The Groundbreaking Guide to Third-Party & Supply Chain Risk Management: Part 03

The Groundbreaking Guide to Third-Party & Supply Chain Risk Management: How Exiger’s TRADES Framework Revolutionizes TPRM & SCRM in 2021 and Beyond 

Exiger’s TRADES framework & maturity model is a cutting-edge, but actionable, blueprint to build a modern third-party & supply chain risk management program. Over the next six episodes, Compliance Podcast Network’s Tom Fox will be speaking with Exiger’s experts as we go through each layer of the TRADES framework at the tactical, program and strategic levels.

We put a spotlight on transparency into your current state with Skyler Chi and Tim Stone; discuss the risk methodology with Theresa Campobasso and Matt Hayden; assess current risks with Laura Tulchin and Peter Jackson; determine mitigations with Carrie Wibben and Aaron Narva, evaluate the TRADES Framework uplift with Brandon Daniels and Josh Thiel; and end with Brandon Daniels and Erika Peters, who will give a review of supplier monitoring and close us out with an update on how government and critical industry are leading the charge, using TRADES to out-pace threats and vulnerabilities while minimizing third party and supply chain risk management gaps.

Part 03: Assess Current Risks with Exiger’s Laura Tulchin and Peter Jackson

This podcast is also available on iTunes, Spotify, and YouTube.

For further insight, you can also read Tom Fox’s blog post on The Compliance Podcast Network.

Podcast Transcript

Tom Fox: Number three in the TRADES framework is Assess current risks. Peter, what can you tell us about the A in the TRADES acronym?

Peter Jackson: Tom, until this point, we’ve been talking about planning and preparing your supply chain risk program. Now, it’s time to carry out the plan.

So we’ve discussed transparency, we’ve prepared our methodology and now we’re going to put this preparatory step into motion. The more robust your preparation, the easier this step will be. Don’t be concerned if you find it necessary to go back and forth between this step and the other stages. Sometimes we have expectations about the data that’s available or we make assumptions about overall risk. Those are quickly disproven as we move to actually assess our risk. When that happens, you can simply back up and iterate on the planning stages to find another approach.

The more robust your preparation, the easier this step will be. Don’t be concerned if you find it necessary to go back and forth between this step and the other stages.

Peter Jackson, Director, SCRM Data Management & Innovation

This will be especially true if your SCRM program is less mature or less robust. You might need to iterate as you gather results from this step and see what actually comes out of your methodology. Matt and Theresa talked about our final SCRM assessment, as these crown jewels, but no plan is perfect. If you find yourself going back to revise your plan, think of it as adding in a couple more diamonds of reviews. Let’s move to the actual risk.

Laura Tulchin: Yeah, thanks Peter. Thinking about how this really works in practice and what assessing the current risks means. We always advise to really start at the strategic level and really assess current risks. We need to understand what the outputs of that will pertain.

When we see a risk appetite statement as absolutely critical to defining the workflow, that comes out of the risk assessment. Designing this risk appetite statement might be part of the previous step as discussed by Theresa and Matt. It might also be informed out of what actually comes out of the risk assessment.

Tom Fox: So how do you use that risk appetite statement, Laura?

Laura Tulchin: Yeah, exactly. The risk appetite statement will give you guidelines about what is acceptable risk and what is not. It’s important to put in thresholds in metrics to make the review and results of the risk assessment actionable. You want to put in key risk indicators (KRIs) to tell you when things are moving toward risk unacceptability and then what to do. So ultimately the risk assessment and the risk appetite statement are going to strategically define a workflow for you.

It’s really important to put in thresholds in metrics to make the review and the results of the risk assessment actually actionable.

Laura Tulchin, Director, ESG Solutions Lead

This should ensure that the risk model is meeting your actual business needs and your risk profile. In other words, really align with the way that your organization sees the world. This assessment of the risks is going to be responsive to the framework design above. As Peter said, the outputs and iteration between the methodology and what is being risk assessed may require iterations. That is absolutely fine. It should be part of the expectation of using the risk methodology and the assessment of current risks.

Tom Fox: So how do you put the risk assessment in practice at the program level?

Peter Jackson: At the program level, we collect, analyze and synthesize the data that we need to identify the risks that we have and fit them into our risk appetite. Something to keep in mind as we carry out the plan at the program level is that there are both weak and strong points in any supply chain.

We were looking for companies for one customer with a very specific capability to repair the circuit card and chip. We found was that it wasn’t enough to just find companies that were being used by this program. It perhaps should have been replaced or had some risks to be mitigated. We also found some companies that were doing things the right way. They had a really well-diversified set of capabilities and a diversified supply chain. They were also able to elevate those particular companies and then find characteristics about them. We could then suggest to our customer and say ‘find more companies like that.’

In other words, we weren’t only finding risks in the supply chain. We were finding strengths and learning how to replicate those trends across the program. At the program level, that’s the right place.

The program level is also the perfect place to identify value creation. We can identify inefficiencies in the supply chain that we might be able to correct, or adjust. We can also find places where we might have a weak spot that we can work around. Although the supply chain risk is focused on reducing vulnerabilities, there’s also tremendous potential for discovering efficiencies and creating significant value.

Although the supply chain risk is focused on reducing vulnerabilities, there’s also tremendous potential here for discovering efficiencies and creating significant value.

Peter Jackson, Director, SCRM Data Management & Innovation

Tom Fox: If I could follow up on that point, I think many business executives, compliance professionals and others have really focused on the changing nature of risk in their supply chain because of the pandemic. Does this format, or does this part of the TRADES framework have the flexibility to reassess? Not so much at a moment’s notice, but when you have a significant event such as the COVID-19 global pandemic?

Peter Jackson: One of the things people should be thinking about are ways that we can adjust our previous framework. What are the data that we’re actually seeing here? What are the things we can actually identify? When you’re in the planning stage, you’re definitely looking at from an academic standpoint. You have your sense of the universe and your own assumptions about your supply chain and where the risks are.

But when you’re at this level, you’re actually faced with the data that you have available to you. And like you said, sometimes you’re faced with an outlier situation that doesn’t fit in with your model. This is the perfect place to identify going back to your model. You can take the data and say that this is the data that I actually know. It’s not what risks would I like to identify. It’s being realistic about what risks can I actually identify. What do I actually have the data to support? What are the arguments I can actually make based on the observations that I can actually provide here?

Tom Fox: One of the biggest concerns I hear from business executives is when a framework doesn’t have flexibility. Is the TRADES framework locked into that? And then does it have the flexibility at the tactical level?

Laura Tulchin: Absolutely Tom, and that’s a really fair concern that we hear from our customers as well. As Peter was describing, we do see this ability to adapt and iterate as part of the framework itself. It’s built into the framework. We understand that implementing the risk assessment may mean different things for different entities or different parts of your busines based upon supply chain criticality, especially at a tactical level.

We understand that implementing the risk assessment may mean different things for different entities or different parts of your business based upon supply chain criticality, especially at a tactical level.

Laura Tulchin, Director, ESG Solutions Lead

There may be certain types of suppliers that are subject to more stringent data collection. This leads to a more comprehensive risk model, like bringing in larger swaths of data or more enhanced due diligence. And that might be really just due to some inherent criticality that that supplier has within a supply chain. With that in mind, you might actually want to perform a full risk assessment within a given supplier relationship.

This is defined by the risk model design as described by Matt and Theresa. It really speaks to how you tear your universe in terms of criticality and your population of suppliers. There might be certain suppliers, jurisdictions, industries or certain products that are especially critical or pose risk. A product provision-wise or really geopolitically in any way may logistically require single focus risk assessments to bring that data into an overall program review.

We very much understand that type of tiering or flexibility, or even iteration terms of assessing criticality is necessary to businesses when actually applying this framework in the real world. We see it as a built-in and inherent to implementing this framework and giving that sense of flexibility and understanding from a criticality perspective. Not all suppliers are created equal at a tactical level.

Peter Jackson: It’s also the place where you’re most likely to discover the need to iterate on your supply chain risk model design. The tactical level is where you can best identify any persistent information gaps or determine the need for data orchestration. It’s also important to keep in mind that outputs of your assessment are going to be responsive to your risk priorities. If you care most about foreign ownership and control of your suppliers, your outputs will reflect a focus on ownership and foreign investment.

It’s also important to keep in mind the outputs of your assessment are going to be responsive to your risk priorities.

Peter Jackson, Director, SCRM Data Management & Innovation

On the other hand, if you’re most concerned about counterfeit and spoofing activity, your outputs should focus on source provenance and authenticity markers. This is something that Exiger has considered quite closely in the past couple of years. We’ve moved from working largely in the banking and compliance industries with a lot of finance markers into more of a government dominated space. It’s where a lot of the concerns reflect traditional counter-intelligence markers instead of financial intelligence. That’s something that Exiger has been working on significantly as we move from finance sector compliance frameworks and develop more defense, aerospace and government sector compliance and risk management frameworks. We’ve had to modify how we look at the supply chain risks and the things that we’re capturing.

As we do that, we’re picking up new sources and reaching out to different data models. We’re also identifying new places where we can gather information so that our outputs are responsive to the risk model that we’ve developed. And finally, it’s critical to keep in mind, we aren’t just assessing for the sake of assessment. It’s always important to keep in mind how the organization can use it and put our outputs to immediate use.

If our findings are more strategic in nature, the changes that we find may be more sweeping organizational solutions. If our findings are more tactical, maybe the result will mean a small tweak to a specific client pattern or relationship. As you carry out your risk model plans in this step, always keep in mind an action plan for any given outcome.

Tom Fox: Laura, I hope you were expecting an ESG question because I’m not going to visit you without posing at least one.. I want to focus on a phrase Peter used, which is source provenance and authenticity markers. It’s critical from the U.S. government perspective, but it’s also critical in the ESG world, particularly around environmental and sustainability. Does the TRADES framework have the flexibility to work in the ESG world as well?

Laura Tulchin: Oh, absolutely. We really see those traits framework as applying to all areas of supply chain risk and assessing current risks, design of the framework and the risk assessment methodology. It should really align to the way that an organization understands risk and its business model. Increasingly we’re seeing ESG as a critical area of risk within supplier populations that organizations are increasingly focused on in terms of making sure that their supply chain is both safe and also resilient. We certainly see this TRADES framework as applicable in the ESG space.

Couldn’t agree with you more with regard to the comment and the importance of source provenance. I think that it ultimately comes down to real good governance around the supplier population within an organization and being able to ensure that there’s good governance within suppliers themselves. So certainly a lot about applicability there.

I think that it ultimately comes down to real good governance around the supplier population within an organization and being able to ensure that there’s good governance within suppliers themselves.

Laura Tulchin, Director, ESG Solutions Lead

Tom Fox: Laura and Peter. Unfortunately we are near the end of this episode, but I wanted to thank you both. And I greatly look forward to continuing this conversation. Thank you so much, Tom.

About Tom Fox

Thomas Fox has practiced law in Houston for 30 years. He is an Independent Consultant, assisting companies with anti-corruption and anti-bribery compliance and international transaction issues. Tom specializes in bring business solutions to compliance problems. Recently, he was the General Counsel at Drilling Controls, Inc., a worldwide oilfield manufacturing and service company. He was previously division counsel with Halliburton Energy Services, Inc. where he supported Halliburton’s software division and its downhole division.

Tom is the author of the award winning FCPA Compliance and Ethics Blog and the international best-selling book “Lessons Learned on Compliance and Ethics”. He is the author of Doing Compliance, the seminal text on the ‘Nuts and Bolts’ of anti-corruption compliance which was published in October 2015 by Compliance Week. Tom writes and comments frequently on issues related to compliance and ethics. In addition to his daily blog and bi-weekly podcast, he is a monthly columnist and weekly blogger for Compliance Week; a monthly columnist and frequent contributor to the SCCE Magazine and a Contributing Editor to the FCPA Blog. He is a well-known and frequent speaker on issues related to compliance and ethics, the use of social media in compliance and corporate leadership. He is founder of the Compliance Podcast Network.