Author: Admin

This week, I want to pay tribute to my former Compliance Week colleague, Aly McDevitt, who announced on LinkedIn that she was retiring from CW to become a full-time mother. I wrote a tribute to Aly, which appeared in CW last week. To prepare to write that piece, I re-read her long-form case studies, which she wrote over the years for CW. They are as compelling today as when she wrote them. This week, I will be paying tribute to Aly by reviewing five of her pieces. The schedule for this week is:

Monday: A Tale of Two Storms

Tuesday: Coming Clean

Wednesday: Inside a Dark Pact

Thursday: Reaching Into the Value Chain

Friday: Ransomware Attack: An immersive case study of a cyber event based on real-life scenarios

Once again, McDevitt showed why strong compliance journalism matters. She did not write a generic ESG success story. She examined how a global manufacturer sought to address a problem largely outside its direct control while still building governance, accountability, and measurable progress around it. For compliance professionals, that is the heart of the story. Flex is not simply trying to improve what happens inside its factories. It is trying to influence what happens across a value chain that is vastly larger than the company itself.

That challenge begins with scale. As McDevitt reports, Flex generates $26 billion in annual revenue, has about 170,000 employees, operates in more than 100 facilities across 30 countries, serves 1,000 customers, and works with 16,000 global suppliers. It is the kind of company that many end users do not recognize by name, but that sits squarely in the middle of countless supply chains. That middle position is precisely what makes the case study so relevant to corporate compliance. Many modern compliance risks do not stop at the company boundary. They sit upstream in sourcing, downstream in product use, and sideways in third-party relationships.

In environmental terms, this means Scope 3 emissions. McDevitt explains that while Scope 1 and Scope 2 emissions are relatively easier to quantify and manage, Scope 3 emissions, meaning indirect emissions across the value chain, are much harder. At Flex, Scope 3 emissions accounted for 99 percent of total gross emissions in 2019, 2020, and 2021. That single fact should get every compliance professional’s attention. If 99 percent of your footprint sits outside your direct operating control, then governance cannot be limited to internal operations. It must extend outward through influence, incentives, transparency, and partnerships.

That is why I find McDevitt’s reporting on Flex so useful. She shows that the company understood the compliance-like problem embedded in sustainability. Scope 3 is not just an environmental accounting challenge. It is a governance challenge. It asks whether a company can establish expectations, escalation paths, reporting systems, and controls for conduct and performance that rely heavily on third parties.

McDevitt presents 2019 as a hinge point for the company. That was the year Revathi Advaithi became Chief Executive Officer (CEO), and the year Flex adopted a more ambitious sustainability posture. Andy Powell, Flex’s Chief Ethics and Compliance Officer, told McDevitt that before Advaithi’s arrival, the culture needed a turnaround, and that her leadership changed the tone at the top and the company culture. For compliance officers, this is a familiar lesson. Every durable transformation begins with tone at the top, but it cannot stop there. Tone only matters when it is translated into goals, structures, and incentives.

Flex did that by making 2019 its baseline year for future targets and by setting three major 2030 goals: cut Scope 1 and 2 emissions by 50 percent from the 2019 base year; ensure 50 percent of preferred suppliers set their own GHG reduction targets by 2025 and 100 percent by 2030; and have 70 percent of specified customers set science-based targets by 2025. In its first year, the company reported a 14 percent reduction in operational emissions and said 29 percent of preferred suppliers and 48 percent of specified customers had already set GHG-reduction or science-based targets.

Those numbers matter, but for compliance professionals, what matters more is how Flex operationalized the effort. McDevitt reports that the company did not leave sustainability as a free-floating corporate aspiration. It built governance around it. Barjouth Aguilar, who leads the global sustainability program, described a tight-knit team that tracks a broad range of KPIs across more than 100 sites, runs materiality assessments, designs goals with area owners, conducts site training, and communicates performance across the organization. She emphasized that her team serves as “the connectors,” a phrase every compliance officer will appreciate. The modern compliance function is increasingly a connector function. It brings together legal, operations, procurement, finance, IT, HR, and business leadership around shared risk and accountability.

Flex has also gotten one structural issue right. McDevitt reports that its sustainability program management sits within the company’s LMS, legal, marketing, and security teams, all of which report to the general counsel. Andy Powell said that the arrangement creates tight cross-functional collaboration with the ethics and compliance program because it is “all in the same family”. That is not a trivial point. Too many organizations allow ESG, compliance, procurement, and operations to operate on parallel tracks. Flex’s structure suggests a more mature model, one where sustainability is treated as a governance issue rather than a branding exercise.

McDevitt also highlights the program’s operational discipline. Site-level representatives across more than 100 facilities participate in a sustainability network, report local progress, escalate issues, and use monthly scorecards tied to company-wide goals. This is where the case study becomes particularly instructive for compliance practitioners. Flex is not merely talking about targets. It is using cadence, scorecards, escalation, and localized accountability. In other words, it treats sustainability as a management system.

That is exactly how a compliance officer should think about ESG. The challenge is not just about the announced goal. The challenge is whether the company has a process to monitor performance, surface problems, and drive remedial action.

Another strong section in McDevitt’s reporting concerns greenwashing. Aguilar recommends a three-pronged approach: materiality assessment, data verification, and transparency. This is sound advice for any corporate compliance program. Materiality assessment aligns the strategy with business realities and stakeholder expectations. Verification creates integrity in reported data. Transparency preserves trust, especially when progress falls short. McDevitt notes that Flex has used third-party verification of environmental data through DNV since its 2018 sustainability report. That kind of external validation is increasingly important in a world where ESG claims are scrutinized by customers, investors, regulators, and plaintiffs’ lawyers.

I also appreciated McDevitt’s discussion of how Flex manages suppliers. The company’s supplier-side target focuses on preferred suppliers, about 500 companies out of a total supply base of 16,000, but that group receives 50 percent of Flex’s $7 billion annual spend on commodity sourcing. Some might criticize that as narrow. I think it is practical. Compliance professionals know that risk-based prioritization is not a weakness. It is maturity. You begin where the leverage is greatest.

Flex did not stop with expectations alone. McDevitt reports that it created a yearlong process for suppliers that includes education, webinars, training, disclosures through CDP, follow-up support, and internal review of results. In one year, Flex trained 424 suppliers and 695 supplier personnel. That is what third-party compliance looks like in practice. Not merely contract clauses, but enablement.

There is also a sober realism in the case study that I admire. David Gessler acknowledged that the closer Flex gets to its deadlines, the harder it will be to motivate the remaining suppliers, particularly smaller ones in regions where ESG language may still be foreign or where supplier resources are limited. He also noted that regulatory expectations are moving quickly and that customer demands are already outrunning some of the company’s original plans. That is another useful lesson. A modern compliance program cannot be static. It must evolve as stakeholder expectations, regulations, and commercial realities change.

Finally, McDevitt shows that Flex is thinking not only about suppliers but also about customers and the product lifecycle. The company is trying to help customers design more sustainable products, extend product lifespans, support repair and remanufacturing, and build circular-economy solutions. This matters because the largest share of Flex’s Scope 3 emissions comes from “use of sold products,” which accounted for 93 percent of total Scope 3 emissions in 2021. In plain English, the biggest sustainability issue is not simply what Flex does in manufacturing. It is what happens after the product leaves.

That, to me, is the broader compliance insight. The future of compliance will increasingly require professionals to think in systems, not silos. Whether the topic is anti-corruption, human rights, cyber, AI, or ESG, the key question is no longer only, “What happens inside our company?” It is also, “How do we govern what we influence but do not fully control?”

Aly McDevitt’s Reaching into the Value Chain answers that question with a practical and realistic example. Flex may not control every node of its value chain, but it is building a framework to influence it with structure, data, accountability, and persistence. For compliance professionals, that is a model worth studying.

Join us tomorrow as we conclude our 5-blog-post tribute to Aly McDevitt by reviewing her case study on a Ransomware attack and a corporate response. I am a columnist for Compliance Week.