Top third-party risks threatening mid-market companies

Protect your mid-market companies from emerging threats and devastating breaches with these five steps to better risk management.

In today’s competitive environment, mid-market companies need to take advantage of opportunities to reduce costs, enhance customer experiences, increase speed-to-market, and improve value and revenue. 

But with the rewards come risk—legal and regulatory compliance, information security/cybersecurity, business continuity, strategic, financial viability, and reputational risks. The fallout from these everyday concerns can be devastating. 

A company that suffers an “extreme reputational event” has an “80% chance of losing at least 20% of its value,” a loss mid-market companies simply cannot endure.[1]

To help your mid-market company survive in the digital age, we have five steps to a better risk management function that can safeguard your data and your reputation. 

Step 1: Don’t scrimp on the due diligence at onboarding

“80% of Department of Justice enforcement actions come as a result of third-party infractions.”

Before signing an agreement with a third party, complete the necessary due diligence; doing so reduces the risk of regulatory enforcement actions from the start. According to the World Economic Forum’s Partnering Against Corruption Initiative, these three stages are essential for proper due diligence:

  1. Understanding the scope of the third-party landscape
  2. Performing risk assessments on individual entities to determine the depth of due diligence each requires
  3. Conducting the due diligence itself

Organizations that forgo proper vetting processes, such as checking a third party’s business reputation and relationships with foreign officials, raise risk levels and create gaps in management.

Step 2: Integrate risks for total impact

Separate business units operating in isolation from one another allow third-party risk to grow. The “siloed approach” aligns each discipline with its own category of risk, e.g., the finance department owns financial risk. However, this approach ignores cross-cutting factors such as geopolitical exposure or supplier performance. A robust risk management strategy with cross-division collaboration helps mid-market companies understand the full spectrum of potential risks and respond effectively.

Step 3: Now keep at it

Risk doesn’t take a vacation, and neither should your management of it. Ongoing monitoring after the initial onboarding research is crucial. From periodic due diligence to compliance certification requests, monitoring keeps your company in control of dangerous situations. Tracking key risk indicators and regularly searching litigation databases help, but a full-fledged supplier management solution is the best-case scenario. Of course, achieving that level of management isn’t easy, which is why you have help. (See below.)

Step 4: Safeguard your network from breaches

According to a Forbes Insights report, almost half of all organizations said a breach had damaged their reputation,[4] and breaches, unfortunately, happen frequently.

Statistics indicate that third-party data insecurity is both prevalent and persistent. A 2017 Bomgar report found several troubling data points:[5]

  1. 67% of survey respondents had experienced a data breach as a result of vendor access.
  2. The number of vendors with weekly access to a company's network spiked by 103% from 2016 to 2017.
  3. 34% of companies operate on an on/off third-party access model, providing either zero or complete access.

To close any gaps following a breach, a company first needs to know one occurred, and that is not always the case. According to a survey conducted by the Ponemon Institute, more than one-third of respondents doubted they would receive notification from their third-party vendor in the case of a breach, while 73% doubted they would receive notification about a fourth-party breach. With settlement payments and legal fees totaling tens of millions, if not hundreds of millions, for some third-party breaches, any data insecurity can devastate a mid-market company.

Step 5: Be better than “good on paper”

Even with a comprehensive risk management program—quickly handled red flags, an airtight end-to-end workflow, well-researched onboarding—the dreaded “checkbox” scenario threatens to leave mid-market companies exposed if full execution is not maintained. For true peace of mind and effective risk management, all aspects of the program must be in place and functional.

We know it’s not easy, but KPMG can help

Mid-market companies struggle with day-to-day activities, and a detailed risk management program may not be in the cards for your already exhausted team. KPMG can help. We have the industry knowledge and mid-market experience to help your company integrate emerging technologies and achieve full execution of its risk management function.

With the right program and process innovation, you can thwart and/or survive a potentially damaging event with a rapid response that mitigates risk and keeps your reputation in good standing.

[1] Source: Aon, “Oxford Metrica Reputational Review” (2012).
[4] Source: Forbes Insights, “The Reputational Impact of IT Risk” (2014).
[5] Source: Bomgar, “The Secure Access Threat Report” (2017).