The Groundbreaking Guide to Third-Party & Supply Chain Risk Management: Part 02

The Groundbreaking Guide to Third-Party & Supply Chain Risk Management: How Exiger’s TRADES Framework Revolutionizes TPRM & SCRM in 2021 and Beyond 

Exiger’s TRADES framework & maturity model is a cutting-edge, but actionable, blueprint to build a modern third-party & supply chain risk management program. Over the next six episodes, Compliance Podcast Network’s Tom Fox will be speaking with Exiger’s experts as we go through each layer of the TRADES framework at the tactical, program and strategic levels.

We put a spotlight on transparency into your current state with Skyler Chi and Tim Stone; discuss the risk methodology with Theresa Campobasso and Matt Hayden; assess current risks with Laura Tulchin and Peter Jackson; determine mitigations with Carrie Wibben and Aaron Narva, evaluate the TRADES Framework uplift with Brandon Daniels and Josh Thiel; and end with Brandon Daniels and Erika Peters, who will give a review of supplier monitoring and close us out with an update on how government and critical industry are leading the charge, using TRADES to out-pace threats and vulnerabilities while minimizing third party and supply chain risk management gaps.

Part 02: Risk Methodology Design with Exiger’s Theresa Campobasso and Matt Hayden

This podcast is also available on iTunes, Spotify, and YouTube.

For further insight, you can also read Tom Fox’s blog post on The Compliance Podcast Network.

Podcast Transcript

Tom Fox: Hello everyone. We continue on our exploration of TRADES and today is Risk Methodology Design. Could you tell us about the overview of this, Theresa?

Theresa Campobasso: Sure. Organizations are often really excited to try and jump right into the assessment after they get their data. They want to jump right into managing the risk and trying to make a difference in their program. But if you skip the step of risk methodology design, you run two big risks with the success of your program.

The first risk is that you may not have customized your program in the correct way. It should be customized based on your industry or your critical assets. Then the other risk is not getting organizational buy-in from your own stakeholders, from your own programs, or even your third parties. You’re working with them without a relevant, tailored, customized, well-thought-out program.

The importance here that we really want to emphasize is that the outcome of your supply chain risk management program or your third-party risk management program is really only going to be as good as your design. It’s very important to do this upfront and to really think through the roadmap, the process, the methodology, and just like Skylar and Tim had mentioned, we want to look at the strategic level, the program level, and the entity level, as we talk about the different kinds of risks and how we want to set up that design and set up that methodology, but it is really important to do that right at the front.

The importance here that we really want to emphasize is that the outcome of your supply chain risk management program or your third-party risk management program is really only going to be as good as your design.

Theresa Campobasso, Senior Account Manager, National Security and Intelligence

When we’re talking about the particular kinds of risks, I had just mentioned the different levels, but let’s talk about that a little bit. At the strategic level, we’ve done the T step of TRADES. We’ve gotten our transparency in our internal and external data. Now we’ve got some decisions to make as an organization about what to do with that and how to best use that to create that roadmap. Then, use that to drive our policies and our guidance throughout the organization. So at the strategic level, that’s really where you are going to have your business, or have your organization really commit to your definition of risk.

That’s going to set the stage for the rest of the things that we’re kind of going to discuss here around risk indicators and criticality. What is the goal of your program? Really defining that. Is the goal of your program to maximize revenue, prevent disruption, safeguard national security, prevent cyber breach or some combination of all of those things? Getting that clarity at the strategic level is going to drive what happens throughout the rest of the process. Then we look at the program level.

We’ve gotten our goals, clarity around our common definition of risk, what the goal of our program is and where we want to focus our effort. Now the universe of possible supply chain and third-party risks is very broad, as you can imagine, and it’s very helpful for organizations now at the program level, to start looking at ways that they can best align the third-party risk management program or supply chain risk management program to their specific needs.

There’s kind of two main ways that we like to do that – the first way is going to be to look externally. That is going to identify, which risks really align to your organization’s industry, maybe your supplier types, and then determining what those risk indicators are to measure those risks that you find to be high priority.

When you want to consider your inherent risks to individual suppliers, you want to consider things like an imposed risk, or what we call a macro risk, something like a geopolitical factor. Then also we want to look internally at your own organization and identify what your critical assets are, and I know Matt’s going to tell us more about that later on. That’s really what you want to do at the program level right as you start. Then finally, at the entity or tactical level, that’s where you’re going to dive into and make some calculations around the very specific individual risks that you have decided that are your priorities.

We can talk about all sorts of specific individual risks, but, I’ve mentioned kind of the two families of those. You’ve got your inherent risks, and then you’ve got your imposed risk. You can really think of those. The inherent risk is going to be the risk that is germane to the entity itself – so maybe it’s financial health or maybe it’s ownership, something like that. It’s own network of suppliers, perhaps. And then the imposed risk is more something that is a factor that’s external to the entity, but still really affects it. So think of things like the COVID-19 pandemic or maybe something like geopolitical, a sanctions issue or some kind of geopolitical instability in the region where maybe your supplier is manufacturing.

I know that was probably a lot to start with, but those are the areas you want to really get clarity on throughout the organization as you first start your program. But before you move on to trying to make any assessments, tailoring it to your particular operational context is going to drive how you want to do that stage A. That’s going to drive how you’re going to assess those risks, determine what is important to your organization and how to mitigate it.

Matt Hayden: Thank you, Tom. Just as Theresa had mentioned, one of the challenges that we come to as security professionals when we look at industries is what are you trying to protect the most? We’ll come to agencies and say, what are your crown jewels? Agencies will turn to us and say that they are in compliance or have met all of the needs that were being asked of them. We have to sit them down and say that they don’t understand what the most disruptive things are. They need to identify what they control or possess, what people on their team will need to mitigate, and what they need to identify as potential risks moving forward. Those are your crown jewels.

So an example may be if you’re a small doctor’s office and you’re looking to have your crown jewel in essence, it’s your patient records. If you’re a multi-billion dollar company, it’s what’s going to cost you a billion dollars a day if it goes away, whether that’s a component of your supply chain that is sensitive, or that’s a specific team member that you can’t live without – those crown jewels are going to be what you look at as a target of where you want to identify what risks are there and those are going to be your short list.

Most people when they hear this, I say that I’m going to do a thousand things and try to look at all of the gamut that could be impactful to those things. No. We’re talking about creating a top 10 or top 20 list of the most disruptive items that could happen or the most sacred items that need to be protected. We’re going to lay that over the top of the risk framework that we’ve identified through the other processes, such as compliance and our external factors.

We would look at this as an exercise that would go all the way up to the board. You would have your board of directors tick off what these particular items are, how they are being protected and/or if they are they being identified as they evolve. That’s that keen “always on” focus that touches on transparency and moves towards excessive and risk where you at least need to know where those risks are.

Lastly, when you’re looking at crown jewels versus your whole organization, we want to make sure that people don’t get caught up in boiling the ocean. It’s something that will cause too much creep and make organizations have challenges. Hitting those top tens or twenties of what you can’t live without and identifying what those particular items need to be protected is truly where the internal risk matrix really needs to kick in.

Hitting those top tens or twenties of what you can’t live without and identifying what those particular items need to be protected is truly where the internal risk matrix really needs to kick in.

Matt Hayden, Deputy Head of GovTech Solutions

Tom Fox: If I could follow up the crown jewel issue, do you find that is one business executives or the people sitting, your clients and customers understand, or is this something that is really new to them and you have to educate them?

Matt Hayden: For those in the cybersecurity lane, it’s been a part of the vernacular for a while. The challenge was when we first started rolling out security solutions, people in the C-suite wanted to know what we had to protect first. No, yes, yes, yes. We’ve got to protect our whole organization, but what do we have to protect first? This was an exercise that was required to determine those priority items that really needed that protection. But when risk officers started seeing what we were doing in the cyber security line, they said, no, no, no, this is organization wide.

Every category of risk needs to be enveloped in this priority process because you can’t have priorities in one risk category and not others. Crown jewels has become a part of the vernacular within C-suites for major corporations. I think as you get into those middle tier corporations, and certainly as you get into small business, there’s usually a challenge in translation, but they get to it pretty quickly.

Tom Fox: Do you find that after they begin this crown jewel assessment or simply kind of a risk ranking assessment, that it really can help evolve into a business efficiency exercise as well?

Matt Hayden: The challenge with risk ratings is that if you interpret crown jewels in that siloed manner, you will try to do a top 100, a top 1000. You include more than what may be at that cutoff. So the first step is traditionally to create a threshold. Like we mentioned earlier, if there’s a billion dollar, multi-billion dollar company, and you set a threshold of what would impact a billion dollars a day of going out the door, that threshold and above is what you focus on from a crown jewels aspect. Whereas a full risk ranking may take into effect the entire agency’s known disclosed aspects of risk and move from there.

The challenge with risk ratings is that if you interpret crown jewels in that siloed manner, you will try to do a top 100, a top 1000. You include more than what may be at that cutoff.

Matt Hayden, Deputy Head of GovTech Solutions

So you do still want to containerize it as those true high priority items and we’ll work from there, but it is something that is becoming a business enterprise and an efficiency aspect. It does lend itself to the larger management conversation. If you do find that you have a top 10 priority list and those items aren’t being made more efficient, it is a tool that is available, but it’s not as intended purpose.

Tom Fox: Theresa, if I could end with a question to you. The R stands for Risk Methodology Design. Does the methodology design allow for flexibilities between organizations, or rather do you tailor it for each client that you’re sitting across the table with? Or is it something else?

Theresa Campobasso: That is a very good question. There are a couple of ways that we want to think about this. Typically, when we’re looking at implementing the risk methodology design, there’s an internal way to do it, where you’re looking at your own organization, in which case you would want to have kind of a ground truth.

That’s exactly what we talked about about that strategic level, getting that organizational buy-in and having everybody decide on that common definition and getting ready to kind of move forward as a team, but when you’re helping clients work through this process, or educating them about things like the crown jewel analysis that Matt just mentioned, you do want to be flexible because you’re going to have to consider the different lenses of risk and the different inherent and imposed risks and their criticality that they’re working on, what their critical assets are.

When you’re helping clients work through this process, or educating them about things like the crown jewel analysis that Matt just mentioned, you do want to be flexible because you’re going to have to consider the different lenses of risk and the different inherent and imposed risks and their criticality that they’re working on, what their critical assets are.

Theresa Campobasso, Senior Account Manager, National Security and Intelligence

You’re going to want to build that flexibility in there so that you can be really responsive, and just like you want to have a really tailored relevant data-driven methodology for you to implement that’s going to work well for your organization, that’s exactly what you want to develop for your clients as well.

Tom Fox: Well, Matt Teresa, we are unfortunately near the end of our time. Frankly, I could talk with you guys for hours on this topic. I look forward to continuing the conversation.

About Tom Fox

Thomas Fox has practiced law in Houston for 30 years. He is an Independent Consultant, assisting companies with anti-corruption and anti-bribery compliance and international transaction issues. Tom specializes in bring business solutions to compliance problems. He was most recently the General Counsel at Drilling Controls, Inc., a worldwide oilfield manufacturing and service company. He was previously division counsel with Halliburton Energy Services, Inc. where he supported Halliburton’s software division and its downhole division.

Tom is the author of the award winning FCPA Compliance and Ethics Blog and the international best-selling book “Lessons Learned on Compliance and Ethics”. He is the author of Doing Compliance which is a seminal text on the ‘Nuts and Bolts’ of anti-corruption compliance published in October 2015 by Compliance Week. Tom writes and comments frequently on issues related to compliance and ethics. In addition to his daily blog and bi-weekly podcast, he is a monthly columnist and weekly blogger for Compliance Week; a monthly columnist and frequent contributor to the SCCE Magazine and a Contributing Editor to the FCPA Blog. He is a well-known and frequent speaker on issues related to compliance and ethics, the use of social media in compliance and corporate leadership. He is founder of the Compliance Podcast Network.