
The Groundbreaking Guide to Third-Party & Supply Chain Risk Management: Part 01


The Groundbreaking Guide to Third-Party & Supply Chain Risk Management: How Exiger’s TRADES Framework Revolutionizes TPRM & SCRM in 2021 and Beyond 

TRADES Framework

Welcome to a special six part podcast series, sponsored by Exiger, on the TRADES Framework, a conceptual, strategic and practical guide for Third-Party and Supply Chain Risk Management designed by Exiger to help organizations achieve supply chain resiliency and optimize risk management at any phase of maturity. Exiger was founded to fight financial crime, fraud and terrorist financing by introducing technology-enabled solutions to the market’s biggest supply chain, risk, investigation, litigation, and compliance challenges. A global authority on risk and compliance, Exiger serves the world’s largest banks, Fortune 1000 companies and government agencies and regulators. 

Exiger’s TRADES framework & maturity model is a cutting-edge, but actionable, blueprint to build a modern third-party & supply chain risk management program. Over the next six episodes, Compliance Podcast Network’s Tom Fox will be speaking with Exiger’s experts as we go through each layer of the TRADES framework at the tactical, program and strategic levels.

We put a spotlight on transparency into your current state with Skyler Chi and Tim Stone; discuss the risk methodology with Theresa Campobasso and Matt Hayden; assess current risks with Laura Tulchin and Peter Jackson; determine mitigations with Carrie Wibben and Aaron Narva, evaluate the TRADES Framework uplift with Brandon Daniels and Josh Thiel; and end with Brandon Daniels and Erika Peters, who will give a review of supplier monitoring and close us out with an update on how government and critical industry are leading the charge, using TRADES to out-pace threats and vulnerabilities while minimizing third party and supply chain risk management gaps.

Part 01: Transparency of the Current State with Exiger’s Skyler Chi and Tim Stone

This podcast is also available on iTunes, Spotify, and YouTube.

For further insight, you can also read Tom Fox’s blog post on The Compliance Podcast Network.

Podcast Transcript

Tom Fox: This is Tom Fox and our episode today is Transparency of the Current state. Skyler, can you tell me what T stands for in the TRADES acronym?

Skyler Chi: Yeah sure thing, Tom. T stands for transparency of the current state. It’s the first letter in our TRADES acronym. There are six different levels within the framework focused on governance and risk stewardship. Specifically, we are looking for who across the enterprise owns the risk of supply chain and vendor risk management at both a strategic and program levels. This includes how risk is governed.

We’ll talk shortly about those considerations, but first Tim wants to talk about our third level within the transparency of our current state, which is an entity level approach. It’s where an organization has to objectively and accurately note who they’re doing business with at the most foundational level. We can then start to build on that with who they’re doing business with, suppliers’ suppliers, and deeper into the tier of the supply chain.

Tim Stone: Thanks, Skyler. When we talk about T for transparency, it’s all about understanding an organization’s full third party ecosystem. T could also stand for taking stock. This entity level, which is a granular level, is not about managing risk at this stage. It’s about illuminating a company or an organization’s current state of affairs by identifying vendors within their third-party supplier ecosystem. You can’t assess and manage risk until you know your vendors. You need transparency first, and you don’t get this by flipping a switch. One can’t assume they have transparency in their supplier ecosystem. You need to build this out and validate it, which is what the first step within the TRADES framework envisions.

It’s about illuminating a company or an organization’s current state of affairs by identifying this vendor and third-party supplier ecosystem. You really can’t assess and manage risk until you know your vendors.

Tim Stone, Senior Director, Supply Chain Risk Management

I’ve worked in financial crime risk management and from that perspective it’s akin to the bedrock step of customer due diligence and know your customer. It can even be one kind of layer beneath that and be ID (Identification) and V (Verification). That’s where a bank collects names and pedigree information about its clients. In the context of supply chain and third-party risk management, you need to confirm the identities in this supplier ecosystem before you can even think about risk rating them, prioritizing risk issues or mitigating risks. It’s just about having clarity of the companies and entities that are within this ecosystem.

What we found is that a lot of the clients are at a somewhat primitive state. Clients will say they have 500 entities that are suppliers for tangible goods and software. After some digging, they may actually have double, triple or maybe half that number. They have lists of clients or lists of vendors and suppliers that are inaccurate. That’s like getting a poor CDD or KYC file in a bank.

One client just admitted that they have really no way to canvass their supplier ecosystem and have a firm understanding of which companies and entities are within that ecosystem. This kind of boils down to just poor information sharing, which impacts big companies, but also small companies as well. You can have different business units within an organization that are using the same vendor for slightly different use cases. All have material financial relationships with the same vendor, but this information is siloed. It’s not disseminated. One part of the company can think an entity is a sub-tier supplier when in fact it’s a tier one for another part.

We’ve seen in the industry companies commissioning market intelligence reports, but until the companies that you’re doing business with are in this ecosystem, you’re really putting the cart before the horse. There are really no actionable steps to take. This level isn’t a risk management stage; it’s the taking stock of your environment.

So the question then is how to build this initial tier of reliable, validated and de-duplicated entities that are mapped to the business units, products and use cases? How does one get this initial transparency? There are two areas that we go to: internal and external supply data elements. A company comes to us and wants to understand and illuminate their supply chain and understand the entities in it. We begin by going on a fact-finding mission. We look at an organization’s contracts and paperwork and engage stakeholders throughout the organization.

The goal is to arrive at this golden source of suppliers and vendors and then map them to the products, business units and use cases across the organization. We can then go beyond that. From direct suppliers to the suppliers of the suppliers, you can look for internal supply data going into the sub-tiers. There are a number of resources available for computer hardware, which is ubiquitous and often accompanied by minimum operating specifications, product manuals, or bills of materials.


That can be a window into hardware and software. From there, it’s a springboard to find original equipment manufacturers and partner companies. You can also look at supplier questionnaires and responses to requests for proposals that a company has submitted. Once you’ve exhausted these internal supply data elements, then you can tap external supply data. We do this quite often. My team will often leverage external data sources. These can include public contracting, purchasing and spending data, open source and also proprietary databases. We can also get pretty granular federal contracting data that you can bulk pull and then analyze to understand prime-to-subcontractor supplier relationships.

Another avenue is commerce data. At Exiger, we built a data environment that can query billions of commerce records. It captures international shipments at a granular level, down to the date of the shipment, goods shipped and weight. Then we can use our analytics environment to interrogate, visualize and analyze that data. A couple more areas of external data about supply chains are software and IT supply chain data. This is so important and timely in light of SolarWinds and Colonial Pipeline.

Last week there was a supply chain attack at Kaseya. We have tools to scrape the internet for open source evidence of company software usage. By doing so we can understand the entities in a digital supply chain. We can see the nexus or the web of connections between our client and other software vendors. In turn, we go even deeper into the supply chain, the digital supply chain, in that way.

Then there are other avenues such as parts data through open source parts data aggregators. There’s also doing market research and leveraging regulatory records. This can be a source of information about a company’s material contracts and supplier relationships. That is the entity level, the most granular step for a client that wants to understand, illuminate and manage supply chain and third-party risk. Understanding your supplier ecosystem is the initial bedrock step that needs to be taken. I’ll hand it back to Skyler to talk a little bit about the governance and risk steward aspects of this element of the TRADES framework.

Skyler Chi: Great, thank you, Tim. As we’ve mentioned, T stands for transparency within the TRADES framework and has different levels. Tim spoke about the entity level and illumination of supply chain partners. There are then two other levels of transparency, those at the program and strategic level. They really speak to governance and accountability associated with third party and supply chain risk management reviews. This spills over into how you analyze, stratify and prioritize the kinds of risks identified through the framework. At the strategic level, which is the enterprise-wide level, it’s the first element to assist one in better understanding transparency. It consists of creating and documenting a mission statement and purpose explanation.

As Tim mentioned earlier, oftentimes when we engage with our customers, they believe that they have a certain degree of exposure to X number of vendors or N-tier supply chain partners. When we get into their shop, what we see is that there may be three or four times what they originally believed they’re exposed to. One of the primary reasons for the lack of transparency is there is no documentation that allows for them to understand how mature their program is.

One of the primary reasons for the lack of transparency is there is no documentation that allows for them to understand how mature their program is.

Skyler Chi, Associate Director, Global Markets Group

It should really be a high level policy document with broader principles and goals that explains who owns certain risks. What is the governance around those risk owners and risk types? What is the strategy around governance that allows for our clients to create a baseline analysis of their program’s maturity?

Based on that documented internal maturity assessment, there’s a need to continue to establish stakeholder engagement and governance principles. That leads us to a program level approach, the third layer of transparency into a current state. This is the operational level that supports enterprise-wide strategic and policy setting document. When we look into the program level that supports illumination and transparency of supplier ecosystems, the first goal is to develop and maintain more granular sets of policies and procedures that provide guidance. Those policies and procedures should be agreed to by various risk stewards and risk owners, including the businesses that sit within the enterprise.

A key risk owner should be fully bought into the process from inception of the supply chain risk management program. If an external provider such as Exiger, or a partner assisting in the review of third party or supply chain risk management illumination, asks who their tier one suppliers are, the business knows who owns the risk. They can then determine the right areas and focus of approach when we look into supply chain risk management.

In addition to identifying key stakeholders, the program level develops a responsible/accountable matrix. This is where we’re looking for consulted individuals that maintain an informed posture of supply chain risk management and vendor illumination. Those key stakeholders that sit within that matrix may be key executives, the legal team, the compliance department, or procurement onboarding, for example.

As Tim mentioned earlier, Kaseya was a supply chain injection attack that happened through a zero day exploit. That function really sits within technology and security to immediately cut off access from those malicious threat vectors as they become known. Last, and certainly not least within our program level transparency, is to determine the communication and workloads that operate your program. We need to identify data sourcing and right-size technologies that align to your program’s maturity to ensure a single source of truth. This is not only for each one of your vendors and their related supply chains, but also the overall program that you’re now establishing through better understanding of your program’s transparency.

As we move forward in time, there needs to be continuous evaluation of improvements within the communication and workflow function of our program level review. This could mean periodic refreshes or reviews with key stakeholders and risk owners to better assess macro and micro risks and changes that are not only external to your program, but internal to your enterprise. Ultimately these principles help guide them to make the right risk-related decisions as you move through the TRADES framework.


Tom Fox: Gentlemen, unfortunately, we are near the end of our time for this episode. I look forward to continuing the conversation.

Skyler Chi: Great. Thank you so much for your time today, Tom.

About Tom Fox

Thomas Fox has practiced law in Houston for 30 years. He is an Independent Consultant, assisting companies with anti-corruption and anti-bribery compliance and international transaction issues. Tom specializes in bringing business solutions to compliance problems. He was most recently the General Counsel at Drilling Controls, Inc., a worldwide oilfield manufacturing and service company. He was previously division counsel with Halliburton Energy Services, Inc., where he supported Halliburton’s software division and its downhole division.

Tom is the author of the award-winning FCPA Compliance and Ethics Blog and the international best-selling book “Lessons Learned on Compliance and Ethics”. He is the author of Doing Compliance, a seminal text on the ‘Nuts and Bolts’ of anti-corruption compliance published in October 2015 by Compliance Week. Tom writes and comments frequently on issues related to compliance and ethics. In addition to his daily blog and bi-weekly podcast, he is a monthly columnist and weekly blogger for Compliance Week, a monthly columnist and frequent contributor to the SCCE Magazine, and a Contributing Editor to the FCPA Blog. He is a well-known and frequent speaker on issues related to compliance and ethics, the use of social media in compliance, and corporate leadership. He is founder of the Compliance Podcast Network.
