The Groundbreaking Guide to Third-Party & Supply Chain Risk Management: Part 06

The Groundbreaking Guide to Third-Party & Supply Chain Risk Management: How Exiger’s TRADES Framework Revolutionizes TPRM & SCRM in 2021 and Beyond 

Exiger’s TRADES framework & maturity model is a cutting-edge, but actionable, blueprint to build a modern third-party & supply chain risk management program. Over the next six episodes, Compliance Podcast Network’s Tom Fox will be speaking with Exiger’s experts as we go through each layer of the TRADES framework at the tactical, program and strategic levels.

We put a spotlight on transparency into your current state with Skyler Chi and Tim Stone; discuss the risk methodology with Theresa Campobasso and Matt Hayden; assess current risks with Laura Tulchin and Peter Jackson; determine mitigations with Carrie Wibben and Aaron Narva, evaluate the TRADES Framework uplift with Brandon Daniels and Josh Thiel; and end with Brandon Daniels and Erika Peters, who will give a review of supplier monitoring and close us out with an update on how government and critical industry are leading the charge, using TRADES to out-pace threats and vulnerabilities while minimizing third party and supply chain risk management gaps.

Part 06: Supplier Monitoring with Exiger’s Brandon Daniels and Erika Peters

This podcast is also available on Itunes, Spotify, and YouTube.

For further insight, you can also read Tom Fox’s blog post on The Compliance Podcast Network.

Podcast Transcript

Tom Fox: There’s also an S in the TRADES framework and that’s for supplier monitoring. So Erika, if we could start with a question, why is supplier monitoring so critical?

Erika Peters: Hi Tom. I’m so glad we get the chance to talk about supplier monitoring. It’s also known as the ‘S’ or the last part of the TRADES framework. Supplier monitoring is extremely important as it upholds the longterm adherence to the other elements of the framework. It also ensures the evolution of the program over time as the threat and the landscapes similarly evolves and changes. Supplier Monitoring is where the organization benefits from the clear and concise program documented. The data that is gathered on the supplier ecosystem, stakeholder ownership is within a clear risk framework.

What makes supplier monitoring critical is that the organization is no longer trying to cover everything. It helps the organization focus and continuously identify where they need to engage and manage their risks. Organizations should ensure their view of the threatened opportunity landscape is dynamically addressed through monitoring. It will help avoid to be blindsided by any of those new unknown risks based on the changes. This often occurs as a third parties’ strategies or operations change, as well as their contributions to the organization.

Monitoring suppliers in a mature program would also include monitoring some of these external risk factors and using these data points to be proactive. Being in the know will allow you to react faster. Everything comes down to knowing more sooner in order to mitigate the risks faster. As soon as they arise in turn, minimizing the potential business impact and ultimately your bottom line.

I think most understand the importance I’m referring to and want to stay on top of their supplier network. However, they find themselves unable to keep up with the changes. They therefore assess their suppliers or the third party at onboarding and then just place it up on a shelf. Exiger has been very focused on solving this challenge, which is not that dissimilar to what I’ve been working on for years in the Know Your Customer space.

If it’s done right, supplier monitoring allows an organization to be proactive and at times even predictive. But certainly, doing the monitoring will put them ahead of their competitors when reacting to the supplier market. When their competitors are relying on the same third third parties, this knowledge will help our clients position themselves during businesses as usual activities, as well as in a crisis. You’re only as good as the information you have. Supplier monitoring will allow you to have a lot of information at your fingertips, making it so important as part of the TRADES framework.

Tom Fox: Brandon, if I could ask you, how would you suggest implementation of a supplier monitoring program?

Brandon Daniels: Tom, one of the things Erika spoke about is that in the prior part of the framework you would establish a high volume of transparency. It’s established into your supplier network, distributor network, and into those critical third to sixth parties that you need to monitor in this last phase.

You also establish, agree and then evaluate the efficacy of the risk methodology and the risk assessment that you’re conducting on those vendors. Right? Supplier monitoring should be the point where you’re getting to make use of the hard work that you’ve done elsewhere. The implementation should be a constant refresh of data inputs that you created, curated and sourced in order to instigate your supplier monitoring or risk assessment. Just refreshing those data points will just constantly recalibrate, monitor and find those spikes that peak out.

The kinds of risks that we’re talking about are not linear. They are octagonal. You could have a risk in your operational issues. You could have a risk in cyber, legal or in your reputational business dealings. You can have different risks that peak, or you could have the data show that you’re an organization in disarray. You are inherently doing supplier monitoring so as long as you consistently refresh those inputs that you have used in order to initially assess the priorities of risk across your third to even six party ecosystem. You’re using that leg work that you’ve done in the rest of the TRADES framework.

The other item you need in order to implement this stage is a consistent and continuous view of how effective your risk assessment is, right? Because you want to make sure that the risks that you’re looking for are the risks that you want to highlight into the future. It’s in supplier monitoring, making sure that you are essentially testing the things that get left behind, right? Those low risk vendors, those low and medium, those high, those medium risk vendors that sit below a threshold of risk tolerance and making sure that you’ve got the right risk prioritization in place to instigate an alert when you need it.

The other thing about supplier monitoring that’s great, Tom, is it gets rid of this world, the old world of from scratch vendor refresh or from scratch distributor refresh or semi-annual audits. You’re now instigating a refresher and audit based upon a change to the vendor’s details, to the vendor’s information, to the vendor’s risk posture. These routine audits, these big projects, these million dollar projects that we do every year in order to refresh 10,000 out of the 20,000 total vendors that we know we’ve got or to do deep due diligence on 5,000 of them randomly on an audit basis, that used to cost us so much money, we’re now doing that incrementally, turning this into a much lower operational cost for us because now we’re instigating when something changes.

Implementing this appropriately means continuously making sure that you 1) update your data inputs, 2)making sure that you are assessing your risk framework, and 3) ensuring that as long as you don’t have major changes to your risk landscape, that you are allowing the framework to do what it’s meant to do, which is lower the friction of compliance and actually make compliance of business accelerant when you’ve found distributors and third parties and supply chains that are able to deliver for you on time and cost effectively.

Tom Fox: Erika, I was wondering if you might be able to expand on some of the points Brandon raised about not an effective supplier monitoring system, but using the information from your supplier monitoring system effectively.

Erika Peters: Yeah, absolutely. As Brandon and I’ve kind of mentioned it, it’s all about flagging and determining where you need to consider a vendor and actually take action. The foundation of supplier monitoring is directly tied, as Brandon said, to the previous work, and most importantly, the risk methodology and risk tolerance of an organization. Supplier monitoring will not be effective if the risk appetite statement determined during parts of like the R and the, A of the TRADES framework focused on risk methodology design, and assessing the risks are not clearly documented and understood. A large piece of supplier monitoring is having visibility of flags on suppliers, but not necessarily needing to mitigate all the risks that you see or have identified, which should be directly aligned to your risk appetite statement.

For example, if you have some adverse news or profile change, they’re not all equal, and you may decide just to watch a risk trend first. Another example is if you see an accusation towards a third party, that may not be high enough risk to do anything about, but you may want to watch it and see wether it leads to an investigation. Is it going to end up in a charge? Is anyone being prosecuted here? All these different levels of risk a company may agree to accept depending on their risk appetite.

I think that similarly, it’s also the subject of the risk. Is it a third party itself? A CEO? Is it a financial crime or fraud that we’re talking about or something that’s lower risk? So everything goes back to how does the company view risks and what do they care about most and is anything in the monitoring tripping that?

The next thing I would just mention is you have this risk appetite statement and tolerance, but the next step where you really want to go is creating a threshold. Brandon touched on it slightly, but you want to create a line that systematically can help set up some rules or just help the analysts to determine which monitoring flags break the tolerance that you’ve identified and needs to be escalated for reassessment. That threshold determination is a key part of monitoring. You want to identify if you’ve broken that threshold, do you therefore now need to start looking at, do you still want to continue doing business with this vendor, or do you just want to mitigate by refreshing a questionnaire or those types of actions?

That kind of goes back into the TRADES framework. Where we see risk management and procurement programs break down is because there’s too much stuff going on. But what we’re saying is, I previously was a compliance professional, so I’ve definitely been there, and I speak from experience, but the supplier monitoring is how we get out of that situation as we’re affected. Like, especially if it’s effectively implemented, because it helps the teams responsible, derive and focus on what is important and only look at those items, tripping the thresholds.

You know, we do this well and other risk departments, we’ve read it in the news and we’ve been part of it as a consumer, for example, in credit risk, they’ve set up thresholds that if you break that risk tolerance in terms of credit risk, you’re not given a loan. Or in banking, if you have a customer coming in and their money-laundering risk is too high, you don’t get to be banked. And so third party and supplier risk management want to take a similar approach. Finally this part of trades is no different than the others that we spoke about. There must be a feedback loop. Once you have an issue or thresholds surpassed, you want to pick up from that part in the TRADES framework. Take the issue or the new risk, assess it, determine the mitigation, reevaluate, and re-inform the first part of the program, the risk methodology, the risk appetite, constantly tune it and hone it and use this information coming through to do that.

So in summary, to effectively use supplier monitoring, we must create risk thresholds, which fit into that risk appetite of the organization. This is really where the rubber meets the road. We want to review these risks against thresholds, ideally measuring the criticality of a supplier, the inherent risk of the supplier, the macro levels, which impact the supplier. And this will really help reduce those fire drills and keep an organization within the risk appetite, and know, at all times, what’s going on, not when something is blowing up or a risk assessment of an entity needs to be refreshed or dusted off kind of like what Brandon was alluding to.

Brandon Daniels: Yeah, and just to add one piece to this. Because we were talking about how the evaluate framework uplift step is the first time that you get to see in the maturity model , am I ready to move to that next level? The supplier monitoring transforms when you’ve moved all the way up that maturity scale, and you know that you are in a proactive, maybe even predictive forecasting sort of mode. And then you can do cool stuff with supplier monitoring because you’ve mitigated and you’ve accepted the risks that are in your population.

You might have one or two urgent issues that come up but then you can start to say, okay, in 18 months, if geopolitical tensions continue to move the way that they do, can I rely on my supplier network? And you can start to predict where those issues might come up. You can start to avoid the semiconductor crunch or the copper crunch or the resin crunch that we’ve seen occur in these industries across our critical infrastructure. They’re just hindering, major industries, they’re hindering current growth, right?

And so, Tom, this is the point at which you’ve made it through the TRADES Framework, like we’ve talked about and you’ve achieved this sort of iterative improvement in your maturity along TRADES, you can then start to get into a place where this entire risk management function is no longer about risk management, it’s about additive differentiation.

Tom Fox: Brandon, we have a few minutes left, but I was wondering if you might be able to conclude with some other considerations on monitoring your third party ecosystem and supplier network.

Brandon Daniels: I would say that there are a couple of things that I think are specific considerations. One, it’s making sure that you consistently and routinely ensure that the data elements and the information that you have to make decisions are not only refreshed, but are understood, and to make sure that there’s checks and balances, right. So if you asked someone 24 months ago that is in supply chain, are you concerned about cyber risks? In very few industries, would they have said, yes. If you ask them that today, they’d all say yes. And so you have to one ensure that you are considering the evolution of your risk landscape.

And then two, it’s what I was talking about before. You should be constantly trying to achieve a diminimous amount of end state change in your vendor ecosystem. Your monitoring should become 0.1% of your activity on an ongoing basis if you’ve tuned and you’ve honed your vendor ecosystem appropriately. If you’ve got 10,000 vendors, maybe having 10 a week that you do some sort of review on activity around should be your goal because then you reach that level of maturity, where again, that forecasted risk will become a business accelerant.

Those are the two major things that I would leave folks with as they start to think about employing supplier monitoring in the context of third-party and supply chain management.

Tom Fox: Brandon and Erika, unfortunately we are near the end of our time. I greatly look forward to continuing our conversation down the road.

About Tom Fox

Thomas Fox has practiced law in Houston for 30 years. He is an Independent Consultant, assisting companies with anti-corruption and anti-bribery compliance and international transaction issues. Tom specializes in bring business solutions to compliance problems. Most recently, he was the General Counsel at Drilling Controls, Inc., a worldwide oilfield manufacturing and service company. He was previously division counsel with Halliburton Energy Services, Inc. where he supported Halliburton’s software division and its downhole division.

Tom is the author of the award winning FCPA Compliance and Ethics Blog and the international best-selling book “Lessons Learned on Compliance and Ethics”. He is the author of Doing Compliance which is a seminal text on the ‘Nuts and Bolts’ of anti-corruption compliance published in October 2015 by Compliance Week. Tom writes and comments frequently on issues related to compliance and ethics. In addition to his daily blog and bi-weekly podcast, he is a monthly columnist and weekly blogger for Compliance Week; a monthly columnist and frequent contributor to the SCCE Magazine and a Contributing Editor to the FCPA Blog. He is a well-known and frequent speaker on issues related to compliance and ethics, the use of social media in compliance and corporate leadership. He is founder of the Compliance Podcast Network.