Cédric Biedermann, Director

Using third party suppliers exposes organizations to penalties and reputational damage, which can lead to significant downstream operational costs. Organizations are increasingly reliant on third parties, such as vendors, suppliers, service providers, agents, distributors, brokers, joint ventures and resellers, to deliver business-critical products and services. It is therefore essential that third party risk management (TPRM) is carried out strategically and correctly for the approval and management of third parties. Developing and implementing effective strategies can be challenging, so don’t hesitate to seek outside help.

Follow this field guide to third party risk management to optimize your organization's performance, reputation and security.

Risk aversion

Failing to provide adequate TPRM can expose an organization to a range of risks: reputational, technology, data privacy, operational, regulatory and compliance, and financial. Covering these aspects is essential to enable business growth and resilience. Research suggests that 60% of organizations have faced problems due to insufficiently rigorous programs, which is why 77% of businesses say that TPRM is a strategic priority.

Successful TPRM programs across industries should follow a defined process for identifying, monitoring and managing third party risks. Our analysis has allowed us to define the key steps that help an organization upgrade its TPRM program. KPMG’s framework for an effective TPRM operating model is based on four pillars: governance, process, infrastructure, and data.

  • Governance refers to the policies, standards, responsibilities, and risk appetite that establish the scope and focus of the program.
  • The process requires consistency in the risk-based approach for assessing third party services and skills to support decision-making.
  • The infrastructure supports efficient workflow, task automation and reporting aligned with the company’s operating style (centralized or distributed), enabling consistent management of risk across business lines and regions.
  • The collection of real-time data is essential for decision making, risk assessments and performance monitoring.

Journey to TPRM maturity

Findings from over 14 countries and 1,000 corporations suggest that the majority of industries need to improve their TPRM program. Transformation is driven by a constant cycle of program uplifts, process optimization and innovation. We have derived four key steps to help you make this happen.

  1. Agree on the vision: Determine where TPRM sits within your organization, whether it falls under Risk and Compliance, or Finance, Admin and Operations. Placing TPRM within the broader procurement organization can lead to significant operational efficiencies and an improved user experience. Furthermore, enabling automation of the program is essential for scaling TPRM.

  2. Build the model: TPRM programs are complex. Not only does every part of the organization use third parties, but each third party service carries multiple risks, and different oversight functions need to be consulted on individual risk assessments. TPRM program development needs constant updates to ensure that the how, when and where of business stakeholder involvement is efficient.

  3. Optimize the process: This aims to ensure that third parties that do not meet pre-determined risk criteria and materiality thresholds are not put forward for assessment by the TPRM program. This can be done through risk segmentation, such as establishing a disciplined risk-scoring methodology across third party services, and enhancement of the service delivery model to reduce costs and increase accountability.

  4. Evolve and innovate: The greatest effort in a TPRM program goes into gathering and assessing third party control information. There is increasing acknowledgement of the need for third parties and their customers to collect and share information in order to reduce costs. The largest risk management investments are in technology, data analytics and automation.


Optimizing your TPRM program will improve your organization’s performance, reputation and security. The four key steps (i.e. agree on the vision, build the model, optimize the process, and evolve and innovate) will help your business improve and update its TPRM program. However, TPRM programs can be very complex depending on your company’s structure and the range of risks that affect it. Asking for help will only improve your efficiency, resilience and risk aversion.

Get more insight here: Third Party Risk Management Outlook 2020
