In this article, Rupert Chamberlain, Partner, Head of Managed Services, and Alva Lee, Partner, Head of Governance, Hong Kong SAR, KPMG China, explore how business leaders can tackle complex vendor risk landscapes efficiently.

Highlights

  • the increasing reliance on vendors and more complex supply chains are heightening the risk of cyberattacks, compliance failures and supply chain disruptions
  • managed services offer scalable, tech-driven solutions that centralise monitoring, reduce costs and speed up vendor onboarding
  • a unified approach to third- and fourth-party risk enables organisations to build resilience and safeguard business continuity

Many organisations have become highly dependent upon external vendors for managing cloud and data, delivering business functions like finance and human resources, and handling logistics and warehousing. These vendors may in turn outsource to fourth parties. Without appropriate procedures in place, this leaves organisations vulnerable to cyberattacks and supply chain disruption, questionable labour and environmental practices, and poor-quality products and services that impact internal and external customers.

A large private or public entity must manage the risks associated with an army of third, fourth and fifth (or ‘nth’) parties that may run into the tens of thousands. The proliferation of fourth and fifth parties (‘vendors of your vendors’) – many of whom may have no direct contact with the organisation – takes risk management and operational resilience to a new level of complexity. The web of parties is greater than enterprises may realise, enlarging the attack surface with threats beyond the organisational line of vision.

As communications and transactions go digital, and significant numbers of people work remotely, the risk only rises. Third-party risk management (TPRM) encompasses a wide range of activities, from initial procurement and onboarding, through ongoing management and monitoring, to skilfully managing risk and driving improved performance throughout the lifecycle of the relationship. However, without clear and consistent accountability for TPRM, the risk of a damaging incident, or non-compliance, remains high.


In this article we discuss how Chief Technology Officers, Chief Information Security Officers, Chief Compliance Officers and Chief Procurement Officers can transform TPRM through managed services to reduce costs and increase efficiency, speed, scalability and operational resilience, as well as to preserve business continuity.

Today’s big TPRM challenges

There is increasing pressure and regulatory scrutiny to meet demanding requirements for know your customer (KYC) and know your supplier (KYS) onboarding and monitoring, to verify that third parties are genuine, competent and financially viable, with sustainable business practices. These regulatory requirements include the:

  • European Union General Data Protection Regulation
  • European Union’s Digital Operational Resilience Act, setting expectations of digital operational resilience for financial entities
  • Hong Kong Monetary Authority guidelines for outsourcing and third-party arrangements, to ensure adequate governance and sound risk management controls, and
  • Monetary Authority of Singapore’s guidelines for outsourcing and third-party arrangements, to ensure adequate governance and sound risk management controls.

Risks can vary across sectors. For example, automotive manufacturers are highly focused on quality across their extensive, complex supply chains to ensure that vehicles are safe and perform consistently. The life sciences are heavily regulated, with companies having to verify the quality and safety of all ingredients and to show that outsourced activities – notably laboratory testing – are carried out to required standards. Industries like energy and telecommunications, which are vital to national security, need to demonstrate operational resilience along the entire value chain. Sectors with large customer databases, such as consumer and retail, and consumer financial services are obliged to meet strict data privacy and security demands and, increasingly, keep data within specific geographical boundaries. Meanwhile, nearly all organisations must comply with regulations on environmental, social and governance (ESG), data protection, anti–money laundering and sanctions.

Responsibility for TPRM varies, with functions like procurement, legal, compliance, risk management, data privacy, security and IT often dealing with different vendors. Tasks include carrying out due diligence, onboarding vendors, monitoring, performing onsite audits, developing incident reports, conducting certification searches and other activities. Procurement, in particular, has played a leading role in improving efficiency and the speed of delivery, while retaining strong risk management that matches the organisation’s risk tolerance. These departments may well have their own data systems, as well as varying attitudes and appetite for risk, which could mean that some third parties receive less rigorous attention than others, increasing the chance of incidents, inadequate performance or non-compliance. Procurement’s role in making high-quality buying decisions is often underutilised, presenting an opportunity for better vendor risk management. Many organisations are unable to gain a complete overview of all the risks associated with each third party, which can threaten organisational resilience.

On top of this, a fragmented approach to third-party risks – all too common amongst organisations today and frequently involving manual tasks – slows down decision-making, delays vendor onboarding and holds up operations.

Often missing is a holistic view on third-party risk across the entire ecosystem of vendors, as well as a consistent approach to managing these risks. There is a tendency for the various internal functions overseeing third parties to view risk purely in terms of KYC and onboarding. They may require additional perspectives to carry out appropriately thorough risk assessments and, as a result, could neglect the ongoing management and monitoring that is essential to stay on top of potential and evolving risks.

The case for managed services in TPRM

Outsourcing TPRM, as part of supply chain strategy, can bring significant benefits, offering a tailored service that integrates with existing IT infrastructure and processes, and which collaborates closely with the legal, compliance and procurement functions. Managed services providers take a 360-degree view of the risks facing third parties, helping to identify where threats may lie and to evaluate the impact of events. Risk assessment and monitoring become more centralised, enabling a standardised, comprehensive risk management approach that quantifies risks and reduces the chance of gaps or blind spots.


Here’s how outsourcing TPRM through managed services can help address critical pain points like speed, monitoring, scalability and cost-efficiency, while leveraging cutting-edge technologies to streamline risk management.

Speed

Speed is a huge priority for TPRM, as delays in onboarding can clog up vital supply sources, while any delay in identifying problems can have a severe impact on costs, compliance and reputation.

Monitoring

Through continuous monitoring of systems and networks, potential issues are identified before they escalate, maintaining business continuity by reducing downtime and interruptions.

Collaboration

By fostering collaboration and clear communications between internal teams and external vendors, providers minimise misunderstandings and align interests.

Scalability

Providers are also likely to gain sufficient scale (and the capability to scale up or down quickly if necessary) to handle the massive volumes of third- and fourth-party vendors that large organisations typically interact with. Such flexibility not only helps manage seasonal demands and rapid growth, but does so without compromising service quality.

Cost

Many managed services providers operate on a subscription model, making costs more predictable and eliminating the need for large, upfront capital expenditure.

Resources

For overstretched risk management teams, a managed services team provides additional resources to fill in expertise and capability gaps, and bring in the latest technologies – something that may be unaffordable for many organisations. Through careful prioritisation of risk management, based upon the expected risk levels of different vendors, resources can be further optimised to focus on those parties where potential risks are highest. An experienced managed services provider has addressed crises in the past and should have a fast, proven, streamlined and methodical recovery methodology, to speed up the return to business-as-usual.

Technology

Leading managed services companies invest heavily in the latest technology. Artificial intelligence (AI), automation and machine learning achieve real-time – or near-real-time – monitoring, which could, for instance, trace a failure of suppliers to maintain appropriate environmental standards. Additionally, intrusion detection systems and encryption protect sensitive data and help achieve compliance with security standards. Generative AI has exciting potential to ease the management of vendors, gather large amounts of data from disparate systems, translate documents into common languages and produce insightful reports.

By integrating cloud-based, portal-driven solutions, along with predictive analytics for proactive risk management, organisations can increase their understanding of vendors along the supply chain and spot problems early – or even in advance – enabling swift action to prevent disruptions and improve resilience. This might, for example, help identify a supplier in financial difficulties before its condition becomes critical. These insights also enable informed decisions on vendor relationships and risk management strategies.

With large-scale automation replacing manual processes, and integrated systems and processes reducing waste and duplication, TPRM costs should decrease. This is a great example of accessing technology through partners to improve the quality of management information and to assist decision-making – such as whether or not to retain suppliers – as well as to gain cost efficiencies.

Regulations

Critically, as third- and fourth-party risk specialists, a global managed services provider keeps abreast of the latest international, national and regional regulatory requirements. Such knowledge, allied with strong governance, helps ensure that third parties meet evolving requirements, including cybersecurity, data privacy and ESG performance across the supply chain – reducing the chance of penalties and/or reputational damage. Although there have been pushbacks in some countries, the requirement for comprehensive ESG assessments of third parties is growing.

Four key features of an efficient managed services model

Pre-contract due diligence

Pre-contract due diligence is a risk-based approach to vendor assessments to identify any potential problems early. Streamlined compliance with privacy and cybersecurity mandates should speed up the onboarding process so that it considers the third party’s true capabilities, going beyond a mere ‘tick-the-box’ exercise. Important new suppliers and contractors can get to work faster, bringing value to the organisation and enhancing the vendor experience to get the relationship off to a good start.

Ongoing monitoring and incident handling

Ongoing monitoring and incident handling involves continuously evaluating vendor performance against service level agreements to preserve high standards and act when performance levels fall below what is required. Methodologies such as ITIL (previously known as Information Technology Infrastructure Library) or Six Sigma drive improved efficiency and performance. AI and other technologies are rapidly transforming the landscape, and can be used to enhance monitoring and to detect any breaches or deviations faster and more comprehensively. For example, by leveraging an AI-powered tool to efficiently and consistently analyse vendor SOC (system and organisational controls) 1 and SOC 2 reports, organisations can benefit from analytics and insights for more risk-intelligent decision-making. The results of incident handling should trigger further monitoring or adjustments to the risk classification of the third party.

Robust governance frameworks

When provided by managed services providers via clear roles, responsibilities and escalation protocols, robust governance frameworks can be applied consistently across the organisation.

Regular audits and performance reviews not only assess vendor quality but can also uncover weaknesses or inefficiencies that could lead to problems in the future.

Fourth-party risk management

Fourth-party risk management uses software and research to trace risks across extended supplier networks.

TPRM is evolving to encompass far more than just compliance

When leveraged effectively, TPRM can be a significant strategic enabler that helps organisations optimise their supply chain strategy beyond the direct outcomes, swiftly onboard vendors and optimise the value they bring, as well as reduce the risk of penalties, supply chain disruptions and reputational damage.

To evaluate the opportunity in your TPRM programme, consider these questions:

  • Do you have a holistic view of third-party risk across all vendors?
  • Do you have unified data systems across procurement, legal, compliance and other business functions?
  • Can you quickly identify and address suppliers at risk?
  • Can you keep up with fast-changing regulatory compliance requirements?
  • Are you able to quickly and confidently onboard new suppliers?

If the answer is ‘no’ or ‘uncertain’ to any of these questions, then it may be time to make a change. For many companies, managed services are a compelling solution.

This operating model – enabled by AI and other technologies, as well as a suitably skilled and savvy team – can accelerate the transformation of TPRM to become more proactive, avoid risks and incidents, and extract better performance from your extended ecosystem. A multi-stakeholder approach, with a single data repository, involving legal, compliance and procurement teams in risk management discussions, and augmented by a managed services provider, can drive innovative new ways to manage third- and fourth-party risk, and to build trust.

Rupert Chamberlain, Partner, Head of Managed Services, and Alva Lee, Partner, Head of Governance, Hong Kong SAR

KPMG China
