To handle risk efficiently, a company needs an overview of its risk exposure and a definition of what counts as acceptable risk. The first thing needed is a policy document that states the company's Code of Conduct. Once this is described, the company can also communicate its Code of Conduct to its suppliers and sub-suppliers and ask them to verify that they comply with these standards.

Once this is in place, the company needs to define what is an acceptable risk for it. To do this, it first has to define what types of risk it is exposed to in the supply chain, and then describe the consequence of each risk materializing. Once that is done, it needs to define the probability of that event happening.

