
      In recent months, geopolitical tensions, increasing cyber attacks and stricter regulatory requirements have presented companies with new challenges in managing third parties. Third-party risk management (TPRM) is thus becoming a central component of corporate risk strategies. 

      Old structures vs. new requirements in third-party risk management

      When it comes to third-party risk management, many executives initially think of regulatory requirements such as the Supply Chain Due Diligence Act or the Corporate Sustainability Due Diligence Directive. In practice, however, TPRM goes much further and is currently evolving from a compliance issue to a management tool for resilience and value creation.

      However, many companies still work with structures that were designed for a different risk environment and no longer meet current requirements. The number of third parties is growing, they are increasingly interconnected, and dependencies are becoming more complex. At the same time, internal requirements are raising the pressure for transparency and controllability. Classic TPRM approaches, anchored in isolation within individual functions and only loosely linked to strategic goals, offer limited guidance in this environment.

      Governance as a management model

      A robust TPRM starts with clear governance. Transparent responsibilities and structured cooperation form the basis for consistent risk management. Viewed through the three lines of defence model, it quickly becomes clear that all three lines are involved in third-party risk management. The initial impetus often comes from operational functions such as purchasing or account management. Risk and compliance functions define policies and methods. Internal audit includes TPRM in its audit planning and evaluates its effectiveness. In many organisations, however, TPRM has developed more slowly than other management systems, and its strategic anchoring has often remained sporadic. Different departments work on the topic in parallel, each with its own perspective and methods. The result is fragmented risk profiles, limited comparability and a lack of prioritisation across departmental boundaries.

      This is confirmed by the global KPMG TPRM study of 851 participating companies, in which the integration and interlinking of TPRM with other risk management programmes is cited as one of the three biggest challenges. It is therefore important that the organisational structure and the processes within TPRM are clearly defined in order to create cross-departmental transparency. Against this background, management should address the following key questions as a first step in designing TPRM governance:

      • Where is overall responsibility for the TPRM anchored organisationally, and what decision-making, control and escalation powers does it have? 
      • Which third-party risks should be covered by the TPRM, and what criteria are used to define the relevant risk categories (e.g. cybersecurity, compliance, quality, ESG, geographical risks) on a risk-based basis?
      • How are the functions and specialist areas to be included derived from the relevant risk categories?
      • How are operational risk responsibility, control and monitoring functions clearly separated from one another and interlinked?
      • How are decentralised units and specialist departments integrated into the central TPRM governance model?
      • Are roles and responsibilities in TPRM – such as TPRM owner, risk owner and supplier owner – clearly defined, and do the responsible persons have the necessary skills, training and decision-making authority?

      The target vision of effective TPRM governance

      An effective target vision for TPRM governance varies with the business model, risk profile and organisational structure. In practice, however, centralised responsibility for a consistent view of third-party risks has proven effective. A clearly designated TPRM owner collects, validates and consolidates risks and makes their interactions visible. Our study mentioned above shows that many companies are still at an early stage here: only 28 per cent have centralised TPRM oversight with end-to-end responsibility, while in many organisations TPRM remains fragmented.

      The organisational anchoring of this role can vary. Placing it in risk management creates a close link to existing assessment methods but requires intensive coordination with the specialist departments. Assigning it to the compliance department strengthens the regulatory perspective but often reduces TPRM to a mere compliance exercise. Placing it in purchasing creates proximity to suppliers and operational processes but requires a strong understanding of risk.

      The decisive factor is not so much where the role sits as how it is designed. Clear decision-making rights, defined escalation paths and cross-functional acceptance enable consistent control and a holistic view of risk. TPRM is thus developing into a building block of modern corporate management that combines risk and business control.

      In the second part of the series, which will be published shortly, you will learn how technology and artificial intelligence create additional transparency.
