Due-Diligence and Risk Assessment in Supply Chain Management

Andrea Tithecott - Partner, Head of Regulatory and Healthcare - Commercial / Regulatory / Legislative Drafting / Sustainability focused Corporate Governance / Sustainable Finance / Sustainable Business / Sustainable Sourcing / Climate Change & Energy Transition

Shaden Shibiny

s.elshibiny@tamimi.com Abu Dhabi, UAE

Hence supply-chain risk management has become an important part of a wider company risk management process. Effective due diligence procedures form a central component of that process for all organisations.

This article will discuss the key elements that should be included in a due diligence process which underpins a corporate risk management assessment, and the consequences of not managing risks or putting appropriate control measures in place. We have focussed on the position in the UAE; however, the same issues arise across the region. We also examine the extent to which technology can be used as a tool to help identify and control supply-chain risks.

Key elements in a supply-chain risk assessment and diligence process:

There are five key elements that should be considered when seeking to understand supply-chain risk, and in respect of which, due diligence should be undertaken:

  • Know your partners in the supply-chain:

The typical starting point when establishing the identity details of a potential partner (agent/distributor) is to obtain and review the partner’s trade licence. This document is available by public record, such as from a UAE Emirate Department of Economic Development register. It provides basic information, including the legal activities that the partner may carry out, and the shareholder information. However, this document provides no clarity as to the ultimate beneficial owner. Obtaining evidence of beneficiary interests is an important factor in assessing partner risk, but such evidence is not usually easy to obtain, particularly in the Gulf states, where there are many family-owned businesses, often third generation with multiple shareholders, and names which are not easy to trace via public records (which in any event often do not exist). It is important, however, to dig deep and not rely on a superficial level of investigation of beneficial ownership information. There could be many hidden risks in doing business with unidentified partners, for instance those who may engage in corrupt behaviour, have a criminal history, be blacklisted from tendering for government contracts, or, in a worst-case scenario, be suspected of financing terrorism.

  • Corporate diligence:

In Gulf states the requirement to lodge certain corporate documents with a ministry or department is commonplace, and it is often the case that those documents must be legalized, attested and perfected before a Notary Public. Failure to properly complete this process can increase a risk profile. When undertaking diligence in supply-chain management, a company should ask a number of questions before signing documents or entering into agreements. Examples include being aware of what corporate and commercial documents are signed, who has the power of attorney and what happens to those documents (e.g. whether they are required to be submitted to a regulator). A signed document which ends up in the wrong hands could be misused by a third party. Certain types of agreement, if lodged with a ministry, may then confer additional legal rights on an agent or distributor, and it may then prove very difficult to terminate relationships with those parties, and any future disputes can be time consuming and costly.

  • Commercial diligence:

Commercial agreements between parties in a supply-chain relationship often contain clauses which require a services provider to ‘comply with all applicable law’. The party securing the services of the provider (whether agent or distributor) could be forgiven for believing that such clauses act as a shield, protecting it from the non-compliant acts of its partners. Not so. Whilst contractual risk can be controlled in this way, not all risk passes and such clauses are not, by themselves, a sufficient protector. Best practice principles should be built into the due diligence process to enable a continued level of scrutiny on the behaviour and compliance of all third party partners. A company and its suppliers form close relationships and both parties are inextricably affected by each other’s actions, and the risks associated with working together are varied, and in some cases, complex.

  • Payment regime:

In the ordinary course of business, payments are made to the supply-chain for services rendered. Historically, a foreign producer of goods may have relied heavily on the local partner to ensure that the route to market was clear, all promotional marketing materials prepared and distributed, and sales teams working to achieve volume growth. In terms of what the supply-chain payments were actually used for, very little thought was given as to whether the behaviour of the supply-chain was compliant, corrupt or fraudulent. In recent times, the Gulf states have been active in implementing legislation which has impacted upon the behaviour culture of the supply-chain. The risk of terrorist financing, bribery and corruption and money laundering is on the rise. Thus, a supply-chain due diligence process should encourage companies to keep themselves abreast of changes which might impact on the supply-chain payment regime and be rigorous as to what services are expected in return for payments made. What used to be common industry practice in the past might now be banned. For example, in a UAE context, a party in the supply chain may have historically paid ‘commission’ payments to a third party or government official in order to attract a new order or with a view to winning a procurement tender; such behaviour would violate the Penal Code and procurement laws. In a further illustration, the UAE Ministry of Health and Prevention has issued a Circular concerning the payment of bonuses and lawfulness of discounting schemes for certain pharmaceuticals, and further policy standards which prohibit payments being made between healthcare professionals for referring a patient if insurance reimbursement is to be sought.

Furthermore, UAE laws are strict when it comes to corporate fundraising activities which are intended to be for charitable purposes, but where there is a risk that funds may be siphoned off and used for illegal purposes (such as financing terrorism). The law now requires such activities (and any social-media content) to be pre-approved by the relevant regulator, and the activities to be conducted alongside licensed charitable institutions in accordance with Federal Resolution number 8 of 1974 and the Executive Council Resolution number 26 of 2013. A breach of these laws can be penalised by imprisonment and a fine.

  • Trade risk:

This risk covers all the legal aspects of getting a company’s products to the market. A checklist could include questions as to whether local suppliers have the correct licences to import and clear products from customs or whether there are legal or regulatory restrictions. For instance, some products such as fire safety equipment can only be imported into the UAE by 100% locally owned businesses, and many products need specific pre-approvals before entering into the UAE or GCC region. Certain products may even be prohibited from being imported under the GCC Common Customs Law.

Consequences of not sufficiently managing third party risks

The repercussions for legal non-compliance or not sufficiently managing third party risks are significant and can be detrimental to any business, and the individuals running the business. Companies can be fined, goods confiscated or delayed at the ports and directors risk imprisonment. The revocation of a work visa, and deportation protocols may also be triggered depending upon the circumstances.

A number of laws and regulations in the UAE are relevant to supply-chain risk, for instance in relation to money laundering, terrorist financing and/or breach of financial/trade sanctions. These include: Anti-Money Laundering (AML) Law (Federal Law No. 4 of 2002); Federal Law No. 7 of 2014 on combating terrorism crimes; Penal Law No. 3 of 1987 and the Penal Procedures Law. A breach of the AML law, for instance, can lead to imprisonment of up to ten years and fines up to AED 1 million (about $272,000). For trafficking counterfeit goods in the supply-chain, penalties are imprisonment for up to two years and/or a fine of up to AED 1 million (about $272,000). In 2016, the UAE consumer protection authority confiscated counterfeit goods worth over Dh1.6 billion.

Suppliers and due diligence

Given that the consequences of non-compliance are severe, an increasing number of companies have become more rigorous in their due diligence processes and are now asking their suppliers to disclose information and be transparent. As a result, many suppliers have become more aware of due diligence requirements and have adapted their business processes to comply with those requirements.

Some US multinationals, when undertaking a deep-dive into partner beneficial ownership issues, require the supplier to answer detailed questionnaires as to beneficial owner information and will require personal undertakings from ultimate owners. In the global supply-chain, international companies often require suppliers to be familiar with US import/export rules and to confirm that they comply with the compliance requirements of a foreign jurisdiction supplier.

In the healthcare sector, pharmaceutical distribution agreements require suppliers to agree to a thorough process of pharmacovigilance (monitoring the effects of medical drugs after they have been licensed for use) and governance requirements (for public listed companies) which are then incorporated into the supply-chain risk assessment.

Risk Assessment Tools

There are a multitude of useful tools available to assist companies when assessing supply-chain risk, such as detailed risk matrices and risk assessment tools, which analyse all factors affecting the supply-chain such as political, cultural, economy, markets, risks of natural disaster, terrorism, and cyber security.

The use of technology and artificial intelligence will play an increasing role in the due diligence process. There are a number of tools already on the market that can analyse documents quickly and populate a risk assessment and provide an indication of risk-level. Technology may never be able to entirely replace the expertise of trained compliance professionals when it comes to due diligence, but it can certainly help to make the process far more efficient.


Good business practice looks like this: having the processes and tools in place to manage risks before they become a problem. Once the culture of compliance is fully integrated into the whole supply-chain, opportunities for growth will emerge through being compliant, efficient and competitive, and by doing what is right.

Al Tamimi & Company’s Regulatory team regularly advises on regulatory compliance. For further information please contact Andrea Tithecott (a.tithecott@tamimi.com).