Companies implementing due diligence programs face a number of challenges. It is hard enough to identify all of a company’s third-party intermediaries – agents, distributors, customs and logistics representatives, nominees, and professionals, just to name a few.

Getting your arms around these third parties to make sure they are subject to due diligence, and monitored and audited can be difficult. Risk-ranking formulas can be used to make sure that companies apply limited resources on high-risk entities.

All of these challenges apply with equal force to a company’s supply chain. The number of vendors/suppliers is likely to exceed the number of third-party intermediaries assisting a company.

Compliance professionals that bemoan supply chain management are failing to assess and analyze the real risks. I have written on this subject often and tried to explain over and over that a company’s supply chain does not create the same set of risks as third-party intermediaries.

Without repeating myself (which I am apt to do), a vendor-supplier only creates legal risks for a company when it acts on behalf of the customer-company. For example, if a supplier is delivering an order specifically for a company, and bribes a customs official to circumvent all customs regulations, the customer-company can be held liable for such conduct because the supplier was acting on behalf of the customer-company.

In contrast, the supplier of vending machines (e.g. snacks and sodas) that provides snacks to hundreds of company-customers and pays a bribe to circumvent customs regulations is a different circumstance. There is no FCPA liability for the customer-company.

Aside from these legal risks, there are reputational risks. If a company hires a vendor/supplier and it turns out that the vendor/supplier is crooked, the customer-company has to avoid being tarnished by its relationship with the vendor/supplier. While there may be no legal risk, there can be reputational risks based on the customer-company’s relationship with its supplier/vendor.

With these distinctions in mind, how should a company deal with its supply chain?

One important way to distinguish among all of a company’s vendors/suppliers is by ranking them by revenue. I know this sounds obvious but it helps to put things in perspective.

If a company buys supplies from a high-risk vendor but the annual costs do not exceed $2500, is that really a risk a company should worry about?

On the other hand, if the company spends over $1 million each year buying supplies from one supplier, that may be a risk worth evaluating. Again, the risks have to be divided between legal and reputational risks. Legal risks depend on whether the supplier acts on behalf of the customer company.

Based on this analytical framework, companies should be able to focus on higher-risk vendors/suppliers for legal and reputational risks. It can be a Herculean task but it does not have to consume the compliance staff. When you consider the level of risk, however, it is hard to devote substantial time to supply chain management when third-party risks may be more immediate and substantial. All in all, it is a careful balancing act.