In a demanding business climate quite accustomed to outsourcing, third-party risk management (TPRM) is a well-known requirement to help mitigate the potential hazards of relying on other companies to meet business needs.
But what about the subcontractors your third-party vendors are hiring to get their work done? Is the risk of indirectly doing business with these fourth-party companies also being assessed and managed?
According to a recent KPMG report, there’s a growing exposure to risk associated with these dynamics, as companies scramble to do what’s needed in the midst of never-ending supply chain disruptions.
Here, we’ll dig into five themes uncovered in the KPMG report—as well as insights about fourth-party risk in the supply chain from additional experts.
KPMG: Third-Party Risk Management Outlook 2022
In the report, Third-Party Risk Management Outlook 2022, KPMG International’s survey of 1,263 senior TPRM professionals across six sectors and 16 countries worldwide revealed that for 85 percent of businesses, TPRM is a strategic priority—up from 77 percent before the pandemic emerged.
KPMG described some of the dynamics involved: “As the economic recovery picks up speed, third-party risk management (TPRM) is more important than ever before. Faced with supply chain disruption, cyber threats and growing inflationary pressure, global businesses are assessing their operational resilience and reviewing their dependence on third and fourth parties.”
“Our findings demonstrate the need for TPRM leaders to make a step change in their operating models and their approach to third-party risk. This need will only grow as supply chains and broader ecosystems continue to expand, and the risk presented by fourth parties creates further complexity,” KPMG said.
Report authors described five key themes that emerged from the survey results:
1. Third-party incidents are disrupting the business and damaging reputation.
“Weaknesses in the TPRM operating model, leading to missed opportunities to mitigate risk, are proving to be a major problem for businesses worldwide. Three in four (73 percent) respondents to our survey have experienced at least one significant disruption, caused by a third party, within the last three years,” according to the report.
In this context, KPMG said an increased reliance on subcontractors in the supply chain is adding to the risk, as described by Alexander Geschonneck, Partner, KPMG in Germany.
“Across sectors, fourth parties have been responsible for much recent disruption,” he said in the report. “In manufacturing, that might result from shipping failures. More broadly, it could be a security vulnerability at a supplier’s cloud provider that results in a cyber incident.”
KPMG said that in its survey, 79 percent of respondents “say that they urgently need to improve how they identify and assess fourth parties in their supply chain and the broader ecosystem,” which was up from the 72 percent who said the same in KPMG’s 2020 survey.
Lack of a contractual agreement or direct relationship with fourth parties can make things even more difficult, according to report authors.
2. Businesses underestimate the need for a sound TPRM program, resulting in insufficient budgets.
“Practitioners are held back by limited budgets that see them prioritizing tactical initiatives over strategic improvements,” KPMG said. “Six in 10 (61 percent) believe TPRM is undervalued considering its enterprise-critical role.”
The firm noted that if the “full complexity” of an effective TPRM program were better understood, companies could support larger TPRM budgets while also gaining the benefits that could result from “new efficiencies around operational resilience, cyber security and fraud.”
According to Greg Matthews, Partner, KPMG in the US, organizational leadership underestimates how complex it can be to enable TPRM in a comprehensive way.
“Leadership teams often expect TPRM to be covered by individual functions such as procurement, specific risk disciplines or business units, and overlook the synergies that could arise from a coordinated approach,” he said in the report.
3. Technology is not yet fulfilling its promise.
“Respondents expect to use technology to automate or support 58 percent of TPRM tasks within three years, which will free them to focus on activities that require human review and interaction,” KPMG said. “Today, however, 59 percent are frustrated by the lack of visibility that their technology gives them around third-party risk.”
Quoted in the report, Joy St. John, Director, KPMG in the US, explained that there are other concerns about the effectiveness of technology beyond the lack of visibility.
“Executives are also frustrated by the construct of the technology, over-engineering of the program, and by a lack of effective and clear reporting on program performance and third-party performance,” she said.
4. The challenge of limited resources is here to stay.
“TPRM programs are continuing to evolve while teams contend with a growing body of work,” KPMG said. “Digital tools will help shoulder the burden, but TPRM’s remit is expanding across all risks, domains, and types of third parties.”
For example, among businesses, KPMG said assessing the environmental risk of all third parties is expected to increase significantly over the next three years.
In that context, “A risk-based approach, allocating resources to highest-risk arrangements, would be preferable,” report authors said.
5. Most businesses struggle to maintain a fit-for-purpose TPRM operating model.
“Respondents largely accept that it was luck, rather than their TPRM programs, which helped them avoid a major third-party incident during the COVID-19 pandemic,” KPMG said. “In turn, 77 percent believe that overhauling the operating model is overdue.”
In the report, Jon Dowie, Partner, KPMG in the UK, described the dynamics involved.
“We expected TPRM to become even more of a strategic priority following the pandemic,” he said. “But it’s concerning that businesses are not taking TPRM as far as it needs to go.
The focus up to now has often been on addressing tactical issues, rather than getting an enterprise-wide fix and engagement across the organization. There’s a real need to wake up and sort this out.”
In response to these five themes, KPMG also provides next steps and further recommendations, which can be accessed in the full report.
EY: How to Identify and Evaluate Your Fourth Parties to Drive Resiliency
In a post entitled “How to identify and evaluate your fourth parties to drive resiliency,” EY consultants described the results of their survey of over 200 global institutions with TPRM functions in a variety of sectors.
Summarizing the findings, EY said they revealed that:
-
“While the outsourcing boom brings many benefits, it has also shifted risk management dynamics.”
-
“Third, fourth and so-called Nth parties comprise a complex ecosystem that must be navigated carefully.”
-
“Business leaders should employ data management strategies, revise contractual agreements and much more to stay ahead of the third-party risk management curve.”
Defining a fourth party as “an individual, company or other entity that provides goods or services directly to an organization’s third party,” EY said associated risks are similar to those involving third parties, but “they must be considered in conjunction with third-party relationships to understand overall potential impacts given the potential to shift the risk profile of an entire organization.”
Additionally, when it comes to developing the right strategies for risk mitigation, EY said that although 48 percent of the organizations surveyed “find it relatively easy to report on concentration of spend and third-party concentration,” only six percent could say the same about fourth-party concentration.
Based on the results, EY identified three key challenges associated with managing fourth-party risk:
1. Identifying all fourth parties and maintaining a central fourth-party inventory
“The biggest challenge organizations face is not having sufficient knowledge about their fourth parties,” EY said. “While an organization may loosely understand and/or request how a third party is managing its fourth parties, organizations rarely maintain a centralized inventory of fourth-party information or include contract considerations to enforce compliance.”
2. Determining the significance of a fourth party
“One obstacle in creating this type of inventory is uncertainty about which fourth parties to include and where to obtain relevant information about them,” according to EY. “This requires analysis of all fourth parties — largely informed by access to data and business dependency — to determine just how significant each one is to the underlying third-party services. In turn, this determination reveals which fourth parties must be assessed further.”
3. Understanding roles and responsibilities of managing risk by doing business with fourth parties
“There is also some uncertainty around whether the organization or the third party bears responsibility to manage the risk of doing business with the fourth party,” EY said. ”Organizations that delineate clear monitoring and other risk-related roles for management while also clearly outlining third-party duties in a range of scenarios will be best prepared when fourth-party risk issues arise.”
EY provides further recommendations for “determining the right path forward,” which are available in the full post.
In addition to these insights from KPMG and EY, check out this SupplyChainBrain video, “Managing Third Party Risks to Global Supply Chains,” in which Phil Renaud, executive director of The Risk Institute at The Ohio State University’s Fisher College of Business, “runs down the level of risk to supply chains created by relationships with third parties — and relates how a certain type of third party can help to mitigate it.”
