Welcome to a special six-part podcast series, sponsored by Exiger, on the TRADES Framework, a conceptual, strategic and practical guide for Third-Party and Supply Chain Risk Management designed by Exiger to help organizations achieve supply chain resiliency and optimize risk management at any phase of maturity.
In this episode, I visit with Theresa Campobasso, Senior Account Manager, National Security and Intelligence and Matt Hayden, Deputy Lead of GovTech Solutions (Former Assistant Secretary of Homeland Security for Cyber, Infrastructure, Risk, and Resilience) on risk methodology.
It all begins with setting a strong foundation. At the strategic level, you should work to determine business, third-party and resource threat and opportunity landscape to commit to a definition of risk. At the program level, you should work to develop and maintain the risk assessment methodology and ensure that it is tailored to the specific organization. Then set the standardized guidance for how the following two actions will be conducted. First, look externally to identify which risks align to the organization’s industry and supplier types. Determine the underlying risk indicators to measure the supplier risk. Consider both inherent risks to individual suppliers (e.g., supplier financial health) and macro risks (e.g., geopolitical factors, resource shortages, etc.). Second, look internally at the organization by conducting a criticality analysis or “crown jewel assessment” to identify what assets within your organization are essential for mission accomplishment, and ensure risk framework alignment to those prioritized critical assets.
Finally, at the entity or tactical level, you should consider both the internal and external view from the program level and identify the specific inherent and macro risks for each third party. Some macro Supply Chain risks include: Disruption due to geopolitical conditions or natural disaster; COVID-19 Pandemic; Resource Scarcity; Catastrophic weather events, etc.; operational risks, foreign ownership controls and influence; reputational, compliance & regulatory risk; and financial health.
Theresa related, “A Crown Jewel assessment would look at those key elements that are critical to an organizations operation and success.” It would include, (1) “What would be the priority targets during a compromise to disrupt the products or services the organization provide.” (2) It would “set a threshold specific to your industry of what the top 10 items are without trying to boil the ocean for an entire organization using impact of loss as a determining factor.” (3) Finally, you need to “customize the methodology based on critical assets such as people, equipment, proprietary intellectual property, etc.” It would provide you a manner to adjust to risk events or indicators based on the products or services the organization provides.
Join us in our next episode where we discuss how to assess current risks with Laura Tulchin and Peter Jackson.
Resources
Exiger TRADES Framework
Exiger Website
Theresa Campobasso
Matt Hayden