
Global organisations increasingly rely on and partner with third parties to perform their operations effectively and efficiently. This dependency on third parties exposes organisations to different types of risk and makes third parties an attack vector for targeting the end organisations. The resulting increase in the number of third-party incidents impacting organisations, together with a growing emphasis on regulatory assessments, has made TPRM a key focus area for boards and senior management across organisations.

However, organisations continue to face multiple challenges in addressing third-party risk, including lack of visibility into third-/nth-party relationships, managing ever-increasing requests for third-party risk assessments, absence of upstream/downstream process and system integration, complex operating models, and limited use of technology.

KPMG in India, through the services below, assists global and national majors in addressing these challenges and transforming their TPRM programs in line with industry leading practices, regulatory requirements, and business objectives:

  • Advisory Services: KPMG supports organisations in designing and uplifting their third-party risk management program in line with industry leading practices and regulatory requirements.
  • Assessment Services: KPMG supports organisations in conducting assessments throughout the third-party life cycle to identify, assess, report, monitor, and mitigate risks to the organisation.
  • Digital Transformation: KPMG supports organisations in the digital transformation of their TPRM program.
  • Other Solutions:
    • Enterprise Third Party Risk Management: KPMG supports organisations in designing, streamlining and operationalising an enterprise-wide third-party risk management program to assess and manage third-party risks beyond cyber, including ESG, Financial, Legal, Compliance, Operational and Reputational risks.
    • Software Supply Chain Security: KPMG supports organisations in starting their software supply chain security journey by assessing and managing the risk associated with third-party software products and components.
    • Third Party Cloud Security Assessments: KPMG supports organisations with a cloud control catalogue capability that enables them to efficiently assess third-party SaaS application services and their associated environments.
    • Third Party Continuous Cyber Risk Monitoring: KPMG supports organisations in performing continuous monitoring of their third parties based on external data feeds or substantive review of control population data.

Our Service offerings

Regulatory gap assessment

  • Provide a regulatory health check assessment, including observation details and impact analysis

Maturity assessment

  • Perform “As-Is” state review of the client’s TPRM program capabilities
  • Provide TPRM program maturity assessment report including areas of improvement and recommendations along with a transformation roadmap

Business case and roadmap

  • Prioritize enhancements, and estimate the efforts and resources required to roll out the TPRM program

TPRM framework development

  • Enhance TPRM framework including scope definitions (risk domains, third party entities, and third party lifecycle), governance mechanism, guidance for third party lifecycle activity, issue and exception management, program KPIs, escalation matrix and reporting mechanism, change management, and policy/process documentation

Building TPRM Target Operating Model

  • Design and operationalize the TPRM target operating model covering people, process, technology, deployment strategy, service delivery model, performance insights, and data governance

Service risk profiling

  • Inherent risk assessment of potential third party arrangements/services
  • Periodic review of the third party arrangements/services to assess and monitor any change in the inherent risk profile

Third party risk and control assessments

  • Third party lifecycle stage coverage: Onboarding, Ongoing Monitoring, and Termination
  • Assessment Mode: Self-Assessment, Remote Assessment, and Onsite Assessment
  • Assessment Depth: Response/evidence-based validation, Walkthrough based validation, Test of design, Test of operating effectiveness

Thematic assessments

  • Ad-hoc assessments conducted for an identified set of third parties and focused on specific risk areas (e.g., impact assessment for the Log4j attack)

Contract compliance review

  • Contract gap analysis, and diagnostic assessment of Information Security requirements in third party contracts

Issue management

  • Logging, tracking, monitoring, and closure of identified gaps as per the agreed action plan and timeline

Leverage utility platform assessments

  • Review third party risk assessment results provided by utility platforms

Leverage external data feeds

  • Leverage external sources to determine third party risk posture for specific risk groups without the need for intensive manual assessments

Process automation

End-to-end implementation services for COTS (SAP Ariba, Coupa Risk Assess, Archer, ServiceNow, OneTrust) and KPMG TPRM solutions [KPMG Vendor Assessment and Compliance Hub, Digital Signal Insights Platform (DSIP)]:
  • Business analyst services
  • Solution implementation and System Integration
  • Testing Services (UAT / Functionality)
  • Production support
  • Program management
  • Change management
  • Backlog Management

Dashboard and Reporting

  • Automation of strategic KPIs and operational SLAs leveraging external dashboarding tools such as Power BI, Tableau, etc.

NextGen TPRM solutions (AI/ML, RPA)

  • Leverage technologies such as RPA and AI/ML to automate manual and redundant tasks (use cases include automated control testing, parsing of third-party evidence/documents, etc.)

Why KPMG in India?

How can we help you?

We have built TPRM program accelerators such as an end-to-end TPRM process workflow, risk profiling and assessment questionnaire templates, a risk mitigation and acceptance form covering exception cases, KPI templates, risk metrics, etc. We leverage these accelerators to reduce the time spent on building deliverables and focus more on building acceptance for the framework with stakeholders.

We work with a network of member firms to ensure physical presence and language capabilities for our global clients. We have consistently delivered engagements beyond traditional assessments and assisted clients in the design, regulatory requirement mapping, issue assurance, and automation aspects of their third-party risk management programs.

Team Expertise

We have a strong team of 200+ individuals focused on third-party cyber risk management with skill sets such as DevOps, DevSecOps, Cloud Security, Application Security and Product Security, Cyber Security, Pen Testing, SAST & DAST, Security Architecture, SOC, etc. Our security professionals hold certifications such as ISO 27001, CISSP, CCSP, CISA, CISM, CRISC, CTPRP, OSCP, DevSecOps, AWS, MS Azure, etc.

Digital Assets

We have worked on digital interventions including third-party risk intelligence, bot-led risk assessment, etc. to achieve a shorter turnaround time for executing TPRM program activities.

Rich Industry Experience

  • KPMG in India has been a trusted partner in the transformation of our Third-Party Risk Management Program for more than two years. Their expertise, guidance, insights, and support have been integral to the maturity and success of our program.

    - Global US-based Software Technology Company

  • As always, it has been a pleasure working with you. I have found the engagement to be incredibly organized and efficient; when delays did arise you demonstrated empathy and understanding. I and the wider team also appreciate the efforts that you put into reducing the controls through historical evidence mapping.

    - Global Swiss Investment Bank and Financial Services Company

  • We have been working with KPMG’s third-party risk management consultants for over two years and decided it was time to take our program to the next level. We needed industry expertise to help uplift our manual end-to-end TPRM process. KPMG gave us the best TPRM expert and ServiceNow architects. Not only were they knowledgeable, but they were also extremely patient as we worked through some internal issues. Their partnership has proven valuable several times over.

    - Global US-based Retail Company

Select Credentials

  • Consumer Market and Life Sciences
  • Energy and Natural Resources
  • Financial Services
  • Industrial Markets
  • Private Equity

Key Contacts

To know more about how we at KPMG in India can help your clients build their TPRM programs, please connect with us.