Exiger has developed the TRADES Framework, a conceptual, strategic and practical guide for Third-Party and Supply Chain Risk Management designed to help organizations achieve supply chain resiliency and optimize risk management at any phase of maturity. This development is perhaps the most significant evolutionary step for Third-Party and Supply Chain Risk Management (respectively “TPRM” and “SCRM”) since the development of the 5-step life cycle of third-party risk management that I have championed over the past 10 years. Exiger’s TRADES Framework and maturity model is a cutting-edge but actionable blueprint for building a modern third-party and supply chain risk management program. You can check out the sponsored podcast series on the Exiger TRADES Framework, posting each day this week at 10 AM on Innovation in Compliance. In this concluding Part 3, I discuss how to evaluate the TRADES Framework uplift and review supplier monitoring.
Evaluate Framework Uplift
Brandon Daniels, President, Global Markets, said the TRADES Framework began with the “basics, and those basics included the three lines of defense, and that’s what you’ve heard in the T, the R, the A and the D that have come before us. You’ve heard about how you as a first line of defense, as a business, as a business function, as maybe a compliance function working with the business as a sort of middle office, build transparency into your supply chain. That’s good for business dynamics, but that’s good for compliance dynamics too. And as we know, good compliance is good business, right? And so, when you think about the journey you’ve been through across the T, the R, the A and the D, transparency, and then your risk methodology linking to your strategic objectives, is a critical first line of defense function.”
Next is the second line of defense. Here an organization assesses its priorities and ensures mitigation of risk. Through the TRADES Framework, you can blend the first and second lines of defense. Daniels continued, “the only way that you can achieve new levels in risk management and compliance maturity, the only way that you can know what you’ve done in your T, R, A and D elements, is to next incorporate the third line of defense. That is where the ‘E’ comes in, Evaluate Framework Uplift.”
You have to take the efficacy of the prior four parts of this process and assess them from an independent and objective perspective. Some of the questions you would ask include “Do you actually have the right vendors? Do you have the data associated with those vendors to support your risk assessment? Are you biasing your risk assessment in any way by having insufficient data inputs? Have those check-and-challenge functions that should be in disruption mitigation been effective? Have you really truly got accountable stakeholders, or do you have compliance kind of carrying the water for the business?” These are critical questions that everyone needs to ask as they assess the impact that the T, R, A and D have made on their organization, and especially the ‘D’. Evaluating your Framework Uplift means you assess, from an audit and assurance perspective, both the impact of the mitigations and adherence to them, as well as your risk acceptance.
Josh Thiel, Executive Intern (Former Commander of a Special Operations Task Force), spoke to the operational perspective, beginning at the strategic level and governance. The strategic leaders, the senior leaders, establish the governance, establish the policies and the expectations, allocate the resources and determine Return on Investment (ROI) to see if “they got a return on the dollar at this period in time, because ultimately the goal is to reduce the risk of the organization. That’s what the strategic leaders are assessing in the E portion.”
Some risks, such as reputational ones, are intangible and hard to measure. Oftentimes, however, the savings from Supply Chain Risk Management (SCRM) are very direct and clear, and senior leaders can easily quantify them. Thiel provided the following example from the Department of Defense (DOD), “where the DOD made an evaluation of vendor screening based on fraudulent procurement during COVID, which cost the US Government $500 million. It’s a perfect example of how vendors were bidding in this frenzy but were effectively screened out based on their actual ability to deliver. That was important feedback for those senior leaders as they decided in the next phase to go ahead and adopt some sort of SCRM software,” which was specifically based on Exiger software performance. “At the strategic level, that’s the focus of the strategic leader.”
We then drilled down to the tactical level, where the Evaluation Phase is built on real collection of both quantitative and qualitative information. Here Thiel explained that a “company can easily run itself and its vendor ecosystem in the T and R phases of the maturity model; and then run itself again after the mitigation plans are implemented. By using the same risk models and dashboards, clients can clearly.”
Yet, as with other data analytics solutions in the compliance, risk management and supply chain space, quantitative analysis alone is not enough. I would say you must always have the human element involved. Thiel phrased it this way: “Qualitative information is critical to add context and to answer the ‘why.’ Why did the mitigation plan decrease or increase the risk? The tactical quantitative assessment could include techniques like questionnaires for third parties, internal stakeholders, transportation partners and downstream clients.” Either way you phrase it, there must be a human evaluation and provision for future plans.
We conclude with a review of supplier monitoring and an update on how government and critical industry are leading the charge using TRADES to outpace threats and vulnerabilities while minimizing third-party and supply chain risk management gaps. Erika Peters, Managing Director, Global Markets Group Head of Tech Transformation, began with the oversight and monitoring of suppliers within the vendor ecosystem, which is the final pillar of the TRADES Framework. Peters noted that it is the pillar which “upholds the long-term adherence to the other elements of the framework and ensures the evolution of the program over time as the threat landscape similarly evolves and changes.” This means that an organization benefits from the clear, concise data gathered on its supplier ecosystem, through stakeholder ownership within a clear risk framework.
As the Department of Justice (DOJ) has consistently made clear in other compliance areas, Peters related that companies “should ensure their view of the risk and opportunity landscape is monitored and dynamically addressed through continuous improvement.” It is more than simply a “risk assessment of a third party, which then is put on a shelf,” because risks change and evolve. Both third-party and external risk factors must be monitored. Doing so allows you to react faster, “in turn minimizing the potential business impact and ultimately the bottom line.” Ongoing monitoring gives you quick insights, so that you can be proactive rather than reactive in risk management when you learn that a partner carries reputational risk, such as being owned by a sanctioned entity or being linked to fraud or corruption.
Daniels expanded on this by explaining that if you establish a high degree of transparency into your supplier network or your distributor network, this will also surface critical third, fourth, fifth and sixth parties that you need to monitor in this last phase. You will be able to evaluate the efficacy of the risk methodology and the risk assessment that you are conducting on those vendors. Through the implementation of the TRADES Framework, you will have a “constant refresh of those data inputs that you created, that you curated, that you sourced in order to initially instigate your supplier monitoring, or excuse me, your supplier risk assessment. Just refreshing those data points, essentially, will just constantly recalibrate, constantly monitor, constantly find those spikes that peak out to you.”
Increasingly, Daniels believes these types of risk are “not linear. They are octagonal.” He explained that an organization “could have a risk in your operational issues. You could have a risk in cyber, you could have a risk in legal, you could have a risk in reputational business dealings.” The key is that “as long as you consistently refresh those inputs that you have used in order to initially assess the priorities of risk that you have across your third-party, fourth-party, fifth-party, sixth-party ecosystem, then you are inherently doing supplier monitoring.”
This type of continuous review and monitoring gives you insight into the future because “you are essentially testing the things that get left behind. Those low-risk vendors, those medium-risk vendors that sit below a threshold of risk tolerance, and making sure that you’ve got the right risk prioritization in place to instigate an alert when you need it.” It is also more cost effective, as you are able to move away from the costly retrospective audit two years down the road. Daniels said, “These routine audits, these big projects, these million-dollar projects that we do every year in order to refresh 10,000 out of the 20,000 total vendors that we know we’ve got, or to do deep due diligence on 5,000 of them randomly on an audit basis, that used to cost us so much money, we’re now doing that incrementally, turning this into a much lower operational cost for us because now we’re instigating when something changes.”
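The refresh-and-recalibrate loop described above, and the earlier point about running the same risk model before and after a mitigation plan, can be made concrete in code. The following is an added illustration, not Exiger's TRADES tooling or any code from the podcast: it keeps one fixed risk model across the risk dimensions the discussion names (operational, cyber, legal, reputational), re-scores every vendor from refreshed inputs, and raises an alert on a tier crossing, a score spike within a tier, or a party that deeper transparency surfaces for the first time. The weights, the 0-10 input scale, the tier and spike thresholds, and every vendor and finding in the sample data are constructed assumptions.

```python
"""Continuous supplier-risk monitoring with one fixed risk model.

Added illustration of the refresh-and-recalibrate loop; not Exiger's TRADES
tooling. Dimensions follow the discussion (operational, cyber, legal,
reputational); weights, scales, thresholds and all vendor data are constructed.
"""
from dataclasses import dataclass

# Weights sum to 100 and inputs are integers 0-10, so a composite score is an
# integer 0-1000 and threshold comparisons never suffer float rounding.
WEIGHTS = {"operational": 25, "cyber": 30, "legal": 20, "reputational": 25}
TIERS = [(700, "high"), (400, "medium"), (0, "low")]  # (floor, tier name)
SPIKE_DELTA = 200  # score jump that alerts even when the tier is unchanged


@dataclass(frozen=True)
class Assessment:
    vendor: str
    score: int
    tier: str


def composite_score(inputs: dict[str, int]) -> int:
    """Weighted composite; refuses to score on missing dimensions so that a
    thin data set cannot silently bias the result downward."""
    missing = sorted(set(WEIGHTS) - set(inputs))
    if missing:
        raise ValueError(f"insufficient data inputs: {missing}")
    return sum(WEIGHTS[d] * int(inputs[d]) for d in WEIGHTS)


def tier_for(score: int) -> str:
    for floor, name in TIERS:
        if score >= floor:
            return name
    return "low"


def assess(vendor: str, inputs: dict[str, int]) -> Assessment:
    score = composite_score(inputs)
    return Assessment(vendor, score, tier_for(score))


def refresh_and_alert(baseline: dict[str, Assessment],
                      refreshed: dict[str, dict[str, int]]) -> list[dict]:
    """Re-score every vendor from refreshed inputs with the same model,
    update the baseline in place, and return alerts for tier changes,
    score spikes, and parties that were not in the baseline at all."""
    alerts = []
    for vendor, inputs in refreshed.items():
        new = assess(vendor, inputs)
        old = baseline.get(vendor)
        reasons = []
        if old is None:
            reasons.append("new party surfaced by transparency")
        else:
            if new.tier != old.tier:
                reasons.append(f"tier {old.tier} -> {new.tier}")
            if new.score - old.score >= SPIKE_DELTA:
                reasons.append(f"spike +{new.score - old.score}")
        if reasons:
            alerts.append({"vendor": vendor, "score": new.score,
                           "tier": new.tier, "reasons": reasons})
        baseline[vendor] = new
    return alerts


def mitigation_effect(before: Assessment, after: Assessment) -> dict:
    """Same model run before and after a mitigation plan: the delta is the
    quantitative part of the evaluation; the 'why' still needs a human."""
    return {"vendor": before.vendor, "before": before.score,
            "after": after.score, "delta": after.score - before.score,
            "tier_before": before.tier, "tier_after": after.tier}


# Constructed sample data: inputs from the initial assessment of each vendor.
BASELINE_INPUTS = {
    "acme-components": {"operational": 3, "cyber": 4, "legal": 2, "reputational": 2},
    "bolt-logistics":  {"operational": 5, "cyber": 3, "legal": 5, "reputational": 4},
    "steady-foundry":  {"operational": 2, "cyber": 2, "legal": 1, "reputational": 1},
}
# Constructed refreshed inputs: an ownership finding lifts acme's reputational
# risk across a tier, a cyber finding spikes bolt within its tier, and a
# fourth party that deeper transparency surfaced appears for the first time.
REFRESHED_INPUTS = {
    "acme-components":  {"operational": 3, "cyber": 4, "legal": 2, "reputational": 9},
    "bolt-logistics":   {"operational": 5, "cyber": 10, "legal": 5, "reputational": 4},
    "steady-foundry":   {"operational": 2, "cyber": 2, "legal": 1, "reputational": 1},
    "subtier-castings": {"operational": 6, "cyber": 8, "legal": 7, "reputational": 5},
}


def run_cycle() -> tuple[list[dict], dict]:
    """One monitoring cycle plus a before/after check of a mitigation plan."""
    baseline = {v: assess(v, i) for v, i in BASELINE_INPUTS.items()}
    alerts = refresh_and_alert(baseline, REFRESHED_INPUTS)
    # Constructed mitigation: bolt remediates its cyber findings (10 -> 4).
    remediated = assess("bolt-logistics",
                        {**REFRESHED_INPUTS["bolt-logistics"], "cyber": 4})
    return alerts, mitigation_effect(baseline["bolt-logistics"], remediated)


if __name__ == "__main__":
    found, effect = run_cycle()
    for alert in found:
        print(alert)
    print(effect)
```

Two design points carry the argument of the discussion: the model is never changed between cycles, so a score movement reflects the refreshed inputs rather than a re-tuned formula, and scoring refuses to run on incomplete inputs, which is the "insufficient data inputs" bias question from the Evaluate phase turned into a hard check rather than a silent low score.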
Finally, implementing this appropriately means continuously making sure that “you 1) update your data inputs, 2) are assessing your risk framework, and 3) ensure that, as long as you don’t have major changes to your risk landscape,” you are “lowering the friction of compliance and actually make compliance a business accelerant when you have found third parties and supply chains that are able to deliver for you on time and cost effectively.”