By Srinivas Potharaju, Risk Transformation Leader and Partner, Risk Consulting, KPMG in India; and Srijit Menon, Third Party Risk Management Leader and Director, Risk Consulting, KPMG in India
While working with third parties (vendors, subsidiaries, business associates, etc.) enables organisations to focus on their core competencies, it also exposes them to financial, regulatory and reputational risks.
Organisations and their customers face a growing number of third-party incidents, coupled with increasing regulatory scrutiny; third-party risk is therefore emerging as a key focus area.
Third-party onsite assessment has become a fundamental part of Third Party Risk Management (TPRM) frameworks across organisations. Onsite assessments help organisations to:
- Comply with regulatory requirements
- Perform a sense check and understand the third-party organisation's risk culture
- Measure third-party staff awareness of key requirements
- Obtain deeper and focused risk insights related to specific areas.
Further, onsite assessments follow a ‘trust but verify’ approach, using physical walkthroughs and observation for areas requiring greater assurance.
However, the COVID-19 pandemic has brought unprecedented disruptions across multiple sectors impacting the business activities of organisations and their third parties. The pandemic not only amplified the impact of third-party and supply chain disruption, but also challenged the ability of global organisations to plan and execute key TPRM components such as onsite assessments. This has likely triggered long-term changes in the way organisations conduct onsite assessments.
KPMG in India’s recently published paper titled ‘Contextualising third-party onsite assessment in the COVID-19 era’ outlines key measures to address the challenges in conducting third-party onsite assessments. Global organisations have been engaged in discussions with regulators, boards and committees in a bid to refresh their onsite assessment strategies. Social distancing and remote working have limited opportunities to conduct physical onsite inspections, and in this backdrop, online assessments are gaining currency.
Online assessments, which leverage a range of collaboration tools, data sharing platforms and augmented reality/virtual reality (AR/VR), are showing a high degree of effectiveness across traditional onsite control areas, such as policy review, system configuration, and confidential information. However, limitations remain in some areas. For example, online assessments may not work effectively in scenarios where onsite visits may be mandated to confirm regulatory or business findings, or when there are data privacy concerns. Issues could also arise when the third party does not have remote access to servers, end-point devices, infrastructure components, and applications, or when the third party is providing services from an offshore development centre without access to the internet.
Online assessments are expected to mature over time as assessors and third parties become accustomed to the new ways of working. While online assessments cannot fully replace onsite ones, the need to define alternatives to existing approaches for onsite assessments has become clear, given the new realities that confront businesses today.