Unprecedented business disruption amid COVID-19, global volatility and economic uncertainty. Evolving regulatory requirements, heightened scrutiny and the threat of devastating financial penalties. The alarming and potentially crippling trend of supply chain risks, including those related to fraud, bribery and corruption. The increased threat of information security breaches and data loss due to cyber theft.

Today's pharmaceutical and life sciences organizations have perhaps never faced a more challenging global business environment, one with a profound impact on third-party risk when, for example, on-site reviews cannot be done. Yet, as revealed in the KPMG Third Party Risk Management outlook 2020, a survey of third-party risk management (TPRM) executives, many are struggling, if not in the dark, amid a troubling lack of the strategies, investments, skills and technologies considered critical for the consistent selection, assessment and monitoring of their third-party relationships.

Our 2020 global online survey of 1,100 senior TPRM executives, including life sciences leaders, reveals that the journey to effective TPRM has, for many sectors, barely begun despite today's extreme challenges:

  • Pharma and life sciences businesses cite cyber-risk management, data governance/privacy, cost efficiency, growth and reputation as business-critical initiatives. Yet, half of sector businesses overall lack sufficient capabilities in-house to manage related third-party risks and 57 percent believe their TPRM teams are "undervalued" despite their importance to operational resilience.
  • Just 30 percent of sector businesses say TPRM funding is growing, while a total of 70 percent say funding to evolve and strengthen TPRM programs is "limited" (53 percent) or "scarce" (17 percent).
  • Fewer than 40 percent say they are "highly proficient" in global compliance, managing global third-party issues, improving cyber defenses, collaborating with internal stakeholders/partners and fully understanding third-party risk. Most say their abilities in these areas are merely "adequate" or "requiring improvement."
  • Businesses say they have the following TPRM processes in place: assessment of third parties before contract (34 percent), third-party monitoring (39 percent) or on-site assessment (35 percent), a risk-based monitoring approach (35 percent) and second-line (43 percent) or third-line (32 percent) oversight of TPRM and third parties.
  • Principal challenges to TPRM transformation cited include a lack of skills/capabilities (39 percent), integration (34 percent), regulatory concerns (34 percent), employee resistance (30 percent), lack of funding (28 percent) and data quality (29 percent).

Throughout this document, "we", "KPMG", "us" and "our" refer to the network of independent member firms operating under the KPMG name and affiliated with KPMG International or to one or more of these firms or to KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.