Many organizations have become highly dependent upon external vendors, for managing cloud and data, delivering business functions like finance and human resources, and handling logistics and warehousing. These vendors may in turn outsource to fourth parties. Without appropriate procedures in place, this leaves organizations vulnerable to cyberattacks and supply chain disruption, questionable labor and environmental practices, and poor-quality products and services that impact internal and external customers.

      A large private or public entity must manage the risks associated with an army of third, fourth and fifth (or “nth”) parties that may run into the tens of thousands. The proliferation of fourth and fifth parties (“vendors of your vendors”) — many of whom may have no direct contact with the organization — takes risk management and operational resilience to a new level of complexity. The web of parties is greater than enterprises may realize, enlarging the attack surface with threats beyond the organizational line of vision.

      As communications and transactions go digital, and significant numbers of people work remotely, the risk only rises. Third party risk management (TPRM) encompasses a wide range of activities, from initial procurement and onboarding, through ongoing management and monitoring, to skillfully managing risk and driving improved performance across the lifecycle of the relationship. However, without clear and consistent accountability for TPRM, the risk of a damaging incident, or non-compliance, remains high.

      In this article we discuss how Chief Technology Officers (CTOs), Chief Information Security Officers (CISOs), Chief Compliance Officers (CCOs), and Chief Procurement Officers (CPOs) can transform TPRM through managed services, to reduce costs, increase efficiency, speed, scalability, and operational resilience, and preserve business continuity.

      Today’s big TPRM challenges

      There is increasing pressure and regulatory scrutiny to meet demanding requirements for know your customer (KYC) and know your supplier (KYS) onboarding and monitoring, to verify that third parties are genuine, competent, and financially viable, with sustainable business practices. These regulatory requirements include:

      • Canada’s OSFI B-10, covering federally regulated financial institutions
      • Health Insurance Portability and Accountability Act (HIPAA) in the US
      • European Union’s Digital Operational Resilience Act (DORA), setting expectations of digital operational resilience for financial entities
      • European Union General Data Protection Regulation (GDPR)
      • European Union Corporate Sustainability Due Diligence Directive (CSDDD)
      • US Interagency guidelines for financial institutions, requiring effective information security for organizations and their service providers
      • LUX Circular CSSF 22/806, which aims to provide a transparent, homogeneous and harmonized national framework for outsourcing arrangements for financial entities based in Luxembourg
      • UK PRA SS2/21, covering operational resilience for UK financial institutions
      • Singapore MAS guidelines for outsourcing and third party arrangements, to ensure adequate governance and sound risk management controls
      • European Banking Authority (EBA) Guidelines on outsourcing arrangements

      Risks can vary across sectors. For example, automotive manufacturers are highly focused on quality across their extensive, complex supply chains, to ensure that vehicles are safe and perform consistently. Life sciences is heavily regulated, with companies having to verify the quality and safety of all ingredients and show that outsourced activities — notably laboratory testing — are carried out to required standards. Industries like energy and telecommunications, which are vital to national security, need to demonstrate operational resilience along the entire value chain. Sectors with large customer databases, such as consumer and retail, and consumer financial services, are obliged to meet strict data privacy and security demands and, increasingly, keep data within specific geographical boundaries. Meanwhile, nearly all organizations must comply with regulations on environmental, social and governance (ESG), data protection, anti-money laundering, and sanctions.

      Responsibility for TPRM varies, with functions like procurement, legal, compliance, risk management, data privacy, security, and IT often dealing with different vendors. Tasks include carrying out due diligence, onboarding vendors, monitoring, performing onsite audits, developing incident reports, conducting certification searches and other activities. Procurement, in particular, has played a leading role in improving efficiency and the speed of delivery, while retaining strong risk management that matches the organization’s risk tolerance. These departments may well have their own data systems, and varying attitudes and appetite for risk, which could mean that some third parties receive less rigorous attention than others, increasing the chance of incidents, inadequate performance, or non-compliance. Procurement’s role in making high-quality buying decisions is often underutilized, presenting an opportunity for better vendor risk management. Many organizations are unable to gain a complete overview of all the risks associated with each third party, which can threaten organizational resilience.

      On top of this, a fragmented approach to third party risks, all too common amongst organizations today, and frequently involving manual tasks, slows down decision-making, delays vendor onboarding and holds up operations.

      Often missing is a holistic view on third-party risk across the entire ecosystem of vendors, and a consistent approach to managing these risks. There is a tendency for the various internal functions overseeing third parties to view risk purely in terms of KYC and onboarding. They may require additional perspectives to carry out appropriately thorough risk assessments, and, as a result, could neglect the ongoing management and monitoring that is essential to stay on top of potential and evolving risks.

      The case for managed services in TPRM

      Outsourcing TPRM, as part of supply chain strategy, can bring significant benefits, offering a tailored service that integrates with existing IT infrastructure and processes, and collaborates closely with the legal, compliance, and procurement functions. Managed services providers take a 360-degree view of the risks facing third parties, helping to identify where threats may lie and evaluate the impact of events. Risk assessment and monitoring becomes more centralized, enabling a standardized, comprehensive risk management approach that quantifies risks and reduces the chance of gaps or blind spots.

      Here’s how outsourcing TPRM through managed services can help address critical pain points like speed, monitoring, scalability, and cost-efficiency while leveraging cutting-edge technologies to streamline risk management:

      Speed is a huge priority for TPRM, as delays in onboarding can clog up vital supply sources, while any delay in identifying problems can have a severe impact on costs, compliance and reputation.

      Through continuous monitoring of systems and networks, potential issues are identified before they escalate, maintaining business continuity by reducing downtime and interruptions.

      By fostering collaboration and clear communications between internal teams and external vendors, providers minimize misunderstandings and align interests.

      Providers are also likely to gain sufficient scale (and the capability to scale up or down quickly if necessary) to handle the massive volumes of third- and fourth-party vendors that large organizations typically interact with. Such flexibility not only helps manage seasonal demands and rapid growth, but does so without compromising service quality.

      Many managed services providers operate on a subscription model, making costs more predictable and eliminating the need for large, upfront capital expenditure.

      For overstretched risk management teams, a managed services team provides additional resources to fill in expertise and capability gaps, and bring in the latest technologies, something that may be unaffordable to many organizations. Through careful prioritization of risk management, based upon the expected risk levels of different vendors, resources can be further optimized to focus on those parties where potential risks are highest. An experienced managed services provider has addressed crises in the past and should have a fast, proven, streamlined and methodical recovery methodology, to speed up the return to business-as-usual.

      Leading managed services companies invest heavily in the latest technology. Artificial intelligence (AI), automation, and machine learning enable real-time or near-real-time monitoring, which could, for instance, trace a failure of suppliers to maintain appropriate environmental standards. Additionally, intrusion detection systems and encryption protect sensitive data and help achieve compliance with security standards. Generative AI (Gen AI) has exciting potential to ease the management of vendors, to gather large amounts of data from disparate systems, translate documents into common languages, and produce insightful reports.

      By integrating cloud-based, portal-driven solutions, along with predictive analytics for proactive risk management, organizations can increase their understanding of vendors along the supply chain and spot problems early — or even in advance — enabling swift action to prevent disruptions and improve resilience. This might, for example, help identify a supplier in financial difficulties, before its condition becomes critical. These insights also enable informed decisions on vendor relationships and risk management strategies.

      With large-scale automation replacing manual processes, and integrated systems and processes reducing waste and duplication, TPRM costs should decrease. This is a great example of accessing technology through partners, to improve the quality of management information that assists decision-making, such as whether to retain suppliers, and to gain cost efficiencies.

      Critically, as a third- and fourth-party risk specialist, a global managed services provider keeps abreast of the latest national and regional regulatory requirements around the world. Such knowledge, allied with strong governance, helps ensure that third parties meet evolving requirements, such as cybersecurity, data privacy, and ESG performance across the supply chain, reducing the chance of penalties and/or reputational damage. Although there have been pushbacks in some countries, the requirement for comprehensive ESG assessments of third parties is growing.

      Four key features of an efficient managed services model

      Take a risk-based approach to vendor assessments, to identify any potential problems early. Streamlined compliance with privacy and cybersecurity mandates should speed up the onboarding process, so that it considers the third party’s true capabilities, going beyond a mere ‘tick-the-box’ exercise. Important new suppliers and contractors can get to work faster, bringing value to the organization and enhancing the vendor experience to get the relationship off to a good start.

      Continuously evaluate vendor performance against service level agreements (SLAs), to preserve high standards and act when performance falls below required levels. Methodologies such as the Information Technology Infrastructure Library (ITIL) or Six Sigma drive improved efficiency and performance. AI and other technologies are rapidly transforming the landscape, and can be used to enhance monitoring, to detect any breaches or deviations faster and more comprehensively. For example, by leveraging an AI-powered tool to efficiently and consistently analyze vendor System and Organization Controls (SOC) 1 and SOC 2 reports, organizations can benefit from analytics and insights for more risk-intelligent decision making. The results of incident handling should trigger further monitoring or adjustments to the risk classification of the third party.

      Clear roles, responsibilities, and escalation protocols, when provided by a managed services provider, can be applied consistently across the organization. Regular audits and performance reviews not only assess vendor quality but can also uncover weaknesses or inefficiencies that could lead to problems in the future.

      Use software and research to trace risks across extended supplier networks.

      TPRM is evolving to encompass far more than just compliance

      When leveraged effectively, it can be a significant strategic enabler that helps organizations optimize their supply chain strategy beyond the direct outcomes, swiftly onboard vendors, optimize the value they bring, and reduce the risk of penalties, supply chain disruptions, and reputational damage. 

      To evaluate the opportunity in your TPRM program, consider these questions:

      • Do you have a holistic view of third-party risk across all vendors?
      • Do you have unified data systems across procurement, legal, compliance, and other business functions?
      • Can you quickly identify and address suppliers at risk?
      • Can you keep up with fast-changing regulatory compliance requirements?
      • Are you able to quickly and confidently onboard new suppliers?

      If the answer is “no” or “uncertain”, then it may be time to make a change. For many companies, managed services are a compelling solution.

      This operating model — enabled by AI and other technologies and a suitably skilled and savvy team — can accelerate the transformation of TPRM to become more proactive, avoid risks and incidents, and extract better performance from your extended ecosystem. A multi-stakeholder approach, with a single data repository, involving legal, compliance, and procurement teams in risk management discussions, and augmented by a managed services provider, can drive innovative new ways to manage third- and fourth-party risk, and build trust. 

      Our people

      Alexander Geschonneck, Partner, Global Forensic Leader, KPMG in Germany
      Ashish Shah, Senior Manager, Risk services, KPMG in Canada
      Roy Waligora, Partner, Head of Investigations and Corporates Forensic, KPMG in the UK