Welcome to a special six-part podcast series, sponsored by Exiger, on the TRADES Framework, a conceptual, strategic and practical guide for Third-Party and Supply Chain Risk Management designed by Exiger to help organizations achieve supply chain resiliency and optimize risk management at any phase of maturity.
Exiger’s TRADES framework & maturity model is a cutting-edge but actionable blueprint to build a modern third-party & supply chain risk management program; over the next six episodes, I will be speaking with Exiger’s experts as we go through each layer of the TRADES framework at the tactical, program and strategic levels. We put a spotlight on transparency into your current state with Skyler Chi and Tim Stone; discuss the risk methodology with Theresa Campobasso and Matt Hayden; assess current risks with Laura Tulchin and Peter Jackson; determine mitigations with Carrie Wibben and Aaron Narva; evaluate the TRADES Framework uplift with Brandon Daniels and Josh Thiel; and end with Brandon Daniels and Erika Peters, who give a review of supplier monitoring and close us out with an update on how government and critical industry are leading the charge using TRADES to outpace threats and vulnerabilities while minimizing third-party and supply chain risk management gaps. In this concluding episode, I am joined by Brandon Daniels, President, Global Markets, and Erika Peters, Managing Director, Global Markets Group Head of Tech Transformation, to look at supplier monitoring and provide some concluding remarks.
We began with the oversight and monitoring of suppliers within the vendor ecosystem, which is the final pillar of the TRADES framework. Peters noted that it is the pillar which “upholds the long-term adherence to the other elements of the framework and ensures the evolution of the program over time as the threat landscape similarly evolves and changes.” In other words, an organization only continues to benefit from the clear, concise data gathered on its supplier ecosystem if stakeholders own that data and apply it through a clear risk framework.
As the Department of Justice (DOJ) has consistently made clear in other compliance areas, Peters related that companies “should ensure their view of the risk and opportunity landscape is monitored and dynamically addressed through continuous improvement.” It is more than simply a “risk assessment of a third party, which then is put on a shelf,” because risks change and evolve. Both third-party and external risk factors must be monitored. Doing so allows you to react faster, “in turn minimizing the potential business impact and ultimately the bottom line.” Ongoing monitoring gives you quick insights, allowing you to be proactive rather than reactive in risk management when you discover that a partner carries reputational risk, such as being owned by a sanctioned entity or being associated with fraud or corruption.
Daniels expanded on this by explaining that if you establish a high degree of transparency into your supplier network or your distributor network, it will also surface the critical third, fourth, fifth and sixth parties that you need to monitor at this last phase. You will then be able to evaluate the efficacy of the risk methodology and the risk assessment that you are conducting on those vendors. Through the implementation of the TRADES Framework, you will have a “constant refresh of those data inputs that you created, that you curated, that you sourced in order to initially instigate your supplier monitoring, or excuse me, your supplier risk assessment. Just refreshing those data points, essentially will just constantly recalibrate, constantly monitor, constantly find those spikes that peak out to you.”
Increasingly, Daniels believes these types of risk are “not linear. They are octagonal.” He explained that an organization “could have a risk in your operational issues. You could have a risk in cyber, you could have a risk in legal, you could have a risk in reputational business dealings.” The key is that “as long as you consistently refresh those inputs that you have used in order to initially assess the priorities of risk that you have across your third-party, fourth-party, fifth-party, sixth-party ecosystem, then you are inherently doing supplier monitoring.”
This type of continuous review and monitoring gives you insight into the future because “you are essentially testing the things that get left behind. Those low-risk vendors, those medium-risk vendors that sit below a threshold of risk tolerance and making sure that you’ve got the right risk prioritization in place to instigate an alert when you need it.” It is also more cost-effective, as you are able to move away from the costly retrospective audit conducted two years down the road. Daniels said, “These routine audits, these big projects, these million-dollar projects that we do every year in order to refresh 10,000 out of the 20,000 total vendors that we know we’ve got or to do deep due diligence on 5,000 of them randomly on an audit basis, that used to cost us so much money, we’re now doing that incrementally, turning this into a much lower operational cost for us because now we’re instigating when something changes.”
Finally, implementing this appropriately means continuously making sure that “you 1) update your data inputs, 2) making sure that you are assessing your risk framework, and 3) ensuring that as long as you don’t have major changes to your risk landscape,” you are “lowering the friction of compliance and actually make compliance a business accelerant when you have found third parties and supply chains that are able to deliver for you on time and cost effectively.”
Resources
Exiger TRADES Framework
Exiger Website
Brandon Daniels
Erika Peters
Today we consider the TRADES Framework uplift evaluation with Brandon Daniels, President, Global Markets, and Josh Thiel, Executive Intern (Former Commander of Special Operations Task Force).
Daniels said the TRADES Framework began with the “basics and those basics included the three lines of defense, and that’s what you’ve heard in the T, the R, the A and the D that have come before us. You’ve heard about how you as a first line of defense, as a business, as a business function, as maybe a compliance function working with the business as a sort of middle office build transparency into your supply chain. That’s good for business dynamics, but that’s good for compliance dynamics too. And as we know, good compliance is good business, right? And so, when you think about the journey you’ve been through across the T, the R, the A and the D, transparency, and then your risk methodology linking to your strategic objectives, is a critical first line of defense function.”
Next is the second line of defense. Here an organization assesses its priorities and ensures mitigation of risk. Through the TRADES Framework, you can blend the first and second lines of defense. Daniels continued, “the only way that you can achieve new levels in risk management and compliance maturity, the only way that you can know that what you’ve done in your T, R, A and D elements is to next incorporate the third line of defense. That is where the ‘E’ comes in, Evaluate Framework Uplift.”
You take the efficacy of the prior four parts of this process and assess it from an independent and objective perspective. Some of the questions you would ask include “Do you actually have the right vendors? Do you have the data associated with those vendors to support your risk assessment? Are you biasing your risk assessment in any way by having insufficient data inputs? Have those check-in challenge functions that should be in disruption, mitigation been effective? Have you really truly got accountable stakeholders, or do you have compliance kind of carrying the water for the business?” These are critical questions that everyone needs to ask as they assess the impact that the T, R, A and D, and especially the ‘D’, have made on their organization. Evaluating your Framework Uplift means you assess, from an audit and assurance perspective, the impact of the mitigations, adherence to the mitigations and your risk acceptance.
Thiel spoke to the operational perspective, beginning at the strategic level with governance. The strategic leaders, the senior leaders, establish the governance, the policies and the expectations, allocate the resources, and determine Return on Investment (ROI) to see if “they got a return on the dollar at this period in time, because ultimately the goal is to reduce the risk of the organization. That’s what the strategic leaders are assessing in the E portion.”
Some risks, such as reputational risk, are intangible and therefore hard to measure. Oftentimes, though, the savings impact from Supply Chain Risk Management (SCRM) is very direct and clear, and it is easy for senior leaders to quantify. Thiel provided the following example from the Department of Defense (DOD), “where the DOD made an evaluation of vendor screen based on fraudulent procurement during COVID which cost the US Government $500 million. It’s a perfect example of how vendors were bidding in this frenzy, but were effectively screened out based on their actual ability to deliver. That was important feedback for those senior leaders as they decided in the next phase to go ahead and adopt some sort of SCRM software,” a decision Thiel said was specifically based on Exiger software performance. “At the strategic level, that’s the focus of the strategic leader.”
We then drilled down into the tactical level, where the Evaluation Phase is built on real collection of both quantitative and qualitative information. Here Thiel explained that a “company can easily run itself and its vendor ecosystem in the T and R phases of the maturity model; and then run itself again after the mitigation plans are implemented. By using the same risk models and dashboards, clients can clearly.”
Yet, as with other data analytics solutions in the compliance, risk management and Supply Chain space, quantitative analysis alone is not enough. I would say you must always have the human element involved. Thiel phrased it as “Qualitative information is critical to add context and to answer the ‘why.’ Why did the mitigation plan decrease or increase the risk? The tactical quantitative assessment could include techniques like questionnaires for Third Parties, internal stakeholders, transportation partners, and downstream clients.” Either way you phrase it, there must be a human evaluation and provision for future plans.
Join us for our concluding episode, when Brandon Daniels and Erika Peters give a review of supplier monitoring and an update on how government and critical industry are leading the charge using TRADES to outpace threats and vulnerabilities while minimizing third-party and supply chain risk management gaps.
Resources
Exiger TRADES Framework
Exiger Website
Brandon Daniels
Josh Thiel
In this episode, I visited with Carrie Wibben, Senior Vice President, Exiger Federal Solutions, and Aaron Narva, Senior Vice President, Head of Corporate Markets, on determining risk mitigations.
The next critical element of the TRADES framework is determining the mitigation of risk—what actions or steps can and should be taken to reach a point where the specific risks of a supplier or supply chain element are well enough understood and controlled to move forward with a business relationship? Narva explained, “Determining mitigations is a delicate balance of all of the preceding elements of the TRADES framework—it’s about understanding the specific impacts that risk can have on the specific parts of your third party population, it’s about taking a risk based approach, and it’s about understanding your operational bandwidth to take specific mitigation actions and knowing when to just accept the minimal risk and move on for the operational benefit.” While most compliance professionals will be comfortable with this approach, you always need to remember that no one size fits all.
Risk management and compliance professionals seek out and rely upon frameworks that address multiple priorities. Such an approach can be used to get executive stakeholder buy-in and drive budget decisions to invest in critical compliance and risk management tools and program changes, elevating supply chain risk insights and truly transforming the way most organizations perform supply chain management.
Wibben noted, “This element is really about problem solving and taking specific actions to remediate risks ultimately to drive a supply chain ecosystem that is secure and resilient, but without compromising operational efficiency. By this I mean, at this point in the framework, you have set your organization’s objectives and risk thresholds – you have considered what risks you are willing to accept, what risks you can transfer, segregate, or otherwise mitigate, and what risks you need to immediately take action to remove or avoid altogether.” This is the step where you separate the wheat from the chaff. The process has to be driven by a risk-based approach that allows a broad spectrum of mitigations to be used in developing your mitigation plan, including timelines and milestones to address the supply chain risks that negatively impact the integrity and security of your supply chain.
Mitigating risks requires a high degree of both critical and creative thinking and solutioning. Wibben said, “That’s really why I personally believe that determining mitigations is one of the most challenging elements of Supply Chain Risk Management because of really two primary things, 1) the complexity, and oftentimes, the ambiguity and constantly evolving nature of the sub-tier supplier ecosystem, and then 2) the secondary and tertiary consequences of risk mitigation work, which includes potential impacts to upstream and downstream cost, schedule, and operations.”
I asked Narva about some of the work Exiger is doing with corporate compliance functions to determine mitigations. He said, “on the corporate side, we are seeing many clients utilizing third party outreach as a form of mitigation. Third parties can provide proof of their controls, whether it’s corruption, environmental or cyber risk, with documentation such as policies and procedures and certifications.” In the age of Covid-19, “some clients are performing an on-site audit in instances of very high risk, but we have seen a lot of that activity move to video calls, which interestingly enough, allows clients to do more of this type of risk mitigation. At the end of the day, our clients’ approaches to mitigation are as varied as their business models and the risks they face.” Risk mitigation strategies such as contractual clauses, refresh periods, and risk committees are also frequently part of the approach, as are deeper levels of diligence, up to and including discreet reputational inquiries in instances where they are justified.
Join us tomorrow, when we discuss the next step, evaluating the TRADES Framework uplift, with Brandon Daniels and Josh Thiel.
Resources
Exiger TRADES Framework
Exiger Website
Aaron Narva
Carrie Wibben
In this episode, I visit with Laura Tulchin, ESG Solutions Lead, and Peter Jackson, Director of SCRM Data Management & Innovation, on assessing your current risks.
According to Jackson, “The A in the TRADES framework stands for ‘Assess Current Risks.’ In steps One and Two, you have been planning and preparing your supply chain risk assessment; now it’s time to actually carry it out. The more robust your preparation, the easier this step will be, but don’t be concerned if you find it necessary to go back and forth between this step and the previous stages. Sometimes we have expectations about the data that’s available, or we make assumptions about overall risk, that are quickly disproven as we move to actually assess our risk. When that happens, simply back up and iterate on the planning stage to find another approach. Assessing current risks breaks down into three levels.”
The Strategic Level. Tulchin says you should begin at the Strategic Level: “To maintain a robust, long-term third-party and supply chain risk management framework, organizations must agree to and document a broad risk appetite statement. Start at the strategic level.” Moreover, “A risk appetite statement is absolutely critical to defining the workflow for you of the outputs of the risk assessment.”
We moved to the risk appetite statement, which Tulchin said “is going to give you guidelines about what is acceptable risk and what is not. It’s extremely important to put in thresholds and metrics to make the results of the risk assessment actionable – KRIs that tell you when things are moving toward unacceptability and what to do then.” Additionally, “Ultimately, the risk assessment is going to strategically define a workflow for you of the outputs of the risk assessment.” Finally, your “risk assessment methodology should ensure that the risk model meets your business need and risk profile – in other words, align with the way that your organization sees the world.”
The Program Level. Implementing a risk assessment program begins with defining the risk assessment application and prioritization process. From there, organizations need to determine the frequency of risk assessments and establish policies to escalate risk events. Risk thresholds and decision-making processes must be clearly documented.
Jackson said that at this level, “it’s time to buckle down and collect, analyze, and synthesize the data you need to identify your risks and fit them into your risk appetite. Something to keep in mind as you carry out your plan at the program level is that there are both weak points and strong points in any supply chain.” While many aspects of the risk model focus on identifying potential weaknesses or vulnerabilities in a supply chain, the flip side of that analysis is discovering the best and strongest parts of your supply chain as well.
Moreover, the Program Level is “the perfect place to identify what is working well and to investigate why is it working well. Since we use risk as a starting place, we can look at the bottom of the list—the lowest-risk areas—to look for positive practices that can be replicated throughout your supply chain. Program level risk assessment is the right place to drive value creation as well. Although supply chain risk is focused on reducing vulnerabilities, there is also tremendous potential here for discovering efficiencies and creating significant value capture from your supply chain as well.”
Tactical Level. At a tactical level, the risk assessment process should include application, visualization and a vulnerability evaluation. Individual third-party risk assessments, critical supplier assessments as well as supply chain assessments should all be included as part of an organization’s risk assessment application. That risk should then be visualized to depict third-party and supply chain portfolio risk areas and indicators to provide actionable intelligence and allow for the prioritization of investigation and mitigation efforts in an efficient manner. A high-level comprehensive assessment should evaluate overall vulnerabilities across the complete level.
Here implementing the risk assessment may mean different things for different entities based upon criticality. Tulchin related, “certain types of suppliers may be subject to more stringent data collection that leads to a more comprehensive risk model that brings in a large swath of data.” It could also be that you “want to perform a risk assessment within a given supplier relationship. As defined by the risk model design/methodology, tiering with regard to the need to perform micro or single entity risk assessments.” Finally, there “may be certain suppliers, or a certain high-risk jurisdiction, or a certain critical product that require single-focus risk assessments to bring that data into an overall program review.”
Jackson feels the Tactical Level “is the place where you are most likely to discover the need to iterate on your supply chain risk model design. The tactical level is where you can best identify any persistent information gaps or determine the need for data orchestration.” Yet he cautioned, “It’s also important to keep in mind that the outputs of your assessment will be responsive to your risk priorities.” Finally, he emphasized that it is “critical to keep in mind that we aren’t assessing just for the sake of assessing. Especially at the tactical level here, always keep in mind how your organization can use the work that you’re doing and put your outputs to immediate use. If your findings are more strategic in nature, then the changes may be sweeping organizational solutions; if your findings are more tactical, then perhaps they will result in only a small tweak to a specific buying pattern or relationship. As you carry out your risk model plans in this step, always keep in mind a clear path ahead for any given outcome.”
Join us in our next episode, where we discuss determining mitigations with Carrie Wibben and Aaron Narva.
Resources
Exiger TRADES Framework
Exiger Website
Laura Tulchin
Peter Jackson
In this episode, I visit with Theresa Campobasso, Senior Account Manager, National Security and Intelligence, and Matt Hayden, Deputy Lead of GovTech Solutions (Former Assistant Secretary of Homeland Security for Cyber, Infrastructure, Risk, and Resilience), on risk methodology.
It all begins with setting a strong foundation. At the strategic level, you should work to determine the business, third-party and resource threat and opportunity landscape and commit to a definition of risk. At the program level, you should develop and maintain the risk assessment methodology and ensure that it is tailored to the specific organization. Then set the standardized guidance for how the following two actions will be conducted. First, look externally to identify which risks align to the organization’s industry and supplier types. Determine the underlying risk indicators used to measure supplier risk. Consider both inherent risks to individual suppliers (e.g., supplier financial health) and macro risks (e.g., geopolitical factors, resource shortages, etc.). Second, look internally at the organization by conducting a criticality analysis or “crown jewel assessment” to identify which assets within your organization are essential for mission accomplishment, and ensure the risk framework is aligned to those prioritized critical assets.
Finally, at the entity or tactical level, you should consider both the internal and external view from the program level and identify the specific inherent and macro risks for each third party. Some macro Supply Chain risks include: disruption due to geopolitical conditions or natural disaster; the COVID-19 pandemic; resource scarcity; catastrophic weather events; operational risks; foreign ownership, control and influence; reputational, compliance and regulatory risk; and financial health.
Campobasso related, “A Crown Jewel assessment would look at those key elements that are critical to an organization’s operation and success.” It would include (1) “What would be the priority targets during a compromise to disrupt the products or services the organization provides.” (2) It would “set a threshold specific to your industry of what the top 10 items are without trying to boil the ocean for an entire organization using impact of loss as a determining factor.” (3) Finally, you need to “customize the methodology based on critical assets such as people, equipment, proprietary intellectual property, etc.” It gives you a way to adjust to risk events or indicators based on the products or services the organization provides.
Join us in our next episode where we discuss how to assess current risks with Laura Tulchin and Peter Jackson.
Resources
Exiger TRADES Framework
Exiger Website
Theresa Campobasso
Matt Hayden
Exiger was founded to fight financial crime, fraud and terrorist financing by introducing technology-enabled solutions to the market’s biggest supply chain, risk, investigation, litigation, and compliance challenges. A global authority on risk and compliance, Exiger serves the world’s largest banks, Fortune 1000 companies and government agencies and regulators. In this first episode, we consider transparency with Skyler Chi and Tim Stone.
The TRADES Framework is an important evolution in a rapidly evolving ecosystem of third-party and supply chain risk management. There is a wide variety of risks that could be in your Supply Chain, including both distributor risks and vendor risks. The urgency of establishing best practices in this area was driven home most forcefully during the Coronavirus pandemic as governments at all levels were trying to secure the vaccines, Personal Protective Equipment (PPE) and pharmaceuticals that were needed. There have also been legislative initiatives, with laws such as the German Supply Chain Act starting to gain momentum, as well as the modern slavery issues discussed earlier and the ESG revolution.
Tim Stone related that “T is for ‘Transparency of Current State.’” There are different levels of transparency. He focused on the Entity Level, where the goal is to identify the full third-party ecosystem. Another way to think about it is “taking stock”: this stage involves illuminating your current state of affairs and identifying your vendor ecosystem.
The next step is building this initial tier of reliably accurate, validated, and de-duplicated entities that are mapped to business units, products, and use cases. You want as comprehensive a supplier and third-party ecosystem as possible. So how do you gain this transparency?
The first step is to identify your internal supply data elements. Review your organization’s contracts and other paperwork, engage stakeholders across the organization in a fact-finding exercise to arrive at a golden source of suppliers and vendors, and then map those entities to the products, business units, and use cases across the organization. Next, review your external supply data elements.
“Transparency” is also about illuminating risk, which here means identifying the risks posed by the entities in a client’s supply chain. These risks are either inherent or imposed. Determining inherent risk is where Exiger’s AI-powered due diligence platform, DDIQ, shines. DDIQ finds and categorizes risk information about focal companies and people. The platform searches hundreds of structured (e.g., watchlists) and unstructured (e.g., media) data sources and performs thousands of targeted queries – using proprietary search strings associated with different risk types and specific risky entities – to isolate and categorize risk information about a focal entity.
Next is imposed risk, which is “an aggregate view of a company’s upstream reliance on certain countries, such as China, for its receipt of goods. This extent of a higher risk country’s upstream footprint in a company’s supply chain is indicative of greater risk.” It also includes downstream supply chain risk analysis to isolate where a company’s products are ultimately ending up.
Transparency also speaks to the governance and accountability associated with third-party (TP) and Supply Chain Risk Management (SCRM). There is a Strategic Level and a Program Level. As Skyler Chi related, you should create and document a TP&SCRM mission statement and purpose explanation, understand how mature your program is, and create a baseline analysis of the program’s maturity. You then develop and maintain policies and procedures, which provide guidance and determine the right risk-area stakeholders and governance forums.
From this point, you should work to determine the communication and workflows needed to operate the TP&SCRM program. This involves several steps, including data sourcing and right-sized technology aligned to the TRADES framework to ensure a single source of truth for each third party, supply chain, and the overall program; continuous evaluation and improvement of the framework; and periodic refreshes or reviews to assess industry/risk changes and best practices. Finally, it leads to the creation of principles and guidance to help company stakeholders take risk-related decisions and actions.
Join us in our next episode, where we discuss the Risk Methodology with Theresa Campobasso and Matt Hayden.
Resources
Exiger TRADES Framework
Exiger Website
Skyler Chi
Tim Stone