Third-Party Risk — Supply Chain Integrity & Subcontractor Oversight

A Primary Vendor Quietly Substituted an Unapproved Subcontractor Without Notice. An Employee Discovers It Incidentally. “That’s the Vendor’s Problem, Not Ours.” Is That Right?

A real supply chain integrity and third-party risk scenario — with three decision options and the right answer.

Quick Answer

When a primary vendor substitutes an unapproved subcontractor without notice, does the organization that hired the primary vendor have a compliance obligation — or is this entirely the vendor’s internal matter?

The organization has a compliance obligation. Under the UK Modern Slavery Act, the EU Corporate Sustainability Due Diligence Directive (CSDDD), and the DOJ's 2024 update to the Evaluation of Corporate Compliance Programs (ECCP), which sets out third-party monitoring expectations, organizations are responsible for monitoring their supply chains, including subcontractors and indirect suppliers, not just their direct vendors. An unapproved subcontractor substitution is a material compliance event because the subcontractor has not been screened for labor practices, sanctions exposure, data handling obligations, or quality standards, and because it is almost always a breach of the vendor contract's subcontracting approval clause. "That's the vendor's problem" is the diffusion-of-responsibility rationalization that supply chain due diligence frameworks were specifically designed to address.

What Should the Vendor Relationship Manager Do?

Choice A

Note the substitution informally and let it pass. The quality appears unaffected; the manufacturer says it's to similar standards; the relationship is valuable; and the relationship manager doesn't want to create a problem over what appears to be a practical production decision made independently by the manufacturer.

Choice B

Escalate to Legal, Compliance, and Procurement immediately, documenting the substitution, the timeline, and the manufacturer's response. Halt any new production authorizations involving the unapproved subcontractor until the facility has been assessed and either approved or rejected. Issue a formal notice to the manufacturer of the contract breach.

Choice C

Ask the manufacturer to submit a retroactive approval request and expedite the assessment of the new facility, allowing production to continue while the approval process catches up. This addresses the compliance gap without disrupting delivery.

The Right Call

Choice B — Escalate immediately. Document the contract breach. Halt new production at the unapproved facility pending assessment.

Choice C sounds like a pragmatic middle ground: it addresses the compliance gap while keeping production moving. But allowing production to continue while the assessment is pending means the company is knowingly using an unapproved facility whose labor practices, safety standards, sanctions status, and data handling practices have not been verified. If those practices turn out to be problematic, the company has continued production with knowledge of the gap, which creates significantly greater exposure than if it had halted production upon discovery. Choice B is the only response that preserves the integrity of the supply chain due diligence framework and creates a documented record that the company acted appropriately when the substitution was discovered.

Why This Is Harder Than It Looks

“That’s the vendor’s problem” is diffusion of responsibility — and it’s the rationalization that supply chain due diligence laws were created to prevent.

The UK Modern Slavery Act, the EU CSDDD, and emerging supply chain due diligence legislation in Germany, France, and other jurisdictions exist specifically because organizations historically treated labor practices, environmental standards, and compliance violations at their suppliers as “the vendor’s problem.” These frameworks establish that organizations are responsible for their supply chains — not just their direct vendors. An unapproved subcontractor substitution in a manufacturing context is exactly the situation these frameworks require organizations to assess and address.

The unapproved facility has not been screened — and that is the compliance problem, not the substitution itself.

The issue is not that the manufacturer made a practical production decision. The issue is that a facility is now producing goods for the company without having been assessed for labor practices, sanctions exposure, quality compliance, data handling, or any of the other risk dimensions the approved subcontractor list was designed to ensure. The manufacturer’s assurance that it is “similar standards” is not a compliance assessment — it is a self-interested claim by the party who made the unauthorized substitution.

The company that continues production with knowledge of an unapproved substitution has made a documented choice — with significant legal consequences if the facility is later found to have compliance problems.

Under supply chain due diligence frameworks, knowledge matters. The UK Modern Slavery Act's section 54 is itself a transparency obligation (an annual statement on the steps taken), but the CSDDD provides for civil liability where a company intentionally or negligently fails to meet its due diligence obligations, and regulators and courts in other jurisdictions likewise treat a company that knew or should have known about forced labor or other violations in its supply chain more harshly than one that had no knowledge. An employee who discovers an unapproved subcontractor substitution and allows production to continue has created a documented record that the company knew, from that point forward, that an unassessed facility was in the supply chain. That record does not help the company's legal position if the facility is later found to have issues, and it also undermines the accuracy of any modern slavery statement or due diligence report the company subsequently publishes.

Frequently Asked Questions

What supply chain due diligence obligations do organizations have under the UK Modern Slavery Act and EU CSDDD?

Section 54 of the UK Modern Slavery Act requires commercial organizations carrying on business in the UK with annual turnover of at least £36 million to publish an annual statement on the steps taken to ensure their business and supply chains are free from slavery and human trafficking. The EU Corporate Sustainability Due Diligence Directive (CSDDD), which applies to large EU companies and to non-EU companies with significant EU turnover, requires identification, assessment, prevention, and mitigation of actual and potential adverse human rights and environmental impacts across the company's chain of activities, including at subcontractors and indirect suppliers. Both frameworks are specifically designed to address the "that's the vendor's problem" rationalization by establishing direct corporate obligations for supply chain conditions.

What contract provisions typically govern subcontractor substitutions and why do they matter?

Standard supply chain contracts typically require prior written approval for subcontractor substitutions, restrict subcontracting to approved facilities, require the vendor to flow down the company’s compliance requirements to all subcontractors, and provide the company with audit rights at any facility involved in the production of their goods. These provisions exist because the company’s compliance obligations extend to their supply chain — and a subcontractor substitution that bypasses the approval process introduces an unassessed facility into a supply chain the company is legally responsible for.

What should an organization do when it discovers that a vendor has substituted an unapproved subcontractor?

Document the discovery immediately, including how and when it was found. Escalate to Legal, Compliance, and Procurement. Issue a formal notice to the vendor of the contract breach. Halt new production authorizations at the unapproved facility until an assessment has been completed and the facility is either approved or rejected. Conduct a retrospective assessment of any goods already produced at the unapproved facility to determine whether any compliance risks materialized. Review the contract for remedies including cure requirements, withholding of payment, and termination rights, and confirm whether the company's own audit rights extend to the new facility. The response should be proportionate to the risk profile of the substitution, but the first step is always to escalate rather than to allow production to continue while the assessment proceeds.

How to Use This Scenario in Training

Recommended for vendor relationship managers, procurement teams, supply chain operations, and compliance professionals responsible for UK Modern Slavery Act statements and EU CSDDD compliance. Also valuable for organizations building or refreshing supply chain due diligence programs in advance of CSDDD implementation timelines. The key recognition skill is understanding that the company’s compliance obligations extend into its supply chain — the “vendor’s problem” rationalization is specifically what supply chain due diligence legislation is designed to override.

This scenario demonstrates the diffusion of responsibility rationalization pattern as it emerges from the Decision Readiness Engine™. Decision-ready employees recognize that “that’s the vendor’s problem” is not a compliance analysis — it is the exact rationalization that supply chain due diligence frameworks were created to prevent.

More Third-Party Risk Scenarios

Due Diligence Pressure

A leader pushes to skip vendor due diligence. “We’ve worked with them for years. We don’t have time.”

Distributor Red Flags

A distributor wants payment to a third account. “That’s just how business works here.”

Full Cluster

Browse all third-party risk compliance training scenarios.

Want Supply Chain Compliance Scenarios in Your Program?

Xcelus builds scenario-based supply chain integrity training covering subcontractor oversight, UK Modern Slavery Act obligations, EU CSDDD requirements, and the diffusion-of-responsibility rationalization that supply chain due diligence frameworks are specifically designed to address.

View the Compliance Reinforcement Kit →
Contact Xcelus

© 2005–2026 Xcelus LLC. All rights reserved. Scenario content is original work protected by copyright. You may link freely — reproduction or adaptation without written permission is prohibited.