
The Groundbreaking Guide to Third-Party & Supply Chain Risk Management: Part 04


The Groundbreaking Guide to Third-Party & Supply Chain Risk Management: How Exiger’s TRADES Framework Revolutionizes TPRM & SCRM in 2021 and Beyond 

Welcome to a special six part podcast series, sponsored by Exiger, on the TRADES Framework, a conceptual, strategic and practical guide for Third-Party and Supply Chain Risk Management designed by Exiger to help organizations achieve supply chain resiliency and optimize risk management at any phase of maturity. Exiger was founded to fight financial crime, fraud and terrorist financing by introducing technology-enabled solutions to the market’s biggest supply chain, risk, investigation, litigation, and compliance challenges. A global authority on risk and compliance, Exiger serves the world’s largest banks, Fortune 1000 companies and government agencies and regulators. 

Exiger’s TRADES framework & maturity model is a cutting-edge, but actionable, blueprint to build a modern third-party & supply chain risk management program. Over the next six episodes, Compliance Podcast Network’s Tom Fox will be speaking with Exiger’s experts as we go through each layer of the TRADES framework at the tactical, program and strategic levels.

We put a spotlight on transparency into your current state with Skyler Chi and Tim Stone; discuss the risk methodology with Theresa Campobasso and Matt Hayden; assess current risks with Laura Tulchin and Peter Jackson; determine mitigations with Carrie Wibben and Aaron Narva, evaluate the TRADES Framework uplift with Brandon Daniels and Josh Thiel; and end with Brandon Daniels and Erika Peters, who will give a review of supplier monitoring and close us out with an update on how government and critical industry are leading the charge, using TRADES to out-pace threats and vulnerabilities while minimizing third party and supply chain risk management gaps.

Part 04: Determine Mitigations with Exiger’s Aaron Narva and Carrie Wibben

This podcast is also available on iTunes, Spotify, and YouTube.

For further insight, you can also read Tom Fox’s blog post on The Compliance Podcast Network.

Podcast Transcript

Tom Fox: Hello everyone. This is Tom Fox back for our continued exploration of the TRADES framework. In this episode, we take up the letter D for Determine Mitigations. Aaron, who is the framework for and how can it be used?

Aaron Narva: Sure, thanks Tom. The next critical element of the TRADES framework is around determining the mitigation of risk. It’s determining what actions or steps can and should be taken to reach a point where the specific risk of a supplier or a supply chain element are well enough understood and controlled to move forward with a business relationship.


Determining mitigation is definitely a delicate balance of all the preceding elements of the TRADES framework. It’s about understanding the specific impacts that risks can have on your third-party population or your supply chain. It’s about taking a risk-based approach. You need to understand your operational bandwidth to take specific mitigation actions and know when to accept the minimal risk and move on for the operational benefit.

There are many cases that we talk about where identified risks will not justify any level of mitigation. How companies perform mitigation is really dependent on their maturity level and the specific risks they face. So at the end, as we always hear with this, there’s no one-size-fits-all.

The TRADES framework gives every risk management and compliance professional a plan. They can move up the SCRM maturity model curve regardless of where they’re starting to manage their risk. Risk management and compliance professionals seek out and rely on frameworks. We love this sort of map, right? When they’re strategic and clearly laid out, it’s better. Plans, maps, strategy, and supporting data can be used to get executive stakeholder buy-in despite limited resources and time to manage competing priorities. They can then drive those budget decisions to invest in critical compliance and risk management tools. With that quick overview, Carrie, I’ll let you introduce the D within our TRADES framework.

Carrie Wibben: Thanks, Aaron. The D is actually my favorite letter in the TRADES framework. As a risk management professional, this is where you get to the heart of the matter from a supply chain risk management standpoint.


This element is really about problem solving and taking specific actions to remediate risks. The goal is to drive a supply chain ecosystem that’s secure and resilient. The tricky part is doing that without compromising operational efficiency. At this point in the framework, you’ve got your organization’s objectives and risk thresholds pretty well established. Now you’re considering what risks you are willing to accept. What risks can you transfer or segregate or mitigate in some other way? What are the risks that you need to immediately take action on, avoid or remove? That’s kind of the spectrum of mitigation options; of course, there’s a lot of nuance within that spectrum.

This is the step in the process where you’re really separating the wheat from the chaff. Just to emphasize something I hear Aaron talk about often, this really has got to be a risk-based approach. There is not a single size that will fit all situations. It really has to be a very broad spectrum of mitigations that you set forth in your plan. You have to factor in timelines and milestones, and that can be messy work. Mitigating risk is not for the faint of heart. It really requires a high degree of both critical and creative thinking and solutioning. That’s why I actually think it’s one of the most challenging elements of supply chain risk management overall.

This is because of two reasons. One is the complexity, ambiguity and constantly evolving nature of these vast sub-tier supplier ecosystems. And two, it’s the secondary and tertiary consequences of risk management work. This inevitably includes impacts to upstream and downstream costs. These can impact the schedule as well as operations. This can be one of the most tricky parts to kind of navigate.

Tom Fox: Before we get into a little more detail, let me pitch a question to one or both of you. I really got the sense that determining mitigation works very much on the tactical level. Aaron, I also got the sense that this is a way for a compliance officer, supply chain professional, or whoever’s using this to talk to management about the strategic view and more importantly cost.

You talked about operational bandwidth and you talked about the cost of some of these. Do management and even the board of directors want to know what the risks are? How are we mitigating? And equally importantly, what are our costs? Would that be a fair assessment?

Aaron Narva: When you look, there are two big costs in these risk programs that we see on the compliance side. There’s identifying the risk. How do we go and identify risks? How do we surface the things that we need to talk about? That’s usually fairly straightforward.

When people have their tools, they can assume it’s going to be a certain amount of risk they’re going to identify and discuss. The challenging and unknown piece of this is the mitigation. You’re never sure what steps you’re going to have to take to mitigate risk. You can plan for it and you can set aside resources for it. At the end of the day, the nature of the supply chain and the nature of actually getting to do business with a counter-party can involve unexpectedly large steps.


There are tools now to get you to a place where you can do that quickly and have more predictability. If you have a supplier, for example, that presents a certain type of risk and you must do business with that supplier, it may involve actually a site visit or different kinds of interviews. It may involve document productions from them which can take time and/or cost money. When you’re justifying this to management, I think it’s appropriate to have a real framework for how you’re going to approach mitigation, but also message that unknown piece of it. Sometimes in order to move forward with business, the cost can be unpredictable.

Tom Fox: Carrie, can you talk about doing work with government clients to determine mitigations on programs you’re supporting?

Carrie Wibben: I could talk all day on that. Let me give just some examples of how we’re working with our government and our defense industrial base clients. It’s a very recent and encouraging trend line to see the uptake and the willingness to invest in supply chain risk management tools such as ours for our largest defense and aerospace companies.

In my previous governmental position, I tried very hard to get this sort of transition and recognition in these major primes and OEMs. These support multi-billion dollar contracts and deliver our war fighting capabilities. They recognize that they had to take ownership of this problem and we’re finally seeing that happen. Again, I could talk for days on that, but let me answer your question with a couple of examples.

We are helping our clients implement this TRADES framework and move up in the supply chain risk management maturity model as quickly as possible. The work we’re doing for the federal government defense industrial base is really focused on America’s most critical supply chains. We’re doing deep supply chain illuminations within critical infrastructure sectors. There are 16 of them designated and overseen by the Department of Homeland Security. We have ultimately illuminated the U.S. bulk power system down to the fourth tier, despite the entire U.S. bulk power system having over 6,000 entities. We conducted deep diligence, risk-assessed it and made that available to our federal clients. There was tremendous insight from that, as you can imagine.

We’ve done illuminations on critical technology sectors like microelectronics and critical minerals, rare earth elements. We do a lot of work for the Department of Defense on critical acquisition programs and illuminating down to the third, fourth, fifth tier. This includes most critical acquisition programs for our weapon systems and platforms such as the AGM-114 Hellfire missile, the Naval Strike Missile, the Bradley Fighting Vehicle. We actually do a lot of that work for DoD and other agencies.

Exiger also does critical supply chain analysis on critical parts or componentry such as circuit cards or diodes. Additionally, we do hardware and software supply chain mapping, and vulnerability assessments. That’s kind of a very quick summary of the type of work that we do. The output of all of this supply chain illumination work provides very rich and actionable intelligence.

We’re going beyond the surface level, going deep into that sub-tier ecosystem to the third, fourth, fifth tier. We’re also doing diligence and gathering intelligence at that level. Risks — such as adversarial connections, foreign investment and other foreign indicators, cybersecurity risk, supply chain fragility — that were lurking below the surface are suddenly made apparent. The resulting effect can be overwhelming for our clients.


Historically, this depth of supply chain transparency has not been available or known by either the federal government or the defense industrial base. We are now enabling the awareness around it and that can consequentially be overwhelming for them. Our clients, primarily our federal clients, were getting stuck at stage one of our maturity model. It goes from stage zero, a reactive posture, to stage one, an awakened posture.

Now we know what’s below the surface and there’s some bad stuff. So what do we do about it? When we peeled back the onion on that, we then tried to understand why they aren’t moving to that next stage. We want to eventually get them to that highly anticipatory posture. We weren’t getting there.

The biggest challenge is a complete lack of adequate resourcing to take on the work that we were doing in the earlier stages of TRADES. That is achieving transparency and making sure they were aware of what was going on below the surface level. There weren’t resources available across our federal clients to get into the dirty work of determining what measures to take. Without it, it’s difficult to develop that actionable plan. It’s fascinating, I’m sure, for you to hear this and see how this translates across markets and sectors.

There’s a common void of adequate resources with our federal clients, defense industrial base, FIs and corporates. Risk management professionals can’t effectively manage these risks at the tactical program level, or even strategic level. At Exiger, we’re doing the best we can to help. We’re working in partnership with the government clients, the DIB providers. We’re also trying to coordinate efforts to make use of resources, and drive common tools and solutions to help identify and assess. Most importantly, we want to determine what mitigations are appropriate to strengthen and drive a more resilient posture across America’s most critical supply chains.


We’re doing this by clearly aligning risk insights from our illumination work to specific regulatory compliance and legal requirements, such as FAR and DFARS clauses in our acquisition contracts. That’s one side of the spectrum. We are translating all the risk insights that we identify. Then we are mapping it to that contract language and helping our contracts officers understand where they have coverage.

This requires a response from a mitigation standpoint from that prime or sub-tier suppliers. On the other end of the spectrum, it’s really using our risk insights and then helping to generate referrals for intelligence, counterintelligence and law enforcement agencies. So these insights are based on the threat indicators and the foreign intelligence connections that we see below that surface level. We’re helping them separate the wheat from the chaff so they drive actionable output.

Tom Fox: Carrie, one of the reasons I enjoy visiting with you so much is your background in government. I really appreciate Exiger in this space because it’s so cutting edge. When I hear you talk I see how this can apply to the private sector, and U.S. public and private corporations. Aaron, what are you doing with your corporate clients around determining mitigations on compliance programs and supply chain risk management?

Aaron Narva: A lot of what Carrie said is super relevant for our compliance clients, too. The criticality of the national security items that Carrie mentioned is driving this faster in the DIB and in government. I think there’s certainly a desire to understand supply chain compliance. For the compliance officer and a non corporate, we’re still watching supply chain risk management and the expanding world of risks. We think it’s around the compliance officer, but it’s also around procurement and some other groups. That’s what is emerging.

Compliance officers are armed with a set of options or tools they utilize for mitigation as the supply chain evolves. A lot of our clients use third-party outreach as a form of mitigation. Whether it’s questionnaires or a recorded call, third parties can provide proof of their controls. This has historically been around corruption, but there’s also sustainability, environmental and cyber risk. Those documents can prove policies and procedures and/or certifications.

Some clients, as I said before, will even perform onsite audits in instances of very high risk. COVID has moved a lot of that to video calls, which I think is effective. We’re seeing clients use that form of mitigation as a relatively low-cost but intense form of mitigation for high risk. A third form of mitigation is just learning deeper levels of diligence. This is all the way up to and including discreet reputational inquiries in instances where it is justified. That can definitely help reveal more of the story.

You might identify a corruption risk on a third party that’s publicly known. Consequently, companies that have had those issues in the past are often less risky because they’ve had to deal with these issues. Contractual clauses, refresh periods, and risk committees are also frequently part of the risk mitigation approach.

I think at the end of the day, our clients’ approaches to mitigation are as varied as their business models and the risks that they face. For compliance, they need to access as many mitigation tools as possible. They have these at their fingertips. So as the scope of risks that they’re responsible for expands, in terms of ESG elements such as reputational risk, the pressure to mitigate these risks and do so quickly grows.


Tom Fox: I want to focus on due diligence. I’ve been in this space about 15 years. Due diligence has always been a ubiquitous term. It being a court requirement is one thing I think everyone’s aware of. Yet in 2021 it’s more important than ever. Have you done any mapping of due diligence findings for a client? Carrie, you talked about levels of sub-suppliers. But how can the mapping of due diligence be a useful tool going forward?

Carrie Wibben: I’m happy to go into more detail on that. I think it really helps put a fine point on it if I talk about an example. One of the critical acquisition programs we’ve done is now turning into a pilot program. This is really fascinating and also helping shape DoD policy. It’s potentially helping shape regulation, those FAR and DFARS clauses, and eventually legislation in the space.

We found around a dozen data intelligence findings within an acquisition program. They were pretty significant and high-risk. It presented serious issues for the program from a security and stability perspective. More importantly, we picked up on threat indicators. They indicated there was a serious foreign intelligence threat to the critical technology associated with this program over the long term.

To help turn this into something more actionable, we took an extra step where we mapped all of the findings. After we got the contract we broke it out into sub-compartments. These consisted of every FAR and DFARS clause in some way tied to supply chain. This helps the contracts officer be able to translate our work and risk insights into their sub-tier supply chain. Therefore, we can understand and translate what this means from a contract standpoint, which then drives everything else.

We took that contract and pulled it apart. Afterwards, we bucketed our risk insights to those regulatory requirements in those clauses. This really has helped us to break down and prioritize the next steps from a mitigation standpoint. We were able to bridge the gap and have a risk mitigation conversation with those government officials, program managers or the contracts officer. And now, the pilot part and the really cool part is we are looping in that prime. In my opinion, this is the future. We are looping in who owns that contract or who’s ultimately responsible for delivering this capability to the war fighter.

We are now coordinating to determine the right incentive structure. This is to get the prime contractor to understand which of these FAR and DFARS clauses actually flow down to the sub-tier suppliers. What are they willing to do if they’re not threatened by this, but actually embrace it as a partner? Everybody has a clear set of common objectives. The government is willing to pay for this mitigation work for this prime contractor to actually address these issues. It’s not some sunk cost or overhead cost that they have to absorb. There’s actually a bucket of billable hours that they can charge.

Where this is going, Tom, is supply chain risk management becoming an allowable cost when these contractors bid for this work. It will also be rewarded. If you have invested in a supply chain risk management program and tools and can demonstrate proficiency against a set of standards which are now being developed, you now have a competitive advantage over your competition in future acquisitions.


It really boils down to a report called Deliver Uncompromised that we worked to put out when I was in the government. It’s where the rubber is meeting the road against those incentives that are set out in that report. It’s like a combination of carrots and sticks. How do you get the industry? We and the government are on the outside looking in.

Exiger will only be able to get a meaningful result on mitigation if these companies are willing to embrace this instead of being threatened. They need to instead make an investment, partner and agree to share information with the government and providers like us. We are the ones trying to expose and illuminate what’s going on in their own sub-tier supplier ecosystem. In conclusion, we do this all in partnership.

As a result, that’s where we’re headed. It’s so exciting. We really are helping to shape the regulatory and legislative landscape in this space in real time. It’s so rewarding and such an amazing opportunity. As something I have a lot of passion for, it’s going to be so cool to see where we are even a year from now. That’s how quickly the space is evolving.

Tom Fox: Carrie and Aaron, unfortunately, we are near the end of our time on this episode. From my end, I could probably talk to you guys for hours, but perhaps on another podcast. I wanted to thank you both and look forward to continuing the conversation.

About Tom Fox

Thomas Fox has practiced law in Houston for 30 years. He is an Independent Consultant, assisting companies with anti-corruption and anti-bribery compliance and international transaction issues. Tom specializes in bringing business solutions to compliance problems. Most recently, he was the General Counsel at Drilling Controls, Inc., a worldwide oilfield manufacturing and service company. He was previously division counsel with Halliburton Energy Services, Inc., where he supported Halliburton’s software division and its downhole division.

Tom is the author of the award-winning FCPA Compliance and Ethics Blog and the international best-selling book “Lessons Learned on Compliance and Ethics”. He is the author of Doing Compliance, which is a seminal text on the ‘Nuts and Bolts’ of anti-corruption compliance published in October 2015 by Compliance Week. Tom writes and comments frequently on issues related to compliance and ethics. In addition to his daily blog and bi-weekly podcast, he is a monthly columnist and weekly blogger for Compliance Week, a monthly columnist and frequent contributor to the SCCE Magazine, and a Contributing Editor to the FCPA Blog. He is a well-known and frequent speaker on issues related to compliance and ethics, the use of social media in compliance, and corporate leadership. He is founder of the Compliance Podcast Network.
