Welcome to a special six-part podcast series, sponsored by Exiger, on the TRADES Framework, a conceptual, strategic and practical guide for Third-Party and Supply Chain Risk Management designed by Exiger to help organizations achieve supply chain resiliency and optimize risk management at any phase of maturity. In this episode, I visit with Laura Tulchin, ESG Solutions Lead and Peter Jackson, ESG Solutions Lead and Peter Jackson – Director of SCRM Data Management & Innovation on assessing your current risks.

According to Jackson, “The A in the TRADES framework stands for “Asses Current Risks.  In steps One and Two, you have been planning and preparing your supply chain risk assessment; now it’s time to actually carry it out. The more robust your preparation, the easier this step will be, but don’t be concerned if you find it necessary to go back and forth between this step and the previous stages. Sometimes we have expectations about the data that’s available, or we make assumptions about overall risk, that are quicky disproven as we move to actually assess our risk.  When that happens, simply back up and iterate on the planning stage to find another approach. Assessing current risks breaks down into three levels.”

The Strategic Level. Tulchin says you should begin at the Strategic Level in order to “maintain a robust, long-term third-party and supply chain risk management framework, organizations must agree to and document a broad risk appetite statement. Start at the strategic level.” Moreover, “A risk appetite statement is absolutely critical to defining the workflow for you of the outputs of the risk assessment.”

We moved to a risk appetite statement, which Tulchin said, “is going to give you guidelines about what is acceptable risk and what is not. It’s extremely important to put in thresholds and metrics to make the results of the risk assessment actionable – KRIs that tell you when things are moving toward unacceptability and what to do then.” Additionally, “Ultimately, the risk assessment is going to strategically define a workflow for you of the outputs of the risk assessment. Finally, your ”risk assessment methodology should ensure that the risk model meets your business need and risk profile – in other words, align with the way that your organization sees the world.”

The Program Level. Implementing a risk assessment program begins with defining the risk assessment application and prioritization process. From there, organizations need to determine the frequency of risk assessments and establish policies to escalate risk events. Risk thresholds and decision-making processes must be clearly documented.

Jackson said that at this level, “it’s time to buckle down and collect, analyze, and synthesize the data you need to identify your risks and fit them into your risk appetite. Something to keep in mind as you carry out your plan at the program level is that there are both weak points and strong points in any supply chain.” While many aspects of the risk model focus on identifying potential weaknesses or vulnerabilities in a supply chain, the flip side of that analysis is to discover the best and strongest parts of your supply chain as well.

Moreover, the Program Level is “the perfect place to identify what is working well and to investigate why is it working well. Since we use risk as a starting place, we can look at the bottom of the list—the lowest-risk areas—to look for positive practices that can be replicated throughout your supply chain. Program level risk assessment is the right place to drive value creation as well.  Although supply chain risk is focused on reducing vulnerabilities, there is also tremendous potential here for discovering efficiencies and creating significant value capture from your supply chain as well.”

Tactical Level. At a tactical level, the risk assessment process should include application, visualization and a vulnerability evaluation. Individual third-party risk assessments, critical supplier assessments as well as supply chain assessments should all be included as part of an organization’s risk assessment application. That risk should then be visualized to depict third-party and supply chain portfolio risk areas and indicators to provide actionable intelligence and allow for the prioritization of investigation and mitigation efforts in an efficient manner. A high-level comprehensive assessment should evaluate overall vulnerabilities across the complete level.

Here implementing the risk assessment may mean different things for different entities based upon criticality. Tulchin related, “certain types of suppliers may be subject to more stringent data collection that leads to a more comprehensive risk model that brings in a large swath of data.” It could also be that you “want to perform a risk assessment within a given supplier relationship. As defined by the risk model design/methodology, tiering with regard to the need to perform micro or single entity risk assessments.” Finally, there “may be certain suppliers, or a certain high-risk jurisdiction, or a certain critical product that require single-focus risk assessments to bring that data into an overall program review.”

Jackson feels the Tactical Level “is the place where you are most likely to discover the need to iterate on your supply chain risk model design. The tactical level is where you can best identify any persistent information gaps or determine the need for data orchestration.” Yet he cautioned, “It’s also important to keep in mind that the outputs of your assessment will be responsive to your risk priorities.”  Finally, he emphasized that it is “critical to keep in mind that we aren’t assessing just for the sake of assessing. Especially at the tactical level here, always keep in mind how your organization can use the work that you’re doing and put your outputs to immediate use. If your findings are more strategic in nature, then the changes may be sweeping organizational solutions; if your findings are more tactical, then perhaps they will result in only a small tweak to a specific buying pattern or relationship. As you carry out your risk model plans in this step, always keep in mind a clear path ahead for any given outcome.”

Join us in our next episode, where we discuss determining mitigations with Carrie Wibben and Aaron Narva.

Resources

Exiger TRADES Framework

Exiger Website

Laura Tulchin

Peter Jackson