Global organisations increasingly rely on and partner with third parties to run their operations effectively and efficiently. This dependency exposes organisations to different types of risk and makes third parties an attack vector for reaching the end organisation. The resulting increase in the number of third-party incidents affecting organisations, together with greater emphasis on regulatory assessments, has made third party risk management (TPRM) a key focus area for boards and senior management across organisations.
However, organisations continue to face multiple challenges in addressing third party risk, including a lack of visibility into third-/nth-party relationships, an ever-increasing volume of third party risk assessment requests, the absence of upstream/downstream process and system integration, complex operating models, and limited use of technology.
KPMG in India, through the services below, assists global and national majors in addressing these challenges and transforming their TPRM program in line with industry-leading practices, regulatory requirements, and business objectives:
- Advisory Services: KPMG supports organisations in designing and uplifting their third party risk management program in line with industry-leading practices and regulatory requirements.
- Assessment Services: KPMG supports organisations in conducting assessments throughout the third party life cycle to identify, assess, report, monitor, and mitigate risks to the organisation.
- Digital Transformation: KPMG supports organisations in digital transformation of their TPRM program.
- Other Solutions:
- Enterprise Third Party Risk Management: KPMG supports organisations in designing, streamlining and operationalising an enterprise-wide third party risk management program to assess and manage third party risks beyond cyber, including ESG, financial, legal, compliance, operational and reputational risks. For more information, please refer to Enterprise Third Party Risk Management
- Software Supply Chain Security: KPMG supports organisations in starting their software supply chain security journey by assessing and managing the risk associated with third party software products and components. For more information, please refer to Software Supply Chain Security
- Third Party Cloud Security Assessments: KPMG provides organisations with a cloud control catalogue capability that enables them to efficiently assess third party SaaS application services and their associated environments.
- Third Party Continuous Cyber Risk Monitoring: KPMG supports organisations in continuously monitoring their third parties, based on external data feeds or substantive review of control population data.
Our Service offerings
Regulatory gap assessment
- Provide a regulatory health-check assessment, including observations and impact analysis
Maturity assessment
- Perform “As-Is” state review of the client’s TPRM program capabilities
- Provide TPRM program maturity assessment report including areas of improvement and recommendations along with a transformation roadmap
Business case and roadmap
- Prioritize enhancements, and estimate the efforts and resources required to roll out the TPRM program
TPRM framework development
- Enhance TPRM framework including scope definitions (risk domains, third party entities, and third party lifecycle), governance mechanism, guidance for third party lifecycle activity, issue and exception management, program KPIs, escalation matrix and reporting mechanism, change management, and policy/process documentation
Building TPRM Target Operating Model
- Design and operationalize the TPRM target operating model covering people, process, technology, deployment strategy, service delivery model, performance insights, and data governance
Service risk profiling
- Inherent risk assessment of potential third party arrangements/services
- Periodic review of the third party arrangements/services to assess and monitor any change in the inherent risk profile
Third party risk and control assessments
- Third party lifecycle stage coverage: Onboarding, Ongoing Monitoring, and Termination
- Assessment Mode: Self-Assessment, Remote Assessment, and Onsite Assessment
- Assessment Depth: Response/evidence-based validation, Walkthrough based validation, Test of design, Test of operating effectiveness
Thematic assessments
- Ad-hoc assessments conducted for an identified set of third parties and focused on a specific risk area (e.g., an impact assessment for the Log4j vulnerability)
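As an added example (not KPMG's tooling and not code from this page), the following Python script shows the kind of check a Log4j thematic assessment reduces to once third parties have returned their component inventories: flag any log4j-core version inside the affected range, and treat a missing or unparseable version as an open item rather than silently clearing it. The inventory is constructed sample data; the affected range is the one from the Apache advisory for CVE-2021-44228 (2.0-beta9 to 2.14.1 inclusive), with the backported fix releases inside that range excluded.

```python
"""Thematic assessment triage: which third parties reported a component in an
affected version range, and which could not be assessed at all.

Added example; the inventory below is constructed sample data, not a real
vendor response set.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    third_party: str
    name: str      # Maven-style coordinate, e.g. "org.apache.logging.log4j:log4j-core"
    version: str   # as reported by the vendor, possibly blank or "n/a"


# component -> (lowest affected, highest affected, fixed releases that sit inside the range)
AFFECTED = {
    "org.apache.logging.log4j:log4j-core": ("2.0-beta9", "2.14.1", {"2.12.2", "2.3.1"}),
}


def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    A pre-release tag sorts before the matching final release, so
    2.0-beta9 < 2.0 < 2.0.1. Tag names themselves are not ordered.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d+))?", v.strip().lower())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch, tag, tagnum = m.groups()
    pre = (0, int(tagnum)) if tag else (1, 0)   # (1, 0) marks a final release
    return (int(major), int(minor), int(patch or 0), pre)


def assess(component):
    """Return 'affected', 'clear' or 'unknown' for one reported component."""
    rule = AFFECTED.get(component.name)
    if rule is None:
        return "clear"            # out of scope for this theme
    lo, hi, fixed = rule
    if component.version.strip() in fixed:
        return "clear"            # backported fix release
    try:
        v = parse_version(component.version)
    except ValueError:
        return "unknown"          # no usable version: follow up, do not clear
    return "affected" if parse_version(lo) <= v <= parse_version(hi) else "clear"


def triage(inventory):
    """Roll findings up to one status per third party (worst component wins)."""
    rank = {"clear": 0, "unknown": 1, "affected": 2}
    worst = {}
    for c in inventory:
        status = assess(c)
        prev = worst.get(c.third_party, "clear")
        worst[c.third_party] = status if rank[status] > rank[prev] else prev
    return worst


# Constructed sample inventory: vendor names and versions are illustrative only.
SAMPLE_INVENTORY = [
    Component("Acme Payroll SaaS", "org.apache.logging.log4j:log4j-core", "2.14.1"),
    Component("Acme Payroll SaaS", "org.apache.logging.log4j:log4j-api", "2.14.1"),
    Component("Beta Logistics", "org.apache.logging.log4j:log4j-core", "2.17.1"),
    Component("Gamma Analytics", "org.apache.logging.log4j:log4j-core", "2.12.2"),
    Component("Delta CRM", "org.apache.logging.log4j:log4j-core", "n/a"),
    Component("Delta CRM", "ch.qos.logback:logback-classic", "1.2.3"),
    Component("Epsilon Hosting", "org.apache.logging.log4j:log4j-core", "2.0-beta9"),
]


if __name__ == "__main__":
    for party, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{party:20s} {status}")
```

The rollup deliberately ranks "unknown" above "clear": a vendor that answered the questionnaire without a version has not demonstrated anything, and the assessment log should carry that as an open item for issue management rather than as a pass.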
Contract compliance review
- Contract gap analysis, and diagnostic assessment of Information Security requirements in third party contracts
Issue management
- Logging, tracking, monitoring, and closure of identified gaps as per the agreed action plan and timeline
Leverage utility platform assessments
- Review third party risk assessment results provided by utility platforms
Leverage external data feeds
- Leverage external sources to determine third party risk posture for specific risk groups without the need for intensive manual assessments
Process automation
- End-to-end implementation services for COTS platforms (SAP Ariba, Coupa Risk Assess, Archer, ServiceNow, OneTrust) and KPMG TPRM solutions [KPMG Vendor Assessment and Compliance Hub, Digital Signal Insights Platform (DSIP)]
- Business analyst services
- Solution implementation and System Integration
- Testing Services (UAT / Functionality)
- Production support
- Program management
- Change management
- Backlog Management
Dashboard and Reporting
- Automation of Strategic KPIs and Operational SLAs leveraging external dashboarding tools such as PowerBI, Tableau, etc.
NextGen TPRM solutions (AI/ML, RPA)
- Leverage technologies such as RPA and AI/ML to automate manual and repetitive tasks (use cases include automated control testing, parsing of third party evidence/documents, etc.)
Why KPMG in India?
How can we help you?
We have built TPRM program accelerators such as end-to-end TPRM process workflow, risk profiling and assessment questionnaire template, risk mitigation and acceptance form covering exception cases, KPIs template, risk metrics etc. We will leverage these accelerators to reduce time spent on building the deliverable and focus more on building acceptance for the framework with the stakeholders.
We work with a network of member firms to ensure physical presence and language capabilities for our global clients. We have consistently delivered engagements beyond traditional assessments and have assisted clients with the design, regulatory requirement mapping, issue assurance, and automation aspects of their third party risk management programs.
We have a strong team of 200+ individuals focused on third party cyber risk management, with skill sets spanning DevOps, DevSecOps, cloud security, application security and product security, penetration testing, SAST and DAST, security architecture, SOC, etc. Our security professionals hold certifications including ISO 27001, CISSP, CCSP, CISA, CISM, CRISC, CTPRP, OSCP, DevSecOps, AWS, and Microsoft Azure.
We have worked on digital interventions including third party risk intelligence, bot-led risk assessment, etc. to achieve a shorter turnaround time for executing TPRM program activities.
Key Contacts
To know more about how we at KPMG in India can help your clients build their TPRM programs, please connect with us.