From a legislative point of view, tackling Third-Party Risk Management (TPRM) can be tricky, as firms must navigate a rapidly evolving regulatory environment. These regulatory constraints also vary significantly from sector to sector.
- Financial institutions, for example, face increasingly strict requirements when it comes to outsourcing, with the European Banking Authority (EBA) and the Bank of England Prudential Regulation Authority (PRA) leading the field with their "Guidelines on outsourcing arrangements" and "Outsourcing and third-party risk management supervisory statement", respectively.
- Outside of the financial sector, there is no clear, leading regulation on Third-Party Risk Management, meaning firms must consider how different regulations touch upon their third parties indirectly. In Belgium, this could mean the Belgian anti-corruption legislation, the UK Bribery Act and the US Foreign Corrupt Practices Act (FCPA). The regulators and watchdogs behind these laws continue to impose hefty fines as they hold firms accountable for the activities of their vendors. According to research by Stanford Law School, for example, nearly 90 percent of FCPA matters relate to the use of third-party intermediaries [2].
Looking to the future, a diverse set of regulations is on the horizon, including the European Commission Proposal for a Directive on Corporate Sustainability Due Diligence (2022/0051) [3] and the European Commission draft regulation on Digital Operational Resilience for financial entities ("DORA").
- Do we have an integrated internal framework in place to support TPRM across the third-party lifecycle? What is the level of maturity of the different components of this framework?
- Do we have a clear view over the underlying objectives of our TPRM actions? What sort of risks are we trying to address?
- How does our concept of third-party risk relate to our broader Enterprise Risk Management principles? Have we defined a third-party risk appetite?
- Are we subject to any regulatory scrutiny of our third-party relationships?
- Is there an inventory in place of all our third-party relationships with their corresponding risk rating?
- Is there an overview available at any time of our third parties' compliance with our organization's requirements?
- Do we have an aggregated view of third-party risk, i.e., are we consolidating and centralizing all TPRM actions?
- Are we considering emerging third-party risks, such as fourth-party and concentration risks?
- Do we fully understand how third-party disruption might impact our company now and in the future?
In addition to the questions above for boards, management teams can consider asking the following questions:
- Do we have a view of third-party risk across the lifecycle of our third parties, from onboarding to offboarding?
- How can we avoid operational interruptions and, where possible, ensure the smooth running of the business?
- How can we identify and consolidate the most important information from an extensive and complex third-party network?
- How can we filter out the business-critical data from unstructured data on the market and derive optimal decisions?
- Do we have a formalized decision on third-party acceptance and onboarding?
- Are we attaching risk ratings or grades of importance to our third parties?
- Do we have enough lead time around potential third-party disruption?
- Do all involved corporate functions "speak the same language" while dealing with disruption?
- Do we have the appropriate tools, processes, organization and governance in place to monitor third parties around the world, whether public or private?
- Is our TPRM linked to our contracting process? Are third-party risks addressed by robust contracts with a clear definition of roles and responsibilities?
- Is our TPRM Framework digitally enabled? Is there a need for a TPRM tooling solution? Would this be integrated with our broader Governance, Risk, and Compliance tool?
- Are we periodically re-assessing the risks associated with individual third parties?
- Do we provide the required cross-functional transparency along our value chain to support continuous third-party oversight?
- Can we insure against third-party risks?
- Do we have a risk-based process in place to offboard third parties? Are there pre-defined exit plans in place and are these regularly tested?
1. Ensure the management team has evaluated and addressed the gaps in your organization’s third-party governance process.
2. Explore ways to enhance effectiveness at governing third parties by ensuring the company’s:
- Ability to anticipate supplier disruption;
- Consistent and ongoing access to data for all third parties;
- Consistent cross-functional operating model to identify and mitigate risks in a timely way;
- Efficient data acquisition model;
- Ability to define risk metrics and thresholds;
- Robust data analytics;
- Risk monitoring and alerts;
- Workflow processes to facilitate timely risk reviews.
3. Consider technology solutions to uncover insights about our suppliers and evaluate options for mitigating current and future risks.
4. Ensure that crisis management is tested frequently, including business continuity plan testing.
About the Board Leadership Center
KPMG’s Board Leadership Center (BLC) offers non-executive and executive board members – and those working closely with them – a place within a community of board-level peers. Through an array of insights, perspectives and events – including topical seminars and more technical Board Academy sessions – the BLC promotes continuous education around the critical issues driving board agendas.
Authors: Jens Moerman, Senior Manager, Risk & Regulatory, and Timon Lesage, Manager, Risk & Regulatory
1. Third-Party Risk Management outlook 2022 - KPMG Belgium (home.kpmg)
2. Stanford Law School, Foreign Corrupt Practices Act Clearinghouse, Statistics and Analytics
3. Proposal for a Directive on corporate sustainability due diligence and annex | European Commission (europa.eu)