Enterprise Third Party Risk Management

Enterprise Third Party Risk Management focuses on assessing, managing and monitoring third party risks beyond cyber and data privacy risk domains

Enterprise TPRM Program Design and Implementation


KPMG in India assists global and national majors in designing, establishing, and operationalising an Enterprise TPRM programme. The programme vision and services are designed around the client's organisational priorities and may include faster onboarding, improved focus on risk and quality, regulatory compliance, and an enhanced user experience for internal and external stakeholders.


Our Service Offerings

Design

Support in establishing and/or uplifting an Enterprise Third Party Risk Management programme in line with industry-leading practices and regulatory requirements.

Operate

Support in executing newly designed and/or uplifted Enterprise TPRM framework elements covering pre-screening, service risk profiling, risk assessments, contracting, ongoing monitoring, issue management, and termination.

Transform

Support in implementing a technology platform to automate Enterprise TPRM processes, gaining operational efficiency and better utilisation of resources.

Enabling Enterprise TPRM Programme

Enterprise TPRM services are designed to cover various entity types, address risks across the full spectrum of domains, and enable risk management throughout the third party relationship lifecycle.

The Enterprise TPRM framework is enabled by policies, procedures, technology, and an organisational construct that monitors programme metrics through strategic and operational dashboards.

Entity Scope

  • Vendors
  • Affiliates
  • Joint ventures
  • Distributors
  • Business partners

Third party risk domains

  • Environmental, social and governance risk
  • Reputational risk
  • Legal risk
  • Operational/supply risk
  • Financial viability risk
  • Subcontractor/fourth party risk
  • Technology/cyber risk
  • Country risk
  • Regulatory risk
  • Concentration risk
  • Compliance risk
  • Strategic risk

Third party lifecycle phases

Inherent risk assessment > Due diligence > Contracting > Ongoing monitoring > Termination

Foundations of the TPRM programme:

Policies and procedures

Organisations, people, skills and training

Governance and program effectiveness

Data and reporting processes

Enabling Technology

Why KPMG in India?

KPMG in India has a strong team of 500+ individuals focused on enterprise third-party risk management, with skill sets such as financial health checks, reputation risk assessment, anti-bribery assessment, KYC checks, ESG risk assessment, corporate due diligence, sanctions checks, cloud security, application security and product security, cyber security, and penetration testing.

Team expertise

Technical skills

  • Enterprise risk management
  • Skilled in standards such as ISO 14001, ISO 26000, ISO 45001, OHSAS 18001, ISO 27001, PCI DSS, HIPAA, TISAX, and NIST
  • Third party concentration risk
  • Third and fourth party resiliency risk
  • COSO framework
  • Privacy assessments
  • Emerging technology risk (AI, ML, RPA)
  • Cloud security (AWS, Azure, GCP)

Functional skills

  • Due diligence across global jurisdictions
  • Public domain information collection and review
  • Target operating model design
  • Alignment with TPRM regulations
  • TPRM organisation structure design
  • Change management
  • Environmental, health and safety, and social auditing
  • Expertise in EHS and labour laws (ILO conventions)

We have in-house digital assets that are primarily used to assess and manage non-cyber risk domains, in addition to the assets covered by the cyber-focused TPRM service offering:

Third Party Security Managed Continuous Assessment and Monitoring

  • Enables automated assessment of control implementations across multiple components
  • Enables monitoring of fourth party risk via the 'inheritance' concept (controls inherited from a third party's own suppliers)
  • Facilitates scalable sharing of control information from third parties to clients

KPMG Diligence & Analytics System

  • User-friendly web-based interface to submit and receive due diligence requests
  • Access to a historical record of all due diligence reports
  • View key workflow and risk data on completed requests through interactive dashboards

KPMG Vendor Assessment & Compliance Hub

  • Simplified risk assessment process that reduces duplicate effort
  • Evidence tracking notifications and automated reminders
  • One-stop controls and evidence repository

Select Credentials

Swiss Investment Bank

Conducted a current-state assessment of the third party risk management programme against regulatory requirements and developed a transformation roadmap to achieve the intended maturity level. The scope of the engagement covered the full third-party landscape (beyond vendors) and risk categories (beyond cyber and data privacy risks).

UAE Private Bank

Assisted in designing, implementing, and operationalising a third party risk management programme globally to ensure compliance with Central Bank of UAE regulations. The scope of the engagement covered risk domains such as ESG, litigation, regulatory, and compliance.

French Multinational Bank

Assessed the "as-is" state of the TPRM programme across APAC, the Americas, and EMEA and developed a transformation roadmap including recommendations for harmonisation of global processes. Also designed, implemented, and operationalised the Enterprise TPRM Target Operating Model (TOM) globally. Further supported service risk assessment and remediation management exercises to review and address regulatory requirements. Risk domain coverage: Financial, CSR, Compliance, People/HR, Process and Operational Resiliency, Data Privacy, ICT, Reputational, Legal, and Fourth Party.

British Multinational Beverage Company

Assisted in uplifting the existing TPRM framework components and supported the implementation and integration of technology platforms. Further designed a dashboard, scorecard, and visualisation report. The scope of the engagement covered risk domains such as information security, legal, reputational, and contract risk.

British Multinational Pharmaceutical Company

Assisted in designing the Enterprise TPRM framework, including the TPRM policy, standard, and procedures. The scope of the engagement covered risk domains such as information security, privacy, anti-bribery and corruption, sanctions, complementary workers, EHS, labour rights, financial risk, operations and BCM, and fourth party risk.

Global Media Organization

Reviewed and uplifted the existing Enterprise TPRM programme based on identified areas of improvement, aligned with industry-leading practices and peers. Also supported enhancing the current OneTrust module to cover risk areas beyond cyber and data privacy, and integrating the OneTrust VRM module with SAP Ariba. Additionally, conducted third party risk assessments for new and existing third parties covering risk areas such as cyber, ESG, financial viability, operational and BCM, and trust.

Multinational Semiconductor Manufacturer

Assisted in conducting a maturity assessment against industry-leading practices and peer organisations. The scope of the engagement covered assessing the maturity level of existing people, processes, and technology across risk domains such as information security, privacy, anti-bribery and corruption, financial viability, and reputational risk.
