[00:00:00] Speaker A: Hi everyone. Today we're going to learn how you can use generative AI and large language models to manage your supplier risk. I'm your host, Bill Coffin and this is the Ethicast.
In our increasingly interconnected business world, organizational supply chains have become multi layered supply webs. As a result, the task of managing supply chain due diligence has become more important and more challenging than ever. But what if you could use generative AI and large language models to analyze things like program assessment data to accurately extrapolate your total universe of inherent and residual risk?
With us today to talk about this is Craig Moss, Executive Vice President of Measurement at Ethisphere and a director at the Digital Supply Chain Institute and the Cyber Readiness Institute. He is also on the board of the Association of Professional Social Compliance Auditors. Craig is a prolific thought leader, public speaker and author on the subjects of value chain holistic risk assessment and AI. His most recent byline with the Dow Jones Risk Journal is Using AI to Manage Supply Chain Risk, which explains how generative AI, when applied to program maturity data and ESG assessment data, provides E&C teams with an hourglass-shaped funnel through which supplier risk suddenly becomes a whole lot more manageable. Craig, welcome back to the Ethicast. It's great to have you here once again.
[00:01:31] Speaker B: Bill, it's great to be back with you. I love doing the Ethicast with you.
[00:01:36] Speaker A: So how can program maturity assessment data be used to find risk patterns that enable organizations to really harness the power of generative AI so that they can manage a much bigger scale of inherent and residual risk, especially when within their supply chain?
[00:01:50] Speaker B: Yeah, Bill, I mean, as you saw in the article, that's really what it's all about. And historically what companies do is they use a funnel approach.
So in the figures that I use in the article, just so everybody has a picture, imagine that you have 10,000 suppliers and that you need to do some kind of more in-depth due diligence on them. And the due diligence could be related to social, environmental, corruption, cybersecurity, data privacy. The idea is that you need to figure out who do we do more due diligence on? And what companies do now is they use this kind of funnel. So they funnel it down and they use what I'll call inherent risk data to narrow the funnel down to those that they're going to do that more in-depth due diligence on.
And in doing that there is a lot of inherent risk data out there now.
And one of the things that AI, and generative AI in particular, have done is they've made it easier to collect and analyze inherent risk data. So you have all these sources and you can go into a large language model and be able to look at that from an inherent risk standpoint. But what that's doing is it's still creating that funnel.
What we are focused on now is how do you turn that funnel into an hourglass. And the way to do that is by collecting the right data at the narrow part of the funnel so that more in-depth due diligence really needs to be focused on residual risk.
And by that I'm thinking about not only it's really looking at the program maturity that a company has.
What are the policies they have, what is the training that they run, have they done their own internal risk assessment? What is the kind of monitoring that takes place? All of these things are critical to understand.
And if you collect that good kind of program maturity, you're then able to look at inherent risk. You're able to look at the program maturity and then the residual risk is like what's left over. So you could have a really high risk supplier but with a really mature program and the risk is relatively low. The leftover or residual risk.
What we're thinking about here, though, with Gen AI and large language models, is how do you take that data and then extrapolate it back out so that you're able to then look at predictive analytics on the 10,000. So you go from the 10,000 down to 100, but then you use Gen AI to be able to look at patterns and behavior and be able to make predictions about the behavior of the 10,000.
[00:04:41] Speaker A: In your article you write that the most powerful, incredible results from generative AI and large language models come from this combination of quantitative data and qualitative intelligence. I was wondering if you could expand on this, especially around how that approach might also inform an organization's overall approach to a more holistic compliance and ESG program.
[00:05:02] Speaker B: Yeah, yeah, it's really a key point. So if you think about looking at program maturity, that's typically going to give you some kind of quantitative data. There's going to be some kind of maturity assessment that takes place and that's going to create a maturity scale so you'll have some quantitative data on that company's maturity compared to a broader global set of companies, all that kind of benchmark data that you can get. So once you have that data, that's the quantitative piece. Beyond that, what we believe is you want to start to feed in proprietary qualitative data. So what if you had somebody talk to that company, so the company's completed that self assessment or the assessment and come up with the program maturity data. Whether it's self assessment or whether it's something done independently by an independent party, they come up with that program maturity data.
But then if you start to feed in observations and other data from talking to that company, that's where the expert opinion comes in. So you're taking quantitative, but also qualitative. What did the expert think when they talked to them? If the expert was on site, what were some of the observations that they had?
Putting together that qualitative and quantitative data, which is all private, into a large language model and pulling in additional public data sources is really where the magic happens. And that's where you're able then to start to be able to do predictive analytics on the larger supply chain. So you go back to the 10,000 and you look at those patterns of what did these hundred do? What were the patterns of good behavior, what were the patterns of weaker behavior or weaker programs? And then you start to apply it to look at similar companies in your overall supply chain. So that's really one of the key things I think is internally having that private data that is both qualitative and quantitative and then blending that in with available public data.
[00:07:05] Speaker A: So given what you just explained, can you give some examples on how that approach you just described can help companies manage a wide spectrum of compliance and ESG risk?
[00:07:14] Speaker B: Yeah. So you know, Bill, in the work that we do at Ethisphere, one of the things that we focus on is what I call holistic compliance and ESG assessment. So we look holistically across 10 different risk topics. So if you think about you're a multinational or you're a private equity firm buying companies, looking across those risk topics, everything from anti-corruption, conflict of interest, social and human rights, environment, but also things like data privacy, cybersecurity, protection of intellectual property. All of these are risk topics that are in that whole spectrum of what I call holistic risks, compliance and ESG risks.
What you can start to do then is you start to look at the inherent risk across those different topics, the program maturity as it's applied to those different topics, and then the residual risk. So suddenly you're able to look at a company in a much more holistic way to say this company has a very immature environmental sustainability program.
However, it's a really, really low risk to them. Maybe they're in the software industry or something like that. It's really low risk.
That gives us a logic as to why we don't need to spend more time and energy on that topic. However, that same company might only have a medium level data privacy or cybersecurity or IP protection program and that could be a really high inherent risk to them. So therefore the logic is let's focus on that.
Take that to the next step using Gen AI to be able to start to look at that, but then take the data from that one organization and be able to look to see what other organizations do I work with that are similar to this company, and then to see what could we do to try to drive improvement in the broader set. The other thing that really excites me about using Gen AI is scalable remediation.
So if we look at all the supply chain due diligence, the laws, the regulations, they typically require an organization not only to know what is going on, but to do something about it, to remediate, to try to drive improvement. So if you think again, going back to the 10,000, you've got 10,000 suppliers out there and you find that in that hundred, one of the weaknesses that you see there is related to a lack of training internally. Training and communications is one of the drivers that's driving up the residual risk.
So suddenly you're able then to not only do something for those hundred, but you then would be able to start to extrapolate to say that that is probably a likely area of weakness across the 10,000 in these different segments.
So then you take the next step and you can say, well which risk topic is most relevant to those? So you say for this group we should be focused on data privacy. For this group we should be focused on social and human rights.
Go the next step and use Gen AI and say, well, where are they located?
What's the jurisdiction?
Are there any specific regulations in those jurisdictions that we should be aware of for those companies? The next thing is, what does that company do for me?
Are they a manufacturer, are they a logistics provider, are they a data center? What do they actually do? You're then able to start to create communications going out to those targeted segments based on where they are, what their risks are and what they do for you.
These are the kind of things that I think are really exciting because you know, my whole philosophy in my career has been measure and improve.
Program maturity assessment is a great measurement tool. Without it, you can't really get beyond this idea of an inherent risk to really get an inherent residual risk.
So you use that. But then from there, if you start to think about how do we try to drive improvement, what's the transition from measurement to improvement? And that to me is where things get really exciting. You also, as a company, would be able to do things internally. So what if you look and you say, you know, based on what we're seeing out there, we actually should update our code of conduct, our supplier code of conduct.
Maybe it's in the human rights area, maybe it's in the conflict of interest area. But you see that you have enough data using the Gen AI to be able to see what the patterns are, you then could say, I'm going to update my supplier code of conduct. I'm going to send out a communication to all 10,000 suppliers with the updated code explaining why we updated it, and again giving them some guidance on how we want them to try to meet our expectations.
So these are all things where it's really, really effective. But it only works if you get the right data at the narrow part of that funnel. Without that, you're still just doing a better job of analyzing the narrow part of the funnel.
So that, to me is where things get really exciting, is how do you start to then use this to really, really drive improvement?
[00:12:39] Speaker A: Craig, thanks for stopping by and sharing your insights on this topic. I know our audience has gotten a lot out of this series, so we really appreciate your efforts here.
[00:12:46] Speaker B: Thanks so much, Bill. It's been a pleasure and I look forward to the next time.
[00:12:51] Speaker A: To read Craig's article Using AI to Manage Supply Chain Risk, please visit the Dow Jones Risk Journal. It's the latest in a series of articles that Craig has published, and all of them are deeply informative. We'll leave a link to Craig's article in the show notes for this episode.
Likewise, be sure to check out Craig's other Ethicast episodes in this series, which include Leveraging Residual Risk Data to Go Beyond Reporting and Don't Sleep on Supply Chain Social Compliance Audits. We'll also provide the links for those episodes in this episode's show notes. To learn how AI is transforming the state of the art in ethics and compliance, visit ethisphere.com to get your free copy of our report AI in Ethics and Compliance: Risk to Manage, Tool to Leverage, which features an overview of AI regulatory trends, AI governance best practices, and compelling use cases from E&C leaders at Cargill, Palo Alto Networks and Verisk. Thanks for joining us. We hope you've enjoyed the show. For new episodes each week, be sure to subscribe to us on YouTube, Apple Podcasts and Spotify. And if you have not already, please follow Ethisphere on LinkedIn to learn more about how we help organizations measure and improve their ethics and compliance programs. And together, we can make the world a better place by advancing business integrity. That's all for now, but until next time, remember, strong ethics is good business.