Ten Ways to Optimize Your TPRM Program

Prioritizing key risks to enhance operational resilience

In an increasingly interconnected global business environment, firms rely on third parties for a growing share of critical operations, processes, and functions. Although these relationships can provide significant benefits, they also introduce risk, ranging from regulatory compliance to cybersecurity and data protection.

Managing the risks associated with third party relationships is high on both management and regulatory agendas. A survey conducted by KPMG found that 73% of respondents confirmed that inefficiencies in their TPRM program exposed them to reputational risk [TPRM Outlook 2022]. The complexity of organizational structures and the number of stakeholders involved in managing third party risk remain key challenges for management teams.

Based on our work as advisors to the financial services industry, we have seen large firms optimize their TPRM efforts while improving their responses to emerging risks. This article shares the practices we have observed firms adopt to prioritize key risks and relationships and enhance operational resilience.

  1. Employ a Risk-Based Approach:
    A risk-based approach is the foundation of an efficient TPRM lifecycle. It concentrates effort on the third parties that pose the highest risk to the firm, rated on factors such as data access, service criticality, operational resilience and regulatory impact. For instance, third parties with access to sensitive customer data should be prioritized for more frequent and more detailed reviews.

  2. Centralize Oversight and Governance:
    To respond to an increasingly complex risk environment, firms should take a multidisciplinary approach to TPRM by adopting a hub and spoke model. The TPRM function acts as the hub, with a central leadership team responsible for policies, standards, reporting and the risk appetite of the program. The hub is supported by subject matter experts (the "spokes") from the relevant risk domains, such as privacy, cyber, business continuity (BC) and disaster recovery (DR), who provide insight and execution. This approach supports comprehensive identification and mitigation of risks, and it also creates the opportunity to set up a Lines of Defense model within the hub and spokes, enabling independent oversight of the function. The result is consistency in risk management and compliance practices, with the flexibility to address specific business needs.

  3. Leverage Technology and Automation:
    Specialized TPRM software can materially improve the efficiency of routine operations such as risk assessments, due diligence and ongoing monitoring, freeing scarce human resources for analysis and decision-making. For example, AI-driven analytics can support continuous evaluation of a third party's financial health and cybersecurity practices, improving the timeliness of risk management.

  4. Leverage Adaptive Contractual Requirements:
    Embed compliance obligations in contracts and draft them as adaptive clauses whose obligations track changes in U.S. financial regulation, so that continuous compliance does not depend on manual contract revisions. For example, a financial services firm could include a clause in its third party contracts stating that the vendor must comply with all current and future regulations related to data protection and privacy, as applicable under federal and state laws.

  5. Develop Strong Ongoing Monitoring:
    To ensure that third party risk is accurately measured and mitigated, firms need to monitor third party risk profiles and contract performance on an ongoing basis. Risk assessments should be conducted during the contracting phase and refreshed at a frequency set by the third party's risk score, because changes in the business environment, the third party's management structure or its internal controls can expose the firm to increased risk and liability. To integrate third party compliance into their own compliance programs, firms should request third party assurance reports such as SOC 1 and SOC 2 reports. Automated external data feeds for third party financials and adverse news can also drive efficiency and surface risk associated with a third party beyond the service it provides.

  6. Create an Incident Management Framework:
    Establish clear protocols for incident reporting, ensuring third parties know how and when to report security breaches or compliance lapses. The protocols should classify incidents by their impact on the firm and by the risk rating of the third party. Roles and responsibilities for remediation and escalation should be set out in a RACI model (Responsible, Accountable, Consulted, Informed). Within the TPRM framework, firms should define which incident outcomes trigger additional action by the third party. Incidents and their remediation should be documented to evidence resolution. Incident management with proper documentation matters most for compliance breaches affecting financial and data privacy regulations, where swift and coordinated remediation is required.

  7. Create a Reporting Framework:
    With ongoing monitoring and incident reporting in place, firms can define a clear reporting framework for third party relationships. This framework also allows the effectiveness of the overall TPRM program to be analyzed through the metrics collected during ongoing monitoring. For example, reporting on the number of incidents associated with a particular third party, or with a particular step in the firm's TPRM lifecycle, can show whether current practices are working or point to areas for improvement, either in the process or in the mitigating controls.

  8. Provide Continuous Education and Training:
    Provide ongoing education and training for TPRM staff and stakeholders across the firm on emerging risks, regulatory changes and best practices in TPRM. As firms have come to rely on third parties for key business functions, it is prudent to extend that training to them as well. For example, we have seen several clients hold regular key supplier days at which topics such as new cybersecurity threats and regulatory compliance updates are discussed. A mortgage servicing firm, for instance, might train its service providers on the Fair Credit Reporting Act (FCRA) and the Real Estate Settlement Procedures Act (RESPA).

  9. Maintain a Dynamic Framework:
    Firms should map the types of data each third party accesses to the applicable regulations, and establish horizon scanning to quickly identify and mitigate emerging risks and changes in the regulatory environment. By designing risk assessments with horizon scanning in mind, firms can incorporate new rules and risks into their existing frameworks without upending the entire TPRM function. Given the rapidly changing threat landscape, it is more critical than ever to recognize and focus on the evolving risks from AI and on cybersecurity threats, including data breaches, particularly at cloud service providers.

  10. Be Proactive:
    Develop a strategic approach to managing key vendor relationships, including regular performance reviews, alignment of business objectives and collaborative risk management. For example, in regular touchpoints with strategic third parties, we have seen vendors share the enhanced practices they have adopted while serving their other customers, which the firm can then use to drive better outcomes.

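Items 1 and 5 describe a tiering model that drives review cadence: score each third party on the risk factors, assign a tier, and refresh the assessment at a frequency set by that tier. The following is an added illustration of that mechanism, not code or a scoring model from the KPMG article. The factor weights, tier thresholds, review intervals and the four vendor records are assumptions constructed for the example; a real program would calibrate them to its own risk appetite.

```python
"""Illustrative third-party risk tiering and reassessment-cadence tracker.

Added example. Weights, tier thresholds, intervals and the sample inventory
are assumptions chosen for illustration, not a model from the article.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed weights for the inherent-risk factors the article names
# (data access, service criticality, operational resilience, regulatory impact).
FACTOR_WEIGHTS = {
    "sensitive_data_access": 4,  # holds or processes customer PII / NPI
    "service_criticality": 3,    # an outage disrupts a critical business service
    "resilience_gap": 2,         # no tested BC/DR plan or assurance report on file
    "regulatory_impact": 3,      # in scope for a regulation the firm must meet
}

# Assumed tiers: (name, minimum score, reassessment interval in days).
# Higher tiers get more frequent and more detailed reviews.
TIERS = [
    ("Tier 1", 8, 90),
    ("Tier 2", 4, 180),
    ("Tier 3", 0, 365),
]


@dataclass
class ThirdParty:
    name: str
    sensitive_data_access: bool
    service_criticality: bool
    resilience_gap: bool
    regulatory_impact: bool
    last_assessed: date


def inherent_risk_score(tp: ThirdParty) -> int:
    """Sum the weights of every risk factor that applies to the third party."""
    return sum(weight for factor, weight in FACTOR_WEIGHTS.items() if getattr(tp, factor))


def risk_tier(score: int) -> tuple[str, int]:
    """Map a score to (tier name, reassessment interval in days)."""
    for name, minimum, interval_days in TIERS:
        if score >= minimum:
            return name, interval_days
    raise ValueError(f"score {score} is below every tier threshold")


def review_status(tp: ThirdParty, today: date) -> dict:
    """Score, tier, next review date and whether the reassessment is overdue."""
    score = inherent_risk_score(tp)
    tier, interval_days = risk_tier(score)
    next_review = tp.last_assessed + timedelta(days=interval_days)
    return {
        "name": tp.name,
        "score": score,
        "tier": tier,
        "next_review": next_review,
        "overdue": today > next_review,
    }


def overdue_reviews(parties: list[ThirdParty], today: date) -> list[str]:
    """Names of third parties whose reassessment is overdue, highest risk first."""
    statuses = [review_status(tp, today) for tp in parties]
    overdue = [s for s in statuses if s["overdue"]]
    overdue.sort(key=lambda s: (-s["score"], s["name"]))
    return [s["name"] for s in overdue]


# Constructed sample inventory (fictional vendors) and an assumed reporting date.
SAMPLE_PARTIES = [
    ThirdParty("Cloud core-banking host", True, True, True, True, date(2024, 1, 15)),
    ThirdParty("Payroll processor", True, False, False, True, date(2024, 3, 1)),
    ThirdParty("Marketing analytics SaaS", True, False, True, False, date(2024, 4, 20)),
    ThirdParty("Office catering vendor", False, False, False, False, date(2023, 2, 1)),
]
AS_OF = date(2024, 6, 1)

if __name__ == "__main__":
    for tp in SAMPLE_PARTIES:
        s = review_status(tp, AS_OF)
        print(f"{s['name']:<26} score={s['score']:>2} {s['tier']} "
              f"next review {s['next_review']} overdue={s['overdue']}")
    print("Overdue, highest risk first:", overdue_reviews(SAMPLE_PARTIES, AS_OF))
```

Run as a script, the block lists each vendor's score, tier and next review date, then the overdue reassessments ordered so the highest-risk relationship is worked first. The same scoring output is what item 6 would use to scale incident escalation and what item 7 would report on over time.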
"We have seen many clients refine their Third-Party Risk Management program since the updated OCC guidance in 2013, and one critical lesson has stood out for me: the importance of proactive communication and partnership with your third party vendors.

Initially, the industry focused heavily on compliance monitoring and audits to verify that the service provided was done in accordance with the contract and relevant laws, which is undoubtedly crucial. However, I have seen that building strong relationships based on transparency and mutual understanding between firms and their third parties significantly enhances compliance outcomes.

By engaging your third parties in regular discussions about regulatory changes and compliance expectations, our clients not only improved their compliance results but also fostered a culture of shared responsibility for risk management. This approach has led to more effective identification of potential compliance issues before they escalate, saving them significant resources and reinforcing their commitment to maintaining the highest standards of compliance."

- Greg Matthews, Partner, Financial Services Compliance

*Special thanks to Daniel McManus, Grace Bowden, Jamie Lau, and Jack Shickell for their supporting contributions to this article.
