Trust matters - An increasingly complex regulatory landscape, the introduction and enforcement of ESG targets, cyber threats and supply chain interruptions are challenging organizations’ sustainable growth while upholding their values.

In recent months, we’ve seen a number of legislative changes ranging from new laws to address human rights or environmental concerns - in line with Environmental, Social and Governance (ESG) agendas set by various law makers - to the implementation of whistleblowing legislations. Public opinion has never been more powerful, and with consumers more empowered than ever, organizations are increasingly concerned about the risk of regulatory non-compliance and potential reputational impact.

Meanwhile, organizations have become increasingly reliant on third parties (and fourth parties) for the delivery of goods or services and, as such, a third party failure can have a direct impact on an organization’s brand and reputation. A recent survey by KPMG found that three in four (73 percent) respondents have experienced at least one significant disruption, caused by a third party, within the last three years. "An organization’s reputation and values are not only driven by the actions and conduct of the organization, but also by the actions and behavior of its third parties” says Kami Zargar, Director and Head of Forensics at KPMG Belgium.

"An organization’s brand and reputation are potentially its most valuable asset and unique competitive advantage" explains Kami. "Building and guarding trust has become a focus point for many organizations, along with growing responsibly while respecting people, the environment and the relevant laws and regulations. The complexity of business models and rapidly changing regulations create a hyperactive risk landscape."

New business models: more opportunities, more risks

"Organizations are increasingly partnering with and relying on external parties to procure expertise, access new markets and add quality throughout the value chain," says Kami. "That's an evolution from which organizations are reaping the benefits: greater efficiency, faster innovation and increased quality. But it also comes with increased risks, especially given an organizations’ limited visibility and control over its third parties’ compliance governance and risk mitigation measures. Whether a key infrastructure provider, supplier, distributor or sales agent, each category of third party presents a specific set of inherent risks. Organizations can only manage these risks through a well-established risk based program that enables an assessment of third party risks across different lifecycles, from onboarding to offboarding."

Understand the risks your organization is exposed to

"A first step is to gain an understanding of the potential risks your organization could be exposed to via your third party relationships. A careful vetting of your business relationships is necessary to assess those risks," says Kami. "In doing so, certain business relationships will likely exhibit greater risks, and certain factors are more crucial with respect to possible reputational damages, operational risks, government investigations, monetary fines and criminal prosecutions. Organizations with a global footprint or overseas business partners can be subjected to the rules and regulations in those overseas jurisdictions too."

Should all risks be treated the same way? "No, that approach doesn't work," affirms Kami. "It’s important to develop a proportional risk-based approach. Some risks have a greater potential impact on your organization than others. As a result, third party risk management programs should be supported by a clearly articulated risk appetite against which the third party risk should be managed and reported to the key stakeholders. For instance, a large supplier of business-critical ICT infrastructure presents a greater risk than a supplier of office materials."

Harness the power of data

"Those who want to examine how external parties are performing need to develop a workable model that has data at its core," Kami says. "The right data will provide insights into how external parties are complying with corporate values and regulatory requirements. From the outset, clear KPIs with respect to the relevant risk domains should guide the development of such a program. Data collection is then linked to these KPIs, allowing you to assess the performance of external parties and identify areas for improvement based on clear criteria. As an organization, you can then get to work more quickly to address these points. Consequently, you'll be able to contain the risks more effectively." 

Train your parties and follow up

"Educating third parties about your corporate values, code of conduct and setting relevant expectations are critical to your organization’s compliance strategy," states Kami. "This should begin as early as the selection and onboarding of any new business partner and reflected in the underlying contractual arrangements. And that should remain a focus throughout the collaboration."

And what about partners who don't follow the rules? "A clear ongoing monitoring program supported by appropriate contractual protections will help a great deal in managing potential risks of a third party’s misconduct or non-compliance," Kami explains. "A well-defined, risk-based ongoing monitoring program will help identify potential risk exposures, engage with those who are falling short of compliance requirements, and determine relevant remediation measures."

A governance model is needed to maintain reputation

"At KPMG, we’ve developed a 'Third-Party Risk Management (TPRM) framework’ that helps organizations identify, assess and manage the risks of third (or fourth) party relationships," says Kami. "It’s always a good idea to start by assessing how regulations are evolving across your business's jurisdictional footprint. Our TPRM framework will then enable you to assess the current state of your third-party risk management measures while learning from industry better practices. This framework brings together various components of an effective operating model such as policies and procedures, people, organization and technology, to provide greater insight and practical improvement opportunities, proportionate to your requirements."

Want to learn more about KPMG's Third-Party Risk Management framework? Discover the latest insights from KPMG's 2022 TPRM Outlook.  

    

Client testimonial

KPMG in Belgium worked with Bekaert, a market and technology leader in steel wire transformation and coating technologies, to develop an enterprise wide compliance model based on three pillars: educate, examine and enforce. The resulting third-party risk management program allowed Bekaert to monitor their relationships with third (and fourth parties) with a view to prevent, detect and respond to potential incidents. Watch the video:

    

Explore

Discover more about our multidisciplinary approach to Third Party Risk Management.