Upstream Compliance: A New Approach to Managing Risks in the Supply Chain

By Kirsten Wallerstedt

The word “noncompliance” tends to dredge up the notion of fines and other penalties imposed by government agencies. For fear of noncompliance, regulations are increasingly enforced in the business-to-business setting, with obligations pushed upstream to suppliers. Due to a host of regulatory requirements in the global market, companies must make demands of their supply chains to ensure that materials, products, parts, and processes meet the demands not only of government agencies but also of consumers and investors.

To ensure against the risk of exposure, proper documentation and proof of compliance are essential. Without them, the downstream business partner is at risk. Potential risks that companies must mitigate include losing corporate customers, delays in production or transportation, hazards in the workplace, and data management demands. Manufacturing companies must also mitigate the risk of liability in case of accidents during manufacturing or distribution or as the result of packaging defects.

The risk of noncompliance is especially high for companies that deal with hazardous chemicals or consumer packaged goods (CPG) that contain such chemicals. Two regulations in particular address these issues on a global scale: Regulation (EC) No 1907/2006 of the European Parliament and of the Council on the Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH) and the Restriction of Hazardous Substances (RoHS or RoHS 2) in electrical and electronic equipment. Both have grown from their origins in the European Union (EU) to become global in scope and obligation, and their requirements stretch beyond mere compliance.

REACH is the EU regulation requiring the registration, evaluation, and sometimes restriction and authorization of chemical substances. Substances with the highest risk to human health or the environment are placed on the list of “substances of very high concern” (SVHC) and from there become subject to authorization, which means they’re banned from use unless explicitly authorized. Other substances known to have hazardous properties are placed under specified restricted uses, for example, to be used only in certain applications or only up to a certain concentration.

Adapting to regulatory change

Regulations are constantly changing. In the EU, the REACH deadline recently passed for the registration of substances imported into or manufactured in the region. These requirements reach into the supply chain as businesses pass on the requirements upstream. Many companies have imposed additional obligations on their global supply chain related to SVHCs. Moreover, new substances are often added as SVHCs, requiring products, data, and systems to continually adapt.

Many companies in this space seek to adapt before substances even appear on the SVHC list. For example, many companies follow the Substitute It Now (SIN) List published by ChemSec, an international nonprofit organization. The SIN List functions as an early-warning system for chemicals that are likely to become subject to regulations in the future. Thus, many companies impose requirements on their suppliers and business partners to begin to limit the use of substances as soon as they’re added to the list.

REACH has a global influence beyond just business-to-business. South Korea recently modified its Korea-REACH (K-REACH) regulation, under which (similar to EU REACH) companies must inform their professional customers about hazardous chemical substances in their own products and must collect and validate information from suppliers. As the government-imposed regulatory requirements spread, so do the business-to-business requirements. Companies want to be prepared for evaluation by their investors, by nongovernmental organizations (NGOs) that may have an environmental or human rights agenda, and by their customers, whether consumer or business. Thus, more companies are adopting proactive approaches to responsibility within their organization and are imposing their requirements upstream on supply partners.

Some examples of this include CVS’s restriction of chemicals of concern in beauty and personal care products by 2020; Target’s effort to remove certain chemical groups from all beauty, personal care, and household cleaning products by the same date; and AkzoNobel’s announcement of a new generation of food can coatings that eliminate materials of concern, including bisphenol A (BPA). More commonly, businesses subject to REACH, K-REACH, or similar regulations extrapolate those policies to apply to their entire business and supply chain, regardless of whether a particular chemical, product, or business is located in the regulated jurisdiction. More and more, companies consider this simply to be good business.

Like REACH, RoHS is also a “restriction on hazardous substances,” but it’s aimed more narrowly at electronic and electrical products. RoHS also applies to a much narrower scope of chemicals—cadmium, lead, mercury, and hexavalent chromium (the original four RoHS chemicals)—to which have now been added polybrominated biphenyls (PBB) and polybrominated diphenyl ethers (PBDE), along with a group of phthalates.

Electronic and electrical equipment is of particular concern on a global scale because much of this type of equipment is thrown away, leaching hazardous chemicals into the environment and eventually affecting people and animals.

Risks in the chain

To reduce risk of noncompliance with RoHS, companies need technical documentation about the materials in the products or components that they purchase and must perform tests to validate the information they receive from their suppliers. Thus, they must develop robust relationships with suppliers so that they can depend on what’s reported, thus reducing the need for expensive testing. Such companies need thorough process and product requirements to communicate expectations to their supply chain along with mature systems to manage the data that comes in and the ability to flag risks.

RoHS has recently been embraced in China, the Eurasian Economic Union (EEU), which includes Russia, and the United Arab Emirates (UAE) and is proposed in Brazil, among other markets. The European Union is currently undergoing a review of RoHS, which includes the review of substances that may be added to RoHS in the future. Ukraine is implementing measures following EU’s legislation.

The regulations both in the EEU and China cover a narrower range of products, which reduces the burden on companies to track and enforce data on the products subject to these regulations. On the other hand, the regulations may increase the burden in the sense that companies must distinguish between parts and products that fit these specific product scopes. The UAE and Brazil follow the EU’s sweeping product scope more closely, covering a wide range of electrical and electronic products.

Regardless, every company affected by RoHS in any market must be concerned with labeling, certification, and validation of chemical content. And to reduce their own risk, companies must impose challenging requirements on their supply chain networks. The development of such supplier and data management systems often paves the way for the imposition of more business-to-business requirements, such as those involving human rights, labor conditions, the sourcing of minerals from non-conflict zones, and more.

The common thread between regulatory and business-to-business requirements is that chemical or product companies can no longer escape the need to be accountable to their business customers. All companies must have internal management systems capable of assessing and mitigating risks. It pays to stay one step ahead rather than be caught behind.

No one wants to be faced with the threat of losing business for failure to see a trend before it becomes a customer requirement. Staying on top of the market and understanding customers and partnerships can go a long way toward helping companies build and execute a successful compliance and risk strategy.

Kirsten Wallerstedt is a senior regulatory analyst at Verisk 3E, a Verisk business.