TRADES:

A Framework
for Modern
Third-Party and
Supply Chain Risk
Management

G ove r n a n c e . R i s k . C o m p l i a n c e .
 TABLE OF CONTENTS
Introduction: From Niche to Table Stakes in 18 Months..................................................... 2

A Rapidly Emerging Mandate for a New Risk Management Regime................................ 3

The Modern Risk Landscape................................................................................................. 6

Inherent Risks.............................................................................................................................. 7
Imposed Risks.............................................................................................................................. 10

TRADES: The Essential Elements of a Modern Enterprise

Third-Party and Supply Chain Risk Management Framework........................................... 13
Transparency of Current State................................................................................................ 14
Risk Methodology Design......................................................................................................... 15
Assess Current Risks.................................................................................................................. 16
Determine Mitigations................................................................................................................ 17
Evaluate Framework Uplift....................................................................................................... 18
Supplier Monitoring.................................................................................................................... 18

Implementing TRADES with Supporting Operational Methodology................................ 19

The SCRM Maturity Model: Implementing TRADES Framework at Any

Maturity Level to Reach a Reasonable Level of Capability................................................ 21

A Framework for the Future.................................................................................................. 23

FROM NICHE TO TABLE STAKES IN 18 MONTHS

Over the past two years, third-party and and effective COVID-19 vaccine within
supply chain risk have gone from a niche a contained and secure production
area of operational and compliance risk ecosystem that could then be quickly
management to a widely recognized transported and distributed to cities, towns
business mainstay and regulatory mandate and rural communities across the U.S.
for all organizations, gaining traction in
Cyber-attacks, such as SolarWinds and
everyday vernacular.
the Colonial Pipeline hack, elevated
The urgency of the pandemic and ensuing government and business consciousness
effort to maximize the security and scale around the increasing threat posed by the
of the global healthcare supply chain for modern risk landscape. At the same time,
personal protective equipment (PPE), the effects on gas prices resulting from the
ventilators and other emergency medical Colonial Pipeline attack, or the impact on all
supplies, brought with it a heightened major industries stemming from the global
sensitivity to the exposure of an already shortage of semiconductors, have alerted
burdened supply chain to adversarial even the everyday consumer to the role of
or security risks. This awareness was the supply chain in their day-to-day lives.
amplified by the race to develop a safe

2 | TRADES: A Framework for Modern Third-Party and Supply Chain Risk Management
A RAPIDLY EMERGING MANDATE FOR A NEW RISK
MANAGEMENT REGIME
In response to the rapidly shifting It has also led to agencies engaging
landscape and heightened awareness of industry to shore up fragile supply chains;
the supply chain and vendor ecosystem As Commerce Secretary Gina Raimondo
vulnerabilities, the White House, U.S. told Jim Cramer in an interview on
regulators and Congress have rallied CNBC’s “Mad Money,” “We are going to
around the need for a more advanced, get it done. There’s no option… When the
technology-driven and intuitive approach semiconductor supply chain is disrupted,
to securing critical supply chains across the economy is disrupted.”
major industries. Even within the
Raimondo emphasized the pervasive
government itself, and its vast network of
nature that a supply chain shortage can
affiliated contractors and vendors, there is
have on the global market, “They’re in your
an almost unprecedented call to manage
dishwasher, your car, your computer, your
supply chain and third-party cyber
headset, your phone, military equipment.
vulnerabilities, only rivaled by the security
So, yes, we’re going to get it done,”
reforms implemented after 9/11.
describing this disruption as both an
In February 2021, the White House issued economic and national security imperative.
a landmark executive order on America’s
With the American Rescue Plan and
Supply Chains, triggering a 100-day
Consolidated Appropriations Act as
supply chain review and broader one-year
a vehicle, members of Congress are
critical infrastructure sector reviews, and
pushing other industries, including food
calling on stakeholders across industries,
production and agriculture, to strengthen
academia, the nonprofit community,
the supply chain resilience against future
labor, and state and local government to
disruptions. The House Committee on
reinvent the country’s supply chains as
Transportation and Infrastructure has also
resilient, diverse and secure engines of
introduced legislation that incorporates
economic prosperity and national security.
supply chain resilience into the renewed
In tandem with the White House’s push for infrastructure development and
coordinated, national review of major investment, specifically as it relates to
supply chains, U.S. regulators are U.S. ports.
spearheading preliminary assessments of
their respective covered areas as part of a

“
larger push to future-proof the country’s
critical industries. The Department of There is an almost
Energy’s Bulk Power System Request for
Information, for example, solicited input
unprecedented call to
on threats and vulnerabilities as well manage supply chain
as recommendations from energy and and third-party cyber
security stakeholders.
vulnerabilities, only
Congress has also taken up the issue of rivaled by the security
securing the supply chain. For example, the
reforms implemented

”
global shortage of semiconductors has led to
calls for legislators to intervene as Congress after 9/11.
prepares new legislation on the issue.

3

REAL-TIME RISK/
REWARD.
Harness disparate data at speed &
scale with Exiger’s Award-Winning AI
solutions to visualize your full risk picture.
The fragility of our supply chains, and
the associated impact to economic
security, is amplified by an increase in
geopolitical tensions between the U.S. and
its near peer adversaries, the rise of the
cyber mercenaries and increasing global
competition for cutting-edge technology.
In particular, the escalation of geopolitical
tensions and the untenable reliance on
adversarial supply lines has morphed from
an alarm sounded by the U.S. intelligence
community to a government-wide, and
even global ally, cacophony of concerns
around the multiple concomitant threat
vectors posed by our adversaries.
The attacks on America and its allies
are sophisticated and multi-faceted,
engaging in what some would call hybrid
warfare. “Hybrid Threats” are composed
of cyber attacks, physical attacks,
supply disruptions, economic pressure,
espionage, intimidation, and covert
incursions by loosely affiliated extremists.
The hybrid attack is now the modus
operandi of U.S. adversaries, criminals
and terrorists. Looking at one threat
vector in a vacuum, like cyber, has led to
persistent and intractable damage to our
critical infrastructure and essential civilian
industries.
To combat this risk, the U.S. and its allies
have begun to organize different alliances
to reduce adversarial supply into critical
areas of infrastructure and innovation,
like the 5G buildout. The key players in
4 | TRADES: A Framework for Modern Third-Party and Supply Chain Risk Management
this alliance will reform every industry
and would include most of the industrial
nations; this concept has been coined the
Democracy 10 or the Tech 10.
Although inherent to U.S. national and
economic security, this trend is not isolated
to the U.S., our Allied partners and other
foreign governments are also helping to
define the new standard for corporate
responsibility in their own way as it
relates to third-party and supply chain
risk management. The Supply Chain Due
Diligence Act was adopted by the German
Federal Parliament on 11 June 2021 and will
enter into force on 1 January 2023. It aims
to improve the protection of international
human rights and the environment
by setting binding standards for large
companies and their value chains.
As foreign and domestic governments,
regulators, legislators and business leaders
consider the elements and steps required
to secure critical supply chains against
increasing threats, a consensus is forming
around the need for a modern third-
party and supply chain risk management
framework.
Exiger is at the forefront of this effort,
working closely with multiple government
entities and corporate entities to not only
navigate supply chain and third-party
risk events that have underscored the
need for immediate action, but to also
help consider and create a framework for
continuous monitoring and mitigation of
risks within this area.
In an effort to encourage further dialogue,
coordination and adoption of a robust,
new risk management regime, Exiger has
drawn on its deep and broad experience
and advanced technology solutions to
develop a proactive and adaptable third-
party and supply chain risk management
framework as well as progressive model
to track organization’s programmatic
maturity over time.
SNOWBALLING REGULATIONS TRANSFORM SCRM
Federal Security Enhancements (2017 - 2022)

AUGUST 18, 2017 | link
FDA Reathorization Act of
2017 (FDRA)
FDA was required to review and
update processes and standards
of domestic and foreign medical
device establishments.
JULY 23, 2018 | link
Foreign Investment Risk Review
Modernization Act of 2018 (CFIUS/
FIRRMA)
House and Senate agree on consensus
version FIRRMA, which would expand the
authority of CFIUS to review certain foreign
investments vulnerable to exploitation.
AUGUST 13, 2018 | link
John S. McCain National Defense
Authorization Act (NDAA) for Fiscal Year 2019
Section 889(a) (1) (B) prohibits U.S. government
contracts with entities that use telecommunications
equipment or services produced by Huawei
Technologies Company and ZTE Corporation, and
others.

AUGUST 13, 2018 | link
CFIUS/FIRRMA
The President signs into law the Foreign Investment
Risk Review Modernization Act of 2018 (FIRRMA).
It strengthens and modernizes the Committee on
Foreign Investment in the United States (CFIUS),
a multi-agency government body chaired by the
Secretary of the Treasury that reviews foreign
investment for national security considerations.
DECEMBER 21, 2018 | link
Secure Technology Act
By amending Title 41, Public
Contracts, Congress bolstered
the U.S. government’s acquisition
oversight for critical information
and communications technologies
(ICT) and created the Federal
Acquisition Security Council.
MAY 15, 2019 | link
Executive Order: Securing the
Information Communications
Technology and Services Supply Chain
Authorized import regulations to protect
against foreign adversaries who use
ICT “to commit malicious cyber enabled
actions, including economic and industrial
espionage.”

DECEMBER 20, 2019 | link

National Defense Authorization Act (NDAA) Amendments
Section 224 - Requiring Defense
Microelectronics Products and Services
Meet Trusted Standards: The NDAA
instructs DOD to ensure by January 1, 2023
that microelectronics purchased by DOD
meet supply chain and operation security
standards.
Section 845 - Modernization of Acquisition
Processes to Ensure Integrity of Industrial
Base: Orders the DOD to streamline and
digitize the existing approach for identifying
and mitigating risks to the defense
industrial base by creating a continuous
model that uses digital tools, technologies
and approaches designed to ensure the
accessibility of data to key decision-makers.
Section 847 - Mitigating Risks Related
to Foreign Ownership, Control, or
Influence (FOCI) of DOD Contractors and
Subcontractors: Requires prospective DOD
contractors or subcontractors to disclose
beneficial ownership and whether they are
under foreign ownership.
Sec. 889 (A): Prohibits the government
from obtaining (through a contract or other
instrument) prohibited telecoms, certain
telecommunications equipment (including
video surveillance equipment) or services
produced by the following covered entities
and their subsidiaries and affiliates.
Sec. 889 (B): Prohibits the government
from contracting with any entity that uses
certain telecommunications equipment or
services produced by the entities listed in
the statute: Huawei Technologies Company,
ZTE Corporation, Hangzhou Hikvision
Digital Technology Company, Dahua
Technology Company. The government also
cannot contract with an entity that uses
covered telecommunications equipment
or services as a substantial or essential
component of any system or as critical
technology as part of any system.
Sec. 1260(I) and (J) - Provisions Related to
Chinese Telecommunications Companies:
Sec. 1260I prohibits the Secretary of
Commerce from removing Huawei from the
Entity List unless certified by the Secretary.
Sec. 1260J, the NDAA instructs the President
to submit to Congress an annual report on
the compliance of ZTE with the Superseding
Settlement Agreement.
Sec. 1648, 1657, 6307 - Provisions
Aimed at Improving Cybersecurity in
the Defense Space: Directs the DOD
to develop a framework to enhance
cybersecurity, the secretaries of the
military departments to each appoint an
independent Principal Cyber Advisor, and
the Intelligence Community must consider
their infrastructure, equipment and services
when entering into an intelligence-sharing
agreement with a foreign government or
entity.
Sec 1711 - Pilot Program on Strengthening
Manufacturing in the Defense Industrial
Base: Directs the creation of a pilot
program to support small and medium-
sized manufacturing companies that
produce “emerging defense and
commercial technologies.” 

JANUARY 7, 2020 | link FEBRUARY 13, 2020 | link MAY 1, 2020 | link
National Counterintelligence Strategy for the United Amendments to CFIUS/ Executive Order 13920:
States of America 2020-2022 FIRRMA Securing the United
States Bulk Power
Presents a new perspective on how to effectively address foreign U.S. Treasury Department
updated CFIUS’s authority to System
intelligence threats as a nation. There are 5 strategic objectives: (1)
protect the nation’s critical infrastructure, (2) reduce threats to key include filing requirements Authorized the federal
U.S. supply chains, (3) counter the exploitation of the U.S. economy, for certain investments in TID government to work with
(4) defend American democracy against foreign influence, and (5) businesses. the energy industry to
counter foreign intelligence cyber and technical operations. secure America’s BPS.

5
 SNOWBALLING REGULATIONS TRANSFORM SCRM
Federal Security Enhancements (2017 - 2022)

AUGUST 6, 2020 | link SEPTEMBER 9, 2020 | link

Executive Order: Ensuring Essential Medicines, Medical
Countermeasures, and Critical Inputs Are Made in the
United States
Calls for the Secretary of HHS to identify and mitigate vulnerabilities.
It also authorized the U.S. to negotiate with countries to increase
site inspections of regulated facilities.
Department of Defense Directive 5000.01:
The Defense Acquisition System
Security, cybersecurity, and protection of critical technologies at
all phases of acquisition are the foundation for uncompromised
delivery and sustainment of warfighting capability.

SEPTEMBER 30, 2020 | link OCTOBER 15, 2020 | link

Executive Order 13953: Addressing the Threat to the
Domestic Supply Chain From Reliance on Critical Minerals
from Foreign Adversaries
The EO implements the recommendations from Executive Branch
efforts pursuant to EO 13817 of Dec 20, 2017 “A Federal Strategy to
Ensure Reliable Supplies of Critical Materials.” This includes minimizing
undue reliance of critical minerals from foreign adversaries by
assigning the Secretary of the Interior and the Secretary of State to
submit reports, prioritizing and securing the domestic supply chain
and strengthening local processing capabilities.
National Strategy for Critical & Emerging
Technologies
Defines Critical & Emerging Technologies (C&ET) as those
technologies that have been identified and assessed by the
National Security Council to be critical to the US national
security advantage. The US will continue to lead the world
in C&ET by implementing two necessary pillars of success:
promoting the National Security Innovation Base (NSIB),
and protecting our Technology Advantage.

February 24, 2021 | link April 21, 2021 | link

Executive Order on America’s Supply Chains
Establishes need for “resilient, diverse, and secure supply chains to ensure
our economic prosperity and national security.” Highlights specific risks
including pandemics, cyberattacks, and reduced critical manufacturing
capacity. It also commissioned a series of studies and reports on supply
chain risks related to semi-conductors, critical minerals, defense industrial
base, ICT, energy sector and more.
Uyghur Forced Labor Prevention Act
This bill imposes various restrictions related to China’s
Xinjiang Uyghur Autonomous Region, including by
prohibiting certain imports from Xinjiang and imposing
sanctions on those responsible for human rights
violations there.

May 12, 2021 | link
Executive Order on Improving
the Nation’s Cybersecurity
Establishes need for Federal
Government to identify, deter,
protect against, detect, and respond
to “persistent and increasingly
sophisticated malicious cyber
campaigns.”
July 22, 2021 | link October 26, 2021 | link
National Supply Chain Database Act China Telecom (Americas)
of 2021 Corporation Order on
This bill requires the National Institute of Revocation and Termination
Standards and Technology to establish and The FCC adopts an order ending China
maintain a National Supply Chain Database Telecom (Americas) Corporation’s
to assist with minimizing disruptions to the ability to provide domestic interstate
U.S. supply chain through an assessment of and international telecommunications
U.S. manufacturers’ capabilities.  services within the United States. 

December 12, 2021 | link March 01, 2022 | link

Ocean Shipping Reform Act of 2021
This bill, which passed House in December 2021, revises
provisions related to ocean shipping policies and is designed
to support the growth and development of U.S. exports and
promote reciprocal trade in the common carriage of goods
by water in the foreign commerce of the United States.
Strengthening American Cybersecurity Act of 2022
This bill, which passed Sentate in March, addresses cybersecurity
threats against critical infrastructure and the federal government. The
Cybersecurity and Infrastructure Security Agency (CISA) must perform
ongoing and continuous assessments of federal risk posture. The bill
requires reporting and other actions to address cybersecurity incidents.

6 | TRADES: A Framework for Modern Third-Party and Supply Chain Risk Management
THE MODERN RISK LANDSCAPE
Today’s third-party and supply chain risk landscape represents the convergence of both
imposed and inherent factors that, when combined, amplify the challenges organizations
must manage to effectively protect their operations, proprietary information and private
data, and secure their vendor and supply ecosystem.

INHERENT RISK IMPOSED RISK

Reputational, Supply Chain

Financial Macroenvironmental
Criminal and Operational
Health Risk Threats
Regulatory Risk Challenges

Foreign Ownership,
Control and Influence Operational Risk
(“FOCI”)

INHERENT RISKS
The prevalence of external attacks on the supply chain and the traditional regulatory
regime perpetuate the belief that the vast majority of threats come from external factors,
largely outside the control of any one organization. A great deal of third-party and
supply chain risks, however, are inherent to the vendors in their ecosystem, which should
effectively incentivize organizations to take charge of these areas where they have greater
insight into threats and greater control over outcomes.
Inherent risk in a vendor can be divided into four categories: financial health; foreign
ownership, control and influence (FOCI); reputational, criminal and regulatory,
and operational risk. Each category combines to form an organization’s functional
environment. In a threat landscape where organizations across nearly every industry and
area of government are exposed to daily external attacks, management of their functional
environment and a proactive stance on inherent risk is one of the greatest defenses
against third-party and supply chain risk that can be deployed.

7
 Four Areas of Inherent Risk and Exemplar Data Elements that Form an
Organization’s Functional Environment:
Financial Health Risk
A vendor’s financial management can
either build or erode at its ability to deliver
as contracted—or to weather its own
supply chain disruption or volatility. How
an organization manages solvency, liquidity,
operational efficiency and cyclical risk are
central to its ability to regulate overall financial
health and are critical to performance.
Unstable payment performance, debt
ratios, single contract dependence, a lack
of funding sources, layoffs, facility closures,
analyst downgrades and certain profitability
measures are red flags for increased
financial risk. By collecting and analyzing
indicators from financial data, such as
commercial credit scores, self-reported
revenue, stock and financial reporting,
bankruptcies and filings, organizations can
create a financial stability composite that
offers clearer insight into financial health.
8 | TRADES: A Framework for Modern Third-Party and Supply Chain Risk Management
Foreign Ownership, Control and
Influence (“FOCI”) Risk
Organizations often have low visibility
into the presence of foreign ownership,
control, and influence in their supply chain
and vendor ecosystem, and they therefore
struggle to manage it. The existence and
impact of FOCI risk is often difficult to
quantify due to opaque or intentionally
obfuscated ventures, or the failure to track
recent or latent M&A activity that can be
executed through special purpose vehicles
or complex funding arrangements. Also, the
foreign influence aspect of FOCI risk can
be exerted through partnerships with state-
owned entities, businesses ties to indirect
state-ownership, foreign adversarial reliance,
or foreign operational dependence, leading
to a more amorphous category of risk.
Organizations can monitor this risk;
however, by tracking key inputs, such
as locations tied to business partners,
corporate records, ownership records,
transaction news, foreign revenue
exposure as well as relevant information
on dominating markets, customers and
suppliers for their immediate vendor
population. Organizations can also mitigate
FOCI risk in their vendor ecosystem by
diversifying their supply based upon key
metrics including the percentage of foreign
investment, the hiring of foreign key
personnel, the percentage of foreign R&D
or manufacturing locations, or the use of
foreign data centers.
The use of FOCI data to determine
jurisdictional dependency in commercial
supply chains is invaluable. Understanding
where funding sources, manufacturing
capabilities or logistics operators are
subject to disruption based upon regional
disasters, climate changes, geopolitical
tensions or adversarial interests is critical
to supply chain risk management and the
FOCI location identification provides an
organization with a complete picture of a
vendor’s jurisdictional footprint.
Reputational, Criminal and
Regulatory Risk
Compliance, including oversight and
monitoring of reputational, criminal and
regulatory risk, serves as the frontline
for fortifying a vendor ecosystem and
interceding where said risk can infect
an organization’s operational delivery or
brand reputation. Proactive identification
and proper handling of misconduct and
ethics violations in a vendor ecosystem
can help secure the organization against
reverberating reputational impacts, such
as those seen in the Xinjiang human
rights abuses and alleged Pegatron labor
violations. Furthermore, careful attention
to and continuous monitoring of adverse
media, criminal records, suspensions,
debarments, defective pricing, regulatory
enforcement actions, sanctions lists, import/
export violations, False Claims Act violations
or other antitrust concerns, contract fraud
or the presence of conflict minerals in the
supply chain is essential to effective supply
chain and third-party risk management.
Operational Risk
Organizations may be unknowingly
exposing themselves to greater third-party
and supply chain risk by shortsightedly
focusing on compliance or jurisdictional
risk. The various aspects of operational
risk – ranging from the resilience of a
vendor’s manufacturing infrastructure,
to their cybersecurity hygiene to the
management of human capital – should
be addressed by a modern third-party and
supply chain risk management framework.
The cyber landscape is increasingly
the preferred setting for supply chain
strikes as recent headline-grabbing
attacks have demonstrated. In today’s
sophisticated cyber threat landscape, it’s
imperative that organizations develop and
maintain a technology and cybersecurity
infrastructure that guards against attacks
targeting their third-party managed
systems and infrastructure.
An effective cybersecurity program will
include a broad range of security controls
that span across people, process, and
technology considerations. Many security
controls can be measured in an automated
and repeatable way. Some security
controls are not easily measured but can
be surfaced by other data collection and
analysis methodologies. Key factors when
measuring cybersecurity posture include
validation that proper cybersecurity
controls are in place, confirming proper
configuration of existing controls,
addressing vulnerabilities in cybersecurity
controls and continuous assessment of
additional indicators of cybersecurity
risk. IT disruptions, connectivity issues,
incidents involving the loss of critical
9
 ESG: Expanding the
Aperture of Risk
FOCI
Foreign Ownership,
Control & Influence
As regulation and FH Risk
commitments around Financial
ESG performance
Health Risk
grow, ESG risk is
a critical part of
third party and
supply chain risk OR
management Operational
Risk
information or personally identifiable
information, reliance on unsecure
networks or systems, IT implementation
failures and operations security and
information security violations are all
indications of a weak technology and
cybersecurity infrastructure.
A cybersecurity posture assessment can
measure cyber defenses holistically across
a broad range of technical and operational
considerations. A formalized approach to
the cybersecurity posture assessment can
help organizations measure incremental
improvements over time to their vendor
cybersecurity program. Automated
cybersecurity posture assessment
is beneficial to ensure proper cyber
protections are in place to protect both
corporate and partner ecosystems.
10 | TRADES: A Framework for Modern Third-Party and Supply Chain Risk Management
Environmental
Controversies
Diversity and
Inclusion
ESG
Safe Labor
Environmental, Practices
Social &
Governance Risk
Modern
Slavery
RCR
Reputational,
Criminal &
Sound
Regulatory Risk
Governance
Poor management and retention of
human capital may increase risk exposure.
Organizations should track external
factors such as industrial unrest, labor
disputes and limited access to a capable
workforce in certain delivery jurisdictions,
as well as regulate factors internal to the
vendor, such mass layoffs, work stoppage,
human rights violations, human trafficking
and worker’s health and safety to limit
their own third-party and supply chain
risk. These indicators should be used to
identify entities within an organization’s
vendor ecosystem and supply chain that
may be involved with human rights abuses
and adverse labor practices.
Organizations can better regulate their own
internal human capital through enhanced
personnel vetting and security measures.
In the case of software development,
for instance, every individual involved
in the development process should be
considered a potential threat vector. Many
cybersecurity training and awareness
programs are check-box, or bare minimum
exercises (as opposed to threat-based),
and therefore not effective over time.
Combining realistic, cost-efficient, and
effective training with a thorough,
predictive insider-threat program based on
behavioral indicators of personnel risk can
identify potential software integrity issues
before they become true vulnerabilities.

IMPOSED RISKS
Outside of risk factors germane to a vendor’s internal operations and the inherent risk
environment, a vendor ecosystem must navigate the larger external threat landscape, which
today is laden with imposed, macro, risk. An informed, transparent and proactive posture
will help organizations identify and mitigate the risk imposed on their vendor ecosystem
and limit the regulatory, legal, reputational and business operations consequences
associated with recent breakdowns in third-party and supply chain environments.

Macroenvironmental Threats Economic Movements

The larger macroenvironment within
which major multinational corporations
and government entities operate in
today presents a variety of external risk
factors that are largely unpredictable and
uncontrollable, including environmental
disruptions, geopolitical threats and
economic movements. A modern third-
party and supply chain risk management
framework must therefore anticipate these
risk factors through regular tracking and
pre-planned mitigation tactics.
Geopolitical Threats
Many organizations, particularly
multinational corporations, financial
institutions and government entities,
are well acquainted with the persistent,
yet unpredictable, risk presented by
geopolitical and regulatory shifts.
This includes obvious threats and
blatant attacks in the form of industrial
espionage and acts of terrorism as well
as peripheral dynamics that increase risk,
such as fluctuations in regional politics,
changes in local government, interstate
conflicts, border delays and territorial
disputes along trade routes.
Sudden and dramatic movements in
the global economy may also expose
supply chains and vendor environments
to unanticipated risk. Unexpected
fluctuations, such as demand shocks,
economic instability and inflationary
changes, as well as mounting political
tensions culminating in changes to
trade policy, economic sanctions, trade
wars and trade restrictions, may lead
to operational disruptions and changes
in suppliers and distribution routes, all
exposing organizations to greater risk.
Environmental Disruption
Although often overlooked in today’s
corporate risk management infrastructure,
environmental disruptions pose an
increasingly serious threat to operational
continuity, security and financial health.
Hurricane season annually in the Gulf
Coast and Easter Seaboard of the
US tends to be more active, drawing
concern that already strained supply lines
might break if subject to devastating
storms. Extreme weather events, natural
disasters, man-made risks, such as
electrical fires or nuclear events, and

11
 pandemics can all affect an organization’s
supply chain and vendor ecosystem
as much as traditional threats like
cyberattacks or foreign influence.
Macro-risk data, and even synthetic
disruption data, can be used to creative
a predictive or probabilistic view of
risk. This can be done on a wide array
of risk types, including, but not limited
to, geopolitical risks or natural disasters.
Additional concentrations of natural
disasters, such as earthquakes, tsunamis,
and eruptions, can also be tracked and
plotted across the known operational
footprint of a supplier group to indicate
impact and severity of the disruption
against specific suppliers in the affected
regions as illustrated in the example below.
Natural Disaster Severity Based on Historical
Predicted Path of Typhoons in the South China Sea
Supply Chain Operational Challenges
“
Clear insight into supply chain operations
is fundamental to an organization’s risk
management. Careful attention across
the supply chain must be paid to areas
of unexpected but present risk, including
product quality and design, manufacturing
and supply, and transport and distribution.
12 | TRADES: A Framework for Modern Third-Party and Supply Chain Risk Management
Product Quality and Design
Poor product quality and assembly
as well as the presence of R&D cost
overruns and counterfeit or non-
MILSPEC parts are not only indicators of
greater supply chain risk but may also
result in system or parts performance
failure. Counterfeit and other product
risks can be illuminated using
sophisticated counterfeit risk analysis
algorithms that measure the likelihood of
a part being targeted by counterfeiters
through considering, among other
factors, previous instances of counterfeit
activity from a manufacturer, product
and technology type, historical supply
chain shortages, product longevity
in the market, product recalls and
price discrepancies. For instance, in
the COVID-19 response effort, one of
the most reliable indicators of future
product performance and quality was
the performance of past products;
namely, the existence of product recalls
for companies that were provided
emergency use authorization for
COVID testing or treatment products.
Organizations should implement product
stability metrics that incorporate
product availability tenure, product
sales and use analytics, product efficacy
statistics, product recall indicators,
product maintenance and support
guarantees, product versioning and
performance, compatibility rigidity,
product life metrics and more.
Clear insight into
supply chain operations
is fundamental to an
organization’s risk
management.
”

INTRODUCING
Exiger launches first ever single-click
supply chain risk detection platform
REQUEST FREE EARLY ACCESS TRIAL
Product oversight, when applicable,
should also extend to the presence of
conflict minerals within the supply chain,
which can result in ethics violations,
import / export violations, government
contract fraud and regulatory
enforcement actions. Exposure to
conflict minerals can also indicate
substandard materials in a supply chain.
The presence of conflict minerals (gold,
tantalum, tin, and tungsten) should
be illuminated using a combination of
open sources, government records and
structured data sets.
Manufacturing and Supply
General manufacturing and the supply
that feeds that process may be exposed
to undue risk in the form of material
shortages, production delays, extended
lead times, inventory issues, capacity
incidents, equipment downtime and
shortages in parts and spares. Process
and operational structures such as sole
source dependency and outsourcing
may also be indicative of greater supply
chain risk exposure.
Transport and Distribution
Organizations are incredibly reliant on
a stable transportation and distribution
network and are therefore wide open
to attacks or disruptions within that
network. A secure transportation
network, shipment accuracy and
delivery performance must be ensured
by an organization’s supply chain risk
management framework.
The collection and analysis of data
on partners, affiliated personnel and
other supply chain indicators can drive
greater understanding and mitigation
of supply chain risk. This includes the
identification of addresses and locations
where business is conducted, corporate
family information (immediate parent,
ultimate parent, subsidiaries, etc.),
affiliated company relationships
(suppliers, primes, prior business
dealings and subcontractors), affilated
individual relationships (management
team, board of directors and
shareholders) and risk-informed market
and business intelligence.
13
 TRADES: THE ESSENTIAL ELEMENTS OF A MODERN
ENTERPRISE THIRD-PARTY AND SUPPLY CHAIN RISK
MANAGEMENT FRAMEWORK
Today’s dynamic threat landscape,
including inherent and imposed risk,
is a quickly exploding mandate that
demands an actionable risk management
framework. Organizations must embrace a
much more considerate approach to third-
party and supply chain risk that provides
consistent measures and workable tools,
engages all responsible stakeholder
groups and provides a roadmap for
tactical, programmatic and strategic
implementation.
What
14 | TRADES: A Framework for Modern Third-Party and Supply Chain Risk Management
To guide this exercise, Exiger has
developed TRADES—a propriety
framework that allows organizations
to achieve supply chain resilience and
optimize risk management at any phase
of maturity. There are six critical pillars to
constructing the TRADES framework, each
representing a different implementation
lens at the tactical, program and strategic
levels. This framework simplifies the third-
party and supply chain risk management
process and reflects the complexity and
evolving nature of today’s threat landscape.
How
Where
 TRADES: TRANSPARENCY OF CURRENT STATE
The TRADES Framework begins with transparency. Today, many supply
chain vulnerabilities arise through a lack of transparency within the
third, fourth, or nth party in an organization’s network. To mitigate this
risk, organizations must establish a clear baseline and starting point
from which they gain a complete picture of their supply chain and
vendor ecosystem and can build a risk management framework from the
ground up.

Tactical Level Transparency within the vendor ecosystem

At a tactical level, organizations must
establish internal, third-party and
supply chain transparency. Within the
organization’s own operations this means
clear, accountable insights into spending,
product demand and dependencies,
business unit provider engagement,
availability, resources, product supply and
inventory. This should also include the
establishment of relevant risk stewards
for every risk type, including information
security, legal and privacy, financial health
and reputational risk.
requires a coordinated outreach and
dialogue with third-party vendors and the
collection and organization of all related
information. Compiling completed vendor
questionnaires, Requests for Proposals
received, and contractual documentation
will provide an interim basis on which
an organization can build out, via
independent and direct data sourcing, a
clear map of their supply dependencies.
Lastly, utilizing an accurate third-party
roster, organizations can iteratively
identify supplier tiers by leveraging a
combination of internal and external
supply chain data.

Leveraging Internal Supply Data Elements
Often, organizations maintain a set of materials
that can provide insight into a supply chain if
properly mined. For instance, in many cases
hardware is provided with minimum operating
specifications or product manuals that reveal
minimum requirements or warrantees that can
provide a window into the software, chip sets,
materials suppliers, testing partners and OEMs its
underlying provider is definitively leveraging. The
data in this segment of internal supply chain data
can include, but is not limited to:
1. Product SKUs, BOMs, and OEM supplier sourcing
lists;
2. Risk disposition or mitigation data;
3. Product manuals and maintenance requirements;
4. Minimum product operating systems;
5. Logistics, shipping, and facility tracking information;
6. Vendor questionnaires and rating methodology; and
7. Vendor screening results.
Incorporating External Supply Chain Data
Elements
After the primary, secondary and, potentially,
tertiary tiers of a supply chain are exhausted
using internal data, the three data types that
provide a comprehensive site picture across a
supply base are: 1) Federal/Public Contracting,
Purchasing, and Spend Data; 2) Open Source &
Product Data; and 3) Commerce, Shipping, and
Logistics Data. These three source areas can be
used together to recursively create a complete
supply map for any vendor in your population,
including software supply relationships.
Starting with an initial tier of vendors, your third
parties, entities can execute five steps at each
successive tier to identify the critical supply
chains that have a high probability of affecting
their supply or operational performance.

15
 By continuously leveraging the
Comprehensive
Vendor Roster at three source areas organizations
Current Tier can illuminate the supply paths
Inherent or Imposed Vendor Product
Risk Analysis Criticality Map
that are critical and identify pinch
points, supplier dependence,
supply overlap and critical
Vendor Product Vendor Product risk indicators that can affect
Sourcing & Supply Prioritization by Risk an organization’s regulatory
Buildout or Criticality obligations or reputation.

Program Level stakeholders and governance forums, as

Creating and maintaining transparency
at a program level starts with a baseline
analysis of the program’s maturity – or
lack thereof. From there, companies
should develop and maintain policies and
procedures with actionable guidance on
how to measure and track indicators of
transparency over time. Organizations
should identify appropriate risk area
well as the communication and workflows
necessary for program operation.
Strategic Level
At the highest, strategic level, a living
document should set forth a mission
statement and purpose explanation for
the organization’s third-party and supply
chain risk management program.

TRADES: RISK METHODOLOGY DESIGN

With a clearer picture of the organization’s vendors ecosystem and
supply chain and the risks each present, organizations can then go about
designing and implementing an appropriate risk methodology.

Tactical Level complexity and jurisdictional ownership.

The strength of the compliance regime and
The risk methodology must address
financial health must also be assessed by
macro and micro risk as well as products
the risk methodology design. Reputation,
or services risk. At a macro supply chain
compliance and regulatory risk indicators
level, organizations should be monitoring
include financial crime compliance, human
for imposed risk indicators such as
rights violations, and environmental, social
disruption, scarcity, security and the
governance. Indicators of financial health
availability of alternatives.
include credit stability, delinquencies,
The third-party and supply chain risk employee count and revenue.
management framework must also address
Finally, the risk methodology design should
micro or inherent risks. This includes
account for product and service risk with
operational risks, such as cybersecurity and
a higher criticality rating given to those
industry safety and facility certification,
products and supplies that are “must-haves.”
as well as FOCI risks, such as corporate

16 | TRADES: A Framework for Modern Third-Party and Supply Chain Risk Management
 Program Level
The risk methodology should track and
monitor all the sub risks aligned to the
organization’s industry and third-party
types. The program should determine
underlying risk indicators to measures
third-party risk and include evaluation of
critical third parties.
TRADES: ASSESS CURRENT RISKS
With an accurate representation of the program’s maturity and a
thoughtfully designed risk methodology, organizations can proceed to
assess their current risk landscape.
Tactical Level
At a tactical level, the risk assessment
process should include application,
visualization and a vulnerability evaluation.
Individual third-party risk assessments,
critical supplier assessments as well as
supply chain assessments should all be
included as part of an organization’s risk
assessment application. That risk should
then be visualized to depict third-party
and supply chain portfolio risk areas
and indicators to provide actionable
intelligence and allow for the prioritization
of investigation and mitigation efforts
in an efficient manner. A high-level
comprehensive assessment should evaluate
overall vulnerabilities across the complete
third-party and supply chain ecosystem.
`Strategic Level
An agreed upon definition of risk and
an expressed business, third-party
and resource threat and opportunity
landscape should inform an organization’s
long-term third-party and supply chain
risk management framework.
Program Level
Implementing a risk assessment
program begins with defining the risk
assessment application and prioritization
process. From there, organizations
need to determine the frequency of
risk assessments and establish policies
to escalate risk events. Risk thresholds
and decision-making processes must be
clearly documented.
Strategic Level
To maintain a robust, long-term third-
party and supply chain risk management
framework, organizations must agree to and
document a broad risk appetite statement.
17
 TRADES: DETERMINE MITIGATIONS
It’s not enough to merely identify and monitor risks. Organizations
must also have a plan to quickly address and resolve risks in real time
as they’re uncovered in the supply chain and vendor ecosystem.

Tactical Level must address program improvement

areas appropriate to the program’s goals
Organizations must outline third-party
and evaluate their programs based on
level mitigation and risk acceptance
the organization’s risk appetite. A clearly
decisions. This may include identifying
defined risk acceptance process will help
alternative vendors, engaging with
organizations operationalize this step.
suppliers directly to avoid disruption and
maintaining reviews of risk acceptance
and appropriate tolerance.
Strategic Level
Organizations should strive to construct
Program Level the third-party and supply chain risk
management program that optimizes
In order to install mitigating measures
supply chain security and mitigates
into the third-party and supply chain risk
loss without compromising operational
management framework, organizations
efficiency. This will look different for every
should provide clear guidance on
organization but should achieve the shared
escalation paths of unmitigated risks.
goals of minimizing undue risk and avoiding
They should also create governance
costly attacks, operational disruptions and
to document risks, mitigation paths,
regulatory or legal violations.
and track milestones and timelines
throughout remediation. Organizations

18 | TRADES: A Framework for Modern Third-Party and Supply Chain Risk Management
 TRADES: EVALUATE FRAMEWORK UPLIFT
Once tolerable risk acceptance and appropriate mitigation measures
have been defined, organizations need to quantify the uplift necessary
for implementation.

Tactical Level Program Level

Organizations can effectively evaluate
framework uplift by deploying third-party
questionnaires enhancements, increasing
third-party engagement and reassessing
new entity level risks and associated risk
indicators when mitigations have been put
in place. This is also an area where the
traditional third line of defense, audit and
assurance, can play a key role in assessing
the efficacy and appropriateness of
mitigation efforts.
After mitigation options are raised,
organizations need to identify the
necessary third-party and supply
chain risk management program uplift
requirements, such as governance, data,
resources, risks and training.
Strategic Level
In order to ensure continued adherence
and compliance with mitigation and risk
acceptance decisions, organizations
should consider an independent review
with a best-in-class provider or an internal
audit team.

TRADES: SUPPLIER MONITORING

Oversight and monitoring of suppliers within the vendor ecosystem
is the final pillar of a modern third-party and supply chain risk
management framework, and one that upholds long-term adherence to
the other elements of the framework and ensures the evolution of the
program overtime as the threat landscape similarly evolves and changes.

Tactical Level Program Level

Third-party and supply chain risk indicators
should be continuously monitored, allowing
organizations to stay on top of risk and
proactively identify changes that may be
required in risk evaluation.
Implementing a supplier monitoring
program includes carving out standards,
documenting third-party and supply chain
monitoring, as well as refreshing policies
and procedures.

Strategic Level
Organizations should ensure their view of
the threat and opportunity landscape is
monitored and dynamically addressed.

19
 IMPLEMENTING TRADES WITH SUPPORTING
OPERATIONAL METHODOLOGY
Every element of the framework should work in sync with one another and be
updated and reevaluated on a regular basis. A strong third-party and supply chain risk
management framework depends on a supportive operational methodology that allows
for continuous, real-time amendments that align with evolving business strategy and
changes in the risk landscape.
The update methodology has six key touchpoints: framework evaluation; stakeholder
engagement; governance principles; compliance management; data / IT; and execution.

FRAMEWORK
EVALUATION
Building off the initial third-party and
supply chain risk management framework,
an organization’s TRADES should be
continuously evaluated and assessed for
effectiveness and updated when necessary
based on changes in the regulatory regime,
geopolitical landscape, supplier network
and other evolving threats.
STAKEHOLDER
ENGAGEMENT
Stakeholder engagement should be
triggered by framework evaluation.
Appropriate stakeholder engagement
is essential to third-party and supply
chain risk management for proper
implementation, oversight and compliance.
Organizations should identify stakeholders
as part of a Responsible, Accountable,
Consulted, Informed (RACI) matrix;
relevant stakeholders will likely include key
executives and business leaders from legal,
compliance, procurement, onboarding,
operations, technology and security.

20 | TRADES: A Framework for Modern Third-Party and Supply Chain Risk Management
 GOVERNANCE
PRINCIPLES
Governance principles should serve as
the blueprint for TRADES implementation
and updates. Governance principles help
organizations stakeholders assess risk,
and understand risk related decisions and
appropriate actions. These principles may
need to be revisited on a periodic basis as
part of the third-party and supply chain
risk management process.
COMPLIANCE
MANAGEMENT
Overall third-party and supply chain
compliance ensures the TRADES
Framework is being applied consistently
and effectively across the enterprise.
The integration of ongoing compliance
functions and the oversight of the
TRADES Framework keeps third-party
and supply chain risk management aligned
with industry and operational standards.
DATA
AND IT
Data sourcing and right sized technology
must be aligned to the TRADES
framework to ensure a single source of
truth for each third-party, the supply chain
and the overall risk management program.
WHERE ALL DUE
DILIGENCE BEGINS.
automated due diligence platform
illuminates affiliated entities & people, enabling
comprehensive & continuous analysis fast and
for a fraction of the cost.
EXECUTION
The execution team responsible for
implementing the TRADES Framework
plays a central role in implementing
the framework across the organization.
Including, but not limited to, the
maintenance of the supplier mapping
and risk identification systems, training
of the stakeholder groups on the critical
evaluation criterion for vendor risk,
conducting check and challenge sessions
with business lines and ensuring effective
adherence to agreed mitigation or risk
acceptance decisions.
REFRESH
AND REPEAT
The update methodology should serve
as underlying operational model for
maintaining and refreshing the TRADES
Framework. The process will repeat or pick
up where it left off as part of an iterative
cycle of proactive, engaged decision
making that anticipates risk and mitigation
needs before violations and vulnerabilities
materialize.
21
 THE SCRM MATURITY MODEL: IMPLEMENTING
TRADES FRAMEWORK AT ANY MATURITY LEVEL TO
REACH A REASONABLE LEVEL OF CAPABILITY
TRADES is a framework for organizations hoping to achieve a long-term proactive or
predictive posture and stay ahead of threats and vulnerabilities while minimizing third-
party and supply chain risk management gaps. As companies embrace and implement
TRADES, they should progress along the third-party and supply chain risk management
Maturity Model, beginning with a reactive posture – where many companies find
themselves today – and progressing towards an anticipatory / predictive posture – the
end goal and gold standard of modern third-party and supply chain risk management.
The objective of the Maturity Model is to achieve a consistent, documented and proactive
governance framework supported by validated and continuously refreshed data. This
five-stage model establishes procedures and policies at tactical and strategic levels that
are enabled by decision-ready data.

T R A D E S
ƒ Predictive models and a dynamic TRADES framework
ƒ Criticality monitoring of critical sources of supply
Stage 4: Managed
Anticipatory/ ƒ High risk disruption events modeled for each critical region (e.g., Predicted
climate/weather events, pandemic/public health event, political unrest
Predictive Monitored
events, etc.) and impact assessed
Posture
ƒ Alternative sources of supply identified to minimize disruption and
migration plans developed
ƒ Risk appetite known, established RACI governance and continuous
program improvement model
Stage 3:
ƒ Sub-tier supplier ecosystem risk effectively mitigated, integrity
Proactive
restored, continuous monitoring activated to ensure resiliency
Posture
ƒ Micro-level entity risk across the entire supplier ecosystem is identified
through continuous monitoring and mitigated in real-time
ƒ Established strategy and governance
ƒ Tier 1 supplied ecosystem risk effectively mitigated, integrity restored, Tailored
Stage 2:
continuous monitoring activated to ensure resiliency Plan
Progressive
ƒ Sub-tier supplier ecosystem illuminated, and associated risk known and
Posture
mitigation plans developed for high-risk entities within sub-tier supplier
ecosystem
ƒ Risk owners and risk types known
ƒ Tier 1 supplier ecosystem illuminated and associated risk known
Stage 1:
ƒ Criticality assessment conducted, critical sources of supply identified
Awakened
and geographically mapped
Posture
ƒ Mitigation plans developed for high-risk entities within Tier 1 supplier
ecosystem
Find your
ƒ Fragmented program, with lack of strategy, governance, risk owners start point
Stage 0: and risk types
Reactive ƒ Largely unaware of supplier ecosystem or associated risk
Posture ƒ Risk identification is ad hoc/episodic and typically in response to
significant disruption that has occured

From Awareness to Action: The 5-Stage Maturity Model Maturity Level

22 | TRADES: A Framework for Modern Third-Party and Supply Chain Risk Management
STAGE 0: REACTIVE POSTURE
Maturity Level: T R A D E S
Many organizations begin their third-
party and supply chain risk management
journey in a reactive posture. They may
have a fragmented risk management
program that lacks strategy, governance,
risk owners and clearly defined risk types.
These organizations may be largely
unaware of their supplier ecosystem, and
visibility of multi-tier upstream supply risks
across the entirety of the risk taxonomy
is typically poor. Operational, Financial
Health, FOCI, and reputational, criminal
and regulatory risk identification may be
ad hoc or episodic and typically arises in
response to significant disruptions. In Stage
0 organizations, risk is stove-piped, lacking
enterprise awareness and mitigation.
STAGE 1: AWAKENED POSTURE
Maturity Level: T R A D E S
Larger organizations with a global footprint
may have already had firsthand experience
with threats and attacks or the regulatory
mandate to take a slightly more engaged
posture towards their third-party and
supply chain risk management. These
organizations likely fall within Stage 1, an
awakened posture. Stage 1 organizations
have defined risk owners and known risk
types. Their tier 1 supplier or third-party
ecosystem may be illuminated, and aspects
of associated risk may be quantified.
Criticality assessments have been
conducted and critical sources of supply
have been identified and geographically
mapped. These organizations have
developed mitigation plans for high-
risk entities within their tier 1 supplier
ecosystem. And across the enterprise, there
is relative awareness of supply chain risk
management and efficiency as operations,
compliance, risk and security divisions align
to the same risk picture.
STAGE 2: PROGRESSIVE
POSTURE
Maturity Level: T R A D E S
Following an awakened posture,
organizations should evolve to Stage 2,
a progressive posture, with established
strategy and governance internal to the
organization and external for the vendor
ecosystem. Stage 2 organizations will have
their tier 1 supplier ecosystem effectively
mitigated. Supply chain integrity has been
preliminarily enhanced and continuous
monitoring is in place and active to ensure
resiliency. Also, the sub-tier supplier
ecosystem will be illuminated, and
associated risk identified.
STAGE 3: PROACTIVE POSTURE
Maturity Level: T R A D E S
A truly mature third-party and supply
chain risk management framework will be
proactive in identifying and mitigating risk.
Stage 3 organizations will have a known
risk appetite. They will have established a
RACI governance structure and a model
for continuous program improvement.
The risk identified in the sub-tier supplier
ecosystem risk will be effectively mitigated
or accepted. Supply chain integrity will be
restored and continuous monitoring is in
place and active to ensure resiliency. Across
the entire supplier ecosystem, micro-level
entity risk is identified through continuous
monitoring and mitigated in near real-time,
ensuring these organizations are prepared
for risk at the earliest stages and in its most
nascent forms.
23
 STAGE 4: ANTICIPATORY /
PREDICTIVE POSTURE
Maturity Level: T R A D E S
The final stage and ideal end state for a
modern third-party and supply chain risk
management framework in the Maturity
Model is an anticipatory or predictive
posture. Organizations at this stage will
have predictive models in place and will
deploy criticality monitoring of critical
sources of supply. High risk disruption
events are modeled for each critical
region – from climate to public health
and political unrest – and their impact
assessed. Alternative sources of supply are
already identified to minimize disruption
and migration plans are developed and
ready for deployment.

A FRAMEWORK FOR THE FUTURE

In today’s challenging and rapidly evolving
threat landscape, organizations are
quickly realizing that their operational
risks don’t stop at their doorstep. Just as
organizations have developed policies
and processes around their people, their
technology, their finances and their
operations, vendors and supply chains have
become integral to their ability to deliver
uncompromised products and services.
This realization, coupled with heightened
government scrutiny, is ushering a new
wave of compliance and an urgent push
to incorporate robust risk management
practices throughout organizations’ supply
chains and vendor ecosystems.
As government and organizations embark
on a coordinated effort to rethink and
rebuild supply chains and secure vendor
ecosystems for resiliency, security and
economic prosperity, coordination,
standardization and iteration will be crucial
to applying lessons learned and reacting in
real time to emerging and evolving risks.
Exiger’s TRADES Framework and Maturity
Model offers organizations across any
industry and at any scale or level of
sophistication a clear and actionable
blueprint to build a modern third-party and
supply chain risk management program.

“ We were able to change the game on supply chain using commercially

available tools, and one of them for the trusted capital program is called
Exiger DDIQ. We run the companies through, and we can look at their
financials for anything on the company, from who is working on the board,
to where their financing has come from, legal issues etc.
Pentagon Briefing 2020
”
Under Secretary of Defense for Acquisition and Sustainment &
Chief Information Security Officer for DoD Acquisition and Sustainment

> Hear from the team who ‘changed the game in supply chain’

24 | TRADES: A Framework for Modern Third-Party and Supply Chain Risk Management
ABOUT EXIGER
Exiger is a global risk, compliance and technology-enabled
AI and data analytics company that delivers innovative
solutions dating back to our founding in 2013. Blending
cutting-edge technology with Exiger professionals’
deep subject matter expertise, Exiger arms government
agencies, financial institutions and multinational
corporations with the practical expertise and technology
solutions necessary to inform supply chain contracting
and security decisions, prevent breaches in compliance,
proactively identify and mitigate risk, systematize risk
mitigation processes, and monitor ongoing mission
activities with active alerts.
In a time when every headline is about a new threat to
our global economy, industry and government need to
understand their supply chain exposure at the speed of
relevancy. Exiger is helping companies find and navigate
those risks in a digestible and immediately actionable way.
Designed to drive transformational change in how entities
are vetted at an unprecedented scale, Exiger’s DDIQ has
conducted due diligence on tens of millions of entities
across the world’s largest financial institutions, corporates,
and government agencies; including over 90 companies
in the Fortune 250. In 2020, Exiger achieved triple-digit
percentage technology revenue growth, scaling to 700
employees worldwide and 10 offices around the world.
ABOUT DDIQ
All of our illumination and vetting starts with our flagship
product DDIQ. DDIQ is an award-winning, industry-first
AI powered research solution that combines emerging
technologies to operationalize the analysis of near real-
time data to in support of risk management processes and
decisions. Exiger’s DDIQ is purpose-built to automatically
identify risks associated with foreign ownership, control,
and influence (FOCI); finance and operational health,
fraud, waste, and abuse; and potential criminal, regulatory,
and reputational risk in its acquisition programs, supply
chains, and critical technology and infrastructure sectors.
DDIQ AI reads, understands, and analyzes content with
the same approach and cognitive reasoning as skilled
multifunction human analyst teams, but with greater
scale and in a fraction of the time. DDIQ’s AI scale and
speed allows clients to focus their time and expertise on
targeted, critical and imminent issues. Exiger’s platform
also provides your team direct virtual access to our
multi-functional analyst team. Exiger’s customized User
Interface, Dashboards, and Risk Models, all supported
by the Exiger team, ensure analysts, product managers,
and executives have a comprehensive SCRM solution
to conduct consistent due diligence that accelerates
the analytic process of turning open source data into
actionable intelligence.
Exiger has demonstrated performance as the solution
of choice for critical Department of Defense (DOD)
Acquisition mission partners across the DOD Enterprise
and has been battle-tested in the Joint Acquisition Task
Force (JATF) created to respond to the COVID-19 crisis.
Exiger’s DDIQ AI-based automated vetting and continuous
monitoring platform is the SCRM standard as agencies
work to comply with Executive Orders and Congressional
expectations. Working in partnership with the Federal
Government across enterprise contracts provides Exiger
unequaled insight into current and evolving strategic
SCRM standards, which we integrate into the DDIQ
software solution for direct benefit to commercial clients.
ABOUT SUPPLY CHAIN
EXPLORER
Supply Chain Explorer is Exiger’s proprietary real-time
supply chain risk detection SaaS platform that empowers
companies and government agencies to rapidly surface,
understand and mitigate critical threats to their immediate
and extended supplier networks.
Purpose-built in response to market and client
demand, Supply Chain Explorer was developed in close
collaboration with some of the largest corporations and
critical government agencies. It allows users to visualize,
prioritize and escalate high risk relationships. A modular
three-in-one solution, Supply Chain Explorer discovers
supplier networks across digital footprints, global shipping
data and contract awards data in a centralized application,
delivering unparalleled transparency into supplier risk for
government agencies and critical infrastructure sectors,
including the Defense Industrial Base.
Supply Chain Explorer draws on an aggregated blend of
internal and external open data sets, including over 31
million direct unstructured and structured data sources,
1.3 billion contract records, 7 billion source records of
supply chain installations, and 16.8 million unique supply
chains. This solution also provides a comprehensive view
into supply chain risk across 50 different categories and
subcategories, including sanctions, trade embargoes,
enforcement, state owned flags, cyber, modern slavery,
and adverse media. The platform will ultimately include
other macro risks, such as disruption for raw materials,
natural disasters and more.
Data from Supply Chain Explorer is available in a
streamlined, user-friendly interface, removing the noise
and complexities that come with traditional manual
due diligence and risk identification methods. The most
sophisticated technology of its kind, Supply Chain Explorer
leverages cutting-edge artificial intelligence and natural
language processing backed by a hyper scaling database
infrastructure.
25
 The Exiger Advantage: Tangible & Proven Results

Established in 2013 by Award-Winning AI Powered by Exiger’s

investigations leaders to fight Threat Finance, Risk and CI Experts
financial crime, fraud, and We are leading and disrupting the market with
terrorism financing. We began our People + Tech solutions to identify, validate
by leading the court-appointed and analyze global risk indicators. Our AI
global Monitorship of HSBC; technology drives transformational changes in
the largest corporate how entities are vetted at unprecedented scale.
monitorship in history.

Exiger by the Numbers

95% 850+
false positive & clients worldwide
noise reduction

1,000s 93%
data sources already fuzzy matching,
10 offices
ingested, including premium deduplication &
across the globe. data sources, open web, deep entity resolution
Partnerships with an web, & watchlists.
extensive network of
on-the-ground international resources.
Professionals fluent in 35+ languages. 700+
employees in 7+ years. 100+ data scientists.

Experienced Team of Top Law Enforcement

and Security Veterans
✓ FBI Agents ✓ Chief Compliance
✓ DoD Executives Officers
✓ Intel Analysts ✓ Investigative
Researchers
✓ Compliance
Technology Leaders ✓ Banking Executives
✓ General Counsels
Maintaining industrial health for the financial
sector, governments and multi-national
Trusted by U.S. Regulators
corporations
US Department of Justice | Office of the
Comptroller of the Currency | Federal Reserve ✓ Over 30 of the World’s Top 50 Banks
Bank and more ✓ Over 150 of the Fortune 1000
✓ Over a Dozen Government Agencies and
Regulators

26 | TRADES: A Framework for Modern Third-Party and Supply Chain Risk Management
 For more information, contact:
Brandon Daniels Carrie Wibben
President President,
bdaniels@exiger.com Exiger Government Solutions
cwibben@exiger.com

Erika Peters
Managing Director,
Global Head of TPRM & SCRM
epeters@exiger.com

Vancouver | San Antonio | Toronto | Silver Spring (DC Metro) | McLean | New York
London | Bucharest | Singapore | Sydney

www.exiger.com