Global businesses face supply chain disruption, cyber threats, regulatory scrutiny, and growing inflationary pressure. KPMG International’s 2022 Third-Party Risk Management (TPRM) Outlook shows that an average of 38% of businesses report they have experienced significant disruption, monetary loss, or reputational damage because of a third party in the last three years. On a sectoral level, this number ranges from 28% in the financial services sector up to 57% in the automotive sector. A total of 85% of businesses consider TPRM a strategic priority. This has put the necessity of a robust TPRM framework high on the boardroom agenda.
Multinational firms must assess their operational resilience to ensure the third and fourth parties they deal with remain assets rather than liabilities. Potential risks incurred by dealing with third parties include the following:
- Regulatory/compliance risk: an incident at a key third party can lead to regulatory scrutiny, with hefty fines for violating anti-fraud and anti-bribery regulations.
- Operational risk: including business continuity, information security incidents (including data breaches), disaster recovery, physical security, misalignment with ESG, and performance management risks.
- Financial risks: from credit events to unnoticed insolvency issues at critical vendors.
- Reputational risk: spotting adverse media, litigation, and compliance issues at third parties is a key concern.
- Strategic risk: failure to recognize misalignment between a vendor's strategic goals and that of your organization may lead to service disruption. Potential incidents include full-service stoppage, as vendors reconsider their key accounts and business strategy.
- Subcontracting risk: as outsourcing continues to increase, few firms have a clear view on their vendor's subcontractors and the risks these "fourth parties" pose. An outage at a cloud service provider of your vendor could have a direct impact on your day-to-day operations.
- Concentration/portfolio and country risk: a combination of services provided by a vendor could go unnoticed in a disjointed vendor management program. Alternatively, the geographic concentration of vendors in certain countries could rapidly pose risks to your organization if these countries become subject to sanctions.
- Technology/cyber risk: an increasing focus point of a sound TPRM framework and an area in which the board must be involved in setting out a corporate strategy and encouraging management to implement mitigating controls.
- Human rights and sustainability risk: there is increasing regulatory pressure for firms to (a) integrate sustainability into corporate governance and management systems, (b) frame business decisions in terms of human rights, climate and environmental impact, and (c) have in place a comprehensive mitigation processes related to adverse human rights and environmental impacts in their value chains.
A robust TPRM Framework is essential in navigating this landscape. However, as our 2022 TPRM Outlook clearly shows, firms struggle to live up to the challenge. Despite the heightened awareness and a belief TPRM is undervalued, businesses continue to underestimate the complexity of – and need for – a sound TPRM operating model. The challenge of limited resources adds to this compliance puzzle. This lack of resources is compounded by the fact that Governance, Risk, and Compliance ("GRC") tools remain unsatisfactory and burdensome, with 60% of firms reporting their supporting technology does not give them anywhere near the visibility they require to manage third-party risk across the supply chain.
From a legislative point of view, tackling your Third-Party Risk Management can be tricky as firms must navigate a rapidly evolving regulatory environment. These regulatory constraints also vary significantly from sector to sector.
- Financial institutions, for example, have increasingly strict requirements when it comes to outsourcing, with the European Banking Authority (EBA) and the Bank of England Prudential Authority ("PRA") leading the field with their "Guidelines on outsourcing arrangements" and "Outsourcing and third-party risk management supervisory statement", respectively.
- Outside of the financial sector, there is no clear and leading regulation on Third-Party Risk Management, meaning firms must consider how different regulations touch upon their third parties indirectly. In Belgium, this could mean the Belgian Anti-Corruption Legislation, the UK Bribery Act and the US Foreign Corrupt Practices Act (FCPA). The regulatory instances and watchdogs behind these laws continue to impose hefty fines as they hold firms accountable for the activities of their vendors. According to research by Stanford Law School, nearly 90 percent of FCPA matters for example relate to the use of third-party intermediaries .
Looking to the future, a diverse set of regulations are on the horizon, including the European Commission Proposal for a Directive on Corporate Sustainability Due Diligence (2022/0051) and the European Commission draft regulation on Digital Operational Resiliency for financial entities ("DORA").
- Do we have an integrated internal framework in place to support TPRM across the third-party lifecycle? What is the level of maturity of the different components of this framework?
- Do we have a clear view over the underlying objectives of our TPRM actions? What sort of risks are we trying to address?
- How does our concept of third-party risk relate to our broader Enterprise Risk Management principles? Have we defined a third-party risk appetite?
- Are we subject to any regulatory scrutiny of our third-party relationships?
- Is there an inventory in place of all our third-party relationships with their corresponding risk rating?
- Is there an overview available at any time of our third parties' compliance with our organization's requirements?
- Do we have an aggregated view of third-party risk, i.e., are we consolidating and centralizing all TPRM actions?
- Are we considering emerging third-party risks, such as fourth party and concentration risks?
- Do we fully understand how third-party disruption might impact our company now and in the future?
In addition to the questions above for boards, management teams can consider asking the following questions:
- Do we have a view of third-party risk across the lifecycle of our third parties, from onboarding to offboarding?
- How can we avoid operational interruptions and possibly guarantee a smooth running of business?
- How can we identify and consolidate the most important information from an extensive and complex third-party network?
- How can we filter out the business-critical data from unstructured data on the market and derive optimal decisions?
- Do we have a formalized decision on third-party acceptance and onboarding?
- Are we attaching risk ratings or grades of importance to our third parties?
- Do we have enough lead time around potential third-party disruption?
- Do all involved corporate functions "speak the same language" while dealing with disruption?
- Do we have the appropriate tools, processes, organization and governance in place to monitor third-party around the world, whether public or private?
- Is our TPRM linked to our contracting process? Are third-party risks addressed by robust contracts with clear definition of roles and responsibilities?
- Is our TPRM Framework digitally enabled? Is there a need for a TPRM tooling solution? Would this be integrated with our broader Governance, Risk, and Compliance tool?
- Are we periodically re-assessing the risks associated with individual third parties?
- Do we provide the required cross-functional transparency along our value chain to support continuous Third-Party support?
- Can we insure against third-party risks?
- Do we have a risk-based process in place to offboard third parties? Are there pre-defined exit plans in place and are these regularly tested?
1. Ensure the management team has evaluated and addressed the gaps in your organization’s third-party governance process.
2. Explore ways to enhance effectiveness at governing third parties by ensuring the company’s:
- Ability to anticipate supplier disruption;
- Consistent and ongoing access to data for all third-party;
- Consistent cross-functional operating model to identify and mitigate risks in a timely way
- Efficient data acquisition model;
- Ability to define risk metrics and thresholds;
- Robust data analytics;
- Risk monitoring and alerts;
- Workflow processes to facilitate timely risk reviews.
3. Consider technology solutions to uncover insights about our suppliers and evaluate options for mitigating current and future risks.
4. Ensure a frequent testing of crisis management takes place, including business continuity plan testing.
About the Board Leadership Center
KPMG’s Board Leadership Center (BLC) offers non-executive and executive board members – and those working closely with them – a place within a community of board-level peers. Through an array of insights, perspectives and events – including topical seminars and more technical Board Academy sessions – the BLC promotes continuous education around the critical issues driving board agendas.
Authors: Jens Moerman, Senior Manager, Risk & Regulatory, and Timon Lesage, Manager, Risk & Regulatory
Connect with us
- Find office locations kpmg.findOfficeLocations
- Social media @ KPMG kpmg.socialMedia
- Third-Party Risk Management outlook 2022 - KPMG Belgium (home.kpmg)
- Stanford Law School, Foreign Corrupt Practices Act Clearinghouse, Statistics, and Analytics
- Proposal for a Directive on corporate sustainability due diligence and annex | European Commission (europa.eu)