Third Party Risk Management

How KPMG can help | Getting started | Enhancing third party risk management | Contacts | Insights

Minimise your exposure to risk.

Achieve an enterprise-wide risk management strategy so third-party providers are a source of strength for your business – not a weak link.

Global transactions, regulatory enforcement and the continued focus on operational resilience increasingly compel companies to examine their business relationships in order to assess risk and comply with regulatory mandates.

Increasing dependence on third-party relationships, coupled with increasing regulatory and public oversight, exposes organisations to a host of new and serious risk and compliance issues. With this shift toward third-party driven business models, managing third-party risk has taken on a renewed sense of urgency. Because responsibility for the actions of your third-party affiliates falls on no one but you. So how can you minimise your exposure to financial, legal, regulatory, operational, reputational and governmental risk?

Aside from addressing risk management needs and regulatory requirements, institutions should develop a risk-based program which also incorporates a complimentary suite of preventative and detective controls across the three lines of defence.

Whatever the stage of your relationships, we will show you how to so third-party providers are a source of strength for your business – not a weak link. Our programs and services are designed to help organisations design, implement and manage third-party risk across the end-to-end supplier lifecycle, to maximise efficiency and effectiveness, reduce costs, increase quality, all while helping to improve employee and customer experiences.

In KPMG's experience, organisations will typically go through a 'build, control, anticipate' approach to managing third-party risk, depending on the maturity of their ecosystem. Elements to start working on include the following:

• Assessing risks throughout the supplier lifecycle to provide a holistic, end-to-end view.
• A clearly defined and integrated operating model (procurement, third party risk and business).
• Simplifying and standardising third-party risk management processes including risk assessments, and automating where possible to reduce subjectivity.
• A clearly defined risk appetite statement and associated policies.
• Centralising supplier risk information to provide deeper and interconnected exposures.
• Ongoing communication, engagement and training of the business and supplier risk teams to manage risk.
• Utilisation of a managed service to bring in experience and technology.

For organisations that are further on the third-party risk management journey, more comprehensive steps include the following:

• Aggregating third-party data into a centralised workflow system, and collating third-party data from multiple sources to provide a single source of truth linked to analytics and procurement platforms.
• Implementing tools to continuously monitor third-parties through a structured program to reassess the suitability of third-parties to respond to changes in the market.
• Establishing an integrated third-party governance structure, setting objectives that will help align the supply chain strategy with the overall company strategy.
• Building the third-party relationship, and developing a proactive risk mitigation strategy in a collaborative environment with third-parties.
• Industry participation to ensure the third-parties (performing the same services for multiple organisations) are asked the risk assessment questions just once to reduce the time and effort involved.