If your team only finds out a supplier's ISO certificate expired when:
an auditor asks for it
a customer questionnaire lands in your inbox
or something actually goes wrong
...you are not alone.
In a lot of organisations, supplier risk and compliance are still handled with:
manual checklists
scattered folders and email attachments
one person "keeping an eye" on expiry dates
occasional one-off ESG or financial checks when someone remembers
Meanwhile, procurement is being handed more responsibility for compliance, sustainability and ESG "because you own suppliers", without being given tools to manage it. Everything lands in procurement's lap, but the ways of working are reactive by design.
This post looks at:
how reactive supplier risk and compliance shows up day to day
why regulation and stakeholder pressure make this unsustainable
what a proactive model looks like
how Kodiak Hub helps you go from "we find out by accident" to "we knew weeks ago and already acted"
Here is what teams describe when they say "we are reactive".
ISO, IATF, HACCP, safety certs, insurances and policies are collected once, then parked in folders.
Expiry dates are in someone's spreadsheet, if at all.
No system alerts anyone when something lapses or is missing.
You only discover the gap:
during an audit
because a customer asks for proof
or after an incident, when Legal or Compliance goes hunting for documentation that does not exist or is out of date.
ESG questionnaires are often one-offs:
sent during onboarding and maybe never updated
stored as PDFs with no structured data
disconnected from actual risk tiering or commercial decisions
At the same time, supply chain due diligence rules around human rights and the environment are tightening globally. The EU's Corporate Sustainability Due Diligence Directive (CSDDD), for example, requires in-scope companies to identify and address adverse human rights and environmental impacts across their value chains. (European Commission)
Doing that with static spreadsheets and PDFs is not realistic.
Many teams:
run a credit check once during onboarding
maybe look at a cyber questionnaire during a big IT sourcing event
never update these systematically over time
If a vendor's financial rating drops or their security posture deteriorates, you only notice when service degrades, invoices go unpaid, or there is a breach in the news.
A familiar pattern:
Compliance, Legal, Sustainability and Security point to procurement when risk issues involve suppliers.
Procurement is expected to "put something in place", but only has email, Excel and generic S2P modules.
Everyone is under pressure from regulators, customers and the board to "get proactive" on supply chain ESG and risk. (lfmeab.org)
That is a hard circle to square without dedicated supplier risk and compliance tooling.
There are at least three reasons the "we'll deal with it when it happens" approach is breaking.
Across regions you now see:
Supply chain ESG due diligence laws (CSDDD and similar frameworks) that expect clear processes, supplier screening and remediation, not just a code of conduct on your website. (European Commission)
Security regulations like NIS2 that explicitly mention supply chain security, meaning you must assess and manage risks introduced by suppliers and service providers, and often embed requirements into contracts. (DLA Piper)
These do not say "ask a few questions once". They assume you have ongoing visibility and controls.
Recent research shows:
supply chain due diligence is seen as one of the most impactful systemic changes in global trade and supply chain management
ESG in supply chains is a growing factor in risk assessment, brand value and access to markets. (Thomson Reuters)
Boards, investors and customers are asking "How do we know our suppliers are credible and compliant?" That requires more than a shared drive full of PDFs.
When you find out about:
forced labour concerns
environmental violations
major safety non-conformances
or a financially distressed supplier
...after the fact, it hits revenue, margin, reputation and sometimes personal liability for directors.
In short: being proactive is no longer a nice to have. It is risk management.
A proactive model has a few recognizable building blocks.
Not all suppliers are equal. You define:
risk tiers (critical, high, medium, low) based on spend, category, geography, ESG exposure, cyber sensitivity and substitution difficulty
what checks, evidence and review cadence are required for each tier
Critical suppliers get deeper onboarding, more frequent reviews and richer monitoring. Low risk suppliers get a lighter approach.
Each supplier has a single profile that holds:
ID and ownership structure
sites and categories
certificates, insurances and policies with expiry dates
ESG and human rights declarations
risk assessments and ratings
financial and security risk insights where relevant
audit history and corrective and preventive actions (CAPAs)
No more hunting across drives and tools.
The system:
tracks expiry dates
sends reminders to suppliers and internal owners in advance
flags non-compliance automatically
can trigger holds or re-approvals if evidence is missing
You stop "remembering" expiries and let workflow handle it.
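To make the three building blocks above concrete (tiers with a minimum document set per tier, one structured record per supplier, and a workflow that tracks expiries and flags gaps), here is an added example in Python. It is illustration code written for this post, not Kodiak Hub's software; the tier policy, reminder lead times, supplier names and dates are all constructed for the example.

```python
"""Tier-based evidence checks and expiry alerting for a supplier register.

Added illustration of the proactive model: risk tiers, a minimum document
set per tier, automatic expiry tracking, advance reminders and a
non-compliance flag. Example code, not Kodiak Hub's; the tier policy, lead
times and supplier records below are constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical policy: evidence each tier must hold, and how far ahead of
# expiry the internal owner and the supplier should be reminded.
REQUIRED_DOCS = {
    "critical": {"ISO 9001", "ISO 27001", "Liability insurance", "Code of conduct"},
    "high":     {"ISO 9001", "Liability insurance", "Code of conduct"},
    "medium":   {"Liability insurance", "Code of conduct"},
    "low":      {"Code of conduct"},
}
REMINDER_LEAD_DAYS = {"critical": 90, "high": 60, "medium": 30, "low": 30}
SEVERITY = {"missing": 0, "expired": 0, "expiring": 1}  # lower sorts first


@dataclass
class Document:
    doc_type: str
    expires: date | None = None  # None: evidence without an expiry, e.g. a signed policy


@dataclass
class Supplier:
    name: str
    tier: str
    documents: list[Document] = field(default_factory=list)


@dataclass
class Finding:
    supplier: str
    doc_type: str
    status: str             # "missing", "expired" or "expiring"
    days_left: int | None   # negative once expired, None when missing


def _latest_per_type(docs):
    """Index documents by type, keeping the copy that expires last."""
    held = {}
    for d in docs:
        prev = held.get(d.doc_type)
        if prev is None or (prev.expires is not None
                            and (d.expires is None or d.expires > prev.expires)):
            held[d.doc_type] = d
    return held


def assess(supplier, today):
    """Check one supplier against the evidence its tier requires."""
    lead = timedelta(days=REMINDER_LEAD_DAYS[supplier.tier])
    held = _latest_per_type(supplier.documents)
    findings = []
    for doc_type in sorted(REQUIRED_DOCS[supplier.tier]):
        doc = held.get(doc_type)
        if doc is None:
            findings.append(Finding(supplier.name, doc_type, "missing", None))
        elif doc.expires is None:
            continue  # held, never expires
        elif doc.expires < today:
            findings.append(Finding(supplier.name, doc_type, "expired", (doc.expires - today).days))
        elif doc.expires - today <= lead:
            findings.append(Finding(supplier.name, doc_type, "expiring", (doc.expires - today).days))
    return findings


def compliance_state(findings):
    """Roll findings up to the flag a workflow would act on (hold, re-approval)."""
    if any(f.status in ("missing", "expired") for f in findings):
        return "non-compliant"
    return "at-risk" if findings else "compliant"


def review_portfolio(suppliers, today):
    """Return {supplier name: (state, findings)} for the whole register."""
    reviews = {}
    for s in suppliers:
        findings = assess(s, today)
        reviews[s.name] = (compliance_state(findings), findings)
    return reviews


def alert_queue(reviews):
    """All findings, most urgent first: gaps and lapses before upcoming
    expiries, and the nearest (or most overdue) date first within each group."""
    all_findings = [f for _, fs in reviews.values() for f in fs]
    return sorted(all_findings, key=lambda f: (SEVERITY[f.status],
                                               f.days_left if f.days_left is not None else 0))


# Constructed sample register; names and dates are made up.
TODAY = date(2025, 3, 1)
SAMPLE_SUPPLIERS = [
    Supplier("Acme Castings", "critical", [
        Document("ISO 9001", date(2025, 4, 15)),            # 45 days out, inside the 90-day lead
        Document("ISO 27001", date(2026, 1, 31)),
        Document("Liability insurance", date(2025, 2, 1)),  # lapsed four weeks ago
        Document("Code of conduct"),
    ]),
    Supplier("Northwind Logistics", "high", [
        Document("ISO 9001", date(2025, 6, 30)),            # 121 days out, outside the 60-day lead
        Document("Code of conduct"),                        # liability insurance never collected
    ]),
    Supplier("Bolt Supply Co", "medium", [
        Document("Liability insurance", date(2025, 3, 20)),  # 19 days out, inside the 30-day lead
        Document("Code of conduct"),
    ]),
    Supplier("Packaging Plus", "low", [Document("Code of conduct")]),
]

if __name__ == "__main__":
    reviews = review_portfolio(SAMPLE_SUPPLIERS, TODAY)
    for name, (state, _) in reviews.items():
        print(f"{name:20} {state}")
    for f in alert_queue(reviews):
        print(f"  {f.status:9} {f.supplier}: {f.doc_type} ({f.days_left} days)")
```

Run against the constructed register, the critical supplier with a lapsed insurance certificate and the high-tier supplier with no insurance on file come out as non-compliant, the medium-tier supplier whose insurance renews in 19 days is at risk, and the low-tier supplier is compliant. The point of the example is the shape of the data and the decision, not the specific thresholds: the same register can be re-run daily so the reminder fires weeks ahead instead of an auditor finding the gap.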
Risk is not a one time project. Proactive teams:
integrate external feeds and internal signals (incidents, quality issues, delivery problems)
watch for rating changes and negative news on critical suppliers
use dashboards and alerts to prioritise where to intervene
You learn about problems early, not when a line stops or a newspaper calls.
Findings are only useful if they lead to change. A proactive setup links:
issues and non conformances
corrective and preventive actions (CAPA) with owners and deadlines
re-evaluation, share-of-business decisions and contract changes
That is how you move from "we saw the risk" to "we addressed it and can prove it".
This is exactly the gap Kodiak Hub was designed to close for procurement and supply chain teams.
Kodiak Hub gives you a 360-degree supplier record where you can store and structure:
all certificates, insurances and policies with their expiry dates
ESG and due diligence questionnaires and answers
risk assessments, audits and findings
performance data like OTIF (on time, in full) and quality incidents that often overlap with risk
Everyone works from the same view, instead of assembling it from mailboxes and shared drives.
With Kodiak Hub you can:
define which documents are required per risk tier, category or region
collect them directly from suppliers through a portal
track expiry dates automatically
send reminders before they lapse
flag suppliers as non-compliant if critical evidence is missing
This turns "we discovered expired documentation by accident" into "we knew a month in advance and the renewal is already in progress".
You can configure:
onboarding and re-qualification flows by risk tier
ESG, human rights, security and quality questionnaires
approval steps across procurement, quality, compliance, legal or sustainability
evidence checks, with clear audit trails
This gives you a structured process that aligns with emerging due diligence expectations and is easy to show to auditors, customers or regulators.
Kodiak Hub can combine:
internal signals such as delivery performance, quality issues and audit scores
external risk insights where available (for example, financial ratings or news)
So your team sees a risk picture that moves over time, not a static snapshot from three years ago.
Risk findings and non conformances in Kodiak Hub can be turned into:
CAPAs with owners, deadlines and required evidence
follow-up tasks and re-evaluations
clear views of open vs closed actions
When the board or auditors ask "What did we do about this risk", you have an answer and a record.
You do not need a giant transformation project to change direction. A simple path could look like this:
Pick 50 to 100 critical suppliers across a few key categories.
Define a basic risk tiering model and minimum document set for those suppliers.
Set up Kodiak Hub to hold their risk and compliance profiles and collect missing documentation.
Configure reminder workflows for expiries and a light re-evaluation cadence.
Add one or two ESG or due diligence questionnaires that align with your key regulations or customer expectations.
Review results after one or two quarters: fewer surprises, better documentation, clearer visibility.
From there you can expand to more suppliers, more categories and deeper risk coverage.
If your current story is "we are reactive on supplier risk and compliance and it has to change", you are in the same place as many teams talking to us. The good news is that with the right platform and some focused steps, you can move to a model where:
expiries do not catch you off guard
due diligence is structured, not improvised
ESG and regulatory expectations are built into your workflows
procurement is equipped to carry the responsibility it has been given
Kodiak Hub is built to help you make that shift.