
The Groundbreaking Guide to Third-Party & Supply Chain Risk Management: Part 05


The Groundbreaking Guide to Third-Party & Supply Chain Risk Management: How Exiger’s TRADES Framework Revolutionizes TPRM & SCRM in 2021 and Beyond 

Welcome to a special six part podcast series, sponsored by Exiger, on the TRADES Framework, a conceptual, strategic and practical guide for Third-Party and Supply Chain Risk Management designed by Exiger to help organizations achieve supply chain resiliency and optimize risk management at any phase of maturity. Exiger was founded to fight financial crime, fraud and terrorist financing by introducing technology-enabled solutions to the market’s biggest supply chain, risk, investigation, litigation, and compliance challenges. A global authority on risk and compliance, Exiger serves the world’s largest banks, Fortune 1000 companies and government agencies and regulators. 

Exiger’s TRADES framework & maturity model is a cutting-edge, but actionable, blueprint to build a modern third-party & supply chain risk management program. Over the next six episodes, Compliance Podcast Network’s Tom Fox will be speaking with Exiger’s experts as we go through each layer of the TRADES framework at the tactical, program and strategic levels.

We put a spotlight on transparency into your current state with Skyler Chi and Tim Stone; discuss the risk methodology with Theresa Campobasso and Matt Hayden; assess current risks with Laura Tulchin and Peter Jackson; determine mitigations with Carrie Wibben and Aaron Narva; evaluate the TRADES Framework uplift with Brandon Daniels and Josh Thiel; and end with Brandon Daniels and Erika Peters, who will give a review of supplier monitoring and close us out with an update on how government and critical industry are leading the charge, using TRADES to out-pace threats and vulnerabilities while minimizing third party and supply chain risk management gaps.

Part 05: Evaluate Framework Uplift with Exiger’s Brandon Daniels and Josh Thiel

This podcast is also available on iTunes, Spotify, and YouTube.

For further insight, you can also read Tom Fox’s blog post on The Compliance Podcast Network.

Podcast Transcript

Tom Fox: In this episode, we consider Evaluate Framework Uplift. Brandon, what does this phrase mean? And how does it relate to the other letters in the TRADES framework?

Brandon Daniels: Thank you for spending so much time with us on the TRADES framework, Tom. It’s an important development in a rapidly evolving ecosystem of third party and supply chain risk management. We began this journey looking for best practices around third-party and supply chain risk management. We were looking for the core steps that have to be taken in order to appropriately manage your third party risk. And that could be distributor risks, vendor risks, or your supply chain risk.

The urgency of establishing best practices was really felt as we dealt with the constraints of COVID and trying to secure the vaccines and PPE and pharmaceuticals that were needed. The urgency also came about as we saw the German Supply Chain Act starting to gain momentum, as we saw some of the Modern Slavery issues that were talked about before that are really taking root in Australia and are part of this sort of ESG revolution. We were looking for a framework ourselves, and when we realized that there wasn’t a consistent framework that addressed both operational issues, as well as security and sort of compliance risk management issues in the third party and supply chain risk management space, we realized we had to take that first step. We had to do the Indiana Jones and trust that there was a walkway over that chasm.

What we realized was that we had to go back to basics, and those basics included the three lines of defense, and that’s what you’ve heard in the T, the R, the A and the D that have come before us. You’ve heard about how you, as a first line of defense, as a business, as a business function, as maybe a compliance function working with the business as a sort of middle office, build transparency into your supply chain. That’s good for business dynamics, but that’s good for compliance dynamics too. And as we know, good compliance is good business, right?

And so when you think about the journey you’ve been through across the T, the R, the A and the D, you know, transparency, and then your risk methodology sort of linking to your strategic objectives, as Theresa mentioned, is really, again, a critical first line of defense function. Then you get into the second line of defense. That’s where you assess your priorities and you ensure mitigation of risk, and that’s where the first and the second line start to bleed together.

But again, going back to basics, what we realized is that the only way that you can achieve new levels in risk management and compliance maturity, the only way that you can know that what you’ve done in your T, R and D are effective, is to have that third line of defense. And that’s what Evaluate Framework Uplift means. It means that you are taking the efficacy of the prior four parts of this process, and you are assessing them from an independent and objective perspective. Do you actually have the right vendors? Do you have the data associated with those vendors to support your risk assessment? Are you biasing your risk assessment in any way by having insufficient data inputs? Have those check-and-challenge functions that should be in disruption mitigation been effective? Have you really, truly got accountable stakeholders, or do you have compliance kind of carrying the water for the business?

These are critical questions that everyone needs to ask as they assess the impact that the T, the R, and the D have made to their organization, and especially the D, right? Evaluating your Framework Uplift means you have to both assess, from an audit and assurance perspective, the impact of the mitigation, the adherence of mitigations and your risk acceptance. Did you accept the right risks? Were those risks tolerable? Were they aligned to your strategic objectives established in the R? Do you have governance that is continuously seeing or understanding whether or not that risk tolerance has been adhered to, as you would have established in the T? Right.

So evaluating the framework uplift is that critical part of the risk management function or process that asks: have we achieved an initial goal? And that is the stage at which the maturity model really comes to life in the TRADES Framework, because it’s at the point at which you determine whether or not your mitigation and your risk acceptance have met your strategic objectives, have actually helped you to defer or mitigate risk, that you get to move up a level in your maturity and say, okay, I understand my tier one. I understand the risks in my tier one, I really mitigated them, I’m moving to an awakened or a progressive posture. And so the E is really that reflective moment.

It’s in the COSO internal controls framework; it’s in Prisma, which helps you to understand IT risk management. It’s in all of these sort of frameworks that have come before us that have established how you manage risks effectively. And I know, you know, Josh, from the field, from literally the heat of battle, understanding whether or not your plans have gone to plan, or they have gone astray, is critical, right? Unless Tom you’ve got a critical point you want Josh to touch on, I’d love Josh to speak to what evaluate the framework uplift means from an operational perspective.

Josh Thiel: Brandon, thanks so much, and Tom, thanks for having us on today. The best word that I’ve got that I could take away from Brandon’s summary there is that it’s the basics, and every great organization has to come back to evaluations. Those are periodic based on a variety of reasons, right? It could be at the end of an operation or a mission. It could be at the end of the cycle, a business cycle. And a lot of the things that are in the environment really dictate how often we come back to the evaluation, specifically at the strategic level, right? So regulatory regime, geopolitical landscape changes, crises like COVID, supplier network massive changes, or even evolving threats, as we’ve seen with Colonial Pipeline, and the ransomware attacks become so prevalent.

Maybe we need to go reassess how often we’re doing our evaluations, or do an emergency evaluation from both the strategic level for governance and down to the program and tactical levels as well. Evaluation is the basics, and it’s really the end of the cycle. It’s the end of that T, R, A, as Brandon brought up, in the D, but it also is the start of the next phase. You use some of it to inform the next level, and specifically at the strategic level, it’s the governance.

The strategic leaders, the senior leaders, established the governance, established the policies, the expectations; they’ve allocated the resources, they understand the costs, and they go and see if they’ve got a return on the dollar at this period in time, because ultimately the goal is to reduce the risk of the organization. That’s what the strategic leaders are assessing in the E portion, while some of the risks are intangible, reputational, really hard to measure.

Oftentimes the savings impact from SCRM is very, very direct and clear, and it’s easy for the senior leaders to quantify it. A perfect example of that is DOD made an evaluation that the DDIQ vendor screen that we implemented during COVID saved the U.S. Government $500 million of fraudulent procurement as the nation scrambled to purchase anything that might save lives in the battle of COVID. It’s a perfect example of how vendors were bidding in this frenzy, but were effectively screened out based on their actual ability to deliver. That was important feedback for those senior leaders as they decided in the next phase to go ahead and adopt some sort of SCRM software, and it was specifically DDIQ based on its performance. So at the strategic level, that’s the focus of the strategic leaders and the governance: come back and see what has actually worked.

Tom Fox: It sounds like there are actually multiple levels. If I could dive in, just for a moment: you talked about the strategic level and the information received from the ongoing monitoring and ongoing evaluations, but it also strikes me that the information that you provide through the ongoing monitoring works at the tactical level as well. Would that be a correct assessment?

Brandon Daniels: Yeah, I completely agree with that. I think that your tactical outcomes, I think although $500 million (and this was a DOD quoted statistic, by the way, Tom) is the sum of a number of different tactical decisions in terms of risk management and risk tolerance and essentially willingness to mitigate risks on a day-to-day basis. It is always the case that when you’re evaluating your framework, when you’re assessing the ability of the program that you’ve implemented to both achieve operational efficiency and risk management gain, you have to look at the technical and tactical efficiency that you’ve achieved on the ground level.

And there’s also a tactical level of evaluating the framework, which is that you need to have those policies, procedures, artifacts that demonstrate what good looks like in terms of metrics, SLAs, and KPIs, so that you can determine whether or not, maybe, $500 million was a great number, or maybe it could have been a billion, right, or maybe in an individual program seeing less than four or five days of delay in your product-to-market timelines is a great outcome in the context of COVID, but maybe it’s not a great outcome in the context of a vibrant market without any big logistical constraints. Right?

And so the tactical level of evaluating your framework uplift is essentially looking at the individual mitigations that were put in place, the individual outcomes that were put in place, and then having clear and distinct both business and risk management metrics that are contextually bound, and that help you to understand the efficacy of the program.

So there is a tactical level here that has to marry with the strategic and sort of your program or business unit level, to make sure that what you’re seeing at the point at which you’re conducting that audit and assurance of the efficacy of the rest of the program actually went back to, as Josh said, the beginning, and understood whether or not the individual metrics that you were achieving helped you to achieve that sum goal that you wanted, or if there were, you know, flaws in the program that should be continuously improved over time. I mean, I think that’s one of the things that independent reviews and audit and assurance always get a bad rap for: they’re identifying where you can improve. That’s a great thing, right? And that’s another thing about the E — that it’s not just about reflection on the bad, it’s also an opportunity to have that third party perspective on where the good can come from.

Josh Thiel: The only thing I would add is one of the ways I like to think about it is that tying it to the KPIs is absolutely essential. I also love the program and what you could do with some of the software, and really it allows us to get after what I break into the quantitative and the qualitative analysis. And fortunately, the data collection from the DDIQ platform allows you to easily run yourself, easily run your vendor ecosystem and the T & R phases.

So you’ve got these baseline, great statistics, hard statistics, of what your risks are. And then after your mitigation plans are implemented, you can go back and rerun yourself with the same model, same dashboards, and really be honest with yourself about whether your risk truly came down. The interactive nature of them really allows you to deep dive into, okay, that didn’t go down, let’s drill in and see where the risks still exist.

And that’s where you get into that qualitative section, and the quantitative just isn’t enough alone. The qualitative information is critical to answer the why; it’s critical to inform the next plan. Why did the plan decrease or increase my risk? And a lot of techniques for this are questionnaires for third parties, internal stakeholder questionnaires, asking your transportation partners, downstream clients for information; they can be web-based, they can just be phone calls, for those data points that really inform the effectiveness of your plan and then inform the next set of plans that you need to take.

Those macro statistics are extremely important, but then it allows you to deep dive into the level that you need to actually make the new plan. And the devil’s really in the details at that point. A perfect example of that, and arguably one of the most critical, is looking at your new vendor population. If you look at your new vendor population and it reveals that you’ve got a bunch of risks coming in, that’s an indication that you didn’t effectively implement the systems, the protocols in place to set up your vendor population for not bringing in new risks. The best way to stop or decrease your risk in an organization is to ensure you screen it out so you don’t bring it in in the first place. That’s just one example of how you can dive into the details, the micro details and the data, to really inform the evaluation and the next set of mitigation plans.

Tom Fox: Gentlemen, unfortunately we are near the end of our time for this episode, but I greatly look forward to continuing the conversation.


About Tom Fox

Thomas Fox has practiced law in Houston for 30 years. He is an Independent Consultant, assisting companies with anti-corruption and anti-bribery compliance and international transaction issues. Tom specializes in bringing business solutions to compliance problems. Most recently, he was the General Counsel at Drilling Controls, Inc., a worldwide oilfield manufacturing and service company. He was previously division counsel with Halliburton Energy Services, Inc., where he supported Halliburton’s software division and its downhole division.

Tom is the author of the award-winning FCPA Compliance and Ethics Blog and the international best-selling book “Lessons Learned on Compliance and Ethics”. He is the author of Doing Compliance, which is a seminal text on the ‘Nuts and Bolts’ of anti-corruption compliance, published in October 2015 by Compliance Week. Tom writes and comments frequently on issues related to compliance and ethics. In addition to his daily blog and bi-weekly podcast, he is a monthly columnist and weekly blogger for Compliance Week, a monthly columnist and frequent contributor to the SCCE Magazine, and a Contributing Editor to the FCPA Blog. He is a well-known and frequent speaker on issues related to compliance and ethics, the use of social media in compliance, and corporate leadership. He is founder of the Compliance Podcast Network.
