    Unlock the power of integrated Third Party Risk Management data, metrics and reporting

    Enhance TPRM governance, compliance, and decision-making with unified data and metrics-based reporting

    In today's interconnected business environment, organisations rely heavily on a web of third-party vendors for critical operations. This reliance amplifies the complexity of Third-Party Risk Management (TPRM) and places significant pressure on companies to manage these risks effectively amidst stringent regulatory requirements and the potential for significant operational disruptions. The failure of third-party vendors can lead to interruptions in essential services, further increasing the need for robust TPRM frameworks to ensure both compliance and operational resilience.

    Jon Dowie

    Partner, Financial Services Technology Risk

    KPMG in the UK

    However, many firms struggle with fragmented and siloed risk data spread across various departments and systems. Key information is often dispersed among procurement platforms, risk assessment tools, governance, risk, and compliance (GRC) systems, and numerous spreadsheets and questionnaires stored in disparate files and folders.

    This data fragmentation leads to several critical challenges:

    • Limited Risk Visibility: Without a unified view of third-party data, organisations find it difficult to assess their overall risk exposure accurately. This lack of visibility hampers their ability to identify high-risk vendors and areas of concentration risk, leaving them vulnerable to unforeseen disruptions.
    • Regulatory Compliance Risks: Disjointed data management can result in incomplete or inaccurate reporting to regulators. Firms may struggle to meet obligations under regulations on outsourcing and third-party risk management (e.g. PRA's Supervisory Statement SS2/21 in the UK), potentially leading to compliance breaches and financial penalties.
    • Inefficient Decision-Making: Decision-makers lack timely access to critical insights, making it challenging to prioritise oversight activities or respond swiftly to emerging risks. This inefficiency can hinder the organisation's agility and competitive edge.

    Key focus areas

    Many organisations face challenges in effectively managing their Third-Party Risk Management (TPRM) data and reporting. Companies are seeking to overcome these hurdles by focusing on two key areas:

    • Integration of TPRM data sources: By combining data from various sources — procurement systems, GRC platforms, risk assessment tools, and even spreadsheets — organisations can create a comprehensive view of their third-party risk landscape. This integration enables more accurate insights and better visibility into the overall risk profile.
    • Self-service reporting: To reduce the operational burden of manual data requests and enable real-time insights, organisations are moving towards self-service reporting. This allows stakeholders to access live metrics on third-party risks, improving the efficiency and effectiveness of risk management processes. 

    Bridging the gap

    We have worked with multiple organisations to help them bridge their data gaps and provide more reliable and actionable TPRM insights. By blending our third-party risk and data analytics expertise, we have defined key elements demonstrating the ‘art of the possible’:

    • Key third-party risk metrics that are required to enable effective decision-making across various aspects of third-party risk.
    • An extended TPRM data model to capture data from the underlying siloed systems and provide an MI and Analytics repository, enabling regulatory reporting, risk management and decision-making.
    • Persona-based illustrative dashboards showcasing a tangible and achievable target for organisations to strive for when realising their TPRM data strategies.

    A high-level data flow enabling this is presented below:

    [Figure: high-level TPRM data flow]

    Actions to take now

    These are some no-regret actions that companies can take to get started on combining third-party risk data and creating reporting that helps to improve risk governance and decision-making.

    1. Articulate and prioritise third-party risk reporting requirements: Create reporting wireframes to validate key metrics and secure buy-in, then prioritise and document high-priority metrics along with their relevant data sources.
    2. Understand key data fields and data quality: Identify data fields needed to meet critical reporting requirements as well as any gaps in existing data. Identify how key data sets will be combined, particularly for datasets from disparate systems.
    3. Run a limited pilot to build foundations and get quick wins: Establish a foundational data model that can be expanded with additional data and metrics. Share early successes with stakeholders to gain support for further improvements.

    Given the typical size and complexity of TPRM data, we find that this iterative approach helps to gradually build a more robust data framework and governance, while allowing an opportunity to discover the requirements and demonstrate value early on.

    How KPMG can help

    We have extensive experience of helping clients across various industries improve their TPRM data and reporting. Please reach out to schedule a conversation about the key topics discussed in this article, and to see a demo of our TPRM risk metrics dashboard.

    Our people

    Jon Dowie

    Partner, Financial Services Technology Risk

    KPMG in the UK

    Rohit Nag

    Lead, Third Party Risk Management

    KPMG-UK

    David Knight

    Associate Partner

    KPMG in the UK