From TPRM to SCRM: Exiger on the Evolution in Supplier Compliance in COVID – Pillars of Good Compliance w/ Brandon Daniels & Carrie Wibben
Welcome to a special five-part podcast series, sponsored by Exiger, on topics From Third Party Risk Management to Supply Chain Risk Management: Exiger on the Evolution in Supplier Compliance in COVID. Exiger was founded to fight financial crime, fraud and terrorist financing by introducing technology-enabled solutions to the market’s biggest supply chain, risk, investigation, litigation, and compliance challenges. A global authority on risk and compliance, Exiger serves the world’s largest banks, Fortune 1000 companies and government agencies and regulators. Over the next five episodes, we will put a spotlight on Financial Institutions with Tara Loftus and Samar Pratt; focus on corporations with Aaron Narva and George ‘Ren’ McEachern; consider Federal Government and Supply Chains with Carrie Wibben and Vishnu Anatatmula; review the pillars of good compliance with Brandon Daniels and Carrie Wibben; and end with a review of third-party risk management solutions with Erika Peters and Skyler Chi.
In Part 4, we consider the pillars of good compliance with Brandon Daniels and Carrie Wibben. Wibben is a Senior Vice President, National Security & Intelligence, based in Exiger’s McLean office. As the former Deputy Director of the Defense Counterintelligence and Security Agency (DCSA), Carrie joins Exiger following a distinguished career in homeland defense spanning various government agencies – including the US Department of Defense, the Executive Office of the President, and the Special Security Directorate. Brandon Daniels is the President of Global Markets. A regulatory expert and technology practitioner, Brandon brings more than 15 years in senior management across the financial services, life sciences and energy sectors. He has a reputation for technological innovation in regulatory investigations and compliance management.
Wibben believes that the private sector entities which comprise the defense industrial base are keenly aware of the threat posed by the weaknesses in their supply chains. However, and perhaps even more importantly, this awareness has not percolated into “middle America,” which has been awakened to the concept of supply chain vulnerabilities with the shortage of critical medical supplies across our nation and the massive problem with foreign reliance. Wibben sees the most powerful examples in the medical area, in the effort to find safe and reliable supply chains for personal protective equipment (PPE) and other medical supplies. The defense industrial base and private industry are really in the same unfortunate posture as the medical sphere. But this experience has led to what Wibben termed “breaking through the noise” of supply chain vulnerability.
This has led to what Daniels termed good pillars of compliance. From his private sector background, he observed them in the corporate overhauls stemming from the Sunshine Act, significant federal False Claims Act (FCA) cases and Foreign Corrupt Practices Act (FCPA) enforcement actions, from the late ’90s through the mid-2000s. To now see those pillars of compliance that were developed by those industries come to life in the federal government in the past few months, literally at record-breaking speed, has been a “phenomenal reflection on where we’ve come in terms of understanding third parties and understanding their critical risk or the component of risk that they play to our operations.”
What Daniels saw in the COVID-19 crisis was the speed with which the federal government had to build a tone and a consistent message around acquisition, and then the ability to acquire sustainable, reliable, viable goods for the use of the American citizen, health professional and others. You heard the first pillar of compliance ring true in COVID in the federal government, and that was that there needs to be senior management commitment. The consistency and the loudness of that message amped up 20 times during COVID. Daniels stated, “You heard leaders in the various forums that are made available to connect industry and government. You heard all of the leaders saying, ‘Look, we need to get control of our supply chains, our third parties, the risks that we run, by essentially focusing our compliance on fairness of acquisition, on lowest cost viable goods, technically acceptable goods.’”
Then, after that, it was astonishing to watch the other areas fall into place. You saw a dedication of resources and additional responsibility on the frontline acquisition people to take seriously counter-intelligence risk, to take seriously financial crime or financial spread risk, fraud risk. You saw people starting to think critically about how you’re going to risk assess entities.
Even before COVID-19, we saw multiple and sometimes very quick changes from the Trump Administration, from OFAC around denied parties and from others around trade sanctions. The Department of Justice (DOJ) has both issued new guidance on compliance programs and updated the FCPA Resource Guide into a 2nd edition. It has even accelerated around the Department of Treasury and the Committee for Foreign Investment in the United States (CFIUS) with the CFIUS reviews that are happening right now. Daniels believes we may be in the “beginning of a constantly iterative cycle. What we first saw was industry really improve and mature reputational risk policies, reputational risk due diligence, regulatory analysis, and compliance standards that met those supervisory or regulatory expectations.”
He added that this type of approach is now extending internationally, and he pointed to the ban of Huawei technology into their 5G rollout. As you start to see this awareness of the criticality of your supply chain and the awareness of how third parties can impact your environment start to grow in the federal government and then get responses from industry, “what you’re going to see is you’re going to see industry go up another notch. You’re going to see industry have to mature again, industry have to be more expansive, industry have to be more diligent than they have today about the risks that they’re incurring as they look to the providers that they use that are critical to their infrastructure.”