Welcome to a special six-part podcast series, sponsored by Exiger, on the TRADES Framework, a conceptual, strategic and practical guide for Third-Party and Supply Chain Risk Management designed by Exiger to help organizations achieve supply chain resiliency and optimize risk management at any phase of maturity. In this episode, I visited with Carrie Wibben, Senior Vice President, Exiger Federal Solutions, and Aaron Narva, Senior Vice President, Head of Corporate Markets, on determining risk mitigations.

The next critical element of the TRADES framework is around determining the mitigation of risk—what actions or steps can and should be taken to reach a point where the specific risks of a supplier or supply chain element are well enough understood and controlled to move forward with a business relationship? Narva explained, “Determining mitigations is a delicate balance of all of the preceding elements of the TRADES framework—it’s about understanding the specific impacts that risk can have on the specific parts of your third party population, it’s about taking a risk based approach, and it’s about understanding your operational bandwidth to take specific mitigation actions and knowing when to just accept the minimal risk and move on for the operational benefit.” While most compliance professionals will be comfortable with this approach, you always need to remember that no one size fits all.

Risk management and compliance professionals seek out and rely upon frameworks that are multiple priorities, such an approach can be used to get executive stakeholder buy-in and drive budget decisions to invest in critical compliance and risk management tools and program changes to elevate supply chain risk insights and truly transform the way most organizations perform supply chain management.

Wibben noted, “This element is really about problem solving and taking specific actions to remediate risks ultimately to drive a supply chain ecosystem that is secure and resilient, but without compromising operational efficiency. By this I mean, at this point in the framework, you have set your organization’s objectives and risk thresholds – you have considered what risks you are willing to accept, what risks can you transfer, segregate, or otherwise mitigate, and what risks you need to immediately take action to remove or avoid altogether.” Moreover, this is the step where you separate the wheat from the chaff. The process has to be driven by a risk-based approach that allows a broad spectrum of mitigations to be used to develop your mitigation plan, including timelines and milestones to address the supply chain risks that negatively impact the integrity and security of your supply chain.

Mitigating risks requires a high degree of both critical and creative thinking and solutioning. Wibben said, “That’s really why I personally believe that determining mitigations is one of the most challenging elements of Supply Chain Risk Management because of really two primary things, 1) the complexity, and oftentimes, the ambiguity and constantly evolving nature of the sub-tier supplier ecosystem, and then 2) the secondary and tertiary consequences of risk mitigation work, which includes potential impacts to upstream and downstream cost, schedule, and operations.”

I asked Narva about some of the work Exiger is doing with corporate compliance functions to determine mitigations. He said, “on the corporate side, we are seeing many clients utilizing third party outreach as a form of mitigation. Third parties can provide proof of their controls, whether it’s corruption, environmental or cyber risk with documentation such as policies and procedures and certifications.” In the age of Covid-19, “some clients are performing an on-site audit in instances of very high risk, but we have seen a lot of that activity move to video calls, which interestingly enough, allows clients to do more of this type of risk mitigation. At the end of the day, our clients’ approaches to mitigation are as varied as their business models and the risks they face.” Such risk mitigation strategies as contractual clauses, refresh periods, and risk committees are also frequently part of the risk mitigation approach, as are deeper levels of diligence, all the way up to and including discreet reputational inquiries in instances where it is justified.

Join us tomorrow, when we discuss the step of evaluating the TRADES Framework uplift with Brandon Daniels and Josh Thiel.

