Identifying third-party risk


Identifying third-party risk Ethical BoardroomBy Greg Matthews – Partner in KPMG’s Financial Services Risk Consulting Practice



Ethical Boardroom talks to KPMG on how companies must examine their business relationships in order to assess risk

ETHICAL BOARDROOM: Third party risk is a hot topic right now. Can you explain why it is such an important issue?

GREG MATTHEWS: The global business environment has resulted in the development of ecosystems where a number of parties interact to deliver goods and services. Organisations are continuing to use third parties at a greater rate and the manner in which services are delivered is increasingly complicated in light of digitisation, the Cloud and the global nature of businesses. Understanding how third parties deliver their services and support the organisation’s business is critical, especially given a number of high-profile failures by third parties.

To assess their third party’s ability to manage the organisation’s risks and reputation in line with their expectations, third-party risk management (TPRM) programmes are being established. These programmes assess the third party’s ability to adequately manage the risk in line with its policies and expectations both pre- and post-contract. This results in increased assessments and a corresponding head count increase.

Coordinating across each risk discipline (e.g. privacy, information security and compliance function) to understand how the third party is going to manage certain aspects of the organisation’s risk, based on the service provided, creates bureaucracy and risks slowing down the business need. Balancing risk and performance is at the centre of the challenge.

EB: Boardrooms are taking notice and getting more involved in TPRM. How do they gain a better understanding of their third-party relationships and the associated risks?

GM: Boards of organisations need to understand how the risks to their strategy and business are managed through the use of third parties. It is imperative that, at least on an annual basis, the board understands the TPRM programme through a report from the programme lead. It should be provided with information on; the programme design and operating effectiveness, performance of critical and high-risk rated services; volumes and risk profile of the full third-party portfolio; and any significant operational loss events that have occurred. As a result, it should understand the company’s exposure to third parties failing to deliver.

In addition, as each of the different risk officers present to the board during the course of the year, they should include a qualitative and quantitative aspect to their reporting for the board in terms of how their risk is managed by third parties and how they gain comfort with the third party’s ability to meet policy and expectations.

The board should also approve significant or critical outsourcing arrangements, understanding the business drivers and the risk mitigation components of the arrangement. When there is a failure by a third party, the board should be informed, as appropriate and in accordance with the organisation’s escalation protocol, and understand the established contingency plan.

EB: What steps can executives take to develop effective strategies that will transform TPRM programmes?

GM: Over the past five years, global organisations have undertaken three broad phases of work to enhance their third-party risk management programmes. Phase one was a design assessment to set the tone from the top, clarify governance over the programme, make clear roles and responsibilities in accordance with the three lines of defence principle, ensure risk subject matter experts are engaged both pre- and post-contracting and increase the ongoing monitoring of third parties through a risk-based programme.

The second phase was the implementation of the programme designed in phase one, which resulted in two outputs, the first being increased assessment and ongoing monitoring activities across the organisation and lines of defence. The second was, increased headcount associated with the delivery of these risk management activities.

The third phase centres on streamlining the programme from a risk-based perspective and leveraging advanced technology to automate the programme and activities. There are a number of options available to an organisation to achieve streamlining objectives, including: reducing the number of third parties through a preferred provider programme, enhancing risk assessment questionnaires and gathering of information from third parties, and leverage specialised third-party providers and emerging industry utilities to conduct oversight activities, such as desktop and onsite reviews.

At the end of these three phases, it is important that the elements of the programme come together to form a sustainable TPRM programme, which aligns to risk appetite and tolerance of the organisation’s Enterprise-wide Risk Management programme.

EB: The EU General Data Protection Regulation (GDPR) came into effect in May; to what extent is it going to affect third-party risk management programmes?

GM: Privacy is a well-established risk and one that third parties often manage on behalf of the organisation. A change in regulatory requirements will impact the inherent risk and control environment assessments. They need to be enhanced to help the organisation determine whether applicable data subject to GDPR requirements are being shared and whether the third party is able to manage the requirements of GDPR. Organisations should be proactive in reviewing their existing inventory of third parties and re-performing due diligence as applicable.

“To assess their third party’s ability to manage the organisation’s risks and reputation in line with their expectations, third-party risk management (TPRM) programmes are being established”

Many contracts may not cover the GDPR requirements and existing contract clauses may need to be amended. These should be identified and, depending on the service and third party, negotiated into the contract, in a timely manner, where possible. The search through contracts for existing clauses and coverage can be a significant body of work.

In many cases, we are also seeing organisations undertake a more thorough data lineage assessment. It is no longer sufficient to simply know that there is personally identifiable information being shared with a third party, for example. Now the organisation needs to understand which data elements are being shared with the third party and its subcontractors so that the organisation can manage the risk and comply with requirements such as GDPR effectively.

EB: Do you have any advice for companies who want to proactively manage third-party risk?

GM: There are few imperatives to managing third-party risk proactively. The first is ensuring that you have a clear understanding of what risk is associated with a particular third-party service and a clear alignment of roles and responsibilities around management of that risk.

Second, allowing those responsible and accountable for the management of risk to drive the mitigation activities pre- and post-contract to allow for the appropriate management of the third party. Depending on the criticality of the service, an exit strategy should be prepared in the event the relationship ends.

Third, the activities undertaken should be risk based. To help form a view of where risk lies, data should be gathered to generate insights as to where to focus efforts. These could be due to contract provisions not being in place to mitigate risk, restriction of onsite assessment activities, key controls or products linked to the third-party service and failure of the third party to deliver in line with agreed upon service level agreements.

Finally, use of technology to automate the collection and management of information pertaining to a specific contract or risk. Being able to share information and help different parties build a comprehensive understanding of the interactions between the third party and the organisation is advantageous to driving better risk management.

EB: Can you tell us a little about KPMG’s services?

GM: KPMG has a full range of services to support the development and running of a TPRM programme. We have teams that:

  • Drive the design and transformation of the programme
  • Focus on the various risk components (cyber, privacy, compliance, etc.) and help execute those assessments through managed services
  • Integrate the TPRM components into the procurement and sourcing components
  • Optimise the procurement and sourcing components
  • Monitor contract compliance
  • Automate the various aspects of the TPRM programme and its assessments

KPMG believes a holistic approach to the design and operation of the TPRM programme is of utmost importance because of the programme’s complexity, cutting across business lines, risk oversight lines, regions, products etc. Bringing those organisational components together through the programme to manage third parties is key and this transformation is one of a company’s biggest risks.

KPMG understands the need to balance risk management with business performance and our teams have practical industry, regulatory and risk experience, not just domestically but also internationally, to assist our clients in running their programmes. We have served many of our clients across multiple industries and geographies with these services.


About the Author:

Identifying third-party risk Ethical Boardroom

Greg Matthews is a Partner at KPMG focused on Financial Services Risk and Regulatory Consulting. Greg assists his large, global, FS clients drive strategic, transformative change from a risk and regulatory compliance management perspective. Greg has a wealth of experience assisting clients to establish programs that manage risk, regulatory compliance and drive performance