumer and social values and have sound compliance procedures in place to address them.

Consumer Protection

Food and drugs are among the most highly regulated products in existence. Drugs have rigorous tests for ingredient and packaging toxicity, and food and nutritional supplement sectors are only slightly less regulated. However, these sectors still carry tremendous risk in consumer liability given the mass consumption of these products. For example, the recent recall of fresh-bagged spinach in the United States because of bacterial contamination cost spinach producers untold financial losses.

Social Responsibility

Some of the most prominent examples of the effects of social responsibility programs on the supply chain can be found in the apparel industry. These programs monitor, among other issues, the ethical use of labor in emerging economies and in the extended supply chain. Because of these concerns, many companies have taken action to prove their own social responsibility. Nike publishes a list of its supplier factories and those factories' ratings according to Nike standards.[4] US retail giant Gap Inc. is one of many companies that has gone so far as to publish an annual Social Responsibility Report, which is accessible from the company's home page.[5]

Environmental Protection

Consumer concerns about pollution are showing up in the supply chain as well. In Westernized economies, stricter regulations to help cut back on pollution exist in part because those economies can absorb the cost of compliance. For example, the European Union Restriction of Hazardous Substances (RoHS) Directive bans six toxic substances from various product types, such as appliances, IT equipment, and other electronics. These product types often have complex, multi-tier supply chains, so monitoring the source content of components is a difficult but necessary task.

Let's look at a real-world product safety example. An automobile manufacturer had to recall a car model because of a faulty part — an ignition coil — that could potentially spoil customer satisfaction by causing stall-outs. Those ignition coils were a supplier part with an unacceptably high defect rate that went undetected because of ineffective compliance policies. The car manufacturer then faced a highly publicized, pervasive product issue that, though attributable to a supplier quality problem, reflected on the car company itself. An inadequate quality-control procedure at the supplier directly affected customer loyalty; because of poor supplier performance, customers may opt to purchase another car make and brand in the future.

Key Compliance Hurdles: A Procurement-Focused Look at Why Compliance Isn't Easy

When confronted by all of these issues, your procurement organization will need to overcome multiple barriers to compliance.

Lack of Clarity

Documents alone define many compliance procedures, which means that companies rely on two key assumptions: that the right employees know they need to access those documents and that those employees interpret the documents correctly. But most organizations lack systems that clarify compliance processes and offer supporting materials.

One Company, Many Categories

Imagine you're the supply chain executive at a global apparel manufacturer and retailer. You face a continuous, multidimensional compliance problem: All of your procurement spend is subject to Sarbanes-Oxley compliance; your product supply chain must abide by your standards for social responsibility; and you must constantly evaluate which products are subject to RoHS based on product distribution. With all of these factors to consider, it's no wonder procurement contracts slip through without all applicable compliance requirements checked off.

Incentive Misalignment

For most companies, success in procurement is based on savings created, not on risk avoided. For as long as this is the case, many companies' procurement incentive structures will not reward compliance. And without incentives, systems that ensure compliance will not be fully utilized in situations where there is an option for saving money and skipping some compliance requirements.

How Procurement Can Drive a Strategic Compliance Solution

As we've seen, companies face a complex landscape of regulations, risk-management policies, and consumer-based concerns. By embracing — not resisting — these challenges, procurement teams can seize the opportunity that compliance presents and become the enablers of compliance.

To prove its strategic value to the business, procurement can establish a compliance workflow system, along with supporting documentation, that routes any goods or services subject to compliance requirements through procurement. This will ensure that other departments make the right judgments; as long as individual departments are allowed to engage with suppliers without procurement's involvement or assistance, these departments will likely misstep on a corporate compliance procedure or accidentally enter into risk on the company's behalf.

When implementing a system to ensure compliance, consider the following requirements for deployment success. Note that these requirements all rely on a strong technology foundation.

Define Reliable Procedures and Processes

Employees should easily understand which compliance procedures apply to them in their day-to-day work. This means establishing clarity through system-enabled workflow processes and supporting documentation. The procedures and their purposes should be clear even when subjective judgment is required. For example, how does one evaluate suppliers' financial viability? There is no simple answer, but employees should have guidelines to facilitate a sound decision and tools to document their findings.

Ensure That Your Processes Can Be Repeated

Regulators and auditors often test for the consistent application of compliance procedures across similar events or circumstances. Compliance procedures, in turn, should ensure consistency within processes. Imagine trying to demonstrate such consistency when a process is based on individuals' use of email, free-form document templates, and so on. In contrast, a template-enabled system that contains all key processes and data makes it easy to ensure and measure consistency.

Leave an Audit Trail

An effective compliance process is one that can be proven. This means that the system should capture all of the necessary workflows and data, and it should not require the person auditing the process to invest significant effort to conduct the audit. Just as traditional tools, such as email and free-form documents, make it difficult to apply processes consistently, they also make it difficult to audit for compliance. Imagine that a senior member of your team leaves the company, her hard drive is wiped clean, and her email account is destroyed. If a complex contract is then audited, someone must reconstruct that employee's email trail, document versions, and discussions in order to address the business risk.

In contrast, a workflow-enabled system with supporting documents and data makes auditing a simple task. One customer reported that its efforts to produce Sarbanes-Oxley filings based on contract obligations were reduced by 75% when it implemented an online contracting system.

Optimize Your Processes for Both Compliance and Business Goals

Compliance procedures are not always aligned with business objectives, such as supply-base savings. Those procedures should be optimized to best serve both regulatory and business objectives. Procurement can accomplish this by focusing on process simplification wherever possible — in the supplier due diligence process, for example. Using easy-to-repeat templates, a company can define the key criteria by which they address suppliers' financial viability. An automated system can even score the suppliers against standard measures, removing the guesswork from the process.

Plan for the Long Term with Maintainable Procedures

Changes in regulatory or business objectives are a given. Just consider the effort you'll need to invest in future change procedures, including system configuration and end-user training. This is often a daunting task when evaluating a new system. It's much easier to review features and functions than to develop an understanding of a system's configurability and flexibility. Still, when you evaluate a new IT system, take the time to develop a new scenario and walk through the process of configuring that system accordingly.

Why SAP?

SAP provides an integrated solution that is keenly attuned to the compliance challenges that confront today's procurement organizations (see Figure 2). SAP's offerings include SAP solutions for governance, risk, and compliance (GRC) and mySAP Supplier Relationship Management (mySAP SRM).

| Requirement of a compliance solution | Supporting SAP capabilities | Added business benefit |
|---|---|---|
| Definable | Context-specific help, document repositories, and an intuitive user interface ensure a familiar environment for system users | Defining clear work processes enhances user productivity |
| Repeatable | Template-based forms and procedures make processes easy to duplicate | The entire staff, not just your "star" team members, will adopt best practices |
| Auditable | End-to-end workflow processes ensure that every process step generates auditable information | Linking processes together shortens cycle time by reducing data entry and identifying bottlenecks |
| Optimized | Scoring and analytics simplify decision making when users face qualitative decisions | Teams can identify new sources of savings and value when working through trade-off scenarios |
| Maintainable | Highly configurable solutions meet the needs of numerous industries and company types | Solutions can be rapidly configured to meet the changing needs of the business |

Figure 2: The key requirements of a compliance solution, and how the capabilities of both SAP solutions for GRC and mySAP SRM address them

Organizations create tremendous efficiencies from running standard business processes on unified systems on a global basis. But as they address globalization, they must also address localization; organizations need to conduct business according to country-specific regulations. Without flexibility, these two objectives will collide. Based on an enterprise service-oriented architecture (enterprise SOA), SAP's solutions are unique in that their configurable processes meet both needs at once.

SAP's solutions manage all facets of the supply base, from source to settle, automatically. Through integrated, workflow-enabled processes, every compliance procedure is clear to the end user, managers, and auditors. What's more, the robust use of templates and workflows ensures that procurement can manage each spend category according to its applicable compliance procedures.


Compliance doesn't have to reinforce the perception that procurement organizations clash with other groups within their own companies and keep business functions from achieving their goals. Effective organizations can orchestrate their processes so that procurement is seen as the enabler of compliance and a source of enhanced value.

For procurement to transform compliance into a value-creating exercise, it's essential for teams to think about risk at every step in an integrated process. While multiple regulations, policies, and trends may apply to your company and your procurement team, it's important not to look at any of them in isolation. Only by stepping back and looking at compliance collectively can you take a more holistic approach that will not only satisfy all the supporting regulations and issues, but will enable procurement to move beyond cost savings and establish itself as the "go-to" resource for compliance expertise and business value creation.

[1] For more on business process outsourcing, see "6 Trends You Need to Know Before You BPO" by Bernd-Uwe Pagel in the January-March 2007 issue of SAP Insider (

[2] See Eric Bangeman's "AT&T decides to bring broadband call center back onshore," available at (September 25, 2006).

[3] See Dick Hunter, "Tying Supply Chain to Customers: How Dell succeeds in an increasingly competitive market," available at (December 2005).

[4] See to learn about Nike's factory compliance life cycle.

[5] See to view Gap Inc.'s Social Responsibility Report.

Don MacLennan is a member of SAP's Solution Marketing organization, focusing on supplier relationship management. He has over 18 years of experience working with enterprise software solutions and has focused specifically on SRM solutions since 2001. In 2006, Don was named a "Pro to Know" by Supply and Demand Chain Executive magazine. He is also a frequent speaker on best practices at industry forums, such as the Sourcing Interests Group and The Conference Board. Don holds a bachelor's degree in economics from Acadia University in Canada. He can be reached at
