Welcome to a special six-part podcast series, sponsored by Exiger, on the TRADES Framework, a conceptual, strategic and practical guide for Third-Party and Supply Chain Risk Management designed by Exiger to help organizations achieve supply chain resiliency and optimize risk management at any phase of maturity.
Exiger’s TRADES framework & maturity model is a cutting-edge, but actionable, blueprint to build a modern third-party & supply chain risk management program. Over the next six episodes, I will be speaking with Exiger’s experts as we go through each layer of the TRADES framework at the tactical, program and strategic levels. We put a spotlight on transparency into your current state with Skyler Chi and Tim Stone; discuss the risk methodology with Theresa Campobasso and Matt Hayden; assess current risks with Laura Tulchin and Peter Jackson; determine mitigations with Carrie Wibben and Aaron Narva; evaluate the TRADES Framework uplift with Brandon Daniels and Josh Thiel; and end with Brandon Daniels and Erika Peters, who will give a review of supplier monitoring and close us out with an update on how government and critical industry are leading the charge using TRADES to outpace threats and vulnerabilities while minimizing third-party and supply chain risk management gaps. In this concluding episode, I am joined by Brandon Daniels, President, Global Markets, and Erika Peters, Managing Director, Global Markets Group Head of Tech Transformation, to look at supplier monitoring and provide some concluding remarks.
We began with the oversight and monitoring of suppliers within the vendor ecosystem, which is the final pillar of the TRADES framework. Peters noted that it is the pillar which “upholds the long-term adherence to the other elements of the framework and ensures the evolution of the program over time as the threat landscape similarly evolves and changes.” This means that an organization benefits from the clear, concise data gathered on its supplier ecosystem, through stakeholder ownership with a clear risk framework.
As the Department of Justice (DOJ) has consistently made clear in other compliance areas, Peters related that companies “should ensure their view of the risk and opportunity landscape is monitored and dynamically addressed through continuous improvement.” It is more than simply a “risk assessment of a third party, which then is put on a shelf” because risks change and evolve. Both third-party and external risk factors must be monitored. Doing so allows you to react faster, “in turn minimizing the potential business impact and ultimately the bottom line.” Ongoing monitoring gives you quick insights, allowing you to be proactive rather than reactive in risk management when you find out that a partnership is with a company that has reputational risks associated with it, such as ownership by a sanctioned entity, fraud or corruption.
Daniels expanded on this by explaining that if you establish a high volume of transparency into your supplier network or into your distributor network, this would also lead to critical third and fourth and fifth and sixth parties that you need to monitor at this last phase. You will be able to evaluate the efficacy of the risk methodology and the risk assessment that you’re conducting on those vendors. Through the implementation of the TRADES Framework, you will have a “constant refresh of those data inputs that you created, that you curated, that you sourced in order to initially instigate your supplier monitoring, or excuse me, your supplier risk assessment. Just refreshing those data points, essentially will just constantly recalibrate, constantly monitor, constantly find those spikes that peak out to you.”
Increasingly, Daniels believes these types of risk are “not linear. They are octagonal.” He explained that an organization “could have a risk in your operational issues. You could have a risk in cyber, you could have a risk in legal, you could have a risk in reputational business dealings.” The key is that “as long as you consistently refresh those inputs that you have used in order to initially assess the priorities of risk that you have across your third party, fourth party, fifth party, sixth party ecosystem, then you are inherently doing supplier monitoring.”
This type of continuous review and monitoring gives you insights into the future because “you are essentially testing the things that get left behind. Those low-risk vendors, those medium risk vendors that sit below a threshold of risk tolerance and making sure that you’ve got the right risk prioritization in place to instigate an alert when you need it.” It is also more cost-effective, as you are able to move away from the costly retrospective audit conducted two years down the road. Daniels said, “These routine audits, these big projects, these million-dollar projects that we do every year in order to refresh 10,000 out of the 20,000 total vendors that we know we’ve got or to do deep due diligence on 5,000 of them randomly on an audit basis, that used to cost us so much money, we’re now doing that incrementally, turning this into a much lower operational cost for us because now we’re instigating when something changes.”
Finally, implementing this appropriately means continuously making sure that “you 1) update your data inputs, 2) making sure that you are assessing your risk framework, and 3) ensuring that as long as you don’t have major changes to your risk landscape,” you are “lowering the friction of compliance and actually make compliance a business accelerant when you have found third parties and supply chains that are able to deliver for you on time and cost effectively.”