In today's complex and volatile global markets, third-party relationships are a critical source of competitiveness and growth for financial services businesses. Financial institutions are increasingly reliant on third-party suppliers to deliver business-critical products and innovative services in the fast-paced and ever-evolving digital age.
But as our research indicates - and as the disruptive impact of COVID-19 has made clear - third-party risk management (TPRM) needs to be approached in a more consistent manner that ideally relies on a centralized and refined service model across the entire organization. Failures by third parties can rapidly tarnish business reputations, unleash significant downstream operational and cost implications, and generate significant penalties for regulatory noncompliance or misconduct.
While some financial institutions are indeed making progress on TPRM, particularly via technology innovation, many still need to invest in areas that include streamlining workflows and optimizing the technology enablement of their TPRM programs. Despite advances in governance, risk and compliance (GRC) solutions, many financial institutions today are still conducting many aspects of their TPRM process via email or spreadsheets.
The KPMG Third Party Risk Management outlook 2020, a survey of third-party risk management (TPRM) executives, including leaders at financial services organizations, revealed that many businesses within the financial sector appear unprepared for the complexity of assessing diverse risks cohesively across business lines and regions.
- Six of 10 respondents overall cited third parties’ failure to deliver as their highest reputational risk and have experienced sanctions or regulatory findings concerning TPRM. About three quarters overall called TPRM a strategic priority, saying they ‘urgently need to make TPRM more consistent across the enterprise.’ For FS organizations specifically, TPRM remains at the top of regulatory agendas globally and this trend is driving a focus on improving TPRM among sector businesses.
- Financial institutions cited cyber-risk management, data governance/privacy, cost efficiency, business growth and brand reputation as ‘business critical’ initiatives. But more than half lack in-house capabilities to manage third-party risk, with TPRM funding described as limited (48 percent) or scarce (30 percent). Meanwhile, 71 percent believe their TPRM teams are ‘undervalued.’
- FS businesses have the following TPRM processes in place today: a total of 81 percent cited assessment of third parties before contract (38 percent) and third-party monitoring (43 percent); on-site assessment (29 percent); a risk-based monitoring approach (34 percent); second-line (32 percent) or third-line (38 percent) oversight of TPRM and third parties.
- Relatively few FS businesses believe they are ‘highly proficient’ in areas such as: managing global third-party issues (35 percent); managing or improving cyber defenses (39 percent); collaborating with internal stakeholders or partners (38 percent); fully understanding third-party risk (32 percent); ensuring global regulatory compliance (40 percent). Most view their abilities in these areas as merely ‘adequate’ or ‘requiring improvement.’
- Key challenges to TPRM transformation cited among FS businesses include: lack of skills (36 percent); integration challenges (30 percent); regulatory compliance concerns (34 percent); employee resistance (29 percent); lack of funding (30 percent); data quality/consistency (30 percent).
- Seamless data-sharing of third-party information is viewed as ‘the holy grail of TPRM’ by 69 percent of overall respondents but many firms face these barriers: incompatible systems, privacy concerns, poor or inconsistent data, insufficient resources or processes, and organizational silos.
Throughout this document, "we", "KPMG", "us" and "our" refer to the network of independent member firms operating under the KPMG name and affiliated with KPMG International or to one or more of these firms or to KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.