The Minsk agreements continue to go unimplemented, so the EU extends Russia sanctions again; OFAC grants an export license for certain petroleum products destined for Venezuela and the Kitchen is there to look into the details.
Welcome to a special six-part podcast series, sponsored by Exiger, on the TRADES Framework, a conceptual, strategic and practical guide for Third-Party and Supply Chain Risk Management designed by Exiger to help organizations achieve supply chain resiliency and optimize risk management at any phase of maturity. In this episode, I visit with Laura Tulchin, ESG Solutions Lead, and Peter Jackson, Director of SCRM Data Management & Innovation, on assessing your current risks.
According to Jackson, “The A in the TRADES framework stands for ‘Assess Current Risks.’ In steps One and Two, you have been planning and preparing your supply chain risk assessment; now it’s time to actually carry it out. The more robust your preparation, the easier this step will be, but don’t be concerned if you find it necessary to go back and forth between this step and the previous stages. Sometimes we have expectations about the data that’s available, or we make assumptions about overall risk, that are quickly disproven as we move to actually assess our risk. When that happens, simply back up and iterate on the planning stage to find another approach. Assessing current risks breaks down into three levels.”
The Strategic Level. Tulchin says you should begin at the Strategic Level: “To maintain a robust, long-term third-party and supply chain risk management framework, organizations must agree to and document a broad risk appetite statement. Start at the strategic level.” Moreover, “A risk appetite statement is absolutely critical to defining the workflow for you of the outputs of the risk assessment.”
We moved to the risk appetite statement itself, which Tulchin said, “is going to give you guidelines about what is acceptable risk and what is not. It’s extremely important to put in thresholds and metrics to make the results of the risk assessment actionable – KRIs that tell you when things are moving toward unacceptability and what to do then.” Additionally, “Ultimately, the risk assessment is going to strategically define a workflow for you of the outputs of the risk assessment.” Finally, your “risk assessment methodology should ensure that the risk model meets your business need and risk profile – in other words, align with the way that your organization sees the world.”
The Program Level. Implementing a risk assessment program begins with defining the risk assessment application and prioritization process. From there, organizations need to determine the frequency of risk assessments and establish policies to escalate risk events. Risk thresholds and decision-making processes must be clearly documented.
Jackson said that at this level, “it’s time to buckle down and collect, analyze, and synthesize the data you need to identify your risks and fit them into your risk appetite. Something to keep in mind as you carry out your plan at the program level is that there are both weak points and strong points in any supply chain.” While many aspects of the risk model focus on identifying potential weaknesses or vulnerabilities in a supply chain, the flip side of that analysis is to discover the best and strongest parts of your supply chain as well.
Moreover, the Program Level is “the perfect place to identify what is working well and to investigate why is it working well. Since we use risk as a starting place, we can look at the bottom of the list—the lowest-risk areas—to look for positive practices that can be replicated throughout your supply chain. Program level risk assessment is the right place to drive value creation as well. Although supply chain risk is focused on reducing vulnerabilities, there is also tremendous potential here for discovering efficiencies and creating significant value capture from your supply chain as well.”
Tactical Level. At a tactical level, the risk assessment process should include application, visualization and a vulnerability evaluation. Individual third-party risk assessments, critical supplier assessments as well as supply chain assessments should all be included as part of an organization’s risk assessment application. That risk should then be visualized to depict third-party and supply chain portfolio risk areas and indicators to provide actionable intelligence and allow for the prioritization of investigation and mitigation efforts in an efficient manner. A high-level comprehensive assessment should evaluate overall vulnerabilities across the complete level.
Here implementing the risk assessment may mean different things for different entities based upon criticality. Tulchin related, “certain types of suppliers may be subject to more stringent data collection that leads to a more comprehensive risk model that brings in a large swath of data.” It could also be that you “want to perform a risk assessment within a given supplier relationship. As defined by the risk model design/methodology, tiering with regard to the need to perform micro or single entity risk assessments.” Finally, there “may be certain suppliers, or a certain high-risk jurisdiction, or a certain critical product that require single-focus risk assessments to bring that data into an overall program review.”
Jackson feels the Tactical Level “is the place where you are most likely to discover the need to iterate on your supply chain risk model design. The tactical level is where you can best identify any persistent information gaps or determine the need for data orchestration.” Yet he cautioned, “It’s also important to keep in mind that the outputs of your assessment will be responsive to your risk priorities.” Finally, he emphasized that it is “critical to keep in mind that we aren’t assessing just for the sake of assessing. Especially at the tactical level here, always keep in mind how your organization can use the work that you’re doing and put your outputs to immediate use. If your findings are more strategic in nature, then the changes may be sweeping organizational solutions; if your findings are more tactical, then perhaps they will result in only a small tweak to a specific buying pattern or relationship. As you carry out your risk model plans in this step, always keep in mind a clear path ahead for any given outcome.”
Join us in our next episode, where we discuss determining mitigations with Carrie Wibben and Aaron Narva.
Resources
Exiger TRADES Framework
Exiger Website
Laura Tulchin
Peter Jackson
Welcome to the Great Women in Compliance Podcast, co-hosted by Lisa Fine and Mary Shirley. Lisa and Mary welcome listeners back to a new season with hot seat questions put forward by their audience, answered without time to prepare. They also give a spoiler alert for their next joint episode as something to look forward to, and they invite you to think about your submissions for the future. Here are the questions Lisa and Mary tackled in this episode:
- How do you continue to learn in order to stay on top of things in your role?
- “If your ideal compliance leader was an animal, which animal, and why?”
- When did you realize that GWIC has grown from the podcast to a larger community? Was there a moment for you?
- If you had an extra $10k and had to spend it within the month- what would you do (personal or professional)?
- As someone who is a global traveler, when you get to go home to New Zealand, once you recover from the flight, what is the first “local”/hometown thing you want?
- Is it ever okay for an E&C investigator to employ deception when interviewing a subject? I’ve worked at companies that allow very limited exceptions and others that say “never.” A common exception involves a subject who might figure out who the reporter is (and then retaliate against her/him). As we seek to do everything and anything possible to prevent retaliation against reporters, the investigator might say to the subject during an interview (in a situation where the internal reporter is known to the investigator), “Please make no effort to guess or otherwise identify the reporter. Doing so risks violating our anti-retaliation policy. The reporter may be anonymous or from outside the company–it doesn’t matter. The bottom line is, you must refrain from trying to determine or conclude who it is.” Of course, nothing in this example is a lie, but it is deceptive given the investigator knows the reporter isn’t external or anonymous. Certain countries may have laws or regulations that answer this question but, importantly, the standards of an E&C investigation–at least in the United States–are not the same as a government-led investigation. Also, many E&C investigators are not licensed attorneys, so there are no “licensed professional” restrictions to consider. So, do you think it’s okay for an E&C investigator, in rare and previously identified instances, to deceive an interviewee when doing so likely could have a material effect on protecting a reporter from retaliation?
- What’s the biggest area (related to your current role) you are curious about and why?
- What are some of the things you are researching right now? (Could be personal- could be professional, could be vague)
- If there was one thing you could change about the way Compliance is perceived by people outside the profession, what would it be?
- We often hear of the importance of the birds and the bees. But in the compliance world, if you could only pick the attributes of one, which would it be and why?
We hope that you enjoyed this episode and welcome any feedback you may wish to send in to gwicpod@gmail.com.
For those of you in the northern hemisphere, it is the season for beach reads and you may be traveling after a long break. For your time off, you can pick up a copy (or download) of “Sending the Elevator Back Down: What We’ve Learned from Great Women in Compliance” (CCI Press, 2020). If you’ve already read the book and liked it, will you help other women decide to leverage the tips and advice it gives by rating the book and giving it a glowing review on Amazon?
As always, we are so grateful for all of your support and if you have any feedback or suggestions for our 2021 line up or would just like to reach out and say hello, we always welcome hearing from our listeners.
You can subscribe to the Great Women in Compliance podcast on any podcast player by searching for it and we welcome new subscribers to our podcast.
Join the Great Women in Compliance community on LinkedIn here.
Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. This week Matt and Tom take a deep dive into the recent SEC enforcement action regarding the SPAC Stable Road Acquisition Corp. and its acquisition of the space technology company Momentus. Some of the issues we consider are:
- What were the underlying facts?
- Were red flags missed, consciously avoided or outright ignored?
- Where was compliance due diligence?
- Bill Ackman, Pershing Square Tontine Holdings and the proposed Universal Music acquisition.
- Diamond Acquisition Corp and its acquisition of Lordstown Motors.
Resources
Matt in Radical Compliance
The Second Act of SPAC Enforcement
The Compliance Life details the journey to and in the role of a Chief Compliance Officer. How does one come to sit in the CCO chair? What are some of the skills a CCO needs to successfully navigate the compliance waters in any company? What are some of the top challenges CCOs have faced and how did they meet them? These questions and many others will be explored in this new podcast series. Over four episodes each month on The Compliance Life, I visit with one current or former CCO to explore their journey to the CCO chair. This month, my guest is Asha Palmer, CECO at Convercent.
It was Palmer’s consulting business that helped her better understand the true state of the ethics & compliance profession. She started from first principles, but early on saw that compliance was often treated as a back-office function, with siloed systems and multiple stakeholders. She observed companies trying the same things over and over: stale training, and processes and procedures with unclear objectives. All of this informed her approach to compliance.
Resources
Asha Palmer LinkedIn Profile
Convercent by One Trust
UK Update on Import Tariffs
The UK’s Department for International Trade updated its guidance on import tariffs. Because of the COVID pandemic, some tariffs and VAT have been removed on certain goods. The Kitchen explores where to go and how to look up if your product qualifies for a duty break and how much duty should you expect to pay.
Welcome to a special six-part podcast series, sponsored by Exiger, on the TRADES Framework, a conceptual, strategic and practical guide for Third-Party and Supply Chain Risk Management designed by Exiger to help organizations achieve supply chain resiliency and optimize risk management at any phase of maturity.
In this episode, I visit with Theresa Campobasso, Senior Account Manager, National Security and Intelligence and Matt Hayden, Deputy Lead of GovTech Solutions (Former Assistant Secretary of Homeland Security for Cyber, Infrastructure, Risk, and Resilience) on risk methodology.
It all begins with setting a strong foundation. At the strategic level, you should work to determine the business, third-party and resource threat and opportunity landscape and commit to a definition of risk. At the program level, you should work to develop and maintain the risk assessment methodology and ensure that it is tailored to the specific organization. Then set the standardized guidance for how the following two actions will be conducted. First, look externally to identify which risks align to the organization’s industry and supplier types. Determine the underlying risk indicators to measure supplier risk. Consider both inherent risks to individual suppliers (e.g., supplier financial health) and macro risks (e.g., geopolitical factors, resource shortages, etc.). Second, look internally at the organization by conducting a criticality analysis or “crown jewel assessment” to identify which assets within your organization are essential for mission accomplishment, and ensure the risk framework is aligned to those prioritized critical assets.
Finally, at the entity or tactical level, you should consider both the internal and external view from the program level and identify the specific inherent and macro risks for each third party. Some macro supply chain risks include: disruption due to geopolitical conditions or natural disaster; the COVID-19 pandemic; resource scarcity; catastrophic weather events; operational risks; foreign ownership, control and influence; reputational, compliance and regulatory risk; and financial health.
Theresa related, “A Crown Jewel assessment would look at those key elements that are critical to an organization’s operation and success.” It would include, (1) “What would be the priority targets during a compromise to disrupt the products or services the organization provides.” (2) It would “set a threshold specific to your industry of what the top 10 items are without trying to boil the ocean for an entire organization using impact of loss as a determining factor.” (3) Finally, you need to “customize the methodology based on critical assets such as people, equipment, proprietary intellectual property, etc.” It would provide you a manner to adjust to risk events or indicators based on the products or services the organization provides.
Join us in our next episode where we discuss how to assess current risks with Laura Tulchin and Peter Jackson.
Resources
Exiger TRADES Framework
Exiger Website
Theresa Campobasso
Matt Hayden
The Compliance Budget Process
How Do You Prepare An Annual Compliance Budget? (And Ask For More Money)
Budgeting is one of the most important functions in any corporate discipline. Thought leaders do not often talk about this one in conferences and literature. Yet it is something that every compliance officer, every CCO, and everyone down the compliance chain has to do. Whether it’s a special project such as a Code of Conduct makeover, a major tech upgrade or bringing in an external party to do a comprehensive risk assessment, this episode explores the compliance budgeting process, how to plan for such expenses, and the documentation needed to prepare.
Key points discussed in the episode:
✔️ Determine what your function is responsible for, as it varies at every organization. Identify what resides in your budget and what lives somewhere else.
✔️ Review the guidance. The DOJ’s most recent Evaluation of Corporate Compliance Programs guidance makes it clear that they expect compliance programs to be “adequately resourced and empowered to function effectively.” That means you should budget for enough:
- People to run your program
- Tools to operate and maintain your program
- Resources to make continuous improvements
✔️ Risk assess the program itself – what are the biggest needs? Where do we need more resources? Are we over-resourced in any areas?
- Have internal operations changed?
- Have laws or regs changed – or enforcement ramped up?
- Are there any new risks that we’ve never had before?
✔️Do we have any compliance “messes” or issues that need to be addressed or cleaned up? If so, what will those cost?
✔️ What special projects or improvements are we planning? What do we need to make those projects/improvements successful?
✔️ Benchmarking – look at surveys, talk to other compliance professionals
✔️ Build allies. Talk to anyone who may be able to support or influence your budget. Take the opportunity to explain why you need what you’re asking for and why/how it will help the organization.
✔️ There aren’t any hard and fast rules about budgeting for compliance departments. If you’re under-resourced, it is your job to make enough noise that the C-suite and the board realize what risks underfunding compliance brings to the organization. If nothing else works, use the big guns – worst-case scenarios and how much they could cost.
Welcome to SURVIVE AND THRIVE, the newest addition to the Compliance Podcast Network. This is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear, and give you some lessons learned going forward. This show is hosted by Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation.
Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.

Dan Zitting, previously Chief Product Officer, now holds the title of CEO at Galvanize, a software company that helps its clients achieve their goals and objectives. Tom Fox welcomes him back to this week’s show to talk about fraud risks, and what it means for the compliance professional.
A Period of Change
Rapid change during the pandemic is the main catalyst for the increase in fraud. The move to remote work created new susceptibility to cyber fraud. “The pandemic and the news, and noise created around it, created all kinds of new ways for clever social engineers to talk people into doing things they shouldn’t be doing,” Dan explains to Tom. It’s important for GRC professionals to be aware of and ready for change, he adds. We have to realize that change has sped up and will continue to do so in the business environment, regulatory environment, and social justice areas. The rate at which change will increase will be much greater in the future than it has been in the past.
Choosing The Right Technology
Choosing the right technology to support anti-fraud programs is important. GRC professionals have to shift controls and assess risk fast enough to deal with all the changes that are occurring around them. Having the proper technology on hand can help make their jobs easier. “A lot of technology is effectively built around manually filling out forms, and creating workflows between people to capture risk or assess risk or evaluate controls, and that is just far too slow-moving,” Dan remarks. We need to create automation primarily from data and technology that can evaluate very quickly. We also need to be able to leverage machine learning which will help us identify data that we might not have otherwise known.
Fraud as a Bigger Focus & The Importance of Governance
How fraud connects to the broader array of cybersecurity risks makes it a major focus for CEOs and senior executives. Leaders are seeking to learn more and educate themselves on how compliance officials are analyzing and monitoring the risks, something that was not done as often in the past. Interest in governance within the compliance sector is also gaining headway. Dan explains to Tom that organizations need to have overarching governance strategies that dictate how they look at the incoming risks to the business.
Resources
Dan Zitting | LinkedIn | Twitter
Galvanize