September 25, 2024

An Investor Framework For Analyzing Supply Chain Compliance and Risk Management Startups

By Nirwan Tajik

At the heart of today’s interconnected global economy are increasingly complex supply chains that span continents and involve numerous stakeholders – from suppliers to customers.

The sophistication of these systems has enabled producers to draw on international resources and labor pools to create new generations of products and services. However, as the pandemic demonstrated in often stark ways, that same interconnectivity creates new vulnerabilities when something unexpected disrupts vital components of those systems.

Given the essential role supply chains play in the economy, a growing range of regulations have been adopted by governments at all levels over the past decade that target their safety, reliability, and impact. These new regulatory mandates – coupled with evolving customer expectations – have catalyzed the market for supply chain compliance and risk management (SCCRM) solutions.

SCCRM had long been considered a niche sub-category for investors and entrepreneurs. But in recent years, the amount of funding flowing into this sector has surged. With the profile of this sector rising and attracting more attention, the Revaia team took a deep dive into the topic to understand the trends driving SCCRM, the problems being addressed, and how investors should think about the value and opportunities.

Rising Regulatory Wave

In recent years, countries and international bodies have introduced a host of new regulations aimed at ensuring sustainability, human rights, and transparency across supply chains. This wave of regulations includes major legislation such as the EU's Corporate Sustainability Due Diligence Directive (CSDDD) and the German Supply Chain Act, which place stringent requirements on businesses to monitor and ensure compliance within their supply chains.

As the volume of these regulations grows, so does the scope and nature of their impact. This can be broken down into 4 distinct dynamics:

Complexity: The sheer number of regulations compounds the challenge of compliance.
Applicability: Existing regulations tend to apply to more verticals and size segments (defined by e.g., revenue, number of employees) over time as regulators clarify and refine the rules and how they are implemented and enforced.
Latency: New regulations are hitting the market faster while the time-to-implement shortens.
Specificity: New regulations and updates of previous regulations are more specific in requirements.

The result of this is a kind of regulatory flywheel spinning faster and faster that covers a broader range of industries.

It should also be noted that beyond new legislation, customer expectations of greater transparency and sustainability add another dimension that companies must acknowledge. Many companies, particularly in Europe, are seeking solutions that help them adhere to ESG-related regulations, not only to mitigate risks but also to improve their public image for socially conscious consumers – and employees.

Companies have no choice but to adapt their operations and invest heavily in compliance functions. As the cost of compliance rises, businesses must decide where to allocate resources to scale their operations while maintaining compliance.

That has expanded the market for technology solutions that can potentially simplify compliance processes and reduce costs.

Tech’s SCCRM Opportunity

Faced with budget tradeoffs and legal obligations, adopting advanced technology to navigate these challenges is a logical response for these companies. Tools that integrate seamlessly into existing operations and help businesses automate and optimize their compliance processes are immensely attractive.

For investors, SCCRM offers a fertile ground for innovation and growth. Software solutions in SCCRM fall broadly into two categories:

Compliance monitoring: Adhere to regulatory requirements, industry standards, and company policies. This includes tracking and documenting compliance with environmental, social, and governance (ESG) criteria.
Risk management: Identifying and evaluating potential risks in the supply chain, such as geopolitical risks, supplier financial instability, natural disasters, and cyber threats. This involves analyzing data from various sources to predict and mitigate potential disruptions.

Investors must understand which segment a startup is targeting because the customer bases and industries could look quite different. For example, logistics companies might focus on compliance with safety standards, while manufacturers may need tools to assess geopolitical risks or supplier financial instability.

As companies seek to automate their compliance and risk management efforts, there is growing interest in solutions that can integrate with existing enterprise resource planning (ERP) systems and offer specialized functionality. This has created a fragmented but competitive market, with horizontal players (offering general solutions across multiple industries) competing with vertical players (offering tailored solutions for specific sectors).

In addition, several interesting solutions are emerging adjacent to these two main pillars in categories such as analytics, training, incident management, supplier management, and auditing. Investors should continue to monitor these segments as they mature. Companies in these sectors could scale if their addressable market grows – or become interesting acquisition targets for SCCRM companies that want to add products that allow for upselling or cross-selling.

Investment Opportunities

The SCCRM space has seen significant investment activity in recent years.

Revaia tracked 74 SCCRM companies between 2020-2024. Within that cohort, the amount raised jumped from €163 million in 2020 to €721 million in 2023. This rising investment was driven, in part, by the growing maturity of these startups that attract later-stage funding, especially in the U.S. where Assent Compliance raised €310 million in 2021 and Xpansiv raised €494 million in 2023.

While the U.S. has taken the lead, Europe is catching up fast with large rounds raised by PreWave (€63 million), TrusTrace (€22 million), Tacto (€50 million), Oritain (€53 million), and Integrity Next (€107 million).

Investor interest continues to climb because the first wave of early-stage investments seems to have borne fruit. Exits rose from 3 deals valued at €626 million in 2020 to 6 deals valued at €7.5 billion in 2023. Consequential and equally important, especially for late-stage investors, the average exit deal size increased over time.

Perhaps the most notable SCCRM exit so far is the $3 billion buyout of AuditBoard, a leading compliance software provider, by PE firm HG. The success of AuditoBoard can be instructive for both investors and entrepreneurs in this sector.

Founded in 2014, AuditBoard developed a subscription-based SaaS model but also earns revenue from software integrations, consulting, and support services. In 2023, the company reported revenues of €184.83M – 33% YoY growth.

In terms of product strategy, AuditBoard started with a single-framework, horizontal solution that targeted auditors – a previously underserved user group. Because one of the founders came from an auditing background, the company had strong insight into the problems this sector faced, and credibility when it began reaching out to potential customers. This singular focus allowed AuditBoard to build a robust foundation by demonstrating its deep understanding of customer needs, leading to a highly tailored and effective solution..

This focus on customer success fostered strong relationships with top-tier clients, including nearly half of the Fortune 500. Subsequently, the company expanded to other user groups. Today, AuditBoard's suite of interconnected modules addresses comprehensive risk management and compliance needs, making it an indispensable tool for large enterprises.

The platform’s ability to integrate operational, financial, and supply chain risks revolutionized the audit and compliance landscape. As it scaled, it also achieved profitability in 2018, making it incredibly attractive for a PE buyout.

The result: a billion dollar exit valuation for a company that had raised only $43 million in venture capital.

Challenges and Outlook

While the SCCRM market presents significant opportunities, there are also challenges that companies and investors need to keep in mind.

Just as the increasing complexity of regulations creates a market opportunity, it can also drive up R&D costs and reduce profitability for SCCRM players. The more specific a regulation is, the more it increases the R&D costs for the SCCRM platform.

This is why it is key for investors to understand whether an SCCRM is a horizontal or vertical play. Each of those requires different strategies for remaining ahead of the evolving regulatory landscape. It also determines the size of the addressable market.

Additionally, the rise of AI will disrupt the market further. AI-enabled startups will offer more efficient and predictive risk management tools. More established SCCRM companies need to keep pace with the AI arms race, or they will get disrupted by younger upstarts.

Finally, ESG is a core issue for SCCRM. Certainly, ESG regulations are expanding the market for tech solutions that help companies remain compliant. But for SCCRM companies, there could be vulnerabilities to issues such as how the cost of energy might slow IT growth, the exposure to data protection rules, the lack of diversity, and the introduction of bias into risk models.

There is no universal model or thesis for assessing all SCCRM startups. But we think there are a few key questions that investors should ask when starting to scrutinize these companies for a possible funding round:

Is it a horizontal or vertical play?
What is the implication of AI for the business model: enabler or threat?
What are the levers that will drive costs, especially for staying current on relevant regulations?
Is there potential for competition from established companies in sectors such as ERM that may move into SCCRM as an adjacent market?
How easily is the solution integrated into existing IT within a customer’s stack and how complex is onboarding?
Is there a solid product roadmap that considers what additional features might make sense or future markets that could be targeted?

The rise of SCCRM is not a passing trend but a fundamental shift in how businesses operate, driven by a combination of regulatory pressure and technological advancement. By understanding these changes and the trends that are fueling them, investors can position themselves to identify the right opportunities as they emerge in this evolving landscape.