In today's fast-paced business world, organisations are under constant pressure to innovate and stay ahead of the competition. Many organisations now use Proofs of Concept (PoCs) as a strategic approach to assess innovations in products and services, helping to evaluate the feasibility and potential impact of new ideas and solutions. The unique selling point of the approach is the ability to get results fast by focusing on specific project components with a limited investment of resources. Where an external party is invited to collaborate on a PoC, the business may face challenges because of the effort and elapsed time required to complete third-party risk management (TPRM) programme requirements using the traditional approach before the PoC can be completed.

      How can an organisation manage risks from external parties supporting Proof of Concepts (PoCs)?

      Below are selected practical means of addressing the risks that external parties bring into the ecosystem when businesses engage them in PoCs, which may help the TPRM programme align better with business objectives:

      • PoC as a relationship type

        For organisations where PoCs may be a significant percentage of external relationships, the business can define PoC as a relationship type in the TPRM framework. This enables the organisation to define an approach that is fit for the purpose of risk identification and management specifically for PoCs. It also gives management the opportunity to weigh in on the types of risks that might come in from these relationships and to create suitable safeguards.

      • Inherent risk assessment

        All external relationships must go through the initial phase of the third-party risk lifecycle to help identify the inherent risks of the relationship. If the engagement is identified as a PoC, the inherent risk assessment form itself could be different, with the focus being on the type of data being utilised, the location of data storage (both geographical and organisational), IP ownership and other relevant factors.

      • Due diligence

        Based on the inherent risk assessment and PoC classification, organisations can implement a focused due diligence approach that concentrates on the high-risk areas identified during the inherent risk assessment. This can be achieved by identifying both organisational and external party controls, computing the residual risk across the risk domains relevant to the PoC, and then mitigating it.

      • Organisational controls

        Risk practitioners can adapt their due diligence approach with cognisance of organisation-level controls and the scope of the PoC. Examples of such controls include limiting the data set being shared, utilising synthetic or masked data, utilising on-premises infrastructure in place of SaaS (where feasible) and provisioning virtual desktop infrastructure (VDI) for the external party.

      • External party control evaluation

        To accelerate due diligence on external party controls, external risk intelligence platforms or independent assurance reports such as ISAE reports can be leveraged (where applicable) to form an opinion on specific risk areas for the external entity. These are useful in forming an opinion on cyber security hygiene by reviewing information related to publicly exposed cloud assets, past incidents and breaches, system misconfigurations, unpatched vulnerabilities and reported control exceptions. Risks not covered through this approach can then be assessed by the organisation. Where control gaps are identified during due diligence, the organisation can focus on identifying and implementing compensatory controls within the organisation rather than relying on the external party, in order to reduce the residual risk to an acceptable threshold.

      • Dedicated task force

        With attention to stakeholder needs and user experience, due diligence on external parties can be expedited by having a dedicated task force that is oriented towards prompt risk identification and management within a limited time window. This can be enabled by a skilled pool of resources across risk domains, incorporating scrum principles such as daily huddles among relevant stakeholders to ensure accurate and timely identification of risks.

      • Contracting

        A standard template outlining the minimum security obligations specific to PoCs may be leveraged to mitigate risks. These obligations might include, but are not limited to, IP ownership, liability and indemnity clauses, security incident reporting, hosting requirements and restrictions, NDA and confidentiality requirements, data destruction protocols, right to audit and regulatory requirements.

      • Termination

        At the end of the engagement, risk practitioners can conduct a post-PoC evaluation. This should include a review of adherence to contractual terms, return and ownership of IP, data retrieval and destruction, or an audit of any external party assets that were leveraged in the PoC, in order to conclude on risk mitigation. Alternatively, if the PoC is successful, the external party can be subjected to the typical TPRM processes required for a potential long-term partnership.


      The TPRM framework needs to innovate, adapt and cater to shifts in business strategy and the changing needs of stakeholders. A focused approach to addressing third-party risk for PoC arrangements is a meaningful way to demonstrate business alignment for TPRM programmes and to add value to the organisation and all its stakeholders.

      How can KPMG in India help

      The Third Party Risk Management solution helps an organisation to identify, assess and manage the risks associated with its third-party relationships.



      Author

      Srijit Menon

      National Head for TPRM in India

      KPMG in India

