Welcome to a special six-part podcast series, sponsored by Exiger, on the TRADES Framework, a conceptual, strategic and practical guide for Third-Party and Supply Chain Risk Management designed by Exiger to help organizations achieve supply chain resiliency and optimize risk management at any phase of maturity.
Exiger’s TRADES framework & maturity model is a cutting-edge, but actionable, blueprint to build a modern third-party & supply chain risk management program; over the next six episodes, I will be speaking with Exiger’s experts as we go through each layer of the TRADES framework at the tactical, program and strategic levels. We put a spotlight on transparency into your current state with Skyler Chi and Tim Stone; discuss the risk methodology with Theresa Campobasso and Matt Hayden; assess current risks with Laura Tulchin and Peter Jackson; determine mitigations with Carrie Wibben and Aaron Narva, evaluate the TRADES Framework uplift with Brandon Daniels and Josh Thiel; and end with Brandon Daniels and Erika Peters, who will give a review of supplier monitoring and close us out with an update on how government and critical industry are leading the charge using TRADES to out-pace threats and vulnerabilities while minimizing third party and supply chain risk management gaps. In this concluding episode, I am joined by Brandon Daniels, President, Global Markets and Erika Peters, Managing Director, Global Markets Group Head of Tech Transformation to look at supplier monitoring and provide some concluding remarks.
We began with the oversight and monitoring of suppliers within the vendor ecosystem, which is the final pillar the TRADES framework. Peters noted that it is the pillar which “upholds the long-term adherence to the other elements of the framework and ensures the evolution of the program overtime as the threat landscape similarly evolves and changes.” This means that an organization benefits from the clear concise data gathered on their supplier ecosystem, through stakeholder ownership with a clear risk framework.
As the Department of Justice (DOJ) has consistently made clear in other compliance areas, Peters related that companies “should ensure their view of the risk and opportunity landscape is monitored and dynamically addressed through continuous improvement.” It is more than simply a “risk assessment of a third party, which then is put on a shelf” because risks change and evolve. Both third party and external risk factors must be monitored. It allows you to react faster and “in turn minimizing the potential business impact and ultimately the bottom line.” Ongoing monitoring provides you quick insights, allowing you to be more proactive in risk management than reactive, when you find out that partnership is with a company who has reputational risks associated to it such as its owned by a sanctioned entity, fraud or corruption.
Daniels expanded on this by explaining that if you establish a high volume of transparency into your supplier network or into your distributor network, this would also lead to critical third and fourth and fifth and sixth parties that you need to monitor at this last phase. You will be able to evaluate the efficacy of the risk methodology and the risk assessment that you’re conducting on those vendors. Through the implementation of the TRADES Framework, you will have a “constant refresh of those data inputs that you created, that you curated, that you sourced in order to initially instigate your supplier monitoring, or excuse me, your supplier risk assessment. Just refreshing those data points, essentially will just constantly recalibrate, constantly monitor, constantly find those spikes that peak out to you.”
Increasingly, Daniels believes these types of risk are “not linear. They are octagonal.” He explained that an organization “could have a risk in your operational issues. You could have a risk in cyber, you could have a risk in legal, you could have a risk in reputational business dealings.” The key is that “as long as you consistently refresh those inputs that you have used in order to initially assess the priorities of risk that you have across your third party, fourth party, fifth party, six party ecosystem, then you are inherently doing supplier monitoring.”
This type of continuous review and monitoring allows you insights into the future because “you are essentially testing the things that get left behind. Those low-risk vendors, those medium risk vendors that sit below a threshold of risk tolerance and making sure that you’ve got the right risk prioritization in place to instigate an alert when you need it.” It is also more cost effective as you are able to move away from the costly retrospective two-year down the road audit. Daniels said, “These routine audits, these big projects, these million-dollar projects that we do every year in order to refresh 10,000 out of the 20,000 total vendors that we know we’ve got or to do deep due diligence on 5,000 of them randomly on an audit basis, that used to cost us so much money, we’re now doing that incrementally, turning this into a much lower operational cost for us because now we’re instigating when something changes.”
Finally, implementing this appropriately means continuously making sure that “you 1) update your data inputs, 2) making sure that you are assessing your risk framework, and 3) ensuring that as long as you don’t have major changes to your risk landscape,” you are “lowering the friction of compliance and actually make compliance of business accelerant when you have found third parties and supply chains that are able to deliver for you on time and cost effectively.”
Resources
Exiger TRADES Framework
Exiger Website
Brandon Daniels
Erika Peters
Day: July 23, 2021
BIS Update
Things are bubbling in the Commerce Department as BIS add 34 companies to the Entity List due to China’s continue human rights abuses and Iranian and Russian procurement without a license. The Kitchen takes a look at the new Xinjiang supply chain business advisory published by the State Department as things continue to heat up in China.
Welcome to a special six-part podcast series, sponsored by Exiger, on the TRADES Framework, a conceptual, strategic and practical guide for Third-Party and Supply Chain Risk Management designed by Exiger to help organizations achieve supply chain resiliency and optimize risk management at any phase of maturity. Today we consider the TRADES Framework uplift evaluation with Brandon Daniels, resident, Global Markets and Josh Thiel, Executive Intern (Former Commander of Special Operations Task Force).
Daniels said the TRADES Framework began with the “basics and those basics included the three lines of defense, and that’s what you’ve heard in the T the R the A and the D that have come before us. You’ve heard about how you as a first line of defense, as a business, as a business function, as maybe a compliance function working with the business as a sort of middle office build transparency into your supply chain. That’s good for business dynamics, but that’s good for compliance dynamics too. And as we know, good compliance is good business, right? And so, when you think about the journey you’ve been through across the T the R the a and the D, transparency, and then your risk methodology linking to your strategic objectives, is a critical first line of defense function.”
Next is the second line of defense. Here an organization assesses its priorities and ensures mitigation of risk. Through the TRADES Framework, you can blend the first and second lines of defense. Daniels continued, “the only way that you can achieve new levels in risk management and compliance maturity, the only way that you can know that what you’ve done in your T, R, A and D elements is to next incorporate the third line of defense. That is where the ‘E’ comes in, Evaluate Framework Uplift.
You have to take the efficacy of the prior four parts of this process, and you are assessing them from an independent and objective perspective. Some of the questions you would ask include “Do you actually have the right vendors? Do you have the data associated with those vendors to support your risk assessment? Are you biasing your risk assessment in any way by having insufficient data inputs? Have those check-in challenge functions that should be in disruption, mitigation been effective? Have you really truly got accountable stakeholders, or do you have compliance kind of carrying the water for the business?” These are critical questions that everyone needs to ask as they assess the impact that the T, R, A and D has made to their organization, and especially the ‘D’ then, Evaluating your Framework Uplift means you have both assess from an audit and assurance perspective, the impact of the mitigation, the adherence of mitigations and your risk acceptance.
Theil spoke to the operational perspective, beginning at the strategic level and governance. The strategic leaders, the senior leaders established the governance, establish the policies, the expectations, allocate the resources, determine Return on Investment (ROI) to see if “they got a return on the dollar at this period in time, because ultimately the goal is to reduce the risk of the organization. That’s what the strategic leaders are assessing in the E portion.”
While some of the risks are intangible, reputational, they are hard to measure. Oftentimes the savings impact from Supply Chain risk management (SCRM) is very direct and clear, and it’s easy for the senior leaders to quantify it. Theil provided the following example from the Department of Defense (DOD), “where the DOD made an evaluation of vendor screen based on fraudulent procurement during COVID which cost the US Government $500 million. It’s a perfect example of how vendors were bidding in this frenzy, but we’re effectively screened out based on their actual ability to deliver. That was important feedback for those senior leaders as they decided in the next phase to go ahead and adopt some sort of SCRM software” and it was specifically based on Exiger software performance. At the strategic level, that’s the focus of the strategic leader.”
We then drilled down into the tactical level, where the Evaluation Phase is built on real collection of both quantitative and qualitative information. Here Theil explained a “company can easily run itself and its vendor ecosystem in the T and R phases of the maturity model; and then run itself again after the mitigation plans are implemented. By using the same risk models and dashboards, clients can clearly.”
Yet, as with other data analytics solutions in the compliance, risk management and Supply Chain space, quantitative analysis alone is not enough. I would say you must always have the human element involved. Theil phrased it as “Qualitative information is critical to add context and to answer the “why.” Why did the mitigation plan decrease or increase the risk? The tactical quantitative assessment could include techniques like questionnaires for Third Parties, internal stakeholders, transportation partners, and downstream clients.’’ Either way you phrase it, there must be a human evaluation and provision for future plans.
Join us for our concluding episode, when Brandon Daniels and Erika Peters give a review of supplier monitoring and an update on how government and critical industry are leading the charge using TRADES to out-pace threats and vulnerabilities while minimizing third party and supply chain risk management gaps.
Resources
Exiger TRADES Framework
Exiger Website
Brandon Daniels
Josh Thiel
Welcome to a new season of Compliance Man. This season is called True or False? In this series, I am joined by Tim Khasanov-Batirov, a compliance practitioner who focuses on compliance at international markets for over 20 years. Based on his work experience at six countries as in house compliance officer Tim now consults senior managers and compliance officers globally on complex ethics and compliance matters as partner and Head of Compliance practice for ETERNA LAW. Tim is a co-founder of Compliance Club, an international community of practitioners. You can learn more about Tim, his Compliance Manillustrated series, a YouTube channel and request advice from him by clicking at Timur Khasanov-Batirov on Linked in. Check out his profile on the ETERNA Law page here.
Today we have Maria Bulycheva, Compliance Officer with compliance working experience in 3 countries in construction, energy, automotive and logistics businesses.Today we will find out whether it is true that gifts is very important cultural courtesy but may lead to corruption. Highlights include:
- Should compliance professionals have an additional Code of Conduct?
- If so what are the legal implications?
- What about existing requirements?
Join us for the next episode of Compliance Man: True or False? episode. If you disagree or wish to share your views on whistleblower topic please comment below. We will be glad to hear from you. Let’s have a sincere global conversation together.
As the Tokyo Olympics stumble out of the gate and Tom returns to the wilds of the Texas Hill Country, he and Jay are back to take a look at this week’s stories top compliance and ethics stories which caught their interest on This Week in FCPA in the No Fan Olympics edition.
Stories
- Why co-creation is key to design thinking in compliance. Carsten Tams continues his 5-part series on LinkedIn. Check out Tams Part 1 and Part 2 of his great 5-part series.
- What’s going on with ESG in Europe. Vera Cherepanova in the FCPA Blog.
- What is social risk? Lawrence Heim in com.
- What’s the current job market for compliance professionals? Matt Kelly in Radical Compliance.
- SFO secures two DPAs. Neil Hodge in Compliance Week (sub req’d)
- Responding to parallel investigations. Nicole Sprinzen and Catherine Yun in CCI.
- Auditing of SPACs. Francine McKenna takes a deep dive on The Dig. (Sub Req’d)
- EU Whistleblower Initiative? Keith Taylor in Navex Global’s Risk and Compliance Matters.
- FTC signals more aggressive enforcement. Alexander Paul Okuliar and David J. Shaw NYU’s Compliance and Enforcement
- The Enactment of Purpose Initiative. Wachtell, Lipton lawyers in the Harvard Law School Forum on Corporate Governance.
Podcasts and Events
- In a sponsored 6-part podcast series Tom visits with folks from Exiger on its ground-breaking TP&SCRM framework, the TRADES Framework. Part 1-Transparency; Part 2-Risk Mitigation; Part 3-Assessing Risk; Part 4-Determining Mitigations; Part 5-Evaluating Uplift; Part 6, Supplier Monitoring.
- Tom and Megan Dougherty conclude their series on Loki, in Episode 6, For All Time. Always. They review the concluding episode of Season 1, look back over the entire series, review it in the context of the MCU series WandaVision and the Winter Soldier and Falcon and where the MCMultiverse may be headed.
- A new month on The Compliance Life! In July I visit with Asha Palmer, CECO at Convercent. In Episode 1, from Claire Huxable to the DOJ. In Episode 2, ‘What do you think about Abu Dhabi?’ In Episode 3, she moves into compliance consulting and is surprised with what she observed.
- Are you a #GWICee? If you are not you should be. Join the co-hosts Lisa Fine and Mary Shirley for their fan fav lightening-round of listener submitted questions in this episode of Great Women in Compliance.
- What is the budget process for a corp compliance function? Kortney Nordrum lays it out for your in this episode of Survive and Thrive. Check out the video version on YouTube.
- The Compliance Handbook, 2nd edition is released. Learn about it here. Purchase it here.
Tom Fox is the Voice of Compliance and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com.