A

I think the people that truly understand what risk based approach means are then able to use their particular traits, whether it be the passion and the extroversion, whether it be the detail, whether it may be deep subject matter knowledge or just great management skills. Whatever their particular super is, if they've understood that principle and they can apply it, then they can use the rest of their talents to make that happen.

B

Welcome to Supply Chain now the number one voice of Supply chain. Join us as we share critical news, key insights and real supply chain leadership from across the globe, one conversation at a time.

C

Hey, good morning, good afternoon, good evening, wherever you may be. Scott Luden with you here on Supply Chain now. Welcome to today's show, folks. We have got quite the conversation teed up today. Now, as much as I think that the global supply chain industry can teach other sectors. Right. I'm a big believer of that. I certainly think supply chain professionals can learn powerful and actionable and innovative ideas from other industries as well. And that's happened a lot over the course of history. Right? Well, all of that is a big theme of today's show. We're going to be exploring the kyc. You know, we love our acronyms, that is know your customer space. Hey, what is it? What are some of the top challenges and developments there, especially those that are highly relevant to global supply chains? All that and a whole bunch more. So stick around for a great conversation that's going to offer up again actionable insights by the truckload. So let's welcome in our wonderful guest here today. Alex Pillow serves as Senior Director, Partnerships and Acquisitions with Moody's. Now, most folks know Moody's, the global organization that's on a mission to be the leading source of relevant insights on exponential risk. Moody's is also well known for credit ratings, economic research and a whole bunch more. Now Alex has served in a variety of interesting leadership roles for years within the Moody's ecosystem. And currently Alex and his team are focused on business and pricing strategies, growth and partnerships, and a whole bunch more. Now Alex leverages his expertise on end to end kyc. Stay tuned. More on that compliance transformation, preventing financial crime, and a whole bunch more to help fuel organization success around the world. And he hosts a really cool podcast you gotta check out KYC Decoded, which I had a blast joining a little while back. Alex Pillow, great to have you with us here today. How you doing?

A

Yeah, very well, thanks, Scott. And yeah, delighted to be on a show that I listened to throughout my parental leave period when I was trying to get educated on supply chain.

C

Outstanding. Well, we appreciate that. It's great to connect with you. I admire the great work you and your team are doing in your part of the world over in the really big Moody's universe. And you do great work with that podcast. You're about to celebrate your 100th episode, is that right?

A

Creeping up to. Creeping up to. I'm not sure if it will be end of this year or part of the early part of 26, but we're. We're on track.

C

On track. That's right. On track. On time, in full. Well, that's gonna be a great anniversary. We're gonna celebrate with you. We all know how challenging it is to put out great content that's relevant and that helps people on a regular basis. It's a lot of work. And you've got a lot more stuff you do at Moody's beyond the podcast, right?

A

Yeah. I often have to remind people that it's very much the side gig to my gig. Somebody did stop me in the elevator one time, and they recognized my voice and said, oh, you the guy who does the podcast? Yeah, that's me. And they went, is that your whole job? That's so cool. And I was like, oh. Oh, I wish. No, it's. It's something that we've managed to squeeze in after. I did one for a friend, you know, external to the company. And then when they were looking for a host at Moody's, someone said, hey, Alex has done it before, and four years later, we're still going and having a lot of fun doing it. Meet some really, really interesting people, learn a lot from them. And I think you said it's hard to put out great content. It'd be very easy to put out bad content, but to really take the time to make sure that people are going to benefit from it, I think is, well, we're very lucky that we've got a team. We've got a very talented producer, Mark Rundle, we've got some fantastic marketers, got various people within Moody's that have connections that can bring us to great guests. So I'm just the guy that gets to ask the questions.

C

Love it. Well, you do a great job at that, and you got a great team behind you. And you're right, you know, we could get chat GPT involved and crank out all sorts of meh content if I said that right, for my kids, you know, easily. But the human touch, I think, in relevant, consequential content is so important. Supplemented by maybe AI. But anyway, we'll save that Debate for later. Let's talk about. We're going to talk about your role at Moody's. We're going to talk about KYC and, and what it means and, and parallels with global supply chain, a whole bunch more. But I want to start with. You're currently training Alex for a big marathon. Tell us more.

A

Yeah, I've got a marathon in about six weeks. And now up in the city of York, an American friend of mine did say to me, that's so cool you're doing New York. And I went, no, no, no, the original. A small city up in the north of England in about six weeks. I basically had my firstborn child this year and you obviously knew that was coming. So last year I used to do some rugby, some CrossFit, some running races, some high rocks and anything that, you know, I could get some competition from. And this year I knew I wasn't going to be able to do that because, you know, we've got a, another full time job alongside the day job. So I just went, let's have one big race that I'll build towards and can just sort of. There's been lots of training runs at 9pm, 10pm, there was one time at midnight because that was the only time I got that day. But it's been a good thing to just have that slight distraction from the office and have a little bit of me time once, once my son's asleep.

C

Love it. And what is your. I'm not sure how marathons work, but do you have. I know you just want to finish it, which is an accomplishment, but do you have a certain. You want to be in the top 25th percentile or how do you measure like overall performance?

A

Sure. So I have a whiteboard in my garage which has a list of various distances and weight lift, you know, weights that you can lift and different movements where I have certain goals for each of those that I want. Right. Like nothing to do with anyone else in the world doesn't go on any social media or anything like that. It's just if I hit that, then I'm happy and I move on to the next thing because I quite like my variety. So I do have a, a target.

C

It.

A

Running is one of my better things. I'm so it's a reasonably good percentile. But I always say to people go, oh that, oh my God, that's so hard. I'm like, there's a bigger gap from me to the truly elite people, the Kipchoge's of the world, than there is from me. To the average. So it's all relative.

C

It is all relative as everything else in life, it seems. But we, we look forward to pictures, we look forward to hearing about where you place and how you finished and kudos. That's a. Sounds like a great element of your overall health journey and it helps, I bet it helps de stress with the normal stress that comes along with just living life these days, huh?

A

100%. And somebody gave me a tip a couple of years ago. They said quit the headphones. And I was like, really? Like, do you not get bored? And they were like, just quit the headphones. Trust me. So incredible amount gets worked out and, you know, dealt with by the end of a, you know, one or two hour run when you don't have music blasting or.

C

Okay.

A

I occasionally there might be a podcast that's just supply chain now that I need to listen to, but when I don't need to fit that in, then I go out and I'm quite lucky. Where I live outside of, outside of the London area, it's more green space out where I am. So there's plenty of country lanes and just nice scenery when it's not raining. But you have to take your moment.

C

Country lanes, that just sounds like such a paint such a picture. Well, we got a lot to get into, but I'm revisit that country lanes image in my mind regularly. All right, so a lot of folks know Moody's, right? In the news, in the research space, of course, all the ratings and econometrics I'll call it, and a whole bunch more as we, as we look to try to at least in part optimize our risk management, which is so important these days. Of course that's part of the name of the game when it comes to global supply chain. But would you share for those that may be new to Moody's level set with us on the organization and your current role there?

A

Yeah, absolutely. So Moody's, as you say, world famous and over a hundred years of history and credit ratings and really is the brand in that space. But about 17, 18 years ago, they started what they called Moody's analytics. And within that business, which is sort of separate from the ratings agency in a number of ways, lots of compliance training to make sure you don't share the wrong things between each other, etc. We have data, we have analytics, and we have software and we serve different functional areas, different use cases, all sorts, you know, pretty much every industry that you can think of. But the real rallying cry, I guess, for lack of A better term is to be the preeminent provider of what we call integrated risk assessment. And the idea really is that you can't really just think about credit risk in a silo, or supply chain risk in a silo, or financial crime risk in a silo, or cyber risk, or environmental risk, so on and so on and so on. It's all of these things are interconnected. And it's only when you can see the whole picture that you can make the best decisions for your organizations, whoever they may be. So that's the part of Moody's that I'm a part of. Specifically at the moment, as you mentioned in the intro, I'm looking after a small team that we call part chips and Acquisitions, where we look at those that may have some of those risk insights that we might not, or potentially have technology that we might not but need are risk insights, and how can we bring those things together? And of course, if there's one where it makes sense, then we have some wonderful colleagues in our corporate development team that we will say, look, we think we found something, should take a look at this, and vice versa. If they think they found something that could become part of the Moody's family, we're often sort of first gatekeepers to. Because you can kind of figure out if Sang is a good partnership, then it might make sense to maybe explore getting married at some point. No, you have lots and lots of dating, right? You talk to lots of companies, then you maybe go, you know, get in relationships with some of them. But at some point, you might want to get married and make it official.

C

I like it. I like it. And I bet you got some great stories to tell from this current. You've been. You've had a variety of leadership roles, though, as you've kind of worked through your Moody's career, right?

A

Yeah, I mean, I think Moody's has offered some tremendous opportunity. I was part of a company they acquired in 2020, which was a medium sized company, very, very focused on its niche of. Of name screening, where we'd check companies and people for sanctions risk, political risk, and we call adverse media. So things that might be criminally relevant that particularly a bank or a financial services company would need to know, or potentially other types of company that also need to know those things sometimes. So I was in that. And I was always an individual contributor, but would work across a number of departments just because I was a bit of a. I guess, for lack of a better term, I'm a good generalist, or I like to think generalist. But within Moody's, there's so much to do that. Yeah, there's those good generalists. Right. I've had the opportunity to then lead multiple specialist teams and really try and make sure those things come together and, and serve our customers and serve other stakeholders in Moody's as well. So very fortunate for the opportunities they've provided. Certainly in a company that size, it's never down to one team or person. It's a huge team effort.

C

Well, I'm thankful for all the specialists out there and I'm also thankful and equally thankful for all the journalists out there, because you need both. You really need both. And by the way, going back to, as you were describing, the Moody's mission. Holistic risk. Holistic risk. And the cool thing about.

A

I'm going to correct you, Scott. Integrated risk assessment. Otherwise Brandon are going to tell me I did wrong.

C

Oh, okay. Integrated risk assessment. Let me use those right words, but in the way I'm perceiving, how we identify and make visible risk in all of its forms is so critical. And the cool thing is here in the golden age of, of technology, but certainly the golden age of supply chain tech, being able to see around corners and, and see through walls, I'll call it. It's amazing what we're doing and it's amazing what is making the previously invisible visible. And it's really strengthening our decision making, is strengthening our, our ability to mitigate all the risk that just is inherent with doing business, no matter how safe of a business or industry you may be in. And certainly planning, planning, planning much more effectively. So Alex, I gotta ask you though, this kyc.

A

Yes.

C

Right. Know your customer. Now, I bet we've got a chunk of our audience and folks, I'm with you. I wasn't in the know when it comes to kyc. I had to learn from Alex. But I bet we got a chunk of our audience, the smartest audience, solve global supply chain. That's just thinking like, what the heck is kyc? So I want to ask you, what is it and why is it really critical?

A

Yeah, certainly. I mean, the acronym itself, know your customer very much comes out of the financial services, you know, landscape. Right. So they did. If you're going to provide financial services to somebody, you have a number of obligations that you need to meet to make sure that you are allowed to do that by the law. The whole set of processes behind that have been wrapped under this term know your customer or kyc. And it really forms part of the anti money laundering obligations of those financial services companies. The interesting thing is you could also probably just call it third party due diligence, because that's what it is. It is doing the relevant research and, you know, and checking against particular risk types for a given third party. Whether that be a person like you or I applying for a credit card or a mortgage or something like that, or if a, you know, a business going for a. Whether it be a loan, whether they're trying to be a supplier to another company, there's going to be some due diligence. So you can call it kyc, you could call it tpdd, Third Party Due Diligence.

C

Are you gonna get in trouble with Moody's and the powers that be by saying third party due diligence?

A

Well, our preferred phrase these days is third Party Risk management. Tprm, but frankly, I think, you know, I, I like to just call it what it is and then, and then you use the acronyms once you've got some familiarity to save on the keypad strokes. Love it.

C

I love how you think in that regard. You know, cliches become cliches for all the right re. For mostly the right reasons. But sometimes if we start, start and stop with a cliche, we don't get to the root, the accurate meaning, and just what we're talking about. So I appreciate your willingness to break that down. And so most folks will understand why all that's critical, whether you call it KYC or you call it third party due diligence, or you call it third party risk management. But why, in your view, why is all of that, no matter how you define it or call it, why is it especially critical?

A

Ultimately, if you don't truly understand who you're transacting with doing business in any sense of the word, then how do you know that that business was right to do, safe to do, and is business you want to continue to do? Right? Like, it might be that something is against the law, so it's just out you. You can't do it. Something is sanctioned, for instance, given all the geopolitics of the day, can't do it. You just need to know so that you don't get in trouble yourself. It might be that there's something that goes against your firm's values, right? Like, and you'd want to know that, and you need to have done that due diligence to figure that out. And it also might be that you are looking into a company and say, well, we could do the transaction this time, but it doesn't have a lot of long term prospects. And every company only has finite resource, right? So like where do we want to put our, our efforts? So I think there's all those factors that you have to think about. So do you know who you're doing business with? Do you know the risks of doing business with them? And then are you able to manage that at that integrated holistic level that we were talking about? All of those things is, is why I think it's so important and why it's sort of foundational really to, to any business. Because what is a business without its relationships?

C

That's right, Alex, well said. And you're already answering because you're clairvoyant, at least in part. My next question, because a lot of what you just described, when you think of the supply chain ecosystem, we've got to approach it with holistic or integrated risk across the system, every entity, every party. Because you know, those our supply chain ecosystems are only as strong as that proverbial weakest link and whatever we don't know about every entity in that ecosystem. And there's a lot of, you know, we're still making progress with and we still have some big challenges when it comes to full ecosystem visibility. But it's what you don't know that can bite you and shut down supply chain, shut down factories and, and ultimately let down our customers, which we want to always avoid. What parallels do you see from KYC to supply chain management?

A

So I think thing is a supply chain risk management, as my colleagues that specialize in this have been talking about it is it starts with that third party due diligence, right? You are onboarding a supplier or monitoring your existing suppliers for potential risks. And so whether you call it KYC or TPD or tprm, it starts with that, but you just have another set of criteria that are specific to your supplier risks that you're assessing. So like the crossover there is almost a perfect Venn diagram. It's really just about adding on some additional levels of detail for that specific type of supplier or the particular risk level or criticality. The interesting bit then is what you're talking about, right? The, the visibility of the ecosystem or what people have been calling N tier or fourth tier, the supplier suppliers and the chain around that.

C

Right.

A

And really once you've figured that out, to whatever extent you are able, and I'm seeing different approaches across the partner ecosystem that I deal with day to day, some are piecing together customers data with logistics data and doing some wonderful things with probabilistic AI and making connections that you can then Verify at a later date. Others are aggregating questionnaires with permission so that you over time are building up this knowledge graph of who is dealing with who and which ones are shared across, you know, major industry sectors. Seeing all of that. But once you've got the visibility, what, what are you going to do with it? You're going to do the due diligence, you're going to do the kyc, you know, in air quotes on those entities that you think could be critical. So for a supply chain risk professional or a supply chain risk program to be truly effective, it has to have its third party due diligence KYC or supplier due diligence process absolutely nailed. And then really it's just about applying it to whatever level of visibility that you have.

C

And empowering solutions and decisions and what to do. Right. As I have very arguably stated and has been a part of a lot of our conversations here at Supply Chain. Now, as much as we all certainly appreciate the visibility gains that this profession and the world has made over the decades and certainly in recent years, visibility is not good enough because we got to have the answers of what to do. And for our teammate, our teammates need to know what to do. And that's, that's the cool thing that I'm seeing in a lot of technologies out there and it's making our days easier and it's allowing supply chain professionals and other, in other sectors, business professionals be able to spend their time in more fulfilling and more value creating activities, which is exciting. Are you seeing the same, Alex?

A

Yeah, I was going to say I couldn't agree more. And again, there's a similar story playing out on that KYC side where you identify the risk. But then as you say, it's what's the mitigation, what's the pathway? In the past has been really about someone understanding the policies that are written for the organization and or verifying them are going to get some. There's been a sort of level of manual effort and you're still always going to need that human oversight because there are judgment calls to make.

C

Right?

A

But with the modeling that's now available with the compute power, with the dare I say AI because sometimes that term is misused. But with all of these things that are coming together, you can significantly short circuit a lot of that work so that somebody then goes, huh, I've got the visibility, I understand that the risk insights that have been provided and I understand how that applies to our risk appetite as a company and the potential impacts. Now what is my feel for this situation, what knowledge is not in the system, maybe about a relationship at a supplier, supplier or their supplier, et cetera. And what am I going to do about it? Does this one need to be an email? Does this one need to be a phone call? Does this one need to be. We were talking about Slack before we hit record, right, Scott? You know, they're horses for courses. They're 100% are conversations I have in my work where I need to do them face to face. Others I can send a text message, others are something in between. And I'm sure that is the same for listeners in their supply chain roles.

C

That's right. Did you say horses for courses?

A

Horses for courses? Is that a British phrase? I thought that was global.

C

That is so interesting. So if I'm understanding that phrase based on what course or what obstacle or what our target is, we pick the right horse for it, huh?

A

Yeah, exactly. Is it a flat tracker? Is it cross country? Like you know, you pick a different horse.

C

Okay, I'm steal that from you, Alex. Or steal that from the whole European. Yeah, horses for course is cool. Again, I think folks are probably our listeners are, I'm sure kind of connect the dots here. But if there's one particular call out that supply chain professionals can really use from your world in the financial services and in, in that KYC space, what's one thing you think folks supply chain pros should pick up and maybe look at using.

A

So I think again, because I've been getting into this space this year and Moody's is in this space, I just haven't been in it personally till, till January of this year. But when I look at the sort of journey through the last decade or so that I've been working across kyc, the use of third party data and insights paired with orchestration technologies which are changing all the time now, but like just that business logic really of like if A do B, if B do C and so on, that seems to be applied a greater level and greater speed in KYC because that the volumes that they have to check in that profession are so vast that they've had to go that way in supply chain. I do see some of it, but there's still this quite heavy reliance on questionnaires, quite heavy reliance on that. I'm going to send this out and even if that's automated, someone's going to fill it in which is not necessarily automated, then I'm going to bring it back in, then we're going to run it against the risk assessment module and I Think there's still a place for it, but you could probably get a lot further if we embraced a lot of what has already been achieved on the KYC side, at least that's my personal view from working in one space and now trying to apply it to this one. There is so much good data out there. You just have to know how to use it and how to get it. And then there's lots of good technology that I know you talk about all the time on this show, right. And it's not all going to be from one place. But the interesting thing is then how do you orchestrate that technology? Which again is something I've worked in, in kyc, where it genuinely is not rocket science, but it does take some patience and just rolling up your sleeves and going, I'm going to learn how to do this model. But once it's there and you're just iterating, it's so powerful. So, yeah, I'd really encourage supply chain risk professionals, sourcing professionals, procurement professionals, to carve out some time and really dive into this area. Obviously very happy to connect them with people if they want to reach out. You know, because it's not like I've got a, you know, everything in my head. It's often regurgitated from smarter people.

C

We all, we all follow that approach, for sure.

A

Yeah, yeah, yeah, I, I've said if.

C

I come out there, Yeah, I did 20 years, Alex.

A

Well, it's not too bad. But I, I've, I did say to someone the other week, I think if I have one talent, it is literally just aggregating what other people have said into a simplified form.

C

I like that.

A

But like, that's about it.

C

I disagree. Hey, synthesizing data, perspectives, nuggets, you name it, that is a very powerful superpower, especially if you can simplify and take the biggest, most important parts and, and simplistically communicate it out on the other end. So, hey, one, one quick before I shift gears. One thing I heard there, I think that is in a, in a broader, more universal sense is, you know, rework is one of the, one of the seven, nine, ten wastes. I'm not sure where we are now. So you're kind of speaking to the point of if data, the data is already out there, we don't need to rework it, reinvent it, recreate it, replicate it. In many cases we can just use it. Imagine that, and save tons and tons of our very finite resources. Talk about waste. Okay, so let's talk about major headaches. What was a Famous headache powder commercials back in the day could have been Anacin. It could be the goodies powder. I don't know. Anyway, let's talk about some major headaches. We'll figure out the solution later. But when you think of all the financial crimes, yes, corruption and even bad actor risk, which talk about where we're seeing tons of innovation, unfortunately. What recent example have you found to be in? An intriguing one, especially one with supply chain ramifications.

A

I think the one that's really got the zeitgeist at the moment, and I don't see it slowing down, is really around organized crime, focusing on how they can perpetuate fraud at a massive scale. And it makes sense, right? If you think about what at Moody's, we call deep currents, things that are going on in the world that are just are really moving the dial. And if you think about the technology, the automation, the generative AI that can now know you can set, you know, aim and fire it, and it will then start doing things. A fraudster used to have to target something themselves. They had to get on the phone, they had to go and impersonate someone, they had to figure out a way to socially engineer their way into a company or, or target an individual to try and take their funds illegally. Now they can automate a lot of that. So they can either they can make it very complex and very tight and try and make it smarter. Or what we're tending to see, right, is just we can apply a massive multiplier effect, so we can shoot out a million attempts rather than a hundred in a day. And we only have to catch the weakest link to your earlier point to get some sort of payday on it. And there's been examples, right, where you see financial departments being targeted to transfer funds. There was a story last year where somebody deep faked a cfo, got on the, you know, a call or whatever with, with the deep fake to one of their junior team members. And I think it was something like $25 million transferred from the business out to a fraudulent account. And there are many different ways of doing this. Now you pair that with the cyber risk that we're seeing, just hacking at a grand scale again with more tools, more attempts, etc. So you might find that you're seeing fraud tactics being applied to socially engineer their way onto someone's email. So they click the link, they download the malware without knowing, then they're in the system. Now you've got a cyber risk. And if you've got a cyber risk in Your company, it's a problem, but it's also a problem if one of your suppliers has it, which is also a problem if one of their suppliers has it. And we've seen examples of that very recently, particularly in the uk. There's been a lot of stories around various retail chains when that the big story broke. Lots of other companies then also disclose that they've had similar issues, maybe thinking, well, never a bad, you know, this is the best time to share bad news. Somebody else is getting most of the headlines. And that is where I think, you know, I've seen JP Morgan, Infosec, you know, leader did an open letter saying we're no longer going to select vendors on features, we're going to select them on their info security because it's become such an issue. So that pairing of the deep current around fraud attacks and the deep current of cyber risk just being preeminent is something I'd be learned, I'd be spending a lot of time on if I was in supply chain right now.

C

I love how in one of the examples you mentioned, cyber security is all of a sudden the short list requirement as we're selecting suppliers, vendors, you name it, that's as it should be. That's a terrific, terrific.

A

Another example actually of fraud. And this is from a. I've been working with some logistics customers and I listened to one of your shows about freight fraud and they're telling us about their freight fraud and we are in the tens and sometimes hundreds of millions. Right. And I looked at their ky, their processes for onboarding logistics providers and they missed a lot of the basic KYC antifraud controls. Not because this isn't a slight. Right. This just has not been common practice. And to our earlier conversation, what can we learn? Well, there are things that you would do, you'd want to understand who really owns these companies. Do I truly understand the beneficial ownership structure and that data is available, something that we actually spend a lot of time on. So you get that data, you start to understand networks and then you might want to actually verify the identity of potentially even down to the driver level. And that isn't technology that we provide, but we partner with a lot of companies on that so that you can verify the people at the time and biometrically make sure that they are the person they said they are on their document, etc. So that if a cargo load does go missing, you now at least have some recourse.

C

Right.

A

And you have something that you can actually go to police with rather than going, well, it Went and I've got this paperwork, they filled in a questionnaire. Turns out they lied on the questionnaire. What can I do? So, yeah, that, again, that fraud, deep current. Yes, there's the online attacks, but there's also the freight fraud, which is said I, I, I listened to on, on your show or the conversation about on your show.

C

You know, fraud, to your point, exists in so many fashions just across global supply chain. Freight fraud returns. Fraud's a big one. So many different innovative ways about actors are, are making millions, if not billions of dollars. But to your point, you do want to have recourse and you don't want to be like me when my Honda Accord was stolen from my Atlanta condo. And as the police officer arrived and we asked the question, hey, you know what, what's, you know, what do you think would be done? Sir, your car is probably already on a boat heading towards a country where it's going to be, you know, chop shop and be repurposed, no recourse. And then we had to duke it out with insurance to see what they, you know, what they would cover. Now there's a good story, there's a good finish that, that story because actually we found it in the back of a, a doctor's office in metro Atlanta, which is weird. So they just took it for a joy ride. Anyway, the point is you want to have recourse, right?

A

Yes.

C

You want to be able to claw back or hopefully more easily than that, the value or the resources, or you name it. And it's an excellent point you're making, Alex. Let's talk about the ecosystem, the valuable ecosystem that exists when it comes to global stakeholders who fight all of these problems. We're talking about the fraud problems, financial crimes, the corruption, all the geopolitical risk, all the bad actors. We've got regulators, which I can never say without saying, mount up. Sorry, folks. Practitioners, the consultants, the vendors, really the ecosystem of magic makers that help us fight and mitigate the risk posed by all these problems. So who, who is the, let me think of how I want to pose this question to you. Across the ecosystem of superheroes, who is the furthest ahead of the game and why?

A

Sure. I mean, before I jump into the actual answer, one thing I would say, and again, this is me sort of simplifying things for my own mind and hopefully it's helpful is I, I, I've come from a rugby background. Team sport guy.

C

Yeah.

A

So I'm, I very much just think of the bad actors and there's, there's bad act in nation states, right? There's bad actor organized crime, there's bad actor individuals, there's, you know, cyber criminals for hire, there's money launderers for hire. All these folks, I just think of that as the bad team, the baddies, right, like in a very childlike way. And, and then I think all these stakeholders that you've just mentioned as the good team, right, and one that, you know, strive to be part of, And I think 99.9% of the world strives to be part of. The interesting thing is the good team operates by the rules and the bad team basically says, I can do whatever I like. And unfortunately there's no actual referee, right, because there's not a neutral ground. There's the good guys trying to enforce the rules and trying to make it hard for the bad guys to get away with it. But the bad guys are constantly finding another way and another way and innovating away because there's no handbrake. If something goes wrong, no worries, move on to the next one as opposed to on the, on the good team. It's like, oh, that project didn't quite work. Now I've got to justify why we didn't get return on investment, etc. And so sometimes that can, can hold us back. But to answer the question, I just wanted to say that because I don't want it to seem as a criticism, it's more a call to action when I think about this question. Because naturally the regulators have typically waited for there to be a problem, right? There's a problem in the world. It happens a number of times. The private sector and private citizens feel the force of that problem or that challenge. Law enforcement is saying, we're seeing more and more of this. The politicians hear about it. Politicians then say, we need to do something about it. By the time all of this is done and the regulator is asked to like, hey, can you try and do something here? Back to horses. The horse has already bolted, and not just bolted, but it's done 16 laps and it's actually quite tired now and is. And it's on to the next thing. So I think the regulators have that challenge, but I do think it's solvable. The practitioners, the supply chain professionals, the KYC professionals, the people that are trying to comply and do the right thing, well, they might want to do everything, but often the political will of their organizations is to treat these areas as cost centers rather than as growth enablers, which I think is how they should be seen. And so they are not necessarily always Given the resources to get ahead of the problem and instead are stuck in reactive mode and wait for the regulators to make them do it. Consultants obviously speaking to everyone in an ecosystem, if they're doing their job right. So they often have the ideas but no power to do them until they're hired. And then you have the vendors, which is obviously where I sit. So I'm probably biased. The vendors can do a lot more than they are currently employed to do. By which I mean we often have. Technology doesn't get used en masse. It might have a few early adopters or might have people that are, you know, I'll do this, but can I get buy in to do it at global scale? So the vendors have people that don't have to wait for the regulators because they are constantly trying to beat each other. Right. The beauty of, of good competition in a, in a well, well run market. And so I would say that the vendors are furthest ahead on detecting these risks, coming up with ways to mitigate them or at least enable and empower the professionals to enable them. But until the consultants and the practitioners are willing to buy in on that and deploy, kind of goes nowhere. And the solution to all of this in my mind, and we made a documentary about this in 2023 called the Infinite Game, which is we should be thinking about not just what is par for the course, like what is the, I feel like often the regulation is there to try and catch the slow, the laggards, right. And try and move them up to an average. We should actually be set in sort of aspirational regulation of saying we want to see movement in this direction and you can still have a minimum standard, but if you're not showing active signs to move to the very best in class, then that's a problem and you're going to get scrutinized. And that then creates the political environment that I think practitioner with the right ambition can go to their C suite with and say, look, this is what it's going to take. This is. And by the way, those professionals, I'm pretty sure can make the argument of why that's a growth enabler. They just aren't always given the opportunity. Consultants certainly have a role in stringing it all together. And the vendors, rather than being ahead, can then actually be challenged by their buyers to know we need more. Whereas at the moment I feel it's the other way around. The vendors are positioning more and often being told, well, I'd like to, but I can't, I can't get the Buy in to get that done because there isn't a burning platform set by regulator yet. So that's my view.

C

That is a very fascinating view. And I almost can picture a storyboard of all those players as you described and walk through the relationships and who's ahead, who's behind, who's a. How'd you pronounce laggard? Yes, very elegant. I'm gonna start pronouncing it like that.

A

I, I, I'm from the south of England, so I pronounce A as R. And sometimes it, it makes it good and sometimes it makes it sound a bit stupid.

C

I could listen to you read through a telephone book. Alex. Those are still around. All right, Infinite Game. Really quick. Where can folks find that documentary?

A

That's on the Moody's website under for Leadership pieces. It's free 10 minute episode.

C

All right, good stuff, good stuff. And we're going to check out Infinite Game, all those places. And folks, you may notice that Alex Pillow is now channeling Darth Pillow. We had to change up cameras that happen sometimes. So, Alex, I'm just glad you're still with us. You were kind of walking us through the ecosystem. Who's ahead of the game and why? Who's behind? But you also really focused on the clarion call, the call to action that needs to be put out there. So I want to ask you along those lines. What needs to change to best mitigate the risk that all of these issues we've been talking about and plenty of others pose to global business and supply chain ecosystems everywhere? How can we overcome the baddies, as you were calling them earlier?

A

Yeah, my immature fashion. But hopefully it helps, folks. So really, it's literally the title of the documentary that we mentioned, right? The Infinite Game. So that's most people, a lot of people have seen the Simon Sinek Infinite Game YouTube clip and sort of talk through the mindset. There's the actual book and the theory that that's all based on, but it's that mindset shift, right? It's not like there's suddenly one tool out there and you implement that tool and now you're good. It's not some dream hire who's going to come and save the day and do everything. It's more everyone adopting the mindset. For me, that is, I'm not going to implement a program and go, right, that's good. I can now just BAU or business as usual, just kind of sit here, you know, not have to work quite as hard. It's like, no, you got to be up for the challenge every day that you have the baddies, as we call them. Right. Constantly trying to get better. So you better be doing that, too, and not only trying to catch up, but how can you get ahead of them? How can you anticipate where they might go? That's obviously from my KYC world that I've been part of. But if, if I look at it from the supply chain world that I've been learning about, it's very, very similar. It's you in supply chain. It might not be a baddie. Right. It could be a natural disaster. It could be just an unfortunate technical infrastructure problem. It could be that there's a price spike of some particular commodity that is needed by a lot of people, and that was due to something else. So that's why we talk about that integrated risk assessment at Moody's. How can you understand all of those things, whether it be weather events, physical risks, you know, cyber risks and other things we've talked about. But if you have the mindset that you are going to try to anticipate all of these things, you're going to try to continually improve your program every day. You're still going to miss sometimes, you're still going to get beat sometimes, but you're. You're in the fight. Right. So you will just naturally have a lot more wins than you will have if you are waiting for risk to happen or to dip for disruption to hit you. It's really sort of taken that going on offense, I think they call it in, in U.S. team sports. Yeah. So going on offense, I think is literally the best defense. I did watch a lot of American television growing up, so I, I do have some of the lingo down and I think, Scott, both you and I have the same quote on our offices. You shared me yours. Some people might be able to see that white rectangle behind me, that man in the arena quote from Theodore Roosevelt. And the idea of it's the effort and it's the attempt and it's the striving for it that is really what separates the average and the great. And so if everyone aims to be great, I think a lot of baddies will be stopped, a lot of risks that were no one's fault will be mitigated, and you'll have better outcomes for everyone.

C

Well said, Alex. And yes, I was showing you my version of that quote I've got framed and then I broke it in the pre show. So I've got the same man in the arena quote from, from Teddy Roosevelt. And I think it's something that really is a very actionable inspiration and something we can really live and find encouragement in in this very challenging world to, to lead any business in. So look at stuff there. Alex. Hey, you mentioned mindset in part of your response there. And I know you rub elbows with a lot of the global leaders out there that are overcoming all sorts of bad actor led risk and other risks. But what have you found to be kind of a common theme in terms of the critical mindset that these leaders, these business leaders have that really enables them at least in part to overcome these setbacks?

A

Yeah, that's a really good question. I don't know if it's a trick. You get all personality types. I find in the risk world, people that go into risk. I don't think many people grow up and go, I can't wait to go and be a risk professional, you know, compliance risk, anti money laundering risk, fraud risk, supply chain risk. Nobody, everyone we know wants to be a sports star, an astronaut, a pop, you know, a pop star, actor, whatever. That's what they see on tv. So that's what they naturally aspire to. So most people fall into this career in some guys or another and then they get interested and then they get passionate and those are the ones that end up becoming the leaders. And so you find obviously that passion, that desire to master the subject area. But then some people are big extroverts and they're going to talk about it and they're going to be on stage at the conferences and they generally can motivate teams to go to the extra mile and try and take that mindset we talked about. There are others that will be much more across the detail and they'll have deputies that maybe do more of that rallying cry. But what they're doing is trying to build the component parts of the program. Both approaches I think can be successful. The key principle that a lot of the KYC guys apply from the regulations, this is something that I think regulators have got right in certain jurisdictions is they mandate that you must take a risk based approach. Because if you look at all the risks and then you just try to like know when you're a kid and you put your hand on the piano and you go all along all the keys to make that noise. If you try to do that, then chances are you're not actually going to do much very effectively. But if you can identify, these are my highest tricks and I'm going to build a program to knock those down and then I'm going to carve out resource to start looking at the medium and then the low and I'm going to do it in that order, then you are making that best effort that we talked about, having the mindset of, I'm going to do everything I can, but I'm going to marshal the resources whilst advocating for more to do that. So I think the people that truly understand what risk based approach means are then able to use their particular traits, whether it be the passion and the extroversion, whether it be the detail or it may be deep subject matter knowledge or just great management skills. Whatever their particular superpower is, if they've understood that principle and they can apply it, then they can use the rest of their talents to make that happen. And as we said at the start, right, it's a team effort. Like nobody can do risk on their own. It's a network effect. Of all the goodies that we talked about playing together and playing nice, often in the vendor space. That means playing nice with your competitors because sometimes someone needs one part from them and one part from you. And why would you deny them that if it's to serve the greater good?

C

Yes, discernment is something we don't talk about enough. But it is so important as we discern our priorities, discern what we perceive to be potential focus areas and then, and then lean into what will be the focus areas and will be the direction. Because you're to your point, if you try to play every key on that gorgeous grand piano at the same time, it is not going to produce an optimal sound. Just like if we try to do everything, it won't produce optimal results, which is kind of one of the main points you're making. Well said, Alex. Well said. And I will not burden you with my lack of piano playing ability. I really wish I could play the piano man like Billy Joel. That'd be awesome.

A

I was meant to do lessons for a year, but then I failed the very first exam and that was the end of that one when I was a kid.

C

Yeah, you know, we were just talking about. I was at the Change North America event in Columbus, Ohio this week as we're recording this and I was, I was talking with Bart Demonk along with Christine Barnhart and Bart, Bart and Christina. Both supply chain dynamos. But Bart is a big time musician and whenever you interview him, he's got these brilliant, gorgeous guitars back behind him and we got to talking about what AI does and doesn't do and I was like, hey, I haven't seen AI or robots play guitars yet. And really Music. He goes, oh, yeah, they do. It's just not. It's not terrific.

A

And I can't.

C

I'm trying to wrap my head around a robot having the manual dexterity, Right. To play a guitar, which I know all the, you know, lots of humans do. But you don't stop to think about the dexterity required and how. How your fingers got to work in conjunction with your ears. Right. But I guess. I guess bots are doing it. Have you seen any of these box bots playing guitars, Alex?

A

I've not seen those, but I always think, like, the human nervous system is the greatest wonder in the world. And like, so it doesn't surprise me that the musician, those knowledge of music is sort of pointing out the differences. It's. Yeah. There are some things that are probably best left to. To the people still.

C

That's right. Absolutely. I'll spike the football on that point. And it is. It is nothing short of a miracle how all of those senses and how all those talents come together to produce incredible music. All right, let's play the what if game. Alex, are you ready?

A

I'm ready.

C

All right. So if you were a chief compliance officer or a chief operating officer or CSEO CRO, Chief Risk Officer, I guess, these days, what would be a couple of aspects of your approach when it comes to building out your toolkit that your team would use to drive its successful digital transformation? The service levels that can't be interrupted even just because we're transforming. And of course, all the while optimizing all this risk, or at least are optimizing the mitigation of all this risk. I should say that's. This is a billion dollar question. We're gonna get Alex Pillow to wait. Your thoughts?

A

So many thoughts. I think, because there's different approaches, right. It's like the question changes depending on the resource you can get.

C

Right?

A

So first conversation, right. Is ask for more resource than you have with a case of why. Right. Which is we want to enable the growth of the business. You can't do that safely without doing these things. You're going to have risk here, which is going to set you back each time. So let's not do two steps forward, one step back. As we build in whatever areas of sales and marketing. Let's do it together with, you know, all the various risk actors, including supply chain risk involved. And then I'm going to keep having that cadence. Right. With my CEO, my CFO of the board. Then it's back to that mindset, though. I want a team that have that Mindset and if they don't have it, you need to give it to them and if they refuse it, then you need to find a different team. Sound harsh to say, but I think that's, that is what it takes. You've got to be motivated to get the right people. So you've got the right people and you have started to make the case successfully to get the resources you need or in part, and then you phase it. Then I'm thinking about how am I applying my risk based approach. If I understand my risk based approach, I can then define what things I need to build for first. If we're assuming there's an existing system of some sort that's going to run. But I almost want to separate to that. Think about what is my dream system, what is the place I want to get to. That is my new nirvana until it isn't, which is where we get into the continuous improvement and infinite mindset. I'm going to have that thought of what I want and I'm going to mark it down by yes, here's my risk based approach. Here's the things that need to be true for that to be implemented. Once I know what it is I'm trying to do, then obviously you can think about oh, I need this tool or I need that technology, I need this process. But I would start with the data. What data would it take for any tool to be successful at achieving the thing that I'm saying I need to do? What outcome am I trying to get? What data would be required to get that? Because if I don't have the data then we're going to end up doing manual effort. And if I'm doing manual effort where it isn't needed, then I cannot move fast enough to counteract fast moving. Either bad actor risk or natural risks that I don't know, no one's to blame for. So I start with the data, make sure I've understood those, understand, are there tools that that data plays with particularly well and then I'm starting to layer those in, right? And the way I think about it, and again I'm biased because of my KYC background, is that the time I get the best opportunity to get the best data is when I start working with somebody because they want to work with me, ideally because they want money from me or to make money together or something. So if I ask them for information now, this is the best time to get it. I want to make it easier, I want to make it smooth, I want to make it as I want to reduce the clunkiness of getting it for them. But this is the best time that I can get clean data if I've set up that process right. And once you get that clean data and if you can populate what you may be familiar with the term Master Data Management, what is my golden record for whichever entity, location, you know, person, et cetera, what are the golden records that I need? Get the Master Data management correct and as enriched as possible. I now have the opportunity with that Master Data management or golden records to just to draw on that for each of my risk mitigation actions. So I'm not the most knowledgeable person, right? On every type of software out there. I'm trying infinite game, I'm trying to learn as much as I can across this partner ecosystem. I I know the due diligence space really, really well. I could do that in my sleep. The end tier, the fourth tier, the looking around corners chains, I'm learning there's a number of fantastic providers in that space that I'm excited to work with. The scenario planning and you talked about this, the scenario planning and mitigation and even though I'm seeing some cool stuff on how do you simulate and visually simulate what could happen if while we play the what if game, what happens if an earthquake happens there or a flood happens there or you know, God forbid another pandemic strikes somewhere. Those things I don't know as much about, but I know those tools exist. I also know those tools don't do anything unless the data is good. And the best way to get the data to be really, really good is to have a very well thought through collaborated on Master Data Management program with my Chief Data Officer if one exists and if one doesn't. My COO hopefully owns data in some way alongside the CTO and I'm going to work with both those parties and tell them to hire a CDO Chief Data Officer to do that. So yeah, that's how I think I do it. Resource dream scenario. Ensure that my entry point of data is really good. Make sure that my overall Master Data management is at the core of everything. And then I'm layering on technology to each step of the process so that my people get the hopefully the most enjoyable version of their job possible. Because to your point, and I know you make this most shows is you want to give the people the most interesting, intellectually challenging and stimulating work. Because I know we just discussed this, thankfully there are still some things that humans are best at and that's where we want to put them.

C

Yes, Fulfilling. Where were your people get their fulfillment from? What they love to do? Where can we, how can we position them to find the success and to gain their innovations and their ideas and their feedback as we're all seeking to delight our customers and also take care of our suppliers. Well said, Alex. I like your your frameworked thoughts. I would just add you mentioned, you know, weather and calamities. All these things. I think the scariest thing right now that we are our scenario planning that millions of times a day for is tariffs. Oh my gosh. We need we. Can we please get some, some certainty? Please, let's settle things down, please. From me and Alex to all of our government leaders out there. Wow. Okay.

A

There are, there are some cool tools on that. I, you know, I work with too many of the companies to name them because then one gets jealous or whatever. But like there are some very good tools. It's not hard to find. I appreciate they change all the time, but it's cool to see how quickly the technology on the vendor side has sprung to action. No doubt to try and try and help professionals with this.

C

I don't mean this to sound negative in any way, but hey, there is opportunity in every storm. And to your point, no one wastes much time these days in turning out services and products to help us navigate and weather the storms. Even the ones that are completely avoidable in my opinion. But that's another show. Okay, Alex, really appreciate the work you're doing with the podcast. KYC Decoded folks can find it wherever they get their podcast. Let me ask you about one of your favorite recent conversations, Alex, as you approach episode 100.

A

Yeah, absolutely. So we have had the pleasure of having an investigative journalist and author on called Jeff White a few times. Fantastic storyteller, incredible, you know, investigator. And we recently had him on to talk about something called the Buybit heist. Now, most people that are used to shipping goods and things, they might go. Why would I want to know about Bybit, a crypto firm in uae? I'll tell you why. Because according to Jeff, it is potentially the largest theft of all time. And the way that they got in to make the theft happen is they socially engineered fraud, the cybersecurity vendor of the company they attacked. So they went through the supply chain of the company, got into the company via their supply chain, and then they didn't defraud the junior folks. They defrauded the three founders and got them to transfer the equivalent of $1.5 billion out. And the most interesting bit is Jeff's career the last 10, 15 years is really he focused on cybercrime and then he realized that all cybercrime becomes money laundering because otherwise why do you do it? And one of the most prolific cyber criminal groups is from North Korea because the Lazarus group and all of this is on DOJ indictments. And so this is public record from, you know, the DOJ is the most advanced at fighting this stuff. And so if you think about the ramifications, why should we all care? Well, if money is being stolen via supply chain hacks and cyber criminals etc, and then it's being sold off, you know, this crypto is then sold off to organized criminals, etc. We've taken their cut and they go and do the laundering. Meanwhile the take the margin, the profit is going back to a regime that we all don't want to see further build out their weapons program because that creates greater geopolitical instability which again will create more supply chain problems if that was to ever manifest, which hopefully it doesn't. So yeah, I think that was a really fun episode, which sounds weird to use the word fun, but it's just because Jeff's such a good storyteller. We've done two or three other episodes with him on other huge hacks, thefts, etc, so within the hundred he's in there a few times I really recommend, recommend that one. And if you enjoy that I would then look for some of the others we've done with investigative journalists because they are a different breed when it comes to. To storytelling.

C

You're talking about that example of kind of the bad actors finding the weakest links. I haven't shared this story in, in lots and lots of episodes but it was a. I think it was a Cisco with a C. Cisco commercial. Not the. Not Cisco with the s. The food big food behemoth but it was a Cisco commercial around a cyber hacking that started was years ago. And the bad actors, rather than tackling the factory, this manufacturing company head on, what they're able to do is by social media observations over a long period of time they discovered that a lot of these factory employees were part of a bowling league right in the same. And the bad actors were able to hack into the bowling league software that tracked the scores right and probably kept the standings and they're able to use that basic low level, probably low security website to crack the employees credentials in their email at the factory. And long story short, they ended up shutting down the factory line and demanding ransom at all because the team members, you know, were lovely, you know, enjoying their time, they're off work time. Y But in a site that you know, it's all targeted. If, if, if ABC Company is the ultimate target, bad actors are going to find everything, including using a lot of AI tools to uncover wherever the easiest way of demonstrating.

A

Use a password manager. Everyone use a password manager. It makes you not the weakest link and therefore it's not going to be your fault when something happens. One thing I will say, Scott, is also obviously my other favorite episode recently was with your good self. So people should check that out where you're the guest for a change rather than the host. Enjoy it.

C

You and I both. I enjoyed it too. Thank you for pointing that out. I loved your. I love your style in general and a very inquisitive question asker. I hope I delivered hey. To our audience. Hey, check me on that. Would you disagree with you? Go out and check the KYC decoded podcast. You'll find Jeff White and a ton of other episodes. You'll find my recent episode hey, tell me what I got wrong or tell me what you agree with or just give Alex feedback on the great work he's doing. I'm. I know that we all, all of us content creators appreciate that. So y' all check that out. Kyc Dakota, wherever you get your podcast from. Okay, Alex, what a great, wide ranging conversation we've had here today. We went deep in some areas, kept it broad and universal in others, a great mix. I've enjoyed your examples and your perspectives and how you played the what if game and, and how you informed and educated me. But I got to ask you this. Here's the true billion dollar, maybe trillion dollar, these inflationary times question. How can folks connect with you and the Moody's team? Alex?

A

Yeah, absolutely. I mean, the easiest way to get me is just on my LinkedIn profile. I'm on it. I have a couple of colleagues that have access as well, just so we can, you know, get guest ideas, respond to people that listen to the show. And then often it's to connect them to somebody else. Right? They say, I love that guest. Can you make an introduction or hey, you mentioned such and such, you know, white paper or other podcasts can, you know, it's like, yeah, absolutely. Like that's the point of the show, is to provide enough education to get people interested and if they want more, then we can direct them to it. So just hit me up on LinkedIn. Otherwise, you know, Moody's.com start there and then there's a plethora of all the things Moody's does. You'll find it. And then as you say, the podcast is wherever you get your podcast. You know, Moody's Talks is sometimes the prefix and then KYC Decoded is the name. Although we are looking to do more on Supply Chain. So if you have ideas or you want to be a guest, then let me know.

C

Outstanding. Okay. There's lots of folks I want to suggest to you, Alex, but one in particular that came to my mind several times as you were talking about the call to action that we need to really drive home across industry to change so many of these risks that are only get bigger. We got to get Korakoze on your podcast, Alex. So Korai, if you're listening, I'll tell you and Alex would have a fascinating conversation. Alex, you'll appreciate Korakoze tells it like it is. And that's we need a lot more of that here in 2025. Okay, great conversation here today, folks. Terrific. I really enjoyed. I learned from Alex here today as I do from all of our guests. Alex brought it Big thanks to Alex Pillow with Moody's. And again, check out his podcast KYC Decoded or Moody's Talks KYC Decoded. Wherever you get your podcast. Alex, thanks for being here today.

A

Absolutely. My. My pleasure. It's great to be a guest on the show that, as I said I listen to back in March when I was just wanting to know a bit more about Supply Chain. And now, now I'm a fan and subscriber.

C

Oh, man, Alex, your music to my ears. I can't wait to tell my mom that. Hey, to our audience members out there, you got some homework. Alex, as I thought he would, has delivered some very actionable advice and perspective here today. You got to take one thing, just take one thing from the truckload that Alex brought to us. Put it in action, Share it with your team. Do something with it. Deeds, not words. That's how we're changing global supply chain management for the better. And with all of that said Scott Luton, challenging all of our listeners and our viewers out there. Do good, get forward, be the change that's needed. And we will see you next time right back here on Supply Chain Now. Thanks everybody.

B

Join the Supply Chain now community. For more supply chain perspectives, news and innovation, check out supply chain now.com subscribe to Supply Chain now on YouTube and follow and listen to Supply Chain now wherever you get your podcasts.