Third Party Risk Management

Third Party Risk Management solution helps an organisation to identify, assess, and manage risk associated with third-party relationship(s)
A businessman thoughtfully examines investment opportunities, showcasing a professional and strategic approach to financial decisions against a modern backdrop.

Third Party Risk Management emerging as a key focus area

Global organisations increasingly rely on and partner with third parties to perform their operations effectively and efficiently. This dependency or relationship with third parties exposes organisations to different types of risks and makes third parties an attack vector for targeting the end organisations. The resulting increase in number of third party incidents impacting the organisations and emphasis on regulatory assessments has resulted in TPRM emerging as a key focus area for the board and senior management across organisations.

However, organisations continue to face multiple challenges in addressing third party risks including lack of visibility on third/ nth party relationships, managing ever-increasing requests for third party risk assessments, absence of upstream/ downstream process and system integration, complex operating model, and limited use of technology.

KPMG in India, through the below services, assists global and national majors in addressing the above challenges and transforming their TPRM program aligned with Industry leading practices, regulatory requirements, and business objectives:

Advisory Services

KPMG supports organisations in designing and up-lifting their third-party risk management program in-line with the industry leading practices and regulatory requirements.

Advisory Services

Assessment Services

KPMG supports organisations in conducting assessments throughout the third party life cycle to identify, assess, report, monitor, and mitigate risks to the organisation.

Digital Transformation

KPMG supports organisations in digital transformation of their TPRM program.

 

Digital Transformation

Other Solutions:

  1. Enterprise Third Party Risk Management

    KPMG supports organization to design, streamline and operationalize enterprise wide third party risk management program to assess and manage third party risks covering risk risk beyond cyber including ESG, Financial, Legal, Compliance, Operational and Reputational risks. For more information, please refer to Enterprise Third Party Risk Management

  2. Software Supply Chain Security

    KPMG supports organisation to start their software supply chain security journey by assessing and managing risk associated with third party software products and components.

  3. Third Party Cloud Security Assessments

    KPMG supports organisation with cloud control catalog capability that enables them to efficiently assess third party SaaS application services and associated environments.

  4. Third Party Continuous Cyber Risk Monitoring

    KPMG supports organisation to perform continuous monitoring of their third party based on external data feeds or substantive review of control population data.

Our Service offerings

  1. Regulatory gap assessment

    Provide regulatory health check assessment including observation and impact analysis details and Impact Analysis

  2. Maturity assessment
    1. Perform “As-Is” state review of the client’s TPRM program capabilities
    2. Provide TPRM program maturity assessment report including areas of improvement and recommendations along with a transformation roadmap
  3. Business case and roadmap

    Prioritize enhancements, and estimate the efforts and resources required to roll out the TPRM program.

  4. TPRM framework development

    Enhance TPRM framework including scope definitions (risk domains, third party entities, and third party lifecycle), governance mechanism, guidance for third party lifecycle activity, issue and exception management, program KPIs, escalation matrix and reporting mechanism, change management, and policy/process documentation

     

  5. Building TPRM Target Operating Model

    Design and operationalize the TPRM target operating model covering people, process, technology, deployment strategy, service delivery model, performance insights, and data governance

     

  1. Service risk profiling
    1. Inherent risk assessment of potential third party arrangements/services
    2. Periodic review of the third party arrangements/services to assess and monitor any change in the inherent risk profile
  2. Third party risk and control assessments
    1. Third party lifecycle stage coverage: Onboarding, Ongoing Monitoring, and Termination
    2. Assessment Mode: Self-Assessment, Remote Assessment, and Onsite Assessment
    3. Assessment Depth: Response/evidence-based validation, Walkthrough based validation, Test of design, Test of operating effectiveness
  3. Thematic assessments

    Ad-hoc assessments conducted for identified set of third parties and focused on specific risk areas (e.g., impacts assessment for log4j attack)

  4. Contract compliance review

    Contract gap analysis, and diagnostic assessment of Information Security requirements in third party contracts

  5. Issue management

    Logging, tracking, monitoring, and closure of identified gaps as per the agreed action plan and timeline

  6. Leverage utility platform assessments

    Review third party risk assessment results provided by utility platforms

  7. Leverage external data feeds

    Leverage external sources to determine third party risk posture for specific risk groups without the need for intensive manual assessments

  1. Process automation

    End-to-end implementation services for COTS (SAP Ariba, Coupa Risk Assess, Archer, Service Now, One Trust) and KPMG TPRM solutions [KPMG Vendor Assessment and Compliance Hub, Digital Signal Insights Platform (DSIP)]

    1. Business analyst services
    2. Solution implementation and System Integration
    3. Testing Services (UAT / Functionality)
    4. Production support
    5. Program management
    6. Change management
    7. Backlog Management
  2. Dashboard and Reporting

    Automation of Strategic KPIs and Operational SLAs leveraging external dashboarding tools such as PowerBI, Tableau, etc.

  3. NextGen TPRM solutions (AI/ML, RPA)

    Leverage technologies such as RPA and AI/ML to automate manual and redundant task (use cases include automated control testing, parsing of third-party evidence/ documents etc.)

     

Why KPMG in India?

How can we help you?

We have built TPRM program accelerators such as end-to-end TPRM process workflow, risk profiling and assessment questionnaire template, risk mitigation and acceptance form covering exception cases, KPIs template, risk metrics etc. We will leverage these accelerators to reduce time spent on building the deliverable and focus more on building acceptance for the framework with the stakeholders.

How can we help you?

How can we help you?

We work with a network of member firms to ensure physical presence and language capabilities for our global clients. We have consistently delivered engagements beyond traditional assessments and assisted its clients in designing, regulatory requirement mapping, issue assurance, and automation aspects of their third-party risk management programs.

How can we help you?

How can we help you?

We have a strong team of 200+ individuals focused on third party cyber risk management with skill sets such as DevOps, DevSecOps, Cloud Security, Application Security and Product Security, Cyber Security, Pen Testing, SAST & DAST, Security Architect, SOC, etc. Our security professionals are certified in ISO270001, CISSP, CCSP, CISA, CISM, CRISC, CTPRP, OSCP, DevSecOps, AWS, MS Azure, etc.

How can we help you?

How can we help you?

We have worked on digital interventions including third party risk intelligence, bot-led risk assessment, etc. to achieve a shorter turnaround time for executing TPRM program activities.

How can we help you?

Cyber security

Use cyber security to protect your future

Cyber security

Rich Industry Experience

“ KPMG in India has been a trusted partner in the transformation of our Third-Party Risk Management Program for more than two years. Their expertise guidance, insights, and support have been integral to the maturity and success of our program ”

-Global US based Software Technology Company





“ As always, it has been pleasure working with you. I have found the engagement to be incredibly organized and efficient, when delays did arise you demonstrated empathy and understanding. I and the wider team also appreciate the efforts that you put into reducing the controls through historical evidence mapping. ”

-Global Swiss Investment Bank and Financial Services Company
 
 
 

“ We have been working with KPMG’s third-party risk management consultants for over two years and decided it was time to take our program to the next level. We needed industry expertise to help to uplift our manual end-to-end TPRM process. KPMG gave us the best TPRM expert and ServiceNow architects, Not only were they knowledgeable, but they were also extremely patient as we worked through some internal issues. Their partnership has proven valuable several times over. ”

-Global US based Retail Company

Select Credentials

India Insights

Our insights is your gateway to thought leadership and in-depth reports. Explore our curated collection of valuable content, where we delve into complex business challenges, share industry trends, and provide actionable insights.

International Fraud Awareness Week

International Fraud Awareness Week 2024, held from 17-23 November, to raise awareness about the impacts and prevention of fraud

Awareness and actions at the forefront of third-party risk management

Awareness and actions at the forefront of third-party risk management

Beyond the resume: Background screening to protect organisational integrity

Understanding importance of background screening for organisations

Elevating fourth-party risk oversight for financial services

Navigating the complex web of fourth-party risk identification and management in financial services

‘Fit and proper’ due diligence

Integrity through ‘fit and proper’ due diligence for shareholders and key personnel in financial institutions.

International Fraud Awareness Week

International Fraud Awareness Week 2024, held from 17-23 November, to raise awareness about the impacts and prevention of fraud
International Fraud Awareness Week

Key Contacts

To know more about how we at KPMG in India can help your clients build their TPRM programs, please connect with us.

Atul Gupta

Partner and Head - Digital Trust and Cyber

KPMG in India

Kunal Pande

National Co-Head - Digital Risk and Cyber, National Leader - Digital Trust for Financial Services Sector

KPMG in India

Srinivas Potharaju

Partner and Head, Digital Risk and Cyber

KPMG in India

Srijit Menon

National Head for TPRM in India

KPMG in India

Connect with us

Contact our specialists for more information

connect with us