Third Party Risk Management

Third Party Risk Management emerging as a key focus area

Global organisations increasingly rely on and partner with third parties to perform their operations effectively and efficiently. This dependency or relationship with third parties exposes organisations to different types of risks and makes third parties an attack vector for targeting the end organisations. The resulting increase in number of third party incidents impacting the organisations and emphasis on regulatory assessments has resulted in TPRM emerging as a key focus area for the board and senior management across organisations.

However, organisations continue to face multiple challenges in addressing third party risks including lack of visibility on third/ nth party relationships, managing ever-increasing requests for third party risk assessments, absence of upstream/ downstream process and system integration, complex operating model, and limited use of technology.

KPMG in India, through the below services, assists global and national majors in addressing the above challenges and transforming their TPRM program aligned with Industry leading practices, regulatory requirements, and business objectives:

Advisory Services

KPMG supports organisations in designing and up-lifting their third-party risk management program in-line with the industry leading practices and regulatory requirements.

Assessment Services

KPMG supports organisations in conducting assessments throughout the third party life cycle to identify, assess, report, monitor, and mitigate risks to the organisation.

Digital Transformation

KPMG supports organisations in digital transformation of their TPRM program.

Other Solutions:

Enterprise Third Party Risk Management

KPMG supports organization to design, streamline and operationalize enterprise wide third party risk management program to assess and manage third party risks covering risk risk beyond cyber including ESG, Financial, Legal, Compliance, Operational and Reputational risks. For more information, please refer to Enterprise Third Party Risk Management
Software Supply Chain Security

KPMG supports organisation to start their software supply chain security journey by assessing and managing risk associated with third party software products and components.
Third Party Cloud Security Assessments

KPMG supports organisation with cloud control catalog capability that enables them to efficiently assess third party SaaS application services and associated environments.
Third Party Continuous Cyber Risk Monitoring

KPMG supports organisation to perform continuous monitoring of their third party based on external data feeds or substantive review of control population data.

Our Service offerings

Advisory Services
Assessment Services
Digital Transformation

Regulatory gap assessment

Provide regulatory health check assessment including observation and impact analysis details and Impact Analysis
Maturity assessment
1. Perform “As-Is” state review of the client’s TPRM program capabilities
2. Provide TPRM program maturity assessment report including areas of improvement and recommendations along with a transformation roadmap
Business case and roadmap

Prioritize enhancements, and estimate the efforts and resources required to roll out the TPRM program.
TPRM framework development

Enhance TPRM framework including scope definitions (risk domains, third party entities, and third party lifecycle), governance mechanism, guidance for third party lifecycle activity, issue and exception management, program KPIs, escalation matrix and reporting mechanism, change management, and policy/process documentation
Building TPRM Target Operating Model

Design and operationalize the TPRM target operating model covering people, process, technology, deployment strategy, service delivery model, performance insights, and data governance

Service risk profiling
1. Inherent risk assessment of potential third party arrangements/services
2. Periodic review of the third party arrangements/services to assess and monitor any change in the inherent risk profile
Third party risk and control assessments
1. Third party lifecycle stage coverage: Onboarding, Ongoing Monitoring, and Termination
2. Assessment Mode: Self-Assessment, Remote Assessment, and Onsite Assessment
3. Assessment Depth: Response/evidence-based validation, Walkthrough based validation, Test of design, Test of operating effectiveness
Thematic assessments

Ad-hoc assessments conducted for identified set of third parties and focused on specific risk areas (e.g., impacts assessment for log4j attack)
Contract compliance review

Contract gap analysis, and diagnostic assessment of Information Security requirements in third party contracts
Issue management

Logging, tracking, monitoring, and closure of identified gaps as per the agreed action plan and timeline
Leverage utility platform assessments

Review third party risk assessment results provided by utility platforms
Leverage external data feeds

Leverage external sources to determine third party risk posture for specific risk groups without the need for intensive manual assessments

Process automation
End-to-end implementation services for COTS (SAP Ariba, Coupa Risk Assess, Archer, Service Now, One Trust) and KPMG TPRM solutions [KPMG Vendor Assessment and Compliance Hub, Digital Signal Insights Platform (DSIP)]
1. Business analyst services
2. Solution implementation and System Integration
3. Testing Services (UAT / Functionality)
4. Production support
5. Program management
6. Change management
7. Backlog Management
Dashboard and Reporting

Automation of Strategic KPIs and Operational SLAs leveraging external dashboarding tools such as PowerBI, Tableau, etc.
NextGen TPRM solutions (AI/ML, RPA)

Leverage technologies such as RPA and AI/ML to automate manual and redundant task (use cases include automated control testing, parsing of third-party evidence/ documents etc.)

Why KPMG in India?

Accelerators
Global Delivery Models
Team expertise
Digital assets
Publications

How can we help you?

We have built TPRM program accelerators such as end-to-end TPRM process workflow, risk profiling and assessment questionnaire template, risk mitigation and acceptance form covering exception cases, KPIs template, risk metrics etc. We will leverage these accelerators to reduce time spent on building the deliverable and focus more on building acceptance for the framework with the stakeholders.

How can we help you?

We work with a network of member firms to ensure physical presence and language capabilities for our global clients. We have consistently delivered engagements beyond traditional assessments and assisted its clients in designing, regulatory requirement mapping, issue assurance, and automation aspects of their third-party risk management programs.

How can we help you?

We have a strong team of 200+ individuals focused on third party cyber risk management with skill sets such as DevOps, DevSecOps, Cloud Security, Application Security and Product Security, Cyber Security, Pen Testing, SAST & DAST, Security Architect, SOC, etc. Our security professionals are certified in ISO270001, CISSP, CCSP, CISA, CISM, CRISC, CTPRP, OSCP, DevSecOps, AWS, MS Azure, etc.

How can we help you?

We have worked on digital interventions including third party risk intelligence, bot-led risk assessment, etc. to achieve a shorter turnaround time for executing TPRM program activities.

Cyber security

Use cyber security to protect your future

Rich Industry Experience

“ KPMG in India has been a trusted partner in the transformation of our Third-Party Risk Management Program for more than two years. Their expertise guidance, insights, and support have been integral to the maturity and success of our program ”

-Global US based Software Technology Company

“ As always, it has been pleasure working with you. I have found the engagement to be incredibly organized and efficient, when delays did arise you demonstrated empathy and understanding. I and the wider team also appreciate the efforts that you put into reducing the controls through historical evidence mapping. ”

-Global Swiss Investment Bank and Financial Services Company

“ We have been working with KPMG’s third-party risk management consultants for over two years and decided it was time to take our program to the next level. We needed industry expertise to help to uplift our manual end-to-end TPRM process. KPMG gave us the best TPRM expert and ServiceNow architects, Not only were they knowledgeable, but they were also extremely patient as we worked through some internal issues. Their partnership has proven valuable several times over. ”

-Global US based Retail Company

Select Credentials

India Insights

Our insights is your gateway to thought leadership and in-depth reports. Explore our curated collection of valuable content, where we delve into complex business challenges, share industry trends, and provide actionable insights.