
The privatization of supply chain compliance (Part 2)

Part One of this series discussed the ways in which corporations are requiring their business associates to commit to third-party codes of conduct (P2P Codes) and related contract clauses.

Part Two focuses on how P2P Codes can exist within commercial contracts, as separate documents or as incorporated portions of contractual obligations.


P2P Codes commonly contain several distinct types of provisions: broad human rights, labor and corporate social responsibility standards; ethical rules governing relationship issues such as conflicts of interest and gifts and entertainment; requirements to obey specific laws of concern and laws generally; and procedural rules such as the right to audit the partner’s records or train its personnel.

Process and structural rules may be imposed on the partner’s compliance activities, such as requirements to establish management accountability, develop appropriate policies and procedures, maintain an anonymous reporting system and an anti-retaliation policy, train employees, conduct periodic audits, risk assessments and remediation, and of course, sometimes to impose corresponding program elements on downstream associates. (Two leading industry model P2P Codes include the Electronic Industry Citizenship Coalition Code of Conduct and the Pharmaceutical Industry Principles for Responsible Supply Chain Management.)

All of these provisions are now commonly tied to contract provisions, raising important issues of remedies such as damages, indemnities and termination. If we are going to turn a compliance code into a contract, we need to consider all the same questions of reasonableness, proportionality and draftsmanship that we ask with any other contract obligations, and in some cases we will need different answers. Experience suggests that this type of legal analysis is the exception rather than the rule.

To the contrary, having discovered that P2P Codes are seldom reviewed for contractual liability, some companies have moved one-sided contract terms into their codes, where the omission of customary contractual exceptions and protections is less likely to trigger negotiation. At a minimum, P2P Codes regularly fail to consider predictable, legitimate interests of the other party that would ordinarily be accommodated in a negotiated contract — creating risks both for the business partner and, paradoxically, for the proponent as well.

For example, if your P2P compliance demands are nonnegotiable and everyone accepts them because they must, how can you distinguish between those who sincerely intend to comply and those who are actually most cynical and least likely to comply? Negotiation, at least, shows that your counterparty takes the matter seriously. And if you have audit or training rights but do not exercise them, or if you do not insist on receiving the required reports or evaluate them when received, have you effectively transferred the risk? Will a prosecutor equate your lopsided risk-transfer provisions with a sincere effort to ensure compliance?

If P2P compliance is in its awkward adolescence, so are the processes by which many companies confront it. Not surprisingly, many incoming P2P Codes and compliance provisions are never seen outside the procurement or sales offices where they first land, and as a result companies take on unanticipated, un-bargained-for obligations. As the volume, sophistication, and associated risks of P2P compliance requests continue to grow, they will demand an organized response at the level of both company and corporate community.

For companies, managing P2P compliance responsibly and consistently requires a protocol for handling both incoming demands and the company’s own requests of third parties (including those the company originates and those it passes on as flow-downs). This protocol should include: cataloging standard acceptable and unacceptable provisions, together with triggers for escalated review (such as indemnity clauses); triage for referring issues to subject-matter experts outside the compliance function, such as sustainability, business continuity, and information technology; assessment of the stakes in each case, including the applicable contractual remedies; evaluation of alternative responses, such as negotiating terms, proposing tailored remedies rather than negotiating the substantive obligations, or seeking approval of one’s own code as a substitute; assignment of each of these tasks to identified personnel; and a decision-making framework for “business necessity” exceptions.

The corporate community has a collective stake in simplifying management of the P2P compliance process while retaining its best features and fostering widespread acceptance of compliance cooperation and accountability throughout the value chain. The goal should be to establish common expectations that are proportional, balanced, and sensitive to the particular risk profile of a given relationship. For example, it would be useful to draw a principled distinction between what is the appropriate content of a P2P Code, what should instead be considered for inclusion in a commercial contract, and what kinds of remedies are appropriate for each.

P2P Codes should be principle-based, and should address issues that are subject to wide consensus and that apply to all business activities. Matters that are essentially ethical in nature should appear in codes, as should all aspirational encouragement of goals where success cannot be assured or a deadline assigned, and for initiatives with no well-defined end-point and no extrinsic mandate. For many P2P Code violations, especially those directed at compliance processes rather than outcomes, remedies should be focused on moving the other party towards compliance, correction of past non-compliance, or termination of the relationship.

In contrast to P2P Codes, contracts focus on very particular business goals, and are risk-based and highly sensitive to the details of the business context. They map a path to the defined goals and seek to further each party’s legitimate interests under the factual variations most likely to arise. Hence compliance provisions that relate specifically to the particular parties, to their specific goals, to the relevant market, and to the risks inherent in each, should go into the contract where they can be negotiated in the light of those specific goals and risks, and appropriately targeted remedies can be assigned.

There will always be zero-sum business partners whose prime goal is risk transfer and who will do everything within their power to achieve it through contracts and P2P Codes. But it is possible to reverse “contractual creep,” and the proof is under our noses. Fueled by a consensus about driving key values home, and leaving the details to other documents that can be consulted and applied when needed, internal corporate codes have lately become shorter, clearer, less adversarial and more digestible and memorable. With the right consensus within the business community, we can achieve the same paradigm with P2P Codes.

Let’s get started. 


Scott Killingsworth is a partner at Bryan Cave LLP and serves on the Board of Governors of the Center for Ethics and Corporate Responsibility at Georgia State University. This post is excerpted and adapted from a white paper presented at a RAND Symposium entitled “Transforming Compliance” on May 28, 2014, which will be published in September 2014 as part of the final symposium report. The full white paper can be found here.
