From TPRM to SCRM: Exiger on the Evolution in Supplier Compliance in COVID – Third-Party Party Risk Management Solutions w/ Erika Peters & Skyler Chi
Welcome to a special five-part podcast series, sponsored by Exiger, on topics From Third Party Risk Management to Supply Chain Risk Management: Exiger on the Evolution in Supplier Compliance in COVID. Exiger was founded to fight financial crime, fraud and terrorist financing by introducing technology-enabled solutions to the market’s biggest supply chain, risk, investigation, litigation, and compliance challenges. A global authority on risk and compliance, Exiger serves the world’s largest banks, Fortune 1000 companies and government agencies and regulators. Over the next five episodes, we will put a spotlight on Financial Institutions with Tara Loftus and Samar Pratt; focus on corporations with Aaron Narva and George ‘Ren’ McEachern; consider Federal Government and Supply Chains with Carrie Wibben and Vishnu Anantatmula; review the pillars of good compliance with Brandon Daniels and Carrie Wibben; and end with a review of third-party risk management solutions with Erika Peters and Skyler Chi.
Today, Part 5, we conclude with a review of third-party risk management solutions with Erika Peters and Skyler Chi. Peters is an Associate Managing Director based in Exiger’s New York office, where she focuses on the firm’s financial crime compliance and assurance practices. Chi is an Associate Director based in Exiger’s New York office. With nearly ten years of forensic accounting and investigative experience he leverages world-class technology (e.g., SQL, Python, Tableau, natural language processing and machine learning) in order to aid in financial investigations and government clients in bank/investment statement reviews and analyses, data analysis efforts, large document analyses, and extensive e-mail reviews.
We began with some of the top challenges in third-party and supply chain risk management. Peters started with the complex risk environment which all companies face in understanding their nuanced third-party risk. Peters emphasized that it is more than simply laws and regulations companies need to be aware of. Now they must focus on their reputational risks and raising the bars to an even higher standard and maybe the local law where they are outsourcing or using their third parties. It is this overall complexity which Peters sees a key risk.
Next is knowing basically what you do not know. In the area of third parties, this means sub-suppliers or other lower tier parties. This means looking if your third-party risk is tailored to your company, then really deep diving into the due diligence activity, which is really increasing every day as the world changes and our customer standards change. Peters noted, “you need to cover that adequately. There are more sources, which investigators need to uncover and look for unknown risks. It is more than manually reviewing the company documents, their ownership structures, those owner’s networks. On top of that is the primary research coupled with the open source research to verify what the third parties have provided you is extremely difficult to overcome and in a quick manner. All of this can be very burdensome and with globalization, it’s adding on the research multiplied with navigating the complexity of the global data. It just really increases the chances of missing something.”
Peters concluded that by putting her auditor hat on to emphasize all of the above really does not count unless it is combined with a really strong audit trail of all the information reviewed, discounted, escalated, and being able to document that well. If the regulators ever come knocking, you must be able to show that you have a strong third-party supply chain risk management program, which is really what our consumers and everyone is requiring at this point.
I turned to Chi to consider some of the solutions to the issues Peters raised. He noted that there has been a serious evolution involving the available technologies, primarily spearheaded by some of our biggest regulatory institutions. Both the Office of the Comptroller of the Currency (OCC) and the Federal Reserve (Fed) have issued guidance to adopt technology quickly through both the private and public sectors. Chi believes “these regulatory notices have really allowed for the record breaking speed of adoption, the platforms and solutions that we see today include specifically for third-party risk management and Supply Chain risk automated due diligence solutions that allow for the rapid assessment of third-party and supply chain risk and adjudication of that risk by your people. Most of the solutions have currently evolved to platforms which include automated intelligence that identify, consolidate entities across databases and open source records into a single entities of course.” As Peters noted, Chi reiterated that these solutions have audit trails, which he termed “hardened and immutable”.
Chi then turned to what he termed “solutions of path”. By this he means solutions which have leveraged ad hoc datasets that have always existed, quickly assessing and identifying every component source within a product. This means down to a tier four, tier three supplier, eventually find the entities on which the raw metals are traded. From there, you can map risks on to that network: i.e. are these supplier’s supplier sanctioned? Are they on watch lists? Are they potentially state-owned entities that can provide an opportunity to be a threat vector or adversarial nation?
We concluded with a discussion that companies are determining that customers and targets they are looking to acquire and form business relationships with need to have appropriate mitigating controls. Chi noted, “This allows a business to maintain a healthy portfolio of vendors and customers, and a clean business known for conducting a rigorous review of their portfolios and relationships with embedded operational resilience that allows for increased organizational value. It leads to the additional generation of that goodwill and less reputational risk. The bottom line is that if you see bad actors have identified a weakness in your process, you can get remove them as a risk. Technology can transform the compliance function from a historical cost center into a value center, something that is making you and your firm stronger in today’s world through the generation of less reputational issues that increase goodwill.”