Issues with Many SCRM Programs
Supply chain management and supply chain risk management (SCRM) have become a greater priority for businesses and government organizations in the last five years, according to Gartner. Despite this increased focus, SCRM programs often fail to produce actionable results that reduce risk to organizations.
There are two main reasons why SCRM programs fail to achieve their desired results:
- Failure to set up a risk framework specific to the program
- Failure to effectively drive adoption within the organization
In this article, we will explore how organizations can overcome these pitfalls and set up a solid SCRM program using Exiger’s TRADES framework.
Achieving Resilience Through the TRADES Risk Framework
At Exiger, we help clients recognize that in order to achieve the most impactful results, they need to operate against a data-driven framework. We refer to this as the TRADES framework.
TRADES is Exiger’s proprietary framework for providing supply chain resilience to organizations (government agencies and private sector) at any stage of maturity and maximizing supply chain risk management.
There are six critical elements in the TRADES framework:
- Transparency of the current state
- Risk methodology design
- Assess and prioritize current risks
- Determine mitigation
- Evaluate framework
- Supplier monitoring
Each element can be implemented at the entity, program and strategic levels, which enables both tactical and strategic policies and procedures. This framework further simplifies the SCRM process and recognizes the complexity of effective risk management. To baseline the current state of your program, take our Third Party & Supply Chain Risk Management Maturity Assessment.
Transparency of the Current State
The starting point of every enterprise risk management process is different, but all are dependent on data. Organizations can leverage all of their existing data across ecosystems like cybersecurity, vulnerability, third-party vendor and service providers, and information systems.
You can sort this data into two categories:
Internal data: Gives you visibility into who your suppliers are, where they are located, and whom they are associated with, and identifies all of your first-tier supplier networks.
External data: Helps gather the information that is otherwise difficult for you to know, but essential for you to understand the risk that your supplier network poses to your organization, and confidently decide what to do about it.
Risk Methodology Design
At first, it might appear that all SCRM programs should have the same goal: to proactively detect and flag indicators of supplier risk.
However, narrowing this down to a context- and data-driven supply chain risk management goal will help you prioritize the data, indicators, and risks you want to consider. This will also help you measure effectiveness and show improvement in your supply chain security program.
While defining your goals, some helpful questions to ask include:
- What is our SCRM program designed to do?
- What are the outcomes we’re looking to achieve?
For this goal-setting initiative, think through whether your risk mitigation steps will help you drive better outcomes for your customers, enable you to be cost-efficient, and help protect national security. Accordingly, some of the example goals you might want to achieve through your supply chain risk management practices can be to:
- Increase financial value for your business’s shareholders
- Attain regulatory compliance and maintain high product quality standards throughout the supply chain life cycle
- Prevent manufacturing disruption due to COVID-19
- Avoid doing business with companies connected to human rights abuses
- Deny foreign adversaries access to critical dual-use technology
Assess and Prioritize Current Risks
Your supply chain threats arise not only from physical procurement but also from information security. This is where your team extends into cybersecurity supply chain risk management (a C-SCRM program) to safeguard data in the cloud, the trade practices of software development, and so on.
But if your team tries to patch all of the supply chain threats and the vulnerabilities in the associated information and communications technology (ICT), they might miss important risk indicators that could have a serious effect on your regular and cyber supply chain risk management program.
Hence, this stage of the TRADES framework necessitates assessing and prioritizing two types of risks.
Inherent risks: Risks associated with an entity, like cybersecurity posture, financial health, or environmental, social, and governance (ESG) risk.
Imposed risks: Risks associated with external entities like natural disasters, pandemics, resource scarcity and catastrophic weather events.
Lastly, you should also conduct a crown jewel assessment. This metric doesn’t directly extend to your supply chain attacks but instead has more to do with your program and organization. It calls for prioritizing organizational risks such as proprietary technology, trade secrets, employees, research, development, subject matter experts, customer relationships, and other critical assets that will be vital to accomplish your mission.
Determine Mitigation
Mitigation does not mean the remediation of every single risk or a risk-free ecosystem. Risk mitigation means that there is a clear risk tolerance threshold that determines which kinds of risks you mitigate and which you do not. Your mitigation options can be bucketed into three main categories: treat, tolerate, or terminate.
For instance, you might decide to tolerate some degree of financial risk in your fourth and fifth-tier suppliers because your first-tier supplier would help you manage those risks. But for those same suppliers, you decide that cybersecurity vulnerabilities and human rights abuse issues will not be tolerated at any tier of your supply chain.
Evaluate Framework
This step is all about making sure that the goal statement, risk categories, risk weights and tolerance thresholds that you’ve decided on are working correctly for your program.
Supplier Monitoring
Continuous supplier risk monitoring helps you to ensure that you are always able to understand the current risk in your organization and take action right at the point where an issue becomes known.
How to Implement the TRADES Framework
A strong third-party and supply chain risk management framework is cyclical. It consistently reevaluates its threats and vulnerabilities and amends the framework to align with the business strategy and risk landscape.
Here is a breakdown of each phase outlined in the TRADES framework.
Getting the key members of your organization on board with the goals of your SCRM program is important. They become the advocates for the program and the champions for the funding, manpower or other resources you need to succeed. They can also help you to address and eliminate any roadblocks in your organization.
Governance and Compliance
Governance principles should serve as the guideline for TRADES implementation. Stakeholders use regulatory standards from the National Institute of Standards and Technology (NIST) and ESG-related factors to assess and understand risk-related decisions.
Integrating Data and Technology for Execution of the TRADES Framework
Many program owners want to rush through the setup of the framework process and fast track to the purchase of tools. Tools and datasets are incredibly impactful but are only as effective as the framework in which they’re used.
Use the framework to identify which data and tools will be the most effective for your specific program.
To measure the performance of your supply chain risk management program within the TRADES framework, you need to determine the metrics associated with your program goal and how often to measure them.
Assessing Program Maturity and Effectiveness
After the framework has been implemented, program owners must measure its impact and effectiveness. Doing so tracks progress over time, which can be shared with internal stakeholders, and identifies any gaps or areas for continued improvement.
Every time you complete a cycle of this TRADES process at the strategic, operational, or tactical levels of your organization, you’re moving your program along the maturity curve.
Stage 1: Awakened posture
The organization understands its supplier network and has conducted a criticality assessment.
Stage 2: Progressive posture
The organization is successfully managing risk. It has a codified SCRM program with strategy and governance and has illuminated its full sub-tier supplier ecosystem and associated risks.
Stage 3: Proactive posture
The organization has moved beyond managing static risk to conducting continuous monitoring and documented supply chain integrity and resilience improvement. They have metrics that show how effectively their program is operating and measure the impact and outcomes.
Stage 4: Predictive posture
The organization identifies alternative suppliers for critical components or diversifies the supplier base to mitigate impacts of disruptions or shortages due to imposed factors like sanctions or geoeconomic events.
Build Resilience in Your Organization with Exiger
Many SCRM programs fail, but yours doesn’t need to be one of them. Establishing a risk management program based on the six steps of Exiger’s TRADES framework can improve the resilience and security of your organization.
Exiger’s Supply Chain Explorer can further advance your SCRM program by rapidly surfacing critical threats in real time across your entire supplier ecosystem, down to the nth tier, in one click. See Exiger’s Supply Chain Explorer in action.