
Renewed Urgency on Third Party Risk Management (TPRM)

You cannot outsource the risk

Evolving Business Climate

The overall business climate worldwide continues to grow more complex. Since the Covid-19 pandemic, we have experienced an economic downturn, disruption in supply chains (raw material shortages, increased costs of production, transportation challenges) and volatility in capital markets, in addition to ongoing regional conflicts, rising geopolitical tensions and trade wars.

As all of this happens, organizations face evolving risks beyond the traditional or “known” ones (financial, compliance, operational, reputational). Companies are reacting to ESG and cyber risks, and compliance managers are constantly struggling with how to manage the ongoing burden of regulation while increasing stakeholder and shareholder value.

You Cannot Outsource The Risk

Businesses across every industry are increasingly dependent on a robust network of third parties in order to execute their core activities. Such third parties include vendors, suppliers, distributors, agents, joint ventures, alliances, subcontractors, and service providers. This network is critical to maintain a global footprint and effectively compete in the marketplace.

The increased shift toward third-party-driven business models exposes organizations to a host of new and serious risk and compliance issues.

Additionally, as regulators have made clear and as many companies have experienced first-hand, you may trust the third parties you work with, but the risks associated with third-party interactions cannot be outsourced.

There are numerous cases where a lack of proper oversight of third parties has resulted in serious consequences. Companies in the US and globally have been exposed to significant risk, adversely affecting their performance and reputation, and have faced enforcement actions resulting in heavy fines, penalties and remediation costs.

Common Third Party Risks

Some third party risks faced by organizations are outlined below:

A fundamental question to ask, considering all of the above, is: “Is your business protected when you bring third parties into your network?” For many organizations, allocating the resources, time, and effort for this critical task can be daunting.

Common challenges in managing third-party risk

While there are no immediate signs of any of these challenges letting up soon, it remains imperative for organizations to be resilient and proactive in their TPRM programs.

“To centralize oversight and governance in TPRM, firms should adopt a hub and spoke model that utilizes a multidisciplinary approach. Such a model involves a central leadership team acting as the hub, setting policies, standards, reporting, and risk appetite, while being supported by subject matter experts from relevant risk domains. Additionally, employing a risk-based approach is essential, focusing on third parties that pose the highest risk based on data access, service criticality, operational resiliency, and regulatory impact. It's important to enrich data associated with services by gathering detailed information upfront about service delivery and controls. Continuous monitoring of party/provider risk profiles and contract performance should be conducted, incorporating comprehensive risk inventories and adapting to market and strategic changes. Lastly, firms must ensure their TPRM meets or exceeds global and jurisdictional regulatory expectations, maintaining compliance regardless of the party/provider's location and ensuring that these providers also meet all applicable legal obligations.”

No Time To Be Complacent: Evolving Your TPRM Program

Good practice TPRM should be holistic and consider the following:

  • Managing program requirements throughout the lifecycle of the relationship, from initiation to termination, including reporting to management.
  • Risk-based program requirements, focusing time and effort on managing the third parties that pose the greatest risks to the organization.
  • Clear roles and responsibilities across the three lines of defense to promote agility, point to emerging risks, and help clarify an organization’s strengths and weaknesses.
  • Fit-for-purpose technology and automation: thinking beyond GRC platforms alone to use smarter technology for automating workflows and risk assessments, and using AI (such as agents and prompts) to streamline the process and shorten cycle times, enabling companies to concentrate on their core activities.

The KPMG view of the elements that constitute an effective TPRM program is set out in the graphic below.

How Can KPMG Assist You

We bring to the table a network of TPRM professionals with deep subject-matter experience to help deliver TPRM program designs for clients’ global operations and regulatory requirements. Our professionals have experience across all industry sectors and leverage leading technology solutions and delivery experience through established TPRM methods and technology accelerators.

How we help clients

1. Assess

  • Maturity assessment: Rapid current-state review of TPRM capabilities; provide observations and recommendations
  • Regulatory review: Gap analysis against relevant regulatory requirements; provide observations and recommendations
  • Business case and roadmap: Prioritize enhancements and size the level of effort required to roll out the program
  • Internal Audit: 3LoD co-source

2. Transform

  • Framework design: Establish or enhance TPRM program and process components; develop program documentation, lifecycle templates and technology business requirements
  • Technology enablement: Configure and implement workflow technology, risk intelligence software and third-party utilities
  • Tuning: Enhance elements of the TPRM program and process, e.g. metrics and reporting, data analytics or TPRM risk appetite

3. Run

  • Scenario testing: Third-party business continuity and exit plans
  • Managed services: Operate broad processes for pre- and post-contract screening and monitoring of third parties. Incorporate leading technologies and data sources with best-practice processes delivered by risk domain specialists
  • Third-party assessments: Execute a portfolio of risk and controls assessments pre- and post-contract

Outcomes

  • Strong, compliant and consistent framework across the enterprise.
  • Intelligent risk scoring model.
  • Risk-based and robust screening, due diligence and monitoring.
  • Automation of inherent risk assessment and due diligence activities.
  • Reduced onboarding cycle times and program costs with optimized and streamlined processes.
  • Real-time monitoring and alerting to anticipate service disruptions before they occur.
  • Insights and analysis to track, report and predict.
  • Integration with complementary processes and tools (procurement and contract lifecycle management).


Our TPRM service catalogue

Service category and objectives

Vision and program design
  • Assess TPRM activities against applicable global regulatory requirements and industry leading practices
  • Define the vision and strategy of the TPRM program by designing a target operating model

Implementation and enhancement
  • Design, build, implement, and assess TPRM-specific requirements for risk areas as well as functional technology requirements
  • Streamline and/or remediate pain points in the program to help enhance efficiency and effectiveness

Operational execution
  • Solve challenges related to a lack of skilled staff to execute the day-to-day TPRM activities
  • Drive the value of the TPRM program by providing transparency into third-party risk and performance

Key services

TPRM program
  • Program design: target operating model and service delivery model development
      • gap assessments against global TPRM requirements
      • development of these models at the 2nd LOD, 1st LOD and regional operating levels
  • Program documentation: policy, procedures and standards development
  • Global TPRM services: assist with compliance with local regulations

TPRM risk programs
  • Compliance TPRM: program design, compliance TPRM risk assessments and due diligence questionnaires, regulatory consumer compliance mapping to contracts for risk assessment and testing
  • Cyber TPRM: program risk assessment, CISO cyber TPRM program design, risk segmentation
  • Fourth party/subcontractor risk management: program design, inventory development
  • Operational resiliency: integrating the TPRM program into operational resiliency planning
  • Convergence experience: aligning risk assessments to reduce duplication and drive cost savings

Contract management
  • Cognitive contract management: using AI/NLP to collect and analyze contracts
  • Contract performance management: managing critical contract SLAs to avoid value leakage
  • Contract compliance: avoidance of fines and penalties, or assessing compliance with your contract terms at your customers
  • Exit strategies: development and assessment of exit strategies

TPRM services
  • Integrity due diligence: reputational assessments through research of adverse news, litigation and ownership
  • Cyber TPRM reviews: conducting cyber risk assessments and due diligence reviews on an ongoing basis as a managed service

Technology enablement
  • GRC/other TPRM technology implementation: assist with scoping of right-sized technology requirements
  • Strategic partnerships with GRC platforms/utilities as desired (for example, ServiceNow)


Meet our team

Daniel W. Click, Partner, Advisory, Forensic, KPMG US
Jilane Khakhar, Director, Advisory-Forensic, KPMG US
