Responsible Sourcing Risk Assessment Process
Responsible Sourcing Risk Assessment Process
The Corporate Responsibility team, with support from industry associations and third parties, will conduct research to identify higher-risk vendors, product or service categories, and geographies. Inputs into our risk assessment research includes the following:
- A review of vendor’s public sustainability reporting
- Vendor’s membership in an industry association related to responsible sourcing
- Vendor’s public sustainability assessment ratings
- The risk of a nexus between vendors and sanctioned entities
Potential, new and existing vendors will be engaged in the assessment process.
In short, we expect vendors to comply with our Supplier Code of Conduct. We take this expectation seriously and it is part of the standard terms of our contracts.
And we expect vendors to be responsive to our requests for information when we are conducting an assessment. They are expected to complete a self-assessment upon our request and provide policies, documents and past audit reports to help us conduct our assessment.
More specifically, we require vendors to have certain labor, health and safety, environmental and ethics-related policies, and procedures to verify compliance with those policies, in place to ensure that they and their suppliers can comply with our Code. If these are missing, the vendor is expected to address these gaps within an agreed upon time frame.
We will partner with our Procurement or business team to set expectations with vendors to complete self-assessments or complete corrective actions. The process is initiated prior to the completion of a vendor contract, or kicked-off when an existing vendor is identified as higher-risk based on aforementioned criteria. We then request the vendor complete a Vendor Self-Assessment and possibly a Facility Self-Assessment if their manufacturing or service facilities are also identified as higher-risk.
Once the vendor returns the self-assessment(s) and related documentation, they will be analyzed by the corporate responsibility team and if there are findings, or gaps between the vendors policies and operations and our code, the vendor will be expected to close those within a prescribed amount of time.
The Self-Assessment Questionnaire (SAQ), is a common risk-assessment tool used by vendors to complete an assessment of their own operations against our Code.
The Vendor SAQ looks at the vendors management system (i.e., policies, procedures, governance) while the Facility SAQ looks at actual practices, such as working hours and pay.
The Best Buy Responsible Sourcing program is a risk-based model. We will not assess all vendors but plan to assess higher-risk vendor performance, in part, through the SAQ.
Throughout the assessment process, the corporate responsibility team is available to answer questions and provide guidance to vendors, as needed.
Additionally, we’ve embedded instructions on how to complete the SAQs within the document itself. If we decide to request an audit, we can support vendors who are new to the process. If the self-assessment or audits result in findings, we are also available to provide guidance and coaching so that the vendor can adequately address the issue.
There are a variety of ways we seek to assess a vendor and their supplier’s performance against our Code and one option is an on-site audit. When a higher-risk vendor also has higher-risk facilities in their supply chain, we may request that they provide a recent 3rd party audit report. If no audit exists, we will request a Facility SAQ and if we have concerns with their SAQ or if we uncover additional information about potential risks, an audit may be requested. If that occurs, the vendor would be responsible for arranging and paying for the audit.
There may be instances when an assessment or audit of second tier vendors or sub-contractors may be deemed necessary due to risks identified when assessing our direct vendor.
While we may request an audit at a second tier or subcontractor, For the responsible sourcing program to be successful, vendors must regard the code as a total supply chain initiative. At a minimum, vendors should also require their next tier supplier to acknowledge and implement the Code.