Time for action

As the economic recovery picks up speed, third-party risk management (TPRM) is more important than ever before. Faced with supply chain disruption, cyber threats and growing inflationary pressure, global businesses are assessing their operational resilience and reviewing their dependence on third and fourth parties.

KPMG International's new research — which surveyed 1,263 senior TPRM professionals across six sectors and 16 countries worldwide — reveals that TPRM is a strategic priority for 85 percent of businesses, up from 77 percent before the outbreak of the pandemic. Nonetheless, the outlook for TPRM presents no shortage of challenges.

TPRM leaders need to make a step change

Our findings demonstrate the need for TPRM leaders to make a step change in their operating models and their approach to third-party risk. This need will likely only grow as supply chains and ecosystems continue to expand and the risk presented by fourth parties creates further complexity. Strong leadership and TPRM practitioners working closely with the business – reflecting the priorities that business partners themselves set for third parties – are key.

Our recommendations, which we set out in Section 3, are designed to support a business environment in which TPRM remains high on the boardroom and management agenda throughout the pandemic recovery. Recognising the need for action, while cognisant that there is no quick fix to the challenges faced by TPRM executives, we outline below a number of focus areas, depending on your program's maturity, that you can explore to drive enhancements to your program.

Key third-party risk survey findings

1 Third-party incidents are disrupting the business and damaging reputation

Weaknesses in the TPRM operating model, leading to missed opportunities to mitigate risk, are proving to be a major problem for businesses worldwide. Three in four (73 percent) respondents experienced at least one significant disruption caused by a third party within the last 3 years.

2 Businesses underestimate the need for a sound TPRM program, resulting in insufficient budgets

Practitioners are held back by limited budgets that see them prioritising tactical initiatives over strategic improvements. Six in 10 (61 percent) believe TPRM is undervalued considering its enterprise-critical role. If businesses understood the full complexity of a sound TPRM program, rather than narrowing in on its individual components, they could support larger budgets while benefiting from efficiencies around operational resilience, cyber security and fraud.

3 Technology is not yet fulfilling its promise

Respondents expect to use technology to automate or support 58 percent of TPRM tasks within 3 years, which will free them to focus on activities that require human review and interaction. However, 59 percent are frustrated by the lack of visibility that their technology gives them around third-party risk.

4 The challenge of limited resources is here to stay

TPRM programs are continuing to evolve while teams contend with a growing workload. Digital tools will help shoulder the burden, but TPRM's remit is expanding across all risks, domains and types of third parties. The number of businesses assessing all third parties for environmental risk, for example, is expected to reach 30 percent within 3 years. A risk-based approach, allocating resources to the highest-risk arrangements, would be preferable.

5 Most businesses struggle to maintain a fit-for-purpose TPRM operating model

Respondents largely accept that it was luck, rather than their TPRM programs, which helped them avoid a major third-party incident during the COVID-19 pandemic. In turn, 77 percent believe that overhauling the operating model is overdue.



Focus areas to explore to drive TPRM program enhancements

In the early or medium stage of maturity

The imperative for organisations at an early or medium stage of maturity is to establish a program that allows them to manage third parties appropriately. Below are some of the must-haves when it comes to a viable TPRM program.

  • Pre-contract to due diligence
  • Risk-based approach
  • Ongoing monitoring
  • Program governance.

In the more advanced stages of maturity

Organisations that are at a more advanced stage of TPRM maturity, whose programs are well-established and fully operational, should focus now on optimising the program. It is often cost pressures and frustrations around the time taken to complete assessments that drive this need. Optimising an advanced TPRM program generally focuses on the following areas.

  • automation
  • risk-based approach
  • off-boarding and disengagement
  • service delivery model
  • management of fourth-parties and affiliates.
