Welcome to a special six-part podcast series, sponsored by Exiger, on the TRADES Framework, a conceptual, strategic and practical guide for Third-Party and Supply Chain Risk Management designed by Exiger to help organizations achieve supply chain resiliency and optimize risk management at any phase of maturity.
In this episode, I visit with Theresa Campobasso, Senior Account Manager, National Security and Intelligence and Matt Hayden, Deputy Lead of GovTech Solutions (Former Assistant Secretary of Homeland Security for Cyber, Infrastructure, Risk, and Resilience) on risk methodology.
It all begins with setting a strong foundation. At the strategic level, you should work to determine the business, third-party and resource threat and opportunity landscape and commit to a definition of risk. At the program level, you should work to develop and maintain the risk assessment methodology and ensure that it is tailored to the specific organization. Then set the standardized guidance for how the following two actions will be conducted. First, look externally to identify which risks align to the organization’s industry and supplier types. Determine the underlying risk indicators used to measure supplier risk. Consider both inherent risks to individual suppliers (e.g., supplier financial health) and macro risks (e.g., geopolitical factors, resource shortages, etc.). Second, look internally at the organization by conducting a criticality analysis or “crown jewel assessment” to identify which assets within your organization are essential for mission accomplishment, and ensure the risk framework is aligned to those prioritized critical assets.
Finally, at the entity or tactical level, you should consider both the internal and external views from the program level and identify the specific inherent and macro risks for each third party. Some macro supply chain risks include: disruption due to geopolitical conditions or natural disaster; the COVID-19 pandemic; resource scarcity; catastrophic weather events, etc.; operational risks; foreign ownership, control and influence; reputational, compliance and regulatory risk; and financial health.
Theresa related, “A Crown Jewel assessment would look at those key elements that are critical to an organization’s operation and success.” It would include, (1) “What would be the priority targets during a compromise to disrupt the products or services the organization provides.” (2) It would “set a threshold specific to your industry of what the top 10 items are without trying to boil the ocean for an entire organization, using impact of loss as a determining factor.” (3) Finally, you need to “customize the methodology based on critical assets such as people, equipment, proprietary intellectual property, etc.” It would provide you a manner to adjust to risk events or indicators based on the products or services the organization provides.
Join us in our next episode where we discuss how to assess current risks with Laura Tulchin and Peter Jackson.
Resources
Exiger TRADES Framework
Exiger Website
Theresa Campobasso
Matt Hayden
The Compliance Budget Process
How Do You Prepare An Annual Compliance Budget? (And Ask For More Money)
Budgeting is one of the most important functions in any corporate discipline. Thought leaders do not often talk about this one in conferences and literature. Yet, it’s something that every compliance officer, every CCO, has to do, along with everyone down the compliance chain. Whether it’s a special project such as a Code of Conduct makeover, a major tech upgrade or bringing in an external party to do a comprehensive risk assessment — explore the compliance budgeting process and learn how to plan for such expenses and understand the documentation needed to prepare.
Key points discussed in the episode:
✔️ Determine what your function is responsible for, as it varies at every organization. Identify what resides in your budget and what lives somewhere else.
✔️ Review the guidance. The DOJ’s most recent Evaluation of Corporate Compliance Programs guidance makes it clear that they expect compliance programs to be “adequately resourced and empowered to function effectively.” That means you should budget for enough:
- People to run your program
- Tools to operate and maintain your program
- Resources to make continuous improvements
✔️ Risk assess the program itself – what are the biggest needs? Where do we need more resources? Are we over-resourced in any areas?
- Have internal operations changed?
- Have laws or regs changed – or enforcement ramped up?
- Are there any new risks that we’ve never had before?
✔️ Do we have any compliance “messes” or issues that need to be addressed or cleaned up? If so, what will those cost?
✔️ What special projects or improvements are we planning? What do we need to make those projects/improvements successful?
✔️ Benchmarking – look at surveys, talk to other compliance professionals
✔️ Build allies. Talk to anyone who may be able to support or influence your budget. Take the opportunity to explain why you need what you’re asking for and why/how it will help the organization.
✔️ There aren’t any hard and fast rules about budgeting for compliance departments. If you’re under-resourced, it is your job to make enough noise that the C-suite and the board realize what risks underfunding compliance brings to the organization. If nothing else works, use the big guns – worst-case scenarios and how much they could cost.
—————————————————————————-
Welcome to SURVIVE AND THRIVE, the newest addition to the Compliance Podcast Network. This is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear, and give you some lessons learned going forward. This show is hosted by Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation.
Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.

Dan Zitting, previously Chief Product Officer, now holds the title of CEO at Galvanize, a software company that helps its clients achieve their goals and objectives. Tom Fox welcomes him back to this week’s show to talk about fraud risks, and what it means for the compliance professional.
A Period of Change
Rapid change during the pandemic is the main catalyst for the increase in fraud. The move to remote work created new susceptibility to cyber fraud. “The pandemic and the news, and noise created around it, created all kinds of new ways for clever social engineers to talk people into doing things they shouldn’t be doing,” Dan explains to Tom. It’s important for GRC professionals to be aware of and ready for change, he adds. We have to realize that change has sped up and will continue to do so in the business environment, regulatory environment, and social justice areas. The rate at which change will increase will be much greater in the future than it has been in the past.
Choosing The Right Technology
Choosing the right technology to support anti-fraud programs is important. GRC professionals have to shift controls and assess risk fast enough to deal with all the changes that are occurring around them. Having the proper technology on hand can help make their jobs easier. “A lot of technology is effectively built around manually filling out forms, and creating workflows between people to capture risk or assess risk or evaluate controls, and that is just far too slow-moving,” Dan remarks. We need to create automation primarily from data and technology that can evaluate very quickly. We also need to be able to leverage machine learning which will help us identify data that we might not have otherwise known.
Fraud as a Bigger Focus & The Importance of Governance
How fraud connects to the broader array of cybersecurity risks makes it a major focus for CEOs and senior executives. Leaders are seeking to learn more and educate themselves on how compliance officials are analyzing and monitoring the risks, something that was not done as often in the past. Interest in governance within the compliance sector is also gaining headway. Dan explains to Tom that organizations need to have overarching governance strategies that dictate how they look at the incoming risks to the business.
Resources
Dan Zitting | LinkedIn | Twitter
Galvanize
In today’s edition of Daily Compliance News:
- Two Americans convicted of helping smuggle Carlos Ghosn out of Japan were each sentenced. (NYT)
- J&J weighing whether to use bankruptcy laws to shield itself from talc lawsuits. (Reuters)
- For WeWork, the chicken was to come before the egg. (WSJ)
- Ackerman SPAC purchase of Universal Music squashed by SEC. (NYT)
Have you ever worked for a horrible boss? If you are a boss, how do you know that YOU aren’t the horrible boss?
In today’s #jammingwithjason #podcast episode we discuss the changes in work mentality and how leadership should change in order to promote a better working environment.
So let’s leave the old broken model of command-and-control corporate leadership behind and start adopting better leadership styles that promote a better work culture, are more authentic, and come from a place of internal power and love.
Listen in at: http://www.jasonmefford.com/jammingwithjason/

EMIR REFIT & Regulatory Harmonization
In this episode, our team of global transaction reporting experts, Alexis Wiazmitinoff and Nicklas Nilsson discuss changes coming to EMIR REFIT in 2022 and beyond. With the markets moving towards a harmonization of data elements across regulations, how will that provide regulators with a more complete and holistic view of OTC derivatives and improve operational efficiency for financial firms?
About Our Guest Speakers:
Alexis Wiazmitinoff is a Product Leader at CSS, responsible for leading the Global Transaction Reporting (GTR) solution. He is responsible for setting the GTR product roadmap and strategy. He guides the GTR product team during sales/pre-sales engagements, product design/delivery and thought leadership, and takes part in client events. Alexis has 10 years of FinTech experience and a strong background working with traders, portfolio managers and front-to-back office personnel as part of core banking transformation projects on the continent and in the UK. Prior to joining CSS, Alexis product managed London Stock Exchange Group’s EMIR Trade Repository.

Nicklas Nilsson is a Regulatory Specialist at CSS concentrating on global transaction reporting, including SFTR, MiFIR and EMIR. Nicklas is currently in a cross-functional role covering the regulations from analysis to implementation. He has eight years of experience working in the finance industry, including operational experience in fund reporting and regulatory implementation. Prior to joining CSS, Nicklas held positions at Swedbank, SEB and Wahlstedt Sageryd.
FinCEN Priorities
The Financial Crimes Enforcement Network (FinCEN) issued a policy on government-wide priorities (“Priorities”) for anti-money laundering (AML) and countering the financing of terrorism (CFT). The Priorities identify and describe the most significant AML/CFT threats that the US is facing – the Kitchen is there to take a closer look at what goes into this recipe.
Welcome to a special six-part podcast series, sponsored by Exiger, on the TRADES Framework, a conceptual, strategic and practical guide for Third-Party and Supply Chain Risk Management designed by Exiger to help organizations achieve supply chain resiliency and optimize risk management at any phase of maturity. Exiger was founded to fight financial crime, fraud and terrorist financing by introducing technology-enabled solutions to the market’s biggest supply chain, risk, investigation, litigation, and compliance challenges. A global authority on risk and compliance, Exiger serves the world’s largest banks, Fortune 1000 companies and government agencies and regulators. In this first episode, we consider transparency with Skyler Chi and Tim Stone.
The TRADES Framework is an important evolution in a rapidly evolving ecosystem of third-party and supply chain risk management. There is a wide variety of risks that could be in your supply chain, including both distributor risks and vendor risks. The urgency of establishing best practices in this area was driven home most forcefully during the Coronavirus pandemic as governments at all levels were trying to secure the vaccines, Personal Protective Equipment (PPE) and pharmaceuticals that were needed. There have also been legislative initiatives, with laws such as the German Supply Chain Act starting to gain momentum. There are also, of course, the modern slavery issues discussed earlier and the ESG revolution.
Tim Stone related that “T is for ‘Transparency of Current State’.” There are different levels of transparency. He focused on the Entity Level, where the goal is to identify the full third-party ecosystem. Another way to think about it is “taking stock”. This stage involves illuminating your current state of affairs and identifying your vendor ecosystem.
The next step is how to build this initial tier of reliably accurate, validated, and de-duplicated entities that are mapped to business units, products, and use-case. You want as comprehensive a supplier and third-party ecosystem as possible. So how do you gain this transparency?
The first step is to identify your internal supply data elements. You need to review your organization’s contracts and other paperwork, as well as engage stakeholders across the organization in a fact-finding exercise, to arrive at a golden source of suppliers and vendors, and then map those entities to the products, business units, and use cases across the organization. Next, you should review external supply data elements.
“Transparency” is also about illuminating risk, which here means identifying the risks posed by the entities in a client’s supply chain. These risks are either inherent or imposed. Determining inherent risk is where Exiger’s AI-powered due diligence platform, DDIQ, shines. DDIQ finds and categorizes risk information about focal companies and people. The platform searches hundreds of structured (e.g., watchlists) and unstructured (e.g., media) data sources and performs thousands of targeted queries – using proprietary search strings associated with different risk types and specific risky entities – to isolate and categorize risk information about a focal entity.
Next is imposed risk, which is “an aggregate view of a company’s upstream reliance on certain countries, such as China, for its receipt of goods. This extent of a higher risk country’s upstream footprint in a company’s supply chain is indicative of greater risk.” It also includes risk through downstream supply chain risk analysis to isolate where a company’s products are ultimately ending up.
Transparency also speaks to the governance and accountability associated with third-party (TP) and Supply Chain Risk Management (SCRM). There is a Strategic Level and a Program Level. As Skyler related, you should create and document a TP&SCRM mission statement and purpose explanation, understand how mature your program is, and create a baseline analysis of the program’s maturity. You then develop and maintain policies and procedures, which provide guidance, and determine the right risk-area stakeholders and governance forums.
From this point, you should work to determine communication and workflows to operate the TP&SCRM program. This can be done through several steps, including data sourcing and right-sized technology aligned to the TRADES framework to ensure a single source of truth for each third party, supply chain, and overall program; continuous evaluation and improvements of the framework and periodic refreshes or reviews to assess industry/risk changes and best practices. Finally, it would lead to the creation of principles and guidance to help company stakeholders take risk-related decisions and actions.
Join us in our next episode, where we discuss the Risk Methodology with Theresa Campobasso and Matt Hayden.
Resources
Exiger TRADES Framework
Exiger Website
Skyler Chi
Tim Stone
Episode 070 – Benjamin Halpert

In this episode of The Ethics Experts, Nick welcomes Benjamin Halpert, head of ethics and compliance at Anheuser-Busch, to the show.
Jason Mefford
In this Episode of the FCPA Compliance Report, I am joined by Jason Mefford, a top thought leader in internal controls. We discuss his podcast Jamming with Jason, his online academy cRisk Academy and a unified theory of risk management. Highlights include:
- Why he began his podcast.
- How professionals consume information and content in 2021.
- Why he founded cRisk Academy.
- Unified risk management.
- What’s new in internal controls.
- The current state of live music.
Resources
Jason Mefford on LinkedIn
Jamming with Jason
cRisk Academy
