Renewed Urgency on Third Party Risk Management (TPRM)
You cannot outsource the risk
Evolving Business Climate
The overall business climate worldwide continues to grow more complex. Since the Covid-19 pandemic, we have experienced an economic downturn, disruption in supply chains (raw material shortages, increased costs of production, transportation challenges) and volatility in capital markets, not to mention ongoing regional conflicts, rising geopolitical tensions and trade wars.
As all of this happens, organizations across the board face evolving risks beyond the traditional or “known” ones (financial, compliance, operational, reputational). Companies are reacting to ESG and cyber risks, and compliance managers are constantly asking how to manage the ongoing burden of regulation while increasing stakeholder and shareholder value.

You Cannot Outsource The Risk
Businesses across every industry are increasingly dependent on a robust network of third parties to execute their core activities. Such third parties include vendors, suppliers, distributors, agents, joint ventures, alliances, subcontractors, and service providers. This network is critical to maintaining a global footprint and competing effectively in the marketplace.
The increased shift toward third-party driven business models exposes organizations to a host of new and serious risk and compliance issues.
Additionally, as various regulators have made clear and as many companies have experienced first-hand, while you may trust the third parties you work with, the risks associated with third party interactions cannot be outsourced.
There are numerous cases where lack of proper oversight of third parties has resulted in serious consequences. Companies in the US and globally have been exposed to significant risk, adversely affecting their performance and reputation, and have faced enforcement actions resulting in heavy fines, penalties and remediation costs.
Common Third Party Risks
Some third party risks faced by organizations are outlined below:

A fundamental question to ask, considering all of the above, is “Is your business protected when you bring third parties into your network?” For many organizations, allocating the resources, time, and effort for this critical task can be daunting.
Common challenges in managing third-party risk

While there are no immediate signs of any of these challenges letting up soon, it is still imperative for organizations to continue being resilient and proactive on their TPRM programs.
“To centralize oversight and governance in TPRM, firms should adopt a hub and spoke model that utilizes a multidisciplinary approach. Such a model involves a central leadership team acting as the hub, setting policies, standards, reporting, and risk appetite, while being supported by subject matter experts from relevant risk domains. Additionally, employing a risk-based approach is essential, focusing on third parties that pose the highest risk based on data access, service criticality, operational resiliency, and regulatory impact. It's important to enrich data associated with services by gathering detailed information upfront about service delivery and controls. Continuous monitoring of party/provider risk profiles and contract performance should be conducted, incorporating comprehensive risk inventories and adapting to market and strategic changes. Lastly, firms must ensure their TPRM meets or exceeds global and jurisdictional regulatory expectations, maintaining compliance regardless of the party/provider's location and ensuring that these providers also meet all applicable legal obligations.”
No Time To Be Complacent: Evolving Your TPRM Program
Good practice TPRM should be holistic and consider the following:
- Managing program requirements throughout the lifecycle of the relationship, from initiation to termination, including reporting to management.
- Risk-based program requirements, focusing time and effort on managing the third parties that pose the greatest risks to the organization.
- Clear roles and responsibilities across the three lines of defense to promote agility, point to emerging risks, and help clarify an organization’s strengths and weaknesses.
- Fit-for-purpose technology and automation: thinking beyond GRC platforms alone to use smarter technology for automating workflows and risk assessments, and AI (such as agents/prompts) to streamline the process and shorten cycle times, so that companies can concentrate on their core activities.
The KPMG view of the elements that constitute an effective TPRM program is set out in the graphic below.

How Can KPMG Assist You
How we help clients
1. Assess
- Maturity assessment: Rapid current state review of TPRM capabilities; provide observations and recommendations
- Regulatory review: Gap analysis against relevant regulatory requirements; provide observations and recommendations
- Business case and roadmap: Prioritize enhancements and size the level of effort required to roll out the program
- Internal Audit: 3LoD co-source
2. Transform
- Framework design: Establish or enhance TPRM program and process components; develop program documentation, lifecycle templates and technology business requirements
- Technology enablement: Configure and implement workflow technology, risk intelligence software and third-party utilities
- Tuning: Enhance elements of the TPRM program and process; e.g. metrics and reporting, data analytics or TPRM risk appetite
3. Run
- Scenario testing: Third party business continuity and exit plans
- Managed services: Operate broad processes for pre- and post-contract screening and monitoring of third parties, incorporating leading technologies and data sources with best practice processes delivered by risk domain specialists
- Third Party Assessments: Execute portfolio of risk and controls assessments pre- and post-contract
Outcomes
- Strong, compliant and consistent framework across the enterprise.
- Intelligent risk scoring model.
- Risk-based and robust screening, due diligence and monitoring.
- Automation of inherent risk assessment and due diligence activities.
- Reduced onboarding cycle times and program costs with optimized and streamlined processes.
- Real-time monitoring and alerting to anticipate service disruptions before they occur.
- Insights and analysis to track, report and predict.
- Integration with complementary processes and tools (procurement and contract lifecycle management).
Dive into our thinking:
Renewed Urgency on Third Party Risk Management (TPRM)
Our TPRM service catalogue
Service category and objectives
Vision and program design:
- Assess TPRM activities against applicable global regulatory requirements and industry leading practices
- Define the vision and strategy of the TPRM program by designing a target operating model
Implementation and enhancement:
- Design, build, implement, and assess TPRM-specific requirements for risk areas as well as functional technology requirements
- Streamline and/or remediate pain points in the program to help enhance efficiency and effectiveness
Operational execution:
- Solve challenges related to lack of skilled staff to execute the day-to-day TPRM activities
- Drive the value of the TPRM program by providing transparency to third party risk and performance
Key services
TPRM program:
- Program design: target operating model and service delivery model development
- Program documentation: policy, procedures and standards development
- Global TPRM services: assist with compliance with local regulations
TPRM risk programs:
- Compliance TPRM: program design, compliance TPRM risk assessments and due diligence questionnaires, regulatory consumer compliance mapping to contracts for risk assessment and testing
- Cyber TPRM: program risk assessment, CISO cyber TPRM program design, risk segmentation
- Fourth Party/Subcontractor Risk Management: program design, inventory development
- Operational Resiliency: integrating the TPRM program in operational resiliency planning
- Convergence experience: aligning risk assessments to reduce duplication and drive cost savings
Contract management:
- Cognitive Contract Management: using AI/NLP to collect and analyze contracts
- Contract Performance Management: managing critical contract SLAs to avoid value leakage
- Contract Compliance: avoidance of fines and penalties, or assessing compliance with your contract terms at your customers
- Exit Strategies: development and assessment of exit strategies
TPRM services:
- Integrity due diligence: reputational assessments through research of adverse news, litigation and ownership
- Cyber TPRM reviews: conducting cyber risk assessments and due diligence reviews on an ongoing basis as a managed service
Technology enablement:
- GRC/other TPRM technology implementation: assist with scoping of right-sized technology requirements
- Strategic partnerships with GRC platforms/utilities as desired (example: ServiceNow)
Dive into our thinking:
Third-Party Risk Management Outlook (TPRM)