Welcome to a special six-part podcast series, sponsored by Exiger, on the TRADES Framework, a conceptual, strategic and practical guide for Third-Party and Supply Chain Risk Management designed by Exiger to help organizations achieve supply chain resiliency and optimize risk management at any phase of maturity. Today we consider the TRADES Framework uplift evaluation with Brandon Daniels, President, Global Markets and Josh Thiel, Executive Intern (Former Commander of Special Operations Task Force).
Daniels said the TRADES Framework began with the “basics and those basics included the three lines of defense, and that’s what you’ve heard in the T, the R, the A and the D that have come before us. You’ve heard about how you as a first line of defense, as a business, as a business function, as maybe a compliance function working with the business as a sort of middle office build transparency into your supply chain. That’s good for business dynamics, but that’s good for compliance dynamics too. And as we know, good compliance is good business, right? And so, when you think about the journey you’ve been through across the T, the R, the A and the D, transparency, and then your risk methodology linking to your strategic objectives, is a critical first line of defense function.”
Next is the second line of defense. Here, an organization assesses its priorities and ensures mitigation of risk. Through the TRADES Framework, you can blend the first and second lines of defense. Daniels continued, “the only way that you can achieve new levels in risk management and compliance maturity, the only way that you can know that what you’ve done in your T, R, A and D elements is to next incorporate the third line of defense. That is where the ‘E’ comes in, Evaluate Framework Uplift.”
You have to take the efficacy of the prior four parts of this process, and you are assessing them from an independent and objective perspective. Some of the questions you would ask include “Do you actually have the right vendors? Do you have the data associated with those vendors to support your risk assessment? Are you biasing your risk assessment in any way by having insufficient data inputs? Have those check-in challenge functions that should be in disruption, mitigation been effective? Have you really truly got accountable stakeholders, or do you have compliance kind of carrying the water for the business?” These are critical questions that everyone needs to ask as they assess the impact that the T, R, A and D have made on their organization, and especially the ‘D’. Evaluating your Framework Uplift then means you have to assess, from both an audit and an assurance perspective, the impact of the mitigation, the adherence to mitigations and your risk acceptance.
Thiel spoke to the operational perspective, beginning at the strategic level and governance. The strategic leaders, the senior leaders, establish the governance, establish the policies and the expectations, allocate the resources, and determine Return on Investment (ROI) to see if “they got a return on the dollar at this period in time, because ultimately the goal is to reduce the risk of the organization. That’s what the strategic leaders are assessing in the E portion.”
While some of the risks are intangible or reputational and hard to measure, oftentimes the savings impact from Supply Chain Risk Management (SCRM) is very direct and clear, and it’s easy for the senior leaders to quantify it. Thiel provided the following example from the Department of Defense (DOD), “where the DOD made an evaluation of vendor screen based on fraudulent procurement during COVID which cost the US Government $500 million. It’s a perfect example of how vendors were bidding in this frenzy, but were effectively screened out based on their actual ability to deliver. That was important feedback for those senior leaders as they decided in the next phase to go ahead and adopt some sort of SCRM software” and it was specifically based on Exiger software performance. At the strategic level, that’s the focus of the strategic leader.
We then drilled down into the tactical level, where the Evaluation Phase is built on real collection of both quantitative and qualitative information. Here Thiel explained a “company can easily run itself and its vendor ecosystem in the T and R phases of the maturity model; and then run itself again after the mitigation plans are implemented. By using the same risk models and dashboards, clients can clearly.”
Yet, as with other data analytics solutions in the compliance, risk management and Supply Chain space, quantitative analysis alone is not enough. I would say you must always have the human element involved. Thiel phrased it as “Qualitative information is critical to add context and to answer the ‘why.’ Why did the mitigation plan decrease or increase the risk? The tactical quantitative assessment could include techniques like questionnaires for Third Parties, internal stakeholders, transportation partners, and downstream clients.” Either way you phrase it, there must be a human evaluation and provision for future plans.
Join us for our concluding episode, when Brandon Daniels and Erika Peters give a review of supplier monitoring and an update on how government and critical industry are leading the charge using TRADES to out-pace threats and vulnerabilities while minimizing third party and supply chain risk management gaps.
Resources
Exiger TRADES Framework
Exiger Website
Brandon Daniels
Josh Thiel