Retail and consumer goods businesses are at a critical crossroads in their management of third-party risk amid an alarming array of challenges that include COVID-19, unprecedented supply chain volatility, heightened regulatory scrutiny and the threat of fraud and corruption.
Consider the dramatic challenges and trends that are disrupting this sector, starting with COVID-19. The global challenge has unleashed profound new inventory challenges -- many businesses face a severe shortage of inventory while others grapple with oversupply and an inability to liquidate. Consumer goods manufacturers, meanwhile, are often chasing raw materials to meet demand. In response, many companies are shifting supply chains to new geographies and accelerating their supplier onboarding process -- often ignoring required TPRM controls and thereby heightening the risk of violations that can include third-party fraud, corruption and bribery.
The KPMG Third Party Risk Management outlook 2020, a survey of third-party risk management (TPRM) executives, including consumer goods and retail-sector leaders, reveals that the journey to effective TPRM has, for many businesses, barely begun despite today's extreme challenges:
- Retail and consumer goods businesses cite business growth enablement, data governance/privacy, cost efficiency, cyber-risk management and brand reputation as 'business critical' initiatives. Yet half of these businesses lack in-house capabilities to manage all third-party risks faced, with TPRM funding described as limited (51 percent) or scarce (20 percent), and 63 percent of respondents say their TPRM teams are 'undervalued.'
- Retail and consumer goods organizations have various TPRM processes in place today: assessment of third parties before contract (41 percent); third-party monitoring (36 percent) or on-site assessment (33 percent); a risk-based monitoring approach (35 percent); second-line (33 percent) or third-line (36 percent) oversight of TPRM and third parties.
- Only about one in three organizations in these sectors say they are 'highly proficient' in areas such as global compliance; managing global third-party issues; managing or improving cyber defenses; collaborating with internal stakeholders/partners; and fully understanding third-party risk. Most instead view their abilities in these areas as merely 'adequate' or 'requiring improvement.'
- Respondents are challenged in their TPRM transformation efforts by the lack of necessary skills and capabilities (39 percent); integration challenges (30 percent); regulatory breach concerns (24 percent); employee resistance (35 percent); lack of funding (28 percent); data quality/consistency (27 percent).
- Sixty-nine percent of overall respondents viewed seamless data-sharing of third-party information as 'the holy grail of TPRM' -- yet many experienced barriers to sharing third-party data, including incompatible systems, privacy concerns, inconsistent data, insufficient resources, and/or organizational silos.
- Regulatory scrutiny of third-party relationships and privacy breaches/loss of customer data is growing -- 59 percent of respondents overall faced sanctions or regulatory findings related to TPRM. Six of 10 respondents say the highest reputational risks come from third parties' failure to deliver.
Throughout this document, "we", "KPMG", "us" and "our" refer to the network of independent member firms operating under the KPMG name and affiliated with KPMG International or to one or more of these firms or to KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.