From awareness to action: Elevating third-party risk From awareness to action: Elevating third-party risk From awareness to action: Elevating third-party risk

Canadian companies have long been expanding their outsourcing and partnering ecosystems to generate efficiencies, access capabilities and grow their businesses. However, many organizations are now seeing the flip-side of this expansion, as a myriad of underlying risks has emerged, particularly during the pandemic.
 
Our latest research, capturing the sentiments and actions of Canadian senior Third-Party Risk Management (TPRM) leaders across six major industry sectors, indicates that 78 percent of these leaders believe inefficiencies in their TPRM programs are exposing them to reputational risk. In fact, 69 percent say they have had at least one major disruption, monetary loss or reputational damage as a direct result of a third party within the last three years.

Here, drawing on key findings from this research and our visibility into the Canadian third-party risk landscape, we present five key elements Canadian organizations should implement to enhance their TPRM programs and further strengthen their risk resilience.

Elevate TPRM to the C-suite

“Tone at the top” is critical to the success of an organization’s ability to collectively manage third-party risks. A company’s leadership should drive and be regularly updated on the TPRM landscape, driving the appropriate amount of attention and budget to third-party risk.

Build an overarching TPRM operating model

Organizations need to establish and continuously upgrade a formal TPRM operating model that enables them to manage and monitor risk holistically and continuously. Appropriate resources, including people skills, competencies and technology enablement, should be allocated to effectively and efficiently deliver the program.

Establish 360-degree visibility

To keep their business functioning, companies need to get full oversight of all their third parties and the risks that come with each of them. This can help expose broader risks that might not be visible at a single-departmental level.

Prepare for material scenarios

Organizations should perform regular, detailed scenario planning to become more risk resilient, asking questions such as “How will I continue to serve my current customers and grow my business if this scenario materializes?” and “What do I need to do in the current market to secure my sources, ensure my supply, and preserve and grow my business?”

Collaborate with competitors

A “coopetition” model would allow a sector to develop a single, valuable viewpoint—a shared source of visibility where multiple companies can see what’s happening with a given vendor. This could help minimize the time required for onboarding, enhance continuous monitoring, and reduce resource requirements.

The global pandemic has highlighted significant gaps in TPRM programs, as many companies found themselves unable to provide uninterrupted services due to challenges with their suppliers and partners.

Remote and hybrid work has increased companies’ reliance on technology and data-sharing with vendors, exposing them to greater cyber security and data breach risks. Many organizations have also felt the sting of rampant counterfeiting that arose during the pandemic, unknowingly letting fraudulent inputs into their supply chains, which significantly damaged their core products and/or services, and in turn, their reputation.

Three quarters (74 percent) of Canadian TPRM leaders express growing concerns about the value they are getting from their third-party contracts, and 59 percent believe they have been overbilled by a third party at least once during the last year.

While Canadian organizations do recognize that thirty-party management is not just a cost centre - it is a strategic growth enabler - many businesses are still overlooking the critical aspect of strategically managing their outsourcing ecosystem.

Has your organization experienced a significant supply chain disruption, monetary loss or reputational damage as a result of a third party within the last three years?

The more companies rely on third and fourth parties, the more their exposure to associated risks will persist, if not increase. Canadian organizations need to make it a priority to strengthen their end-to-end TPRM value chain, focusing on strategy, operating model(s), governance, risk assessment and resourcing, including people and technology.

65% of Canadian TPRM leaders say it was luck that helped them avoid a major third-party incident during the pandemic.

Leaders are aware of this need, our findings indicate: Almost nine in 10 (88 percent) say that they urgently need to improve how they identify and assess third and fourth parties in their supply chain and the broader ecosystem. Now is the time to convert this awareness to action.

In fact, we see this trend around the world. When comparing results of KPMG International’s 2020 Third Party Risk Management Outlook to the 2022 findings, there has been little progress made on TPRM programs. For example, half of the 2020 respondents said they did not have sufficient capabilities in-house to manage all the third-party risks they face and this year, 52 percent still felt that way. Even more worryingly, 74 percent of the 2020 global respondents said they urgently needed to make TPRM more consistent across the enterprise, and this year that number rose to 77 percent.

Eighty-four percent of respondents agree with this statement: “The crisis made it clear that it’s time for us to overhaul our TPRM operating model.” To help Canadian companies on this transformation journey, we have identified five elements they should focus on as they strive to develop, strengthen and optimize their TPRM program.

In many Canadian businesses, risk management is still fairly compliance-driven and/or transactional. Sixty-five percent of respondents agree that their TPRM activity is generally undervalued by their organization, given how much of their business depends on third parties. Eighty-seven percent say that their TPRM function should be playing a much more active role in ensuring business continuity. While only 33 percent say they regularly report on TPRM to senior management, and 79 percent say they have a long way to go before the TPRM function could be described as a strategic partner.

“Tone at the top” is critical to the success of an organization’s ability to collectively manage third-party risks. The pandemic has clearly highlighted the need for risk management to be better integrated into key processes and activities, providing real input into decision-making. To do that, the conversation must be elevated to the C-suite and the Board. Leadership should be continuously updated on the TPRM landscape, including changes in risk exposures both pre- and post-contracting and existing over-concentration(s), as well as emerging risks and their potential impact on the organization.

79% say they have a long way to go before the TPRM function could be described as a strategic partner.

The C-suite should also take special note of environmental, social and governance (ESG) risks, and committing to CO2 emissions reduction as 80 percent of those come from “scope-3” emissions, generally associated with third parties (in areas such as transportation, distribution, waste, energy and fuel, leased assets, and travel). It is critical that, as part of their third-party risk assessments, organizations evaluate their spend categories and suppliers with the highest CO2 emissions, and ultimately relook (or ‘rebalance’) their portfolio to identify levers and alternates that will help bring down emissions.

Visibility at the C-suite level should drive the appropriate amount of attention to risk and, perhaps most of all, budget. The right budget for TPRM will enable organizations to be:

• Holistic: Understanding their risk exposures across all third party arrangements, individually and in aggregate
• Efficient: Reducing the overall throughput and TPRM lifecycle timeframes
• Effective: Providing early insights on current and emerging risks

This will enable companies to make risk-based decisions and adequately reduce their risk exposures.

Eighty-one percent of respondents know that they urgently need to make TPRM more consistent across their organization. One of the biggest legacy issues we still see is the existence of “pockets” or “siloes” in managing third-party risks across functions.

Less than one in three (30 percent) respondents say their program is well-integrated with partner functions across the business, such as procurement and legal, and only 37 percent set clear roles and responsibilities across the TPRM program and lifecycle.

Almost half (49%) of all TPRM tasks, on average, are supported by technology or process automation to some extent. Canadian executives expect the proportion of supported tasks to rise to 60% within the next 3 years.

Meanwhile, in practice, respondents saying that their technology does not give them anywhere near the visibility they need to manage third-party risk across the entire supply chain.

81% say they urgently need to make TPRM more consistent across their enterprise.

Of course, covering the wide range of third-party risks requires a specific—if not niche —skill set, often lacking across organizations and difficult to source. Sixty-five percent of organizations are indeed saying they do not have sufficient in-house capabilities to manage all of their third-party risks.

All of this adds up to a clear case for organizations to establish and continuously upgrade their TPRM operating model(s). We recommend that companies:

• Formalize the TPRM function: Organizations need to establish a formal TPRM function to provide more in-depth and transversal coverage of all underlying risks across the business. Understanding third-party exposures across the entire business with one centralized view of all suppliers and partners can help uncover the most material risks in aggregate, as well as hidden risks or weaknesses that one function might not see in isolation.
• Monitor risk holistically and continuously: We need to move away from the old model of once-a-year, check-the-box risk assessments—and focus on the other 364 days. Organizations need to establish near-real-time and continuous methods of re-assessing risk exposures, not simply collating data in time for reporting cycles. Given that organizations are also partnering with non-traditional vendors, they need to expand their risk assessment to non-financial risks or “newer” risks, such as business continuity, cyber, data protection or ESG.
• Address resourcing challenges: To meet the growing skills gap, organizations should increase their TPRM budget and invest in training programs to upskill current resources.
• Leverage technology: The right technology can significantly improve visibility, helping companies to be far more responsive to potential major disruption and change within their domestic, regional and global supply chains. Useful applications include centralized vendor library, automated risk assessment workflows, risk reporting capabilities, or assessment of contract risk compliance.

To keep their business functioning, companies need 360-degree visibility of all of their third parties and the risks that come with them. They should establish an end-to-end process to assess all third-party risks, from vendor selection down to execution and termination of contract. They should also ensure they have the proper mechanism to collect and analyze the data, gaining the necessary insights to manage risk exposure, such as concentration risk.
 
Our survey indeed indicated that 34 percent of respondents flag poor quality or inconsistent data as the biggest challenge to TPRM transformation. Lack of integration is often a barrier to TPRM transformation, as data is collected in a fragmented or siloed manner.

Looking at vendors holistically can help expose broader risks that might not be visible at a single-departmental level. It is important for example to collect information on locations, transportation routes, and more. With an understanding of how a shipment is travelling, a business can be more proactive should a jam or a strike arrives. Failing to do so, a business can only be reactive, putting them at a disadvantage.

Organizations can use this information to model the various possibilities that could happen internally or with other organizations they work with, and regularly and timely escalate the most material risks to the C-suite.

Further to the findings of the survey itself, our practice leaders have observed the need for organizations to perform regular and detailed scenario planning to become more risk resilient. Upon achieving an enterprise-wide view of their risk postures, Canadian businesses will be in a better position to anticipate and prepare for risks and ultimately assess their ability to respond to them.

This means asking:

• What risk scenarios could emerge?
  
• How will I continue to serve my current customers and grow my business if these scenarios materialize?
• What do I need to do in the current market to secure my sources, ensure my supply, and preserve and grow my business?

Many businesses, for example, have strong relationships with just one or two major suppliers or partners, or just one or two large customers or export markets. Recognizing the need to strengthen their supply chains, companies can actively seek a broader list of suppliers or alternative markets, customers, transport and logistics providers.

Risks (and third parties) will vary in terms of the frequency with which they need to be assessed and planned for. Key trading partners, for example, should be the subject of frequent, near-real-time planning for all major risks. Businesses are encouraged to invest resources in scenario planning, as it represents a strategic improvement to the TPRM function.

Adopting this model in other sectors would help minimize the time for onboarding, enhance continuous monitoring, and reduce resource requirements through sharing. Organizations should collaborate to establish relevant KPIs with third parties (including KPIs on fourth and fifth parties), leveraging the necessary technologies such as blockchain, and collect/share data on them centrally.

The pandemic made it abundantly clear that Canadian organizations can’t gamble with risk or rely on luck to protect their businesses. While reliance on third parties continues to grow, TPRM programs are still largely fragmented and not integrated with other organizational processes.

Like many other risks, those associated with third parties must become a strategic priority, with appropriate focus, funding and expertise throughout all facets of the business, including processes, people, systems and data enablement—to provide the holistic view necessary to adequately manage the key risk exposures.

To maximize program benefits, TPRM should:

• Clearly define roles and responsibilities, right up to the C-suite
• Become an integrated, company-wide program
• Establish an end-to-end process to assess all third-party risks, from vendor selection through to termination
• Invest in scenario planning to anticipate and respond to upcoming risks
• Engage in “coopetition” within you sector

Only then will organizations be able to develop a complete picture of their third-party risk, and properly plan for a more secure and successful future.

TPRM leaders understand that they need a structured and phased approach to achieve the right level of board and management attention and investment. KPMG professionals can support you across the spectrum of needs you may have to achieve your TPRM program goals as laid out below:

• Maturity assessment: Rapid current state review of TPRM capabilities; provide observations and recommendations.
• Regulatory review: Gap analysis against relevant regulatory requirements; provide observations and recommendations.
• Business case and roadmap: Prioritize enhancements and size the level of effort required to roll out the program.
• Internal Audit: Three lines of defense (3LoD) co-source.

• Framework design: Establish or enhance TPRM program and process components; develop program documentation, lifecycle templates and technology business requirements.
• Technology enablement: Configure and implement workflow technology, risk intelligence software and third-party utilities.
• Tuning and optimization: Enhance elements of the TPRM program and process. For example: metrics and reporting, data analytics or TPRM risk appetite.

• Scenario testing: Third-party business continuity and exit plans.
• Managed services: Operate end-to-end processes for pre- and post-contract screening and monitoring of third parties. Incorporate leading technologies and data sources with leading practice processes delivered by risk domain professionals.
  
• Third-Party assessments: Execute portfolio of risk and controls assessments pre- and post-contract.

We surveyed 1,263 senior TPRM professionals across 16 countries worldwide to understand how organizations were approaching third-party risk. This included 100 Canadian responses in six sectors: