Category Archives: risk assessment

You Are What Your Suppliers Do: Supplier Actions Make Headlines, Break Business

With companies facing increasing pressure for the actions of every part of their supply chain, demand for – and reliance on – supplier/corporate social responsibility (CSR) audits conducted by third parties has grown rapidly.

Shirts, Phones, Rocks and Shrimp

But there is concern about the quality, reliability and credibility of these audits.

CSR Auditing and Toilet Paper

Is Social Auditing Really Auditing?

Harvard Professor Identifies Factors for Meaningful CSR and Supply Chain Audits

You Don’t Know What Your Suppliers Are Hiding

Companies rely on their CSR audit firm to utilize qualified auditors, employ adequate QA/QC processes and expend adequate time to conduct a reasonable audit. Yet there are no generally-accepted professional CSR audit practitioner standards. Moreover, due to cost pressures, lowest cost audit providers are frequently selected that may not have appropriate auditing skills or training – the largest CSR audit firms conduct tens of thousands of these audits each year. Increasing audit time and costs to improve quality or credibility is typically not realistic – the business model is inherently high-volume, low margin.

Are these audits effective at finding supplier actions that create risks for you? Can a company gain confidence in their CSR audits without adding costs? Is a change in auditors necessary?

Improve Credibility for Disclosures, Media and Customers

Changing audit firms is not necessary, nor is another layer of auditing. Instead, a formalized auditor training program can be a low cost yet effective solution.

The Elm Consulting Group International is expanding our well-proven auditor training program to companies who use CSR/supply chain auditors. The intent of this program is for brands to provide detailed communication and training to their current CSR/supply chain auditors about the company’s requirements for auditor competence, audit quality and processes in order to enhance the credibility of audit information.

Our formalized training for existing CSR auditors builds their client’s confidence in the quality of the work provided. The program is not intended to provide training on specific audit topics such as child labor or worker rights. Instead, the focus is on proven audit techniques such as:

  • Understanding and applying professional skepticism
  • Interviewing and active listening
  • Identifying and responding to non-verbal cues within multi-cultural contexts
  • Evidence sampling methodologies
  • Using information from different sources
  • Verification and recomputation techniques
  • Judging audit evidence quality and limitations
  • Fraud detection
  • Using working papers and audit protocols
  • Writing effective and complete audit findings
  • Audit quality expectations, requirements and processes
  • Maintaining auditor independence, including auditor rotation

Our Qualifications as The Leader in Auditor Training

Our HSE auditor training experience began in the 1980s and we have successfully trained hundreds of external and internal auditors. Elm Principals hold auditor certifications from the US Board of Environmental, Health and Safety Auditor Certification (BEAC, now wholly merged into the Institute of Internal Auditors) and UK Institute of Environmental Management & Assessment, are approved trainers for the IIA EHS auditor certification program and are subject to annual continuing education requirements ourselves. Further, Elm Principals have served in various Board positions in The Auditing Roundtable (merged into the IIA in 2016) and BEAC, including the current BEAC Chair.  More information about our internal audit quality and auditor competence standards is available here.

Give us a call at 678-200-3424 or contact us via email to discuss how we can help you increase confidence in your CSR audits.

We’ll Be Seeing You

We’ve been quiet over the past several weeks because we’ve been busy.  A number of companies took us up on our recommendation to get a program review and we are continuing to conduct those through the end of the year.  But we will be back out and about soon and available to meet and chat.

Although our parent The Elm Consulting Group International has long been recognized as a leading environmental, health and safety auditing firm and  Elm Sustainability Partners is most well known for our conflict minerals services, we also provide other sustainability/supply chain risk assessment services.  We recently summarized our general experiences with sustainability in comments to the US Securities & Exchange Commission’s Concept Release as they explore the need for including sustainability disclosures within standard financial reporting.

Where we’ll be

We are always happy to talk at meetings, conferences or phone calls.  Please don’t hesitate to reach out.

Cyber Attack on Iron Furnace Controls Causes Physical Damage to Plant

A few years ago, we wrote about how the growth of cyber attacks should be considered when companies assess environmental risk of their operations.  As highlighted in that article, rogue code was discovered before harm was done.

But an iron foundry in Germany was not so lucky.  As reported in this  WSJ article,

The plant’s control systems were breached which “resulted in an incident where a furnace could not be shut down in the regular way and the furnace was in an undefined condition which resulted in massive damage to the whole system,”

This situation should cause concern to anyone responsible for HSE and sustainability matters.  Malicious control of production operations can result in all sorts of nightmare scenarios, especially where the manufacturing operation involves the use of chemicals.  In the most minor case, environmental permit violations and media coverage are probable.  The worst scenario could involve the intentional weaponization of manufacturing by hacking operational controls and intentionally creating another Bhopal or Chernobyl.

We continue to recommend that companies consider these issues when conducting environmental risk assessments of their operations.

Reputation Risk and Conflict Minerals

Respected governance and internal audit expert Norman Marks posted a fascinating article on reputation risk.  He quotes a line from a recent survey that summarizes the main point:  reputation risk is driven by other business risks.  In many ways, he seems to be speaking directly to conflict minerals.  A few of his salient points are below.  Actually, the whole article is so on-point we almost need to quote it in its entirety.

It should be noted that the likelihood of a significant impact on reputation arising from, say, a safety issue is not necessarily the same as the likelihood of other impacts such as fines, lost time, and so on.

In addition, the impact on reputation may be positive while the impact on, say cash flow, is negative!

For example, the decision to divorce the organization from a supplier who is found to have broken the law may adversely impact costs and disrupt delivery of product to the market – while enhancing the reputation of the organization…

… when there is violence in some part of the world, people look to the US, EU, and others for a reaction. It’s not only the action that can affect reputation, but the failure to act

Actions by third parties that are part of the extended enterprise (suppliers, channel parties, agents, and even customers) can affect reputation. This needs to be identified, assessed, and monitored closely as well…

Of course, reputation risk is the basis of the Dodd-Frank Section 1502 conflict minerals disclosure so perhaps there is little surprise that Norman’s comments are so relevant.  Yet in the heat of effort companies are expending for SEC compliance, some may lose sight of this risk.

Reputation risk is a subject we explore specifically and deeply, from many points of view and sources.  We also explicitly drill down into impacts on supplier relationships – both positive and negative*.

Norman refers to the concept of “risk sensing” as a means of identifying and monitoring reputation risk.  We agree – as a matter of fact, given that our experience includes traditional risk management (insurable and non-insurable), this comes naturally to us.

One client has a particular exposure to reputation risk.  We knew this before the engagement because of our pre-engagement research and “risk sensing”.  In reality, this was easy to identify because the company is very well known and recently the subject of significant negative publicity about their core operations.  Because we were aware of this existing situation, significant time was expended discussing potential reputation impacts of conflict minerals matters.  Facilitated discussions took place between many business, communications, PR and procurement leaders (among others), leading the client to a thoroughly-considered conclusion and plan of action.

Norman’s article should be carefully reviewed and considered.  Afterwards, it may be worthwhile to revisit your own assessment of conflict minerals reputation risk.


*  For instance, eliminating suppliers that are not conflict free can result in a consolidation of purchasing power (a positive), but also reduce supply chain resiliency in the event of a disruption, such as what occurred with capacitor manufacturing in 2011 (a negative).

All that Glitters: Conflict Gold Accusations in Dubai

Global Witness just published a rather shocking report that blows the whistle on allegations related to gold due diligence activities at one of the world’s largest gold refiners (located in Dubai) and the audit firm engaged to conduct the audit of the company’s due diligence processes.

According to the report, Kaloti Jewelry International hired Ernst & Young to conduct an audit of their operations in 2012 against supply chain due diligence guidance developed by the Dubai Multi Commodities Centre (DMCC), a regulatory body.  DMCC’s due diligence guidance was based on the OECD Due Diligence Guidance.

The audit team reportedly found that the refiner:

  • Engaged in suspicious cash transactions totaling more than US$5.2 billion in 2012 alone;
  • Knowingly – and routinely – accepted tonnes of gold from Morocco that was coated in silver to intentionally circumvent that country’s gold export laws; and
  • Had inadequate supply chain documentation for suspect gold from Sudan.

From there, the report points fingers at the DMCC and Ernst & Young directly for various governance failures related to the Kaloti audit results.  Eventually, the lead auditor from Ernst & Young refused to sign the audit report and resigned because the firm did not report the findings publicly (as was specified in the original DMCC guidance) and did not disengage from the client at that point.

There are, of course, two sides to this story and the Global Witness report reflects but one.  We only know what is presented in the report and have no basis on which to judge or assess the larger set of facts.  But a partner resigning from a Big 4 firm (apparently voluntarily) in response to the situation does raise eyebrows.

Even if the facts eventually demonstrate that there is more to this, the perception alone of the report could result in significant and wide ranging impacts for all stakeholders in the conflict minerals supply chain.

Additional coverage has been published by British media BBC and The Guardian, both of which include interviews with the auditor.

Environmental Risk and Sustainability in World Economic Forum’s Global Risk Report 2014

The World Economic Forum (WEF) has published its Ninth Global Risks Report.  We look forward to this report every year.  This year, a number of items caught our attention related to environmental management, sustainability, human rights and risk assessment methodologies.

  • Environmental management.  Man-made environmental catastrophes did not make the Top 10 risks, but it was noted.  In the Global Risk Landscape (Figure 1.1), man-made environmental catastrophes was rated slightly lower than average impact with slightly higher likelihood.  At the same time, it was included in the Interconnections Map (Figure 1.4).  The map not only shows the perceived connectivity of the risks, but also weighted the strength of the identified linkages.  We find it interesting that man-made environmental catastrophes have:
    • Medium strength connectivity to climate change;
    • Medium strength connectivity to water crises; and
    • Weak connectivity to biodiversity loss and ecosystem collapse.
  • Sustainability.  WEF is working on a sustainability-adjusted Global Competitiveness Index (GCI) that “captures the extent to which prosperity is being generated in a sustainable way, taking into account environmental stewardship and social sustainability.” (Box 1.6).
  • Human rights.  The Report does not list human rights or labor conditions at all.  There are weak implications in the report’s discussions of income inequalities, urban poor living conditions and social instability.
  • Risk assessment and management.  Risk management practitioners, including those in the EHS/sustainability realm, may find the discussions on risk assessment methodologies (Parts 2.5 and 3) particularly insightful.  Among the more important points is the potential for cognitive bias in the risk assessment process.  Box 2.5 presents a number of risk management solutions, with which EHS and sustainability professionals should already be familiar.

CMCheckPoint(sm), the Conflict Minerals Self Assessment Tool, Updated with New Feature

Elm’s CMCheckPoint(sm) tool has been updated to Version 2.1 and is now available.

The updates include:

  • Available versions that work in Excel 2011, Excel 2010 and Excel 2007/2008.  Due to limitations in Excel 2007/2008, that version has certain reduced functionality.
  • A new Document Status Tracking feature that automatically consolidates the completion status and notations for key conflict minerals program documents into a standalone worksheet, allowing the user to easily see and keep track of relevant documentation.
  • Improved navigation and user instructions.
  • Automated linkages for overlapping questions.  In some cases, certain questions/issues may be present in more than one topic/area as they relate to multiple program elements.  Users now need only address the first occurrence, which then automatically populates the second occurrence.  The second occurrence remains fully editable on a standalone basis to allow the user to reflect any comments that may be specific to the second occurrence.
  • High definition rendering of the SEC flowchart from MetalMiner.
  • Text edits and updates reflecting recent information, insights and clarifications.

Click here to download CMCheckPoint(sm) Version 2.1 from MetalMiner’s download page.

Conflict Minerals Report (CMR) Audit Cost Reduction Strategies, Part 3

UPDATES:  On April 7, 2014 – almost a year after we originally posted this article – the SEC published a second set of Q&A.  Question 18 clarifies that the SEC staff position is fully consistent with the strategy discussed below.  In addition, the September 2014 Department of Commerce report adds another reference point against which smelters/refiners need to be compared in due diligence measures.


This is the last installment of our three-part series on strategies to minimize the costs of the upcoming Independent Private Sector Audit (IPSA) of the Conflict Minerals Reports (CMRs) required under the SEC final regulation. Each installment focuses on one strategy.

Our short series of articles explores ideas for reducing the cost of the Independent Private Sector Audit (IPSA) of the CMR. This final article focuses on the third cost reduction strategy – defining the due diligence process. Fair warning – this discussion gets deep into the weeds of the regulation and the OECD 5 Step framework.

As a quick reminder, recall that SEC narrowly focused the IPSA by establishing the specific two-part audit objective, and clarifying that “the final rule does not require an audit of the entire Conflict Minerals Report” (p. 56329). The IPSA is to cover the elements of the CMR that describe the due diligence activities – nothing more [1].

It is therefore critical to clearly define and delineate how due diligence activities relate to – and contrast with – other activities.

Isn’t Due Diligence the OECD 5-Step Framework?

The default response to the question of “what is conflict minerals due diligence?” is the OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High Risk Areas and the associated supplements. This document is frequently referred to as “the OECD Due Diligence Framework” or the “OECD 5-Step Framework” in reference to the five-step conceptual design outlined in the document. SEC referred to the OECD framework in the preamble to the final regulation, acknowledging that it “satisfies our criteria and may be used as a framework for purposes of satisfying the final rule’s requirement” (p. 56326). Indeed, at the time of the rule’s adoption, the OECD document was the only such framework (p. 56281).

So there it is.

Or is it? Must a company’s due diligence process, along with the description of it in the CMR (which defines the boundaries and cost of the IPSA) contain all five steps?

We think not, and this graphic illustrates our views.

Statements made by SEC and OECD support the position that some steps of the OECD framework align with SEC regulatory elements other than due diligence. Among the more significant:

  • Risk identification (OECD Step 2) is part of the RCOI (SEC Step 2) (p. 56312)
  • Policy development (OECD Step 1) is part of RCOI (SEC Step 2) (p. 56312)
  • RCOI precedes – and determines the necessity for – “further work outlined in the OECD guidance – due diligence”, indicating that the OECD 5-step process includes more elements than just due diligence. (p. 56312)
  • Due diligence processes are not prescriptive, are intended to be flexibly implemented, may differ between companies and even between minerals within the same company (p. 56326; OECD p. 14 and Annex I, p. 16).

The OECD Cycle 3 Report also bears out these, and other, supporting points.

Perhaps not everyone will agree with this interpretation. But we believe that for many, it will make sense and help manage IPSA costs.

Setting It Up

Once a company has reviewed the facts and circumstances and decides to move forward in this manner, the next question is how to proceed and/or prepare. We don’t think this needs to be complicated, burdensome or require significant changes in processes/systems already underway.

We use this analogy: visualize the OECD 5-step framework as separate tabs in a 3-ring binder. Removing the Steps 3 and 4 tabs and placing them in a separate binder labeled “Conflict Minerals Due Diligence” establishes the distinct scope of the due diligence process and by definition, the IPSA. The original binder can be appropriately labeled “Conflict Minerals Management Systems, Risk Assessment/RCOI and Reporting” – or similar descriptive terms. Just don’t call it “Due Diligence”.

Now place relevant documentation behind the appropriate tabs in the correct binders. As a front page for each tab, consider adding a short description of each element, how it relates to the other elements and due diligence, maybe even using a diagram. Do the same for the standalone due diligence binder to clearly illustrate the distinction between it and the others. The summary description may even form the basis for the CMR due diligence description.

Again, keep in mind that the IPSA should focus only on the elements of the CMR that describe the due diligence activities. Emphasize clarity in these explanations as that will help the auditor understand the program element boundaries and ease the audit process. As mentioned in the previous article, companies need to ensure they select qualified auditors with appropriate expertise so that the delineation of the processes is understood.

What about Step 4?

OECD Step 4 is the audit of the due diligence practices of the smelters/refiners themselves. It is well established that both OECD and SEC support use of industry initiatives such as iTSCi and EICC’s Conflict Free Smelter (CFS) program to conduct the smelter/refiner audits [2]. For downstream companies in particular – as OECD made clear in the diagram on page 20 of the Cycle 3 report – Step 4 is about supporting the development and implementation of third party audits.

But in our view, the connection between the smelter audits and the due diligence “binder” is not about conducting or participating in smelter/refiner audits as that may not be reasonable or appropriate given the company’s place in the supply chain. We think the relationship between due diligence and Step 4 centers on obtaining additional information about smelters/refiners that are potential “risks” as determined from the RCOI process (e.g., non-responsive suppliers and smelters/refiners that are not CFSI audited or even on the CFSI lists) and if or how the company uses smelter/refiner audit information within its risk mitigation/response strategy and decisions.  This is consistent with the SEC’s clarification on RCOI versus due diligence.

Under this interpretation, the company’s due diligence process and explanation thereof in the binder and CMR report would identify the third party audit scheme relied on by the company (e.g., EICC CFS), and describe how the company uses that information. The IPSA would not assess the smelter/refiner audits themselves, but as defined within SEC’s stated IPSA objective, would instead compare the CMR’s description of the smelter/refiner audit information use with the way the company actually makes its risk mitigation decisions.

Are We Done Yet?

In our three articles, we presented ideas to consider in managing the costs of complying with the IPSA requirement when such an audit is triggered. Some of our commentary may be considered controversial and there may not be general consensus on them. Over time, other ideas and interpretations will likely emerge that reinforce, supplement or supersede these. We will attempt to offer commentary as we become aware of these developments, and invite others to engage in the discussion.


[1] Although to be precise, auditor guidance for the GAO audit standards is in development to help auditors interpret when or if conformance to Attestation/Performance Audit standards require what some may perceive as scope expansion.

[2] Others include gold audits under Responsible Jewellery Council (RJC) and London Bullion Market Association (LBMA), both of which have obtained mutual recognition status with EICC. The tungsten industry’s Conflict Minerals Council was launched very recently; it is unclear at this time how that initiative aligns with Step 4.

These articles represent views, observations and opinions of The Elm Consulting Group International LLC/Elm Sustainability Partners LLC and are not to be construed as legal advice, nor should they be relied on without appropriate business and legal reviews.

Analysis: Has Public Opinion About Conflict Minerals Impacted Consumer Electronics Sales?

The Elm Consulting Group International LLC has released an analysis of whether a discernible correlation exists between consumer sentiment on conflict minerals and consumer buying decisions in the electronics industry.  The report provides valuable insight to companies planning conflict minerals management programs, public messaging initiatives and related internal expectations.

We recognize that 2011 is the first year of broad public awareness about conflict minerals.  It is possible there has not been enough time for the topic to have permeated consumer consciousness and priorities.  In addition, perhaps the consumer sentiment rankings we relied on are not viewed as valid, credible, accurate or actionable by the general public*.  These points are valid, but this is the best information currently available.

The analysis concludes:

Based on the findings from this small sample, consumers are not likely to differentially punish or reward companies (in financially material sales figures) in response to conflict minerals disclosures or programs, at least in the near term.

Supporting this conclusion, we highlighted a contrast between HP and Apple.  For 2011, HP ranked number 1 in the Enough Project ratings; Apple ranked in the middle tier of the ratings and also was the subject of intense public criticism over corporate social responsibility matters, specifically including its conflict minerals status.  Yet HP’s consumer products revenues fell 2% (2011 compared to 2010), in contrast to Apple’s 66% increase in the same period.  Factors other than conflict minerals appear to be far more relevant to each company’s financial performance.

* Note:  Inclusion of and references to the Enough Project, Raise Hope for Congo and Getting to Conflict Free is not an endorsement, nor do we imply the rankings are valid, credible or accurate.  Our use of the rankings only reflects (a) the limitation that no other specifically-targeted indicators currently exist and (b) that they are intended for the general public/consumers.


World Economic Forum Releases Global Risks 2012

As it has done each January for the past 7 years in conjunction with its annual meeting in Davos-Klosters, Switzerland, the World Economic Forum (WEF) has released its annual review of Global Risks.

We have enjoyed the previous years’ reports and find them incredibly interesting, primarily due to the insights provided about linkages and correlations of risk areas.  This year’s report – as did the 2011 report – contains a “microsite” that allows a meaningful interactive user experience in exploring the risk topics/geographies and related linkages.  Click on the Data Explorer tab to the right of the Report Viewer window – the controls are highly intuitive.

The Report goes well beyond HSE and sustainability matters to be sure, but it is well worth mentioning here and worth the time spent reviewing it.