As the economic recovery picks up speed, third-party risk management (TPRM) is more important than ever before. Faced with supply chain disruption, cyber threats and growing inflationary pressure, global businesses are assessing their operational resilience and reviewing their dependence on third and fourth parties.

 

Focus areas for TPRM programs in the early or medium stage of maturity

The imperative for organizations at an early or medium stage of maturity is to establish a program that allows you to manage third parties appropriately. For any organization, below are some of the must-haves when it comes to a viable TPRM program:

Pre-contract to due diligence: You should complete appropriate due diligence prior to executing the contract. Depending on the industry and service, key risks such as cyber security, business continuity or compliance may be prioritized over other risks.

Risk-based approach: You don’t need to look at each third-party engagement with the same level of depth. Considering limited time and resources, you should focus on the third parties that impact the most critical services. As the TPRM program matures, you can expand the scope to cover broader tiers of third-party arrangements as well as additional risk domains.

Ongoing monitoring: For third parties supporting critical services, you should establish an ongoing monitoring plan to assess, over the lifetime of the contract, that the third party is delivering in line with expectations. The control assessment should be done by the relationship owner and overseen by a function responsible for that risk.

Program governance: this focuses on overseeing, monitoring and governing the arrangement, effectively resolving incidents that occur, and managing occasions when a decision is required that is at odds with the stated policy. These types of governance decisions need appropriate policies, along with clear roles and responsibilities, to avoid ineffective challenge and poor decision-making.

 

 

Focus areas for TPRM programs in the more advanced stages of maturity

Organizations that are at a more advanced stage of TPRM maturity, whose programs are well-established and fully operational, should focus now on optimizing the program. It is often cost pressures and frustrations around the time taken to complete assessments that drive this need. Optimizing an advanced TPRM program generally focuses on the following areas:

Automation: Organizations are looking to automate the end-to-end workflow, having tools/technologies replace human activity and reducing the time to complete those activities. This can support faster decision-making and assist in managing costs. To complete tasks for various components, you can also leverage industry utilities or feeds to streamline the due diligence process.

Risk-based approach: To further streamline the risk tiering of third-party services, you can tighten the criteria used to delineate something as critical or high risk. This may include:

• Using specialty programs for homogenous groups of third-party services with a standard risk profile, such as affiliates, to allow for a “light-touch” approach.
• Proceeding straight to a purchase order when there is nominal risk in a service.
• Processing the remaining “standard” contracts through the third-party program, but reducing the number of questions associated with each risk category, evaluating the need for on-site/in-person due diligence, and using industry utilities that provide assessment reports covering in-scope areas.

Off-boarding and disengagement: Organizations want to understand how they can exit a relationship in the event of a stressed situation that is not of their doing. They also want to make sure the service continues to be delivered to customers and markets. Mapping specific services to products and processes within the organization is required to help complete the exercise.

Service delivery model: We see an ongoing trend for businesses to establish a unified, enterprise-wide “center of excellence”, which may or may not be centralized. The center of excellence is one of the most efficient ways for organizations with limited resources to cover the broad population of third parties. A unified framework supports consistency across the program, enhanced data quality, and accountability between the central team and the relationship owner.

Management of fourth parties and affiliates: In mature programs, fourth parties as well as intercompany and intracompany transactions – are no longer out of scope. You can benefit from having appropriate controls such as contract documentation and from aligning program steps with those required by the TPRM program

 

Third-Party Risk Management Outlook 2022 available here: Third-Party Risk Management outlook 2022 - KPMG Global (home.kpmg)