Matt Kelly:
Hello everyone and welcome to another episode of Coping through COVID. I am your host Matt Kelly, editor of Radical Compliance. This is a limited podcast series sponsored by NAVEX Global where we talk about corporate compliance and risk management challenges posed or amplified by the COVID-19 crisis. In each episode we take a deep dive into some specific issue, it could be executive communications, cybersecurity, regulatory compliance, supply chain risk. We take a look at those and we talk with a thought leader in that field so compliance and risk officers can better understand the challenges we're facing these days and how to navigate them smartly.
In this episode, we're going to focus on supply chain risks and how they fit into business continuity challenges that COVID-19 is forcing companies to confront. To talk with us about that I'm joined by Sam Abadir. He is director of industry solutions at NAVEX Global and a longtime executive working on risk management issues such as business continuity and supply chain stability. Sam came to NAVEX last year when NAVEX acquired LockPath, a software firm that focused on integrated risk management issues. So we are happy to have him here today. Sam, welcome. Thanks for joining me.
Sam Abadir:
Thanks for having me, Matt. I really appreciate it.
Matt Kelly:
Sure. So, Sam, perhaps first to talk about how difficult supply chain management is right now because COVID is a global problem, so how does that upend the traditional supply chain risk assessments and analysis that companies might try to do? What's really going on today?
Sam Abadir:
Much of supply chain risk management up to today, up to COVID-19, has dealt with kind of the risks at the moment. Depending on the industry that you're in and what your suppliers are doing, they could have been things like cybersecurity risks, financial risks, quality risks, the ability to deliver on time and some really risk-aware companies were dealing with things like geopolitical risk. In some ways, this pandemic is the ultimate geopolitical risk. The supply chain managers and risk managers have been taught about the financial implications of too much stock in their warehouses and places like that. The days of warehouses full of parts ready to manufacture died a long time ago and lean has been the approach for decades within this area. Risk managers are going to be rethinking all of these things. Geopolitical may become more important, inventory may become more important. People are going to be looking at how they're going to be able to continue operations and not just necessarily minimize the risk of information loss or things like that. And all those other things that I said earlier are still going to be very important pieces of the puzzle. Whether it's cybersecurity, the financial, the quality levels - but that ability to deliver is going to be measured in many different ways from different supply chains.
Matt Kelly:
Tell me a little bit more about that because what strikes me about business continuity and supply chains today where you had said it's the ability to continue. That's what jumps out to me is that there could be a lot of companies that might individually say, "We're ready. We have our cybersecurity, we've got everybody working from home and all of our policies." But if the suppliers are in some state of uncertainty, or your customer's ability to consume is in some way uncertain, or bigger issues like the ports are closed, or I don't know what, you're trying to assess how does my greater ecosystem of business, how does that work and how do I keep it going? And that just strikes me as a fundamentally different challenge than what we're used to here.
Sam Abadir:
It is and it is a different challenge. It's going to be very hard for lots of people and lots of organizations to react to that. I think though that what we're going to start seeing is a lot of companies who are trying to turn their business models into ones that allow them to continue even when things are going bad. And this could be everybody, right? I mean, there are companies out there today that work on subscription models and those are the companies that have probably been less impacted. Now, of course, they're going to have some of their customers and things like that. But right now they're a little more resilient. Those companies that are waiting on payment for services delivered at the time, and that's a lot of companies, whether it's your hardware store or your barber or your doctor or it's the restaurant on the corner, those are the ones that have been impacted the most right now. And I think that we're going to start seeing a lot of companies try to change how they come to market to give them a little bit more of a cushion, a little bit more of a buffer to protect themselves from these types of things.
Matt Kelly:
Let's talk a little bit about the analysis that a risk or compliance officer might need to do. And not even so much have a business continuity plan. You should already have the plan, but the disaster's already struck. I'm more interested in the types of response and how you develop a plan from here forward. What are the objectives, what are the metrics, what could you tell us about how to keep going now?
Sam Abadir:
From a business continuity standpoint?
Matt Kelly:
Sure.
Sam Abadir:
Well, I think there's a lot of companies that have business continuity plans, and as a company that has been and somebody who's talked about business continuity to a lot of people, I know for a fact there's a lot of companies that don't. Many of these companies are going to be or have been scrambling for what their business continuity plan is today. And one of the things that a lot of companies realize, and I guess also others don't realize, is your business continuity plan is really about how you respond to an event. How do you respond to events so you can make sure that your constituents, whether they're your employees or your customers or anybody that's near you, stay safe, their life isn't threatened? And then how do we keep a minimum set of operations running for your customers? And that's what business continuity does, right? It's not there to rebuild your entire organization.
Where I think that all those companies that do know a lot about business continuity planning, I think there's a big subset of them that have not taken the next couple of steps. The first one being recovery planning. We've gone through the event and now we're trying to recover our business. And I know, just to put an example to it, I know a banker who was up in the Northeast and one of his banks caught on fire and burned to the ground. Everything was burned to the ground and his immediate recovery plan was to bring in trailers and power generators that had ATMs on them. And that was step one. That got things up to their minimal level. And they put a little hut there that had a customer service officer that could even help with a loan, or something crazy like that, from a parking lot across the street. That was their initial response plan.
The next step was to bring in trailers. That happened three days later. They brought these trailers in and then they had their restoration plan. And that's the third plan. I don't think there's a lot of companies that have recovery and restoration plans. They just have initial response plans. This bank's restoration plan was to rebuild the old facility with new things that were able to make it nicer, better, fancier than what it was before.
I think there's a lot of companies right now who are going to be thinking about, "Okay, we've got COVID. We're coming." I think there's a lot of people who are hoping, including myself, that we're just weeks away from recovery. I think there's a lot of people who are going to be surprised when the governments around the world give the "it's okay to go outside" order and things aren't starting up as they expected. It's not the same on May 1st as it is on February 1st. And companies that have those recovery plans are going to be the ones that are coming to normal operations better. And the ones that have the recovery restoration plans are going to be the leaders in the future.
Matt Kelly:
Now, let me shift to how companies can find and track the right information about what is going on with their suppliers, with their customers, with their own employees. Because to do that, they need to be collecting relevant data and analyzing it in a prompt and useful way. I'm just wondering, how mature are the systems to do all of that or even the understanding to know I need to collect this type of data for my suppliers so I can make these types of decisions down the road. What would you recommend for people to understand what they should be looking at and to make sure that they're getting that information?
Sam Abadir:
Well, those systems, Matt, have existed for years and in many different forms and some of them are significantly more useful than others. The most prevalent one out there is frankly the least useful and those are spreadsheets. People with spreadsheets don't keep them up to date. They're not able to see the impact of indicators and leading indicators of the actual performance that they're trying to measure. And those indicators, leading indicators, turn into performance indicators. Those things are also your risk indicators, your leading risk indicators, and your key risk indicators. Those are things that are just hard to do in spreadsheets and the people that are trying to do it are trying to do it there and it's very rudimentary.
But collecting metrics from around the organization and reporting them as meaningful and actionable risk-based messages is what the GRC, Governance Risk and Compliance, or IRM, the Integrated Risk Management, platforms were designed to do. And competent risk professionals can make these tools sync, they really can. The metrics come in. Everyone in the company gets this specific message on how their work is impacted, may even get instructions on how to move forward. And all of this happens in real-time. Many of these systems are very capable and mature and obviously, some are less so. But as far as what to measure, that depends on each supplier, right? What is it that they are helping you do and what is it that you need them to do?
Those are the types of things every business is going to have to look at from each of their suppliers individually. How important is that supplier to the organization? If that supplier were not there today, how would that impact the organization? And I think that companies who are just starting out, maybe some government or contractual organization has said, you have to start managing third party risks. They might just put everything into the same bucket and they're really not approaching it in a meaningful way. Those that are serious about that figure out quite quickly that that's not a meaningful way. Tier their vendors, tier their suppliers into the different tiers, look at the processes that they're tied to and apply the thoughts of a third party risk management framework to their program unit.
Matt Kelly:
I've got to say, I was listening to that and I'd been thinking about it, to a certain extent for anti-corruption compliance officers who are listening they have always been thinking risk-based approach. Who are my most corrupt third parties or likely to be corrupt? And I bring my attention most to them. And this is more about which are my most critical suppliers and bring my most attention to them. But fundamentally it's the same exercise. I just swapped in the word critical instead of corrupt. But it's not that foreign of an idea when I roll my eyes sometimes about risk-based approach because we say it so often it almost becomes a cliche but it's not. You just need to know what is the criticality of my suppliers and then bring my attention in due course to each of them. And like you said, I guess tier it out. Am I barking up the right tree with that analysis?
Sam Abadir:
You are and all of your financial professionals, especially in the retail financial world, are going to get that, right? KYC, or know your customer, has been a hot topic and a highly regulated topic for years. And there's a lot of companies out there, a lot of banks out there that are doing a really solid job. There's still a lot of banks out there that are doing a terrible job at that, frankly. But that same concept goes. I mean in a bank, your customers are your suppliers and in any other industry, you have other suppliers.
Matt Kelly:
I wanted to ask a different question about the right way to oversee all of this because I had looked through an old PPT deck that you had done about supply chain risks where it very rapidly looked like the oversight was starting to turn into a cobweb of connecting lines. But every silo is going to wind up trying to do this for their own operations. But then you've got to make sure there's a senior oversight across all silos. And I just wanted to see if you could maybe talk a little bit about, I don't know, the key committee that should be involved or what is the right oversight and governance to make sure the silos don't go dancing to their own tune and we don't do this in a productive way. What's your thought there?
Sam Abadir:
Yeah. The silos actually can create more problems. Especially in big companies, you'll find that the same supplier might work for multiple different silos. And when you have issues with one, they might try to stop payments and things like that. But they'll end up switching everything over to another who has no idea that their work might also still be at risk. That's just the classic example of how silos are actually bad within the organization. But risk management, and I think that a lot of risk managers are going to understand this concept of the three lines of defense. You have that first line of defense. Sometimes instead of calling them silos, I'll call them federated areas where that first line of defense, everybody can still do their own thing, right? We're not trying to take away your autonomy.
In a good risk management world, you're letting everybody manage the things that are important to them and that's kind of your front line type of area. But then you had mentioned this - some sort of oversight. That oversight is generally, in a different way, your second line of defense which is your risk management function. That risk management function helps set the standards across all the different silos, across all the different departments, things like that. Where some of your actionable items of what to do every single day might still live within that first line of defense, that summary level comes all the way up to the second line of defense where it's looking at the business as a whole and then seeing where things are going to be impacted in an integrated manner.
And then, of course, the third line of defense is your internal audit. And I'll tell you what, the last question you asked about these systems and these GRC or the IRM systems, nobody has ever liked internal audit. Nobody's ever been like, "Yay, internal audit's here!" Until you get one of these systems. And when you do that and if your company's organized well and you have a strong three lines of defense, your third line of defense is going to work with the first line of defense on a regular basis. Hey, this is what we're looking at. This is what we're expecting. We're on the same page. This is what we're going to be measuring you against. And the business gets to say, "that's the wrong stuff," or "that's the right stuff." There's not going to be any surprise when it comes in.
The data is generally there. So instead of having to pull your best people out of your organization to gather the data that makes you look good to the internal auditor, you have a system where it's all sitting right there. The internal auditor comes in, they have a longer time to analyze the data. And instead of giving it three ups and three downs and making you look really bad with the three downs, they can give some serious thought to this and say, "This is how your business can improve. What do you think about that?" And from an independent manner. These three tiers of defense help companies become better companies frankly. So it makes you want to say, "Yay, the internal auditor's here." Because I don't think anybody wants to do a bad job. Nobody wants to do a bad job.
Matt Kelly:
No, especially now. All right. Sam, that's all the time we have today but you gave us a lot to think about and addressed a lot of great issues so thank you very much for your time. We really appreciate it.
Sam Abadir:
It was my pleasure. Thank you for having me, Matt.
Matt Kelly:
Again, everybody, that was Sam Abadir, director of industry solutions at NAVEX Global talking with me today about supply chain risk management issues that can arise from the COVID-19 crisis. If you have an idea of what you would like this podcast series to explore, please do let us know. We're happy to hear. Drop me an email at MKelly@radicalcompliance.com and we will see if we can address your points. That is all for this episode of Coping through COVID. I'm Matt Kelly, editor of Radical Compliance. Thank you all for listening. Thank you to NAVEX Global for sponsoring this series, and I hope you'll join us again next time.