As the global marketplace grows increasingly complex and competitive, third-party relationships have become critical to reducing cost and increasing capability. They can help enhance customer experience, accelerate speed-to-market and protect reputation. However, whilst there are advantages to working with third parties, they also add complexity to your organisation’s risk profile. Strong governance is required for confidence in your extended control environment, particularly with heightened regulatory expectations.

Managing third party risks end-to-end is complex and presents several challenges:

  1. Increased regulatory expectations:
  • Regulations are increasingly onerous and wider in scope, encompassing all types of third parties, intra-group arrangements, and cloud service providers.
  • This creates an integration challenge: how does third-party risk link to your Operational Resilience and ERM?
  • Greater focus on governance and senior executive accountabilities

  2. Cross-organisational complex operating model:
  • A decentralised model brings inconsistency in risk decisions, creating a disconnect between procurement, risk functions, the IT department, and the second line
  • A one-size-fits-all approach is not sufficiently risk-based or intelligence-led
  • Volumes can be too high to manage

  3. Technology and data:
  • Lack of automation, creating a reliance on overly manual processes
  • Lack of data-driven insight means risk management processes lack proportionality, and industry utilities and data feeds are not being leveraged

KPMG’s Third-Party Risk Management (TPRM) practice has been successfully advising clients on the most suitable framework, operating model, methodology and tools. Supported by our industry experience and market leading technology, we help businesses bring together the key components of an effective TPRM capability.

Whatever the maturity of your current capability, we can work shoulder to shoulder with you to ensure that third-party providers are a source of strength for your business, not a weak link.

Our services

- Maturity Assessment - rapid current-state review of TPRM capabilities; provide observations and recommendations.

- Regulatory Review - gap analysis against relevant regulatory requirements; provide observations and recommendations.

- Business case and roadmap - prioritize enhancements and size the level of effort required to roll out the program.

- Internal Audit - 3LoD (three lines of defence) co-source.

- Framework design - establish or enhance TPRM program and process components; develop program documentation, lifecycle templates and technology business requirements.

- Technology enablement - configure and implement workflow technology, risk intelligence software and third-party utilities.

- Tuning and optimization - enhance elements of the TPRM program and process, such as metrics and reporting, data analytics or TPRM risk appetite.

- Scenario testing - test third-party business continuity and exit plans.

- Managed services - operate end-to-end processes for pre- and post-contract screening and monitoring of third parties, incorporating leading technologies and data sources with best-practice processes delivered by risk domain experts.

- Third Party Assessments - execute a portfolio of risk and controls assessments pre- and post-contract.

KPMG’s Powered Risk – TPRM solution can fast track your TPRM upgrade and transformation through pre-configured artefacts and technology aligned to industry-leading practices and regulatory requirements.
