Exiger has developed the TRADES Framework, a conceptual, strategic and practical guide for Third-Party and Supply Chain Risk Management, designed to help organizations achieve supply chain resiliency and optimize risk management at any phase of maturity. This development is perhaps the most evolutionary step for third-party and Supply Chain Risk Management (respectively “TPRM & SCRM”) since the development of the 5-step life cycle of third-party risk management that I have championed over the past 10 years. Exiger’s TRADES framework & maturity model is a cutting-edge, but actionable, blueprint to build a modern third-party & supply chain risk management program. You can check out my sponsored podcast series on the Exiger TRADES Framework, posting this week each day at 10 AM on Innovation in Compliance.
Over the next three blog posts, I will be discussing each step of the TRADES framework at the tactical, program and strategic levels. In this blog post, I will put a spotlight on transparency into the current state of your third-party risk management programs and discuss the risk methodology. In Part 2, I will consider how to assess current risks and how to best determine risk mitigations. In Part 3, I will discuss how to evaluate the TRADES Framework uplift and review supplier monitoring.
The TRADES Framework is perhaps the most important evolution in a rapidly evolving ecosystem of third-party and supply chain risk management. There are a wide variety of risks that could be in your supply chain, including both distributor risks and vendor risks. The urgency of establishing best practices in this area was driven home most forcefully during the Coronavirus pandemic, as governments at all levels were trying to secure the vaccines, Personal Protective Equipment (PPE) and pharmaceuticals that were needed. There have also been legislative initiatives, with laws such as the German Supply Chain Act starting to gain momentum. Of course, modern slavery issues, which were discussed previously, and the ESG revolution have also mandated increased scrutiny.
T for Transparency
Tim Stone, Senior Director, Supply Chain Risk Management, related that “T is for ‘Transparency of Current State.’” There are different levels of transparency. He focused on the Entity Level, where the goal is to identify the full third-party ecosystem. Another way to think about it is “taking stock”. This stage involves illuminating your current state of affairs and identifying your vendor ecosystem.
The next step is to build this initial tier of reliably accurate, validated, and de-duplicated entities that are mapped to business units, products, and use cases. You want as comprehensive a supplier and third-party ecosystem as possible. So how do you gain this transparency?
The first step is to identify your internal supply data elements. You need to review your organization’s contracts and other paperwork, as well as engage stakeholders across the organization in a fact-finding exercise, to arrive at a golden source of suppliers and vendors, and then map those entities to the products, business units, and use cases across the organization. Next, you should review external supply data elements.
Skyler Chi, Associate Director, Global Markets Group, said that “Transparency” is also about illuminating risk, which here means identifying the risks posed by the entities in a client’s supply chain. These risks are either inherent or imposed. Determining inherent risk is where Exiger’s AI-powered due diligence platform, DDIQ, shines. DDIQ finds and categorizes risk information about focal companies and people. The platform searches hundreds of structured (e.g., watchlists) and unstructured (e.g., media) data sources and performs thousands of targeted queries – using proprietary search strings associated with different risk types and specific risky entities – to isolate and categorize risk information about a focal entity.
Next is imposed risk, which is “an aggregate view of a company’s upstream reliance on certain countries, such as China, for its receipt of goods. This extent of a higher risk country’s upstream footprint in a company’s supply chain is indicative of greater risk.” Imposed risk also includes downstream supply chain risk analysis to isolate where a company’s products are ultimately ending up.
Transparency also speaks to the governance and accountability associated with third-party (TP) and Supply Chain Risk Management (SCRM). There is a Strategic Level and a Program Level. As Skyler related, you should create and document a TP&SCRM mission statement and purpose explanation, understand how mature your program is and create a baseline analysis of the program’s maturity. You then develop and maintain policies and procedures, which provide guidance, and determine the right risk-area stakeholders and governance forums.
From this point, you should work to determine communication and workflows to operate the TP&SCRM program. This can be done through several steps, including data sourcing and right-sized technology aligned to the TRADES framework to ensure a single source of truth for each third party, supply chain, and overall program; continuous evaluation and improvements of the framework and periodic refreshes or reviews to assess industry/risk changes and best practices. Finally, it would lead to the creation of principles and guidance to help company stakeholders take risk-related decisions and actions.
R for Risk Methodology
Matt Hayden, Deputy Lead of GovTech Solutions (and Former Assistant Secretary of Homeland Security for Cyber, Infrastructure, Risk, and Resilience) said that risk methodology begins with setting a strong foundation. At the strategic level, you should work to determine the business, third-party and resource threat and opportunity landscape in order to commit to a definition of risk.
At the program level, you should work to develop and maintain the risk assessment methodology and ensure that it is tailored to the specific organization. Then set the standardized guidance for how the following two actions will be conducted. First, look externally to identify which risks align to the organization’s industry and supplier types. Determine the underlying risk indicators to measure the supplier risk. Consider both inherent risks to individual suppliers (e.g., supplier financial health) and macro risks (e.g., geopolitical factors, resource shortages, etc.). Second, look internally at the organization by conducting a criticality analysis or “crown jewel assessment” to identify what assets within your organization are essential for mission accomplishment, and ensure risk framework alignment to those prioritized critical assets.
Finally, at the entity or tactical level, you should consider both the internal and external view from the program level and identify the specific inherent and macro risks for each third party. Some macro supply chain risks include: disruption due to geopolitical conditions or natural disaster; the COVID-19 pandemic; resource scarcity; catastrophic weather events; operational risks; foreign ownership, control and influence; reputational, compliance and regulatory risk; and financial health.
Theresa Campobasso, Senior Account Manager, National Security and Intelligence, related, “A Crown Jewel assessment would look at those key elements that are critical to an organization’s operation and success.” It would include (1) “What would be the priority targets during a compromise to disrupt the products or services the organization provides.” (2) It would “set a threshold specific to your industry of what the top 10 items are without trying to boil the ocean for an entire organization, using impact of loss as a determining factor.” (3) Finally, you need to “customize the methodology based on critical assets such as people, equipment, proprietary intellectual property, etc.” It would provide you a manner to adjust to risk events or indicators based on the products or services the organization provides.
Diving more deeply into building out these risk lenses, Campobasso explained that, on the internal risk dynamic, after you identify your “Crown Jewels” you should prioritize them into a Top 10 and “elevate them to the Board agenda for regular review and update to the Board.” Moving to external risks, she said that you should align these risks with the goals of your SCRM program by asking such questions as “What is your SCRM program designed to do? Is it meant to help protect national security? Help you to drive better outcomes for your customers? Is it meant to help you deliver cost savings? Do you care more about operational risk and traditional corporate due diligence, or do you care more about counterintelligence concerns or preventing hardware compromise by foreign adversaries? A mix of both?”
From there, move on to determine the context for inherent risks for your organization and your risk management program, as “depending on the goals of your program, some types of risk are more important to you than others.” The next step is to determine the context for macro or imposed risks, which are the environmental or jurisdictional risks that could affect your third parties. Campobasso concluded that “At the end of the day, doing the work up front to outline and resolve all of these types of questions will enable the organization to create a tailored, standardized, repeatable methodology to consider risk as it relates to the supplier network as well as the critical assets for the organization. When you start trying to incorporate tools or external data, you can make informed decisions about what types of solutions will be most helpful based on the Risk Methodology that the organization has defined.”
Join me in Part 2 tomorrow, where I consider assessing current risks and determining risk mitigations.