Third-Party Risk Management Outlook 2022

Time for action.

Greg Matthews

Partner, FS Regulatory & Compliance Risk, KPMG US

+1 212-954-7784

As the economic recovery picks up speed, third-party risk management (TPRM) is more important than ever before. Faced with supply chain disruption, cyber threats and growing inflationary pressure, global businesses are assessing their operational resilience and reviewing their dependence on third and fourth parties. 

KPMG International's new research - which surveyed 1,263 senior TPRM professionals across six sectors and 16 countries worldwide - reveals that TPRM is a strategic priority for 85 percent of businesses, up from 77 percent before the outbreak of the pandemic. Nonetheless, the outlook for TPRM presents no shortage of challenges.

Our findings demonstrate the need for TPRM leaders to make a step change in their operating models and their approach to third-party risk. This need will only grow as supply chains and broader ecosystems continue to expand, and the risk presented by fourth parties creates further complexity.

1. Third-party incidents are disrupting the business and damaging reputation
Weaknesses in the TPRM operating model, leading to missed opportunities to mitigate risk, are proving to be a major problem for businesses worldwide. Three in four (73 percent) respondents to our survey have experienced at least one significant disruption, caused by a third party, within the last three years. 

2. Businesses underestimate the need for a sound TPRM program, resulting in insufficient budgets
Practitioners are held back by limited budgets that see them prioritizing tactical initiatives over strategic improvements. Six in 10 (61 percent) believe TPRM is undervalued considering its enterprise-critical role. If businesses understood the full complexity of a sound TPRM program, rather than narrowing in on its individual components, they could support larger budgets while benefiting from new efficiencies around operational resilience, cyber security and fraud.

3. Technology is not yet fulfilling its promise
Respondents expect to use technology to automate or support 58 percent of TPRM tasks within three years, which will free them to focus on activities that require human review and interaction. Today, however, 59 percent are frustrated by the lack of visibility that their technology gives them around third-party risk. 

4. The challenge of limited resources is here to stay
TPRM programs are continuing to evolve while teams contend with a growing body of work. Digital tools will help shoulder the burden, but TPRM’s remit is expanding across all risks, domains, and types of third parties. The proportion of businesses assessing all third parties for environmental risk is, for example, expected to reach 30 percent within three years. A risk-based approach, allocating resources to the highest-risk arrangements, would be preferable.

5. Most businesses struggle to maintain a fit-for-purpose TPRM operating model
Respondents largely accept that it was luck, rather than their TPRM programs, which helped them avoid a major third-party incident during the COVID-19 pandemic. In turn, 77 percent believe that overhauling the operating model is overdue.