Do you know what the Modern Slavery Act is and how it will impact your business? We had the opportunity to have Associate Professor Justine Nolan from the faculty of Law from UNSW and David Tattam, Director of Research and Training at Protecht discussing about this important topic in a live event.
In this blog we are sharing the recording and transcription of David Tattam presentation. Watch the video below to learn the key elements of the Modern Slavery Acts – Federal and NSW? Who does it apply to, what is covered and required, and the implications of non-compliance? You will also be given a summary of what you need to do to prepare. You will gain in-depth knowledge on understanding, analysing and recording slavery risks, developing a risk assessment and monitoring approach and methodology, the importance of understanding and assessing supply chains and vendor risk assessments.
Video Transcription:
Okay, so I got up this morning, my beautiful 11-year-old daughter now and again says, "What are you doing today, dad?" And I tell her, and she glases over because it's risk and risk management. So this morning, I said, "I'm actually speaking tonight at the University of New South Wales," which made me sound really intelligent. She said, "What are you speaking on?" And I said, "The Modern Slavery Act." Her little ears pricked up, and I told her a couple of sentences what it meant. She says, "Does that mean when I go and buy my T-shirts, I'll be able to tell whether child labor has made them?" I'm like, "What a beautiful comment." I said, "I hope so." Then I thought, "Wow, we've got a big gap between maybe what we're trying, what we'd end up with, and getting there."
But that ultimately is, to me, what this is really all about. Is enabling us, as people, to make choices with the knowledge of what created what we are buying, the services we are producing and so on. At the moment, my little 11-year-old doesn't have that knowledge to be able to make that choice. She can guess, and she can read the newspaper and the stories. There was also a story in the newspaper last week about smashed avocados. I don't know whether any of you read it, but there's a few cafes in London now that have decided to stop selling avocados. I thought, "This is a bit interesting," because it's kind of a fairly good product to sell, apparently in London. I read a bit more, and it says it's because this particular restaurant in London traced back to where those avocados came from, and they found that a lot of them were created or run by the Mexican cartels. The drug cartels.
They linked it and said, "Well, I'm sure that probably the worker's conditions wouldn't be very good in producing those avocados, so we are banning them from our cafes." Those two little stories, to me, are really what this is all about in a practical sense, In terms of what we are trying to achieve out of all of this. I guess finally, it's Christmastime, and Christmastime is all about hope. I think finally, after quite a lot of time in business, I'm starting to feel a real view of hope in terms of business, in terms of us as a corporate society, caring about others. I'm getting a bit kind of Christmas-y here, but that's what this is about. I look upon it as things such as the Royal Commission into financial services. Care for customers. That can be quite novel for some. The integrated reporting, if you are an accountant, which talks about the need to report on profits and losses around all of your capitals, including human capital, rather than just shareholder capital P&Ls.
And finally, obviously tonight, the Modern Slavery Act, which again also goes that stage about caring, about caring about humans and human rights. So I guess it's one of the reasons I'm really, really passionate about speaking tonight, and talking about this. I'm obviously coming from a risk angle in terms of what should we be doing to react to this, and how can you think about integrating it into your risk and business processes, and that's what I want to talk a little bit about.
The 5 Key Components of the Act
What I want to cover really is these five things:
- Slavery Risk - looking at slavery risk in a little bit more detail so we understand the risk. We cannot manage what we don't understand.
- Risk assessment and risk monitoring - which is part of the Act, but it is also a really key part of us understanding the level of risk in our supply chains and in our business.
- Tools to support the process - in terms of assessing that risk, managing that risk, treating, assessing the effectiveness of the treatment methods.
- Reporting
- What's next
Structure, Operations and Supply Chains
Firstly, the key components. As Justine mentioned, certainly out of the Act, we've got these four key components. That is the structure of the business, the structure of the organisation, our operations and our supply chains. That's really understanding the framework, the processes that go towards producing what we do, whether it be a service or a product. Obviously from there, we can start drilling down and go, what risk do we have in that process?
Potential Modern Slavery Risks
Potential modern slavery risks. Justine started to talk about what that looks like, and the issue is, how do we find out what they are? How do we identify them? Moving to obviously assessing them. Once we've done that, actions to assess and address those risks. Sounds like controls, there might be a few other things. Finally, how do we assess the effectiveness of those actions? If we drill down into that, to me there's probably about seven or eight things we need to consider.
Key Components Required
1. Organisation, supply chain and process mapping - So we understand the beginning and the end, from right at the beginning in the field in Bangladesh, all the way up to the sale of that product or whatever it might be, from our business.
2. Risk identification and understanding
3. Risk treatments and controls
4. Compliance risk assessment
5. Risk monitoring
6. Reporting and Analytics
7. Culture - Why did I speed up then? Because all those elements are effectively enterprise risk management, and you should be doing that anyway with all of your other risks, so maybe we can start utilising our enterprise risk framework and slotting modern slavery risks in. I'm not saying might, we should, because that's why I'm standing up here, talking about how we can do that and leverage off what you are currently doing in risk management anyway. Now, in terms of doing good risk management, I guess modern slavery risk management, the first one is to actually understand the risk. That is a struggle sometimes, because risk isn't easy. I want to spend a couple of minutes thinking about what risks we face under this act, and more generally around slavery.
Understanding our organisation process supply chains
The first one step is to understand our organisation process supply chains. At the starting point, we've really got to think about your operating model. What have you got? Number two, your supplier's operating model, and their suppliers, and their suppliers, and their suppliers, and I could keep on going depending on how long that chain is. From this, we're going to need to think about then our linkages. So, we think about this. First of all, we've got our direct risks, which Justine mentioned. This is our own practices that involve slavery risk. Then we've got the indirect ones, which could come through the supply chain. Then we've got the ones that we're linked to, such as an investment in an operation that has slavery risks. So, it's fairly broad. To understand the supply chain, understand our linkages in itself is a fairly big task, and the difficulty is visibility.
How are we going to get an understanding of our supplier's supplier's supplier's supplier? Justine did a hint about that downstream reporting, which I'm sure some organisations are going to be asked, "If you don't report, we won't have you as a supplier." Because somehow, those large organisations with revenue over $100 million are going to somehow have to get visibility, and it's probably going to be with a little bit of persuasion, maybe even written into supply contracts and so on and so forth. To me, that's fantastic, because that puts this influence of this act, and it pushes it out, which is exactly what should happen. So, let's then focus on modern slavery risks. Well, let's start off thinking what risk is. Risk is the effect of uncertainty on objectives. So, what are the objectives that an organisation should have with respect to Modern Slavery Act?
Number one is to ensure we comply. Why? I know there is no direct punitive element except if you are in New South Wales, but what about the others? The reputation, the regulatory action. Perhaps disqualification from certain government supply contracts, disqualification from a supply contract to a large organisation that does have to do it. Now, this is important, the risk of noncompliance, but it's pretty shortsighted. Because the real risk we have is, or our objective is to protect human rights. And obviously, we are having this Act to influence us, encourage us to do that, but really we should be doing it anyway. So, the two risks I want to delve into is the first one, Modern Slavery Act compliance risks. And secondly, the modern slavery risk.
Slavery Risks
1. MSA Compliance Risk
1. Reporting Risks (Structure/Operations/Supply
Chains, Risks, Risk Treatments, Assessment of
Treatments)
2. Modern Slavery Risk
1. Slavery (Forced ownership, threat, coercion etc,
Physically constrained / restricted)
2. People trafficking (Human commodity)
3. Servitude
4. Forced Labour (Coercion, threat etc.)
5. Child Labour
6. Forced Marriage
I won't repeat the bottom ones, because Justine has gone through those examples, so what I wanted to do is just investigate those two risks a little bit deeper. The first one being the compliance risk, and we can define that as the risk of fines, reputation damage and/or regulatory action as a result of noncompliance with the Modern Slavery Act.
Going back to what Justine mentioned, obviously the risk of fines differs between federal and state, but ultimately it may come. Now, some of you who know us as a firm know that we like Bow Ties, Risk Bow Ties. For those who haven't done a Bow Tie, we're just about to do one. So, I have Bow Tied a couple of risks. The first one is MSA compliance risk, and then I'm going to do it on slavery risk. I'm going to be quite quick here, but I think you get the drift. In the middle, we have breach of MSA obligations.
Those that know Bow Ties, we ask but why? Until we get back to the root cause, let's have a look at that. I'm not saying this is perfect, I made it up, but this is what you're going to have to do to really understand the beginning and end of your risks, the root causes and the impacts. It could be deliberate. It could be accidental. Deliberate could be corporate sanctioned. Volkswagen, maybe it wasn't. Not sanctioned, not by the board and corporate management anyway. That could be because it's an unethical strategy, part of our strategy is not to comply for whatever reasons, because it gives us cheap labor. It could be inadequate process. Why? Lack of investment in the processes we need to do this. That links to that. Unethical behaviour of some of our staff. They want bonuses, bonuses based on their business unit P&L. A bit of cheap labor wouldn't go amiss to hit my bonus. Next, competing priorities. We've got better things to do. What about accidental, purely human error? We just didn't know that we'd been involved with slavery. It was kind of an accident, we overlooked it.
What about system designed failure? Whatever we do to do our assessments, we missed it. We didn't get our supply chain mapping correct. What about lack of knowledge? Inadequate training around everything that Justine has just been talking about. Going down the other way, what does that lead to? Compliance breach of the MSA Act. It might then get reported in the press. We might lose customers and contracts because that might be part of the contract, supply contract. That might give us reduced revenue, reputation damage, staff morale. My daughter would be horrified if she worked for an organisation that used slavery. She is only 11, so she doesn't work yet, because that would be slavery, but she would be horrified. So, the impact it has on our employees and staff. That also links there, links there, links there.
Remediation costs to fix things up, and regulatory action. Now, that's obviously the federal act, because I'd have to add fines on to the New South Wales act. Let's just look at an example of understanding a breach of MSA obligations. For those that have never seen a Bow Tie before, we put an outline around there, and that is obviously the Bow Tie. Now, I'm not saying that's perfect, but it does get us to start understanding our risks in more intimacy, because unless we do, we can't start treating those risks and managing them, and reporting them. So, what do we do next? We need to think about controls. I've come up with a few, here they are. It's a bit difficult to read here.
Training, quality assurance, attestations for people around their compliance. Breach management and reporting, media monitoring and strategy, and regulatory relationships. There may be more, but now we've got the concept of our compliance together with our treatments and so on.
Now, this is really what we're talking about when we talk about the effectiveness of our treatments, because this is shortsighted, protecting the company. I love the comment you made, Justine, saying it's about looking out. It's not about looking in and being selfish, it's about looking at your fellow man and going, "Let's protect them from the risks that we bring." That's where I want to go now, which is way more important as a risk, and that is modern slavery risk. Defined, in this instance, the risk that an entity causes, contributes or is otherwise directly linked to modern slavery practices, and that covers the three elements that Justine spoke about. So, let's have a go at this. The first one I've ever done, modern slavery risk, but I made it up. So again you would need to take this, and expand it into the relevant for your organisation. Here we go.
Modern slavery in the middle, and that is obviously the definitions that Justine has been using. But why? It could be internal. We direct. We have it in our business. It could be external, as part of some kind of independent supply-chain third-party. Internal could be deliberate. It's sounding a bit familiar here. It could be accidental. It could be corporate sanctioned. Not sanctioned, unethical strategy. The two of those go quite hand-in-hand with noncompliance, obviously. Industry practice, that's one of the difficulties we have. If we don't use slavery, we won't be able to compete. We were doing a piece of work over the last couple of years in Turkey, in Istanbul, and it was for a telco. It was developing risk appetite for their business, and they're government-owned, with Turk telecom. I'm not going to say it.
Being government owned, they had to be extremely ethical around what they were doing, so they had sero appetite not to comply with all the rules. But their competitors, who were not government owned, they don't have quite such ethics, and therefore industry practice is not to comply. And so, a lot of them are signing up customers who are coming over the border from Syria, and there's a lot of compliance breaches going on there, but they're doing it to grow their revenue. So, obviously the salespeople are looking at those competitors and going, "Their revenue is a lot higher than ours, because they're breaching," and they're wanting to be dragged into not comply. Which is always going to be a risk when we have competitors that are not doing the right thing. Therefore, this has to be an industry developed response, rather than just an individual organisation. But we need leaders, and Justine referred to some of those leaders, which people need to stand up and be counted here, and start this process going.
Then, the critical mass will happen. Then it will become part of our every day. In addition, it could be the practice of the country. The country that we work in. We used to have an office in Nairobi in Kenya. We don't anymore. Let's just say risk/reward, and the biggest risk we have is bribery and corruption. That was a bit tricky, given that we are a risk management firm, so we had to make a call and go, "This country runs on bribery and corruption, and we don't want to be a part of it." That was a big part of it. There were other reasons, but that was a big part of it. That might be an issue for us. These are just other connections here. Lack of knowledge, human error, system design failure, similar similarities to adequate training. It could be external to our supply-chain. It could be our vendors, it could be our vendor's vendor, and our vendor's vendor's vendor's vendor, all the way down the supply chain. That obviously is where the slavery arises.
That's an example. We need to drill back to that, to get an understanding of what our modern slavery risks are. Going the other way, what have we got? Reports in the press. Loss of customers and contracts. Breach of human rights, and that links with our compliance risk that we spoke about earlier. Hopefully reduced revenue, because my daughter won't buy your T-shirts.
Reputation risk, staff morale, and it's got a similar impact in terms of the other. Now, we talked about enforcement, and we talked about the fact that at a federal level we don't yet have punitive fines, but I think a lot of it is going to be driven by those ones there. Reputation, lost revenue, customers voting with their feet. That should give that, I think, a strong element. Some of you might have watched Q&A the other night, and modern slavery was being talked about. We had a couple of ministers from both parties that were talking, and the Labour minister did attack the Liberal minister based on, "We decided we should have fines, and you decided no."
They were going a bit head to head, and the comment was made that they believe that this part will be strong enough, through reputation, to enforce this. We'll wait and see, but they did say we're having a review in three years, and if it doesn't work, we can stamp some fines in then. So, I think it's actually quite good, personally, of the government to give human nature and trust in humans a go. If that fails, yes, we'll slam you with fines, but I think we should just see what the corporate world does, and have a bit of faith and hope that we will actually do the right thing here. Put an outline around that and we have the Bow Tie. Now, what are we going to do about slavery risk? We have to report on this, and a lot of that is going to be putting controls in place. So, here's some examples. I wish I had used another colour, given the colour, but anyway, here we go. It's on controls.
Sorry, I'm just going to ... Vendor due diligence is going to be critical. It's going to be asking lots of questions. We're going to build that into supply contracts and so on. Vendor contracts, sorry. Building terms in there. Vendor monitoring is going to be interesting. It sounds like third-party risk management? It is, supply chain risk management, and I believe that a lot of modern slavery risk will slot into that. We may have to go further, though, if we're going to go all the way back to the beginning of that supply chain. Vendor monitoring, we've got that. Quality assurance, industry country assessments. This is going to be risk-based. Where have we got the highest risks from countries that maybe we rate higher, and also industries? Strategic risk assessment, in terms of what our ethics are. Attestations, again, and then we've got more of the active controls, media monitoring, breach management and so on.
As you appreciate in risk management, prevention is better than cure. Hopefully we never even get to that point. If you've got great controls in place, you should never even get to that middle, so this is about being prepared, and putting preventative and early detective controls in place, and dealing with the risk really early on so you never ever get past the centre of that Bow Tie. Now, we've talked about treatment methods for controls. There are others. Let's have a quick look at them. You may, with number one and five, accept the risk. Now, you're going to have to accept some modern slavery risk. It's impossible to reduce to sero, because of the difficulties of getting that visibility, and getting that coverage. So, you're going to have to have some degree of risk acceptance with what you do. Transform the risk, process re-engineer.
Change suppliers. That would also have a great influence on behaviour. Increased controls, we've talked about that. Transfer the impact to someone else. Sorry guys, not going to work with the Modern Slavery Act, because either your costs are going to be fines, and I don't think you can get insurance for fines. I think there is a moral dilemma there. Secondly, if we cause pain and suffering to humanity through slavery, no one's going to transfer that pain and suffering to anybody else. So that one, we can almost eliminate. Accept the risk outside of appetite? I hope not. The only way you're going to do that is maybe in the early period, realise you have got modern slavery risks that are greater than what you accept, and you know it's going to take you six, to eight, to nine months to fix it.
You might have a period that you accept you are outside of appetite. We need, in my view, up to board level, with the board signature to sign that off that we are accepting for nine months, six months this risk outside of appetite. Avoid the risk, that might be the answer. Move your operations or supply out of that country. We left Kenya, not just for that, but that was avoidance. Then finally, reduce the controls? Oh, that doesn't sound very good. I don't think that's relevant right now, because we are just starting out on the journey of managing modern slavery risk. It's not a case now of we've got too many controls, let's reduce them. I think it's the other way around. So, all of those are relevant, except number four and number seven, and I would argue that number five isn't a good process to go on
That gives us then our treatments, and from that we need to think about then assessing the effectiveness of those treatments, which we'll talk about in a second. One of the biggest problems we're going to have in doing this risk assessment and monitoring all of that is our sphere of influence. Now, if we look at this, we've got our entity, and I've gone back three levels in the supply chain. That won't be too bad, because we've got a direct relationship with that vendor, so we can build that into supply contracts, vendor contracts. We can do it through due diligence, and we can take our business away if they are not doing the right thing, but then we've got that linkage as well. Now, for us to get that over the vendor's vendor is going to be a bit more difficult. We don't have a direct relationship, so we're going to have to put pressure on number two, to put pressure on number three. Then pressure on number three is going to have to put pressure on number four, and this has to filter down the supply chain.
Hopefully, the people at the top, we often call it tone at the top, the $100 million plus organisations can do that, and it will slowly filter through the supply chain, we hope. Now, one of the things you need to start off with straightaway is to get this risk into your risk appetite statement. If you haven't got it in already, which I doubt you have. And what is your risk appetite for modern slavery risks? Now, there's two parts to this. What is your appetite for breaching the Modern Slavery Act? I'm not going to answer that. I'm going to let you answer it, and it needs to go in there. What is your appetite for the risk that could lead to a breach of the Modern Slavery Act? And what is your appetite for modern slavery risks? Now I'm sure, because of our hearts, we'd all like to say sero, but I think we have to be realistic and go it's going to be very difficult to get sero, other than avoid.
So, you're probably going to have to accept some kind of appetite, but this needs to be raised at the board level and discussed at the board level, and brought up as something we need to assess in terms of our appetite. It's going to get the invisibility at board, and hopefully, I was just actually this afternoon at a client's board session doing the risk appetite statement, and we did the 14 appetite risks, and I said, "I think you've got another one." They said, "What's that?" I said, "Modern slavery risks." They said, "What?" But anyway, we're adding that on as number 15. They were already talking about it as I left, and go, "We didn't really have an idea about it, but we think that's important to put on as another risk." So, I want to leave you with that. Please get it up there, into your risk appetite.
Risk assessment and risk monitoring
In terms now of risk assessment and risk monitoring, we have to take a risk-based approach to this. Especially large organisations, which have very complex supply chains, and we need to look across that whole supply chain process, our relationship, our investment, and go, "Where are the higher risks?" Justine talked about some indicators, such as the countries, the industries that we are in, and that would be a starting point. So I'm going to call that a high level risk assessment, and then we can start drilling down. When we do a risk assessment, there needs to be a risk-based approach. Identify the areas of higher risk, and focus our efforts on those areas of higher risk. Now, the risk assessment might be by vendor, by geography, by product or service, by supply chain, by value chain. By department, division, business unit, by legal entity.
It's up to you how you divide up your organisation to do those assessments. Now obviously, some of these assessments will feed one into the other via a pyramid, and you've got to work out what level you do it at. I don't have the answer, but you've got to think, what is the right level to do that assessment? Is it the corporate level? If you are small, maybe. If it's not, it might be division or business unit and so on. But in terms of doing it, what are we going to have? Over on the left, slavery risk caused by supplier A, and that is a supplier risk assessment. We will then rank the suppliers on the assessment, give them a rating. We have our controls around it, and we would have our inherent risk rating and our residual risk rating. Inherent before controls, residual after controls, and that would be our initial assessment of the effectiveness of our treatment methods.
The difference between the inherent and the residual. We would then plot that on our typical matrix, not that I love that matrix, but that's another story. But at least it then gives us some view of what the level of slavery risk is before any treatment methods that we put in, and our perception of what it is afterwards. Now, what we've just done there is step one in enterprise risk management, which is risk assessment, but that is only one element of understanding modern slavery risk. But it is a very important one, and there it is there. We do, however, have other methods within risk management that can also help us get much better view of our slavery risk. What are they? Okay, the main ones we have, controls assurance. Justine mentioned the evidence of how effective, of how our risk or treatment methods have been. There were a number of ways to do that.
The ultimate test has the incidence of slavery reduced. I get that incidence. However, we could also assess the effectiveness of our controls over slavery risk, and some of you in your process might already have controls assurance, and that should be one source of evidence of how your treatment methods are working over slavery risks, included in your controls assurance. Incident management, the ultimate test. Have you found instances of slavery through your supply chain, through your processes, and they should be recorded as an incident. We should learn from those. Compliance. We've already covered that. A little bit shortsighted, in the sense of only protecting ourselves, but if we do comply, there is a good chance our modern slavery risk man