Podcast Summary: Integrated Risk Assessment in the Supply Chain
Podcast: Supply Chain Now
Episode: Integrated Risk Assessment in the Supply Chain
Date: November 3, 2025
Host: Scott Luton (C)
Guest: Alex Pillow, Senior Director, Partnerships & Acquisitions at Moody’s (A)
Episode Overview
In this episode, Scott Luton sits down with Alex Pillow from Moody’s to explore risk management through the lens of integrated risk assessment, drawing parallels between KYC (Know Your Customer) in financial services and third-party risk and due diligence in global supply chains. From preventing financial crime and cyber threats to orchestrating technologies for better supplier visibility, Alex shares actionable insights on building resilient, risk-aware organizations. The conversation is candid and wide-ranging, mixing expert advice with practical stories, mindset shifts, and some quintessential British humor.
Key Discussion Points & Insights
1. What is Integrated Risk Assessment? (08:23)
- Moody’s Evolution: Once synonymous with credit ratings, Moody’s now centers its analytics arm on providing “integrated risk assessment,” encompassing not just credit, but financial crime, cyber, environmental, and supply chain risk—and, crucially, how these risks intersect.
- Quote:
"You can't really just think about credit risk in a silo, or supply chain risk in a silo, or financial crime risk in a silo, or cyber risk...All of these things are interconnected. And it's only when you can see the whole picture that you can make the best decisions for your organizations." (A, 08:56)
[10:24] Acquisitions & Partnerships
- Pillow explains his team’s role in identifying technology and insights that Moody’s can integrate, likening the process to relationship-building:
“You talk to lots of companies, then you maybe go...get in relationships with some of them. But at some point, you might want to get married and make it official.” (A, 10:23)
2. Translating KYC from Financial Services to Supply Chains (12:50)
- KYC Defined: Originating in financial services as a part of anti-money laundering, KYC is really “third party due diligence”—research and vetting done before transacting (A, 13:11).
- Supply Chain Parallels:
“Our supply chain ecosystems are only as strong as that proverbial weakest link and whatever we don’t know about every entity...it’s what you don’t know that can bite you.” (C, 16:18)
- Pillow explains that tools and practices from financial KYC (“business logic...if A do B, if B do C,” 22:19) are under-utilized in supply chain onboarding and monitoring, where manual questionnaires still dominate.
3. Advancements in Data, Orchestration & Automation (19:59, 22:19)
- Shift from Visibility to Action: Modern platforms and orchestration allow professionals not just to “see” risk but to know “what to do” about it automatically.
- Quote:
“Visibility is not good enough because we’ve got to have the answers of what to do. And that’s the cool thing I’m seeing in a lot of technologies out there, and it’s making our days easier.” (C, 19:11)
- Lessons from Financial Services:
  - High-volume, high-stakes KYC led to automation out of necessity
  - Supply chain can accelerate by integrating public and partner data rather than relying on static questionnaires
4. The Evolving Landscape of Financial Crimes and Supply Chain Risk (26:09)
Organized Crime & Cyber Risk
- Tech-enabled Fraud: Automation, generative AI, and deep fakes are fueling massive increases in fraud attempts, especially through weak links in supply chains.
- Example: Deep-faked CFO led to $25 million fraud transfer (A, 28:04)
- Cybercrime is increasingly originating with supply chain vendors, driving companies (e.g., JPMorgan) to prioritize infosec over features when selecting suppliers.
[30:32] Freight Fraud & Practical Controls
- Many logistics companies face “tens and sometimes hundreds of millions” in freight fraud but lack basic KYC controls like beneficial ownership vetting or identity verification at the driver level.
- Quote:
“You want to have recourse...if a cargo load does go missing, now at least you have some recourse. You have something you can go to the police with.” (A, 30:32)
5. The “Good Team” vs. The “Baddies” – Ecosystem Roles & Gaps (32:44)
- The Regulatory Lag: Regulators are often “behind the curve,” responding post-crisis rather than setting proactive, aspirational standards.
- Vendors Lead, Buyers Lag: Solution providers innovate rapidly, but adoption is slow until mandated.
- Quote:
“The vendors can do a lot more than they are currently employed to do...technology doesn’t get used en masse...until the consultants and the practitioners are willing to buy in...it kind of goes nowhere.” (A, 34:39)
- Call for an “Infinite Game” mindset: Not just aiming for compliance minimums, but continual improvement and a growth-enabling view of risk management.
6. Mindset & Leadership in Risk Management (42:48)
- Key Mindset: The best leaders embrace risk as an ongoing game, focusing on continuous improvement, prioritization based on true risk (“risk-based approach”), and team effort.
- Quote:
“The people that truly understand what risk-based approach means are then able to use their particular traits…if they've understood that principle and they can apply it, then they can use the rest of their talents to make that happen.” (A, 44:42)
- Diversity of Approach: Both detail-oriented and extroverted leaders, with a mastery of the subject matter and passion, can thrive—provided they focus on targeting the right risks.
7. Building Your Digital Risk Toolkit (48:35)
- Start with Data: Get high-quality “golden records” at onboarding; Master Data Management is foundational.
- Layer Technology: Once the data foundation exists, integrate tools that leverage it across risk domains.
- Continuous Advocacy: Always advocate for more resources by showing how robust risk management enables growth, not just compliance.
- Favorite quote:
“The best way to get the data to be really, really good is to have a very well thought through collaborated on Master Data Management program...” (A, 50:49)
8. Notable Real-World Example: The Bybit Heist (55:25)
- Story: The largest theft ever, $1.5B, where attackers gained entry via the cybersecurity vendor (i.e., through the supply chain), then socially engineered the three company founders themselves.
- Global Consequences: Shows how supply chain and cyber risk converge, with stolen funds fueling geopolitical threats.
- Quote:
“It is potentially the largest theft of all time...they socially engineered fraud, the cybersecurity vendor…they went through the supply chain...That episode is a reminder that we all need to care.” (A, 55:25)
9. Practical Takeaways & Closing Advice
- Use Password Managers: “Everyone use a password manager. It makes you not the weakest link.” (A, 59:30)
- Innovate Together: Collaboration—even with competitors—may be necessary to serve the “greater good.”
- Stay in the Arena:
“It’s the effort and it’s the attempt and it’s the striving for it that is really what separates the average and the great.” (A, 41:59)
- Advocate for More:
“First conversation, right, is ask for more resource than you have with a case of why...let’s do it together with all the various risk actors, including supply chain risk involved.” (A, 48:43)
Notable Quotes & Memorable Moments
- On the KYC–Supply Chain Parallel:
“The crossover there is almost a perfect Venn diagram. It’s about adding on some additional levels of detail for that specific type of supplier or the particular risk level or criticality.” (A, 17:10)
- On Mindset:
“Going on offense, I think, is literally the best defense.” (A, 39:25)
- On Vendors’ Potential:
“The vendors are furthest ahead on detecting these risks, coming up with ways to mitigate them...but until the consultants and the practitioners are willing to buy in on that and deploy, it kind of goes nowhere.” (A, 34:39)
- Favorite Britishism:
“Horses for courses. Is that a British phrase? I thought that was global.” (A, 21:30)
Timestamps of Key Segments
- [08:23] Integrated risk assessment at Moody’s
- [10:24] Partnerships, acquisitions, and “dating” companies
- [12:50] KYC explained for supply chain context
- [16:18] Why supplier due diligence matters
- [17:10] Parallels between KYC and supply chain onboarding
- [19:11] From visibility to action: Next-gen tech
- [22:19] Lessons from financial sector—automate, orchestrate
- [26:09] Fraud and cyber risk: “deep currents” and organized crime
- [30:32] Freight fraud—logistics and basic KYC controls
- [32:44] The “team sport” of risk—the good vs. the baddies
- [39:04] “Infinite game” mindset for resilience
- [42:48] Leadership & critical mindsets in risk
- [48:35] Building the risk toolkit: data, tech, and advocacy
- [55:25] Bybit heist—the role of supply chain in cybercrime
- [59:30] Password managers and weakest links
- [62:31] How to connect with Alex and Moody’s
Resources & Where to Find More
- KYC Decoded Podcast ([wherever you get your podcasts] or on the Moody’s website)
- Infinite Game Documentary: Free, 10-minute episode on Moody’s website under leadership
- Connect with Alex Pillow: LinkedIn (search “Alex Pillow Moody’s”)
- Moody’s: https://www.moodys.com
Conclusion
The conversation unpacks the urgent need for integrated, data-driven risk management that bridges KYC best practices and complex supply chain ecosystems. It’s not just about visibility, but action, collaboration, and a continuous, “infinite” pursuit of improvement. Or, as both Alex and Scott advise: Advocate for resources, prioritize intelligently, invest in genuine due diligence (starting with solid master data), and fuel your team’s efforts with the mindset of staying “in the arena.”
“Deeds, not words. That’s how we’re changing global supply chain management for the better.”
— Scott Luton [62:40]
