
More than a Handshake: Third party risk in the digital era

In an age where the actions of one player can cripple an entire organization’s reputation, a handshake no longer cuts it.


Trust goes a long way in commercial relationships, but not far enough to truly manage third-party integrity risks amid increased regulator and stakeholder scrutiny. Doing business in the modern world means bringing any number of allies and supply chain partners into your network, and in an age where the unscrupulous actions of one player can cripple an entire organization’s reputation, a handshake and boilerplate agreement no longer cut it.

Not that third-party risk can be avoided. Modern organizations rely on strategic alliances and partnerships to keep pace with innovation, gain footholds in foreign markets, lower costs and adopt technologies that get them closer to their customers. The need for third-party relationships is nothing new, but now – more than ever – organizations must insulate themselves against the illegal, fraudulent and reputationally damaging actions of their partners.

One weak link

We do not need to search far for examples of companies succumbing to third-party damage. Be it financial institutions unknowingly doing business with corrupt or fraudulent players, pharmaceutical industry partners accused of bribery, or global organizations linked to manufacturers with poor working conditions, there are countless headlines of dubious players harming otherwise reputable organizations.

As a result, organizations are much more cautious about who they are bringing into their network. Third-party arrangements are being scrutinized to a higher degree, prompting high-level boardroom discussions and important questions: What are we really signing up for? Do we understand who we are doing business with? Do we know their integrity? Are we willing to stake our reputation on their operations?

What can you do today?

Technology investments notwithstanding, there are several actions that organizations can take to gain more immediate comfort over their third-party risks.

  • Review the existing third-party risk management controls. Ask yourself: Is our program working as intended? Is it being managed cost-effectively? Have we been successful in maintaining oversight of our third-party risks while ensuring the costs are proportionate to the types of risks we are attempting to manage?
  • Pursue a risk-based approach. Organizations can have a large population of suppliers, customers, joint ventures or agents (both domestic and international), making it impossible to keep tabs on them all. By stratifying third-party integrity risks, you can identify which partners come with high, medium and low risks based on factors such as the nature of their services, their jurisdiction, the amount of spend, or the type of arrangement.
  • Monitor your third-party relationships. Monitor third parties commensurate with their risk level so that you are always in control and ready to act when issues begin to crystallize. The food service partner that supplies breakfast for your meetings will require less monitoring than the agent acting on your behalf in a foreign jurisdiction, so it does not make sense to dedicate the same monitoring resources and time to both.

Trust 2.0

Trust is still an asset in any partnership, but it is only the foundation. More and more organizations are turning to data analytics and digital tools to gain deeper insights into their potential third-party arrangements. They are using sophisticated 'scrubbing' tools to pore through online sources for accurate and relevant information about who they are bringing into their networks, and whether those parties have skeletons in the cupboard that may put at risk the organization's values, regulatory obligations and ultimately its reputation.

And these tools are evolving. KPMG's K-3PID solution, for example, is an AI-enabled name-screening tool created to quickly scour massive amounts of public data on potential partners simultaneously, while removing false positives, duplicated results, and irrelevant material. Its natural language processing and sentiment analysis capabilities enable auto-translation in 60 languages, allowing users to include foreign media and sources in their investigations. The tool also maintains a full audit trail of consulted sources and discounted search results.

KPMG's next-generation K-3PID solution is revolutionizing the risk management arena with the ability to help organizations monitor their third-party universe on a continual basis. After all, just because a third party passes initial scrutiny, there is no guarantee it will not stray from expectations down the road, be acquired by less trustworthy owners, or bring less reputable players into its own circle. This constant monitoring is now a 'must-have' as commercial relationships can (and will) change, altering the dynamics of even the most established alliances.

What is K-3PID?

KPMG Third Party Intelligent Diligence (K-3PID) is a customizable, tech-enabled AI computing solution designed to perform rapid, broad-ranging and cost-effective third-party due diligence, while translating results, auto-discounting false positives and generating a full audit trail.

  • Next Generation Due Diligence: K-3PID employs the same cognitive processes to evaluate search content as a researcher, without the constraints of human-based research. This allows due diligence analysts to spend far more time assessing and reporting on risk.
  • Sources: K-3PID can access thousands of data sources simultaneously and compile a single comprehensive profile. Its iterative learning approach allows the system to identify and present structured, easy-to-understand, risk-ranked results on the subject matter within minutes.
  • Ongoing monitoring: Once a subject has been screened, the system can be configured to produce daily alerts for risk-driven events across a third-party population.

Every strategy is unique

Different organizations will explore different approaches to third-party risk. Financial institutions, for example, may focus more keenly on regulatory risks such as money laundering and fraud, while entities in less regulated sectors might concern themselves more with quality control, bribery and corruption, and other reputational considerations. No matter the factors at play, organizations must make third-party risk management a priority by using technology, stronger oversight, and controls to tackle what trust alone cannot cover.

Let's do this.

© 2021 KPMG LLP, an Ontario limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
