A large proportion of cyber security risk is attributable to third parties in your supply chain. Geopolitical developments and cyber criminal activity also make your supply chain more exposed to outages than ever before. This is why an increasing number of regulations, such as NIS-2 and DORA, require an effective TPRM framework. Targeted management of risks along the entire supply chain is key to staying ahead of the competition. KPMG supports you in making the risks along your supply chain transparent and in fulfilling the regulatory requirements.
KPMG approach
To provide a comprehensive overview of our approach to TPRM, the key work packages are summarised below in a structured way. Each package helps to improve your organisation's security posture and shows how our holistic approach addresses the challenges of managing your supply chain.
TPRM-Framework Maturity Assessment
KPMG offers a comprehensive maturity assessment that evaluates your organisation's third-party risk management framework across the functions involved (e.g. procurement and risk management). Gaps are identified in existing processes, roles and technologies that affect whether your service providers are managed effectively. Together with you, a roadmap is created to optimise your TPRM, raise it to industry standards and meet compliance requirements.
Markus Limbach
Partner, Consulting, Cyber Security
KPMG AG Wirtschaftsprüfungsgesellschaft
Dr. Michael Falk
Partner, Consulting, Cyber Security
KPMG AG Wirtschaftsprüfungsgesellschaft
Implementation of your TPRM framework
Based on the roadmap from the previous step, the identified measures are implemented to minimise the risks, reach industry standards and achieve compliance with NIS-2 and DORA or conformity with ISO 27001. This includes implementing specific TPRM processes as well as the related technical measures.
Risk scoring of your service providers
We support your organisation in building a structured inventory of all service providers associated with critical business processes, creating transparency about your external partners. On this basis, a risk score is calculated from key attributes of each service provider, such as financial stability, compliance history and operational risk. The scoring methodology is tailored to the needs of your company, and you are guided through the entire scoring process. The result is a customised score for each provider and a prioritised list of your most important service providers (core suppliers).
Contract management in TPRM
Our experts conduct an initial review of your contracts to ensure that all contractual agreements with your service providers meet your organisation's specific requirements as well as industry-wide and compliance requirements. Business continuity requirements and Key Performance Indicators (KPIs) are integrated into contracts and Service Level Agreements (SLAs) to provide clear and measurable reporting. You also benefit from control mechanisms that ensure continuous monitoring of the contracts and their adaptation to new challenges and regulatory changes.
Creation & implementation of questionnaires for third-party security assessments
KPMG supports your organisation in creating questionnaires specifically designed for third-party security assessments. The questionnaires are aligned with standards such as ISO 27001, NIST, SOC 2, IT-Grundschutz and PCI DSS.
You also receive comprehensive support in coordinating and carrying out cyber security assessments at your service providers so that your organisation's requirements are met. Our work steps include planning and conducting the assessments, analysing the current status of the provider's cyber security measures, reviewing and validating the documentation provided in detail, and preparing a comprehensive final report that lists the identified risks and recommends risk mitigation measures. Regular, systematic reviews help to identify potential risks at an early stage and to implement targeted mitigation measures.
Incident Management and Business Continuity Management for TPRM
Effective incident management and business continuity management (BCM) as part of TPRM are crucial to prepare organisations for security incidents at their service providers. Our approach includes establishing a structured process, with defined communication channels, for reporting and handling potential and confirmed security incidents at third parties. In addition, contingency plans are jointly developed and implemented to help maintain critical business processes even in crisis situations.
Workshops and training courses for TPRM
As part of TPRM, one-off or regular training courses are offered both internally (to your employees and managers) and externally (to your external service providers). These courses are supplemented by jointly designed documents that impart the required knowledge and skills and accompany participants through every step of the TPRM process.
TPRM-Tools
KPMG supports you directly in implementing the GRC tool that is right for you, whether you are setting up your processes or optimising existing ones. Thanks to our alliances with leading providers (e.g. ServiceNow), we help you make full use of the efficiency, automation and innovation these tools offer.
TPRM Managed Services
KPMG's TPRM Managed Services are tailored to take over the monitoring of your day-to-day operational and risk management tasks. This allows your organisation to reduce the additional effort of monitoring your supply chain and to concentrate on what matters: optimising your supply chain and selecting the best suppliers. Our modular, subscription-based offering uses state-of-the-art technology and the in-depth expertise of our experienced specialists to refine your TPRM processes with a proprietary methodology. This lets you minimise risks and ensures that your TPRM challenges are addressed in a consistent, efficient and cost-effective manner.
Your advantages
- Insight into the current maturity level of your third-party risk management, with recommended measures.
- Sustainable governance structures for implementing and managing compliance requirements.
- Greater transparency through clear communication and disclosure of third-party security practices.
- Identification and mitigation of risks from third-party providers to avoid financial losses and reputational damage.
- Stronger resilience to unexpected events at third-party providers.