By Greg Matthews, Advisory Partner at KPMG and Nicole Trawick, consultant for KPMG
It is more than a little surprising that, despite intense global disruptions in 2020 and in particular the challenges posed by Covid-19, very few financial services (FS) firms suffered prolonged outages or disruptions.
Throughout the economic, healthcare and geopolitical crises, FS organisations continued to deliver critical products and services, many of which required complicated coordination between multiple third parties. With 2020 now in the rear-view mirror, many organisations are asking themselves: ‘Were we lucky or is our third-party risk management (TPRM) programme just that good?’
There’s no doubt that TPRM programmes did help firms prepare for the pandemic in several ways, such as by understanding where the third parties are involved in the delivery of services to customers; establishing standards for assessment of third parties’ business continuity and disaster recovery plans; and driving clarity around roles and responsibilities across the organisation. But did these measures truly prevent the organisation from experiencing loss? And will they be enough next time?
While TPRM leaders are questioning the readiness of their programmes to withstand future stress events, they are facing mounting global regulatory expectations for TPRM and the growing consensus across the industry that continuous monitoring must replace point-in-time risk assessments of third parties for key risks, such as cyber. TPRM leaders are increasingly involved in enterprise-wide convergence initiatives that aim to break down silos, decrease costs, and enhance the ability of risk and compliance functions to manage operational resilience and drive sustainable business growth.
Seventy-seven per cent of respondents to KPMG’s 2020 global TPRM survey agree that TPRM is a strategic priority for their organisation. In the post-pandemic world, there will be greater reliance on third parties, as FS organisations lean in to agile, nimble operating models and partner with new companies to bring innovative offerings to market. TPRM leaders must continue to invest in their risk-based approach, so that time and effort are focussed on the third parties that pose the highest potential risk to the organisation.
Figure 1: High-level roles & responsibilities across the TPRM lifecycle
Many of our clients are working on similar challenges as they plan for TPRM programme enhancements in 2021, including:
- Integration and convergence with the broader risk and compliance programme
- Process and service delivery model simplification
- Programme enhancements for emerging risks
- Continuous monitoring of key risk
These topic areas centre on the same theme: how can the TPRM programme provide the right information, at the right time, for the right cost, so that the business can make confident, informed risk decisions about its third parties?
Below, we highlight several of the key questions TPRM leaders have been asking and offer recommendations for the road ahead.
INTEGRATE AND CONVERGE
TPRM integration with the broader risk and compliance programme
In risk and compliance, there is a general trend towards integrating the risk and compliance disciplines. These disciplines have generally evolved in silos, which has resulted in a lack of common terms for risks and controls, inconsistent assessment and testing methods, and an inability to generate a common view of risk.
Given the dependence and prevalence of third parties, organisations should prioritise the need to break down silos and integrate TPRM within the enterprise risk and compliance organisation as part of a broader convergence agenda. Specifically, organisations are analysing how they can integrate third-party services and any outstanding third-party issues into firm-wide risk and control self-assessment (RCSA), compliance risk assessment (CRA), and risk and compliance testing activities.
FIGURE 2: Where are TPRM leaders focussing in the ‘new reality’? Programmes are building on the lessons learned from Covid-19, in order to increase their ability to enable confident, informed third-party risk decisions.
After the pandemic, there needs to be clearer alignment between the TPRM and operational resilience programmes to ensure that i) where TPRM has identified critical dependencies on third parties, these have been factored into the resilience of the service they support, and ii) for key services identified by operational resilience, there is a clear understanding of the third parties supporting them and of what relevant business continuity and disaster recovery plans and information are available to form a view of the resilience of the service.
In addition to aligning risk and compliance programmes with the TPRM programme, a key next step for organisations is to select operational resilience scenarios that include third-party failures and conduct joint testing with these third parties.
FIGURE 3: Operational resilience defined
Global regulatory compliance and change management
One major challenge to driving a globally consistent integrated risk and compliance function is changing regulatory requirements that impact a TPRM programme. This is key in that many jurisdictions have their own unique requirements, and they are evolving at different speeds and with different focusses, for example the linking of TPRM and operational resilience by the Prudential Regulatory Authority in the United Kingdom. We are particularly seeing divergence between countries in how and when regulators expect to be notified of a new critical third-party relationship.
Affiliate risk management
A trend that is emerging for larger more global firms is the integration of affiliate risk management and TPRM programmes given the similarity of the objectives, activities and regulatory requirements. The TPRM programme has a unique position in the organisation to effectively manage both external and affiliate relationships.
Against the backdrop of operational resilience, the complexity of global inter-affiliate outsourcing arrangements is driving the need for this integration: it is not enough simply to know what has been outsourced to a legal entity in a foreign jurisdiction; you have to be able to understand how that activity gets executed and whether other legal entities or even external third parties are involved. An example of a new challenge is understanding and documenting the ‘subcontractors’ in an inter-affiliate transaction.
Simplify the process
Across the FS industry, TPRM programmes have matured and achieved business-as-usual status. Awareness of third-party risk is now ingrained in enterprise risk culture, with the assessment and evaluation of the use of third parties now constituting an everyday aspect of management activities. That said, the effort involved in complying with the TPRM programme requirements and regulatory expectations is still significant, and firms are exploring a range of actions to manage the volume of assessment activities and drive cost down, including:
- Service delivery model enhancements to centralise the programme and outsource low-value aspects
- Greater emphasis on risk segmentation and the scoring model to reinforce a risk-based approach
- Workflow technology enhancements, greater integration between procurement and TPRM tools, and enhanced ongoing monitoring tooling for contract owners, such that they are proactively notified in the event of a risk or performance event
- Increased use of technology, such as low code/no code, alignment of procurement, contract life cycle management, and TPRM technologies and greater use of analytics to identify non-performance issues
Incorporate emerging risks
One of the many lessons of the Covid-19 pandemic was that TPRM programmes need to be nimbler and more adaptive to account for emerging risks. An example of this is the need for quick, clear communications with critical third parties. Too many service delivery managers can confuse and obfuscate the messaging, so the single point of contact has emerged as a better practice. Further, some risks, such as subcontractor and concentration risk, have been components of TPRM for a while, but programmes perennially struggled with the management of them in terms of cost to find alternative third parties or just the simple reality that there are no viable alternatives.
Other risk areas, such as financial viability, supply chain risk and threats posed by remote contingent workers, came into new focus during the Covid-19 pandemic. The need to evaluate and monitor third parties in accordance with enterprise environmental, social and governance (ESG) commitments presents yet another challenge as organisations seek to maintain a diverse supplier base that aligns with the broader community’s expectations of good stewardship. Key strategies for evaluating emerging risks include:
- Ongoing evaluation of the TPRM strategy and risk appetite to ensure alignment with the enterprise’s risk appetite and corporate strategy
- Regular review of key risk indicators (KRIs) and thresholds
- Exception monitoring to pick up on emerging themes
- At least annual service score refresh to account for changing business need, risk appetite, or change in the third-party service delivery model
- Rationalisation of the third-party inventory to reduce assessment activity volume and better separate signal from the noise
FIGURE 4: Concentration risk defined
At KPMG, we are leading the way in TPRM innovation. We have developed proprietary methodologies and enablers to accelerate your TPRM transformation. Please contact us to learn more about how we can help your TPRM programme empower business leaders to make confident, informed third-party risk decisions.
Implement continuous monitoring
Covid-19 demonstrated that a point-in-time, questionnaire-based risk assessment does not provide assurance that a third party will be able to continue delivering services in a stressed environment nor that the control environment on that particular date is effective in light of emerging risks or risks with a high velocity of change such as cyber risk. The industry is in the process of evaluating approaches to real-time monitoring of key third-party controls with leading TPRM programmes already conducting their proof of concept for continuous monitoring.
Enabling confident, informed TPRM decisions
As FS organisations continue their use of third parties to decrease costs, achieve scale and innovate, business leaders and senior management are realising that their ability to deliver critical products and services to their customers depends on the strength of their third-party relationships. KPMG’s 2020 TPRM Global Survey found that six in 10 respondents feel their greatest reputational risks come from the failure of third parties to deliver critical products and services.
TPRM programmes need to help the business focus on mitigating the risk of third-party failures, missed key service-level agreements (SLAs), or an erosion in the third-party control environment or risk profile, by reducing the burden of information gathering and the noise of unhelpful third-party information and assessments. TPRM leaders can now build on the lessons learned from 2020 and:
- Converge third-party risks and issues into enterprise risk and compliance assessments
- Integrate connected programmes, such as operational resilience and affiliate risk management
- Simplify the process so that internal risk and compliance teams, as well as the business, are focussed on risk mitigation, rather than information gathering or unnecessary assessments
- Validate that the TPRM programme is accounting for emerging risks and enterprise strategy
- Implement continuous controls monitoring for critical third-party services
About The Authors:
Greg is a partner at KPMG focussed on financial services risk and regulatory consulting. Greg assists his large, global FS clients in driving strategic, transformative change from a risk and regulatory compliance management perspective. Greg has a wealth of experience assisting clients to establish programmes that manage risk and regulatory compliance and drive performance.
Nicole Trawick is a consultant for KPMG, focussing on the design and build of third-party risk management programmes for financial services and technology companies. She serves on the global leadership team for TPRM solution development, which includes developing new approaches to harness technology to automate processes and perform continuous monitoring for critical third-party relationships.
© 2021 KPMG LLP, a Delaware limited liability partnership and the US member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.