From threat to opportunity: Key focus areas for building an integrated third-party risk management (TPRM) programme


The focus on emerging risks like cyberattacks, geopolitical conflicts, human rights violations and forced labour in the supply chain has increased the importance of TPRM programmes in organisations and become a key theme in boardroom conversations.

Further, risks posed by third parties are often managed in silos, with procurement managing onboarding document verifications, legal managing compliance checks, information security (InfoSec) teams managing cyber and data privacy risks, and so on. With global and Indian regulations related to environmental, social and governance (ESG), like the Securities and Exchange Board of India’s Business Responsibility and Sustainability Reporting (BRSR), coming to the fore, the focus on human rights and ESG risks of third parties is also rising in India and globally, which, in turn, would require additional checks to be conducted.

Running the TPRM programme in silos does not provide a unified view of the organisation's risk posture and can potentially result in reputational, operational, and financial risks.

To understand the challenges posed by third party risks and initiatives being taken by organisations to build integrated TPRM solutions, PwC India hosted multiple TPRM summits and surveys across India this year.

Given below are some key themes that have come up during the discussions and surveys conducted by PwC.

Theme 1: Top risks organisations feel exposed to in the next 12 months

More than 40% of organisations we surveyed highlight cybersecurity as a key risk. Over the last few years, the number of third parties which can access an organisation’s network and manage confidential information has increased significantly.1

This has led to an increase in cases of cyberattacks on organisations in which the third party’s system is hacked, resulting in the leak of confidential information. While traditional risk assessments offer a point-in-time view of the security posture of third parties, the focus is now shifting to proactive, continuous monitoring of third parties, along with critical fourth parties, to ensure supply chain resilience and transparency.

Geopolitical risk also emerged as one of the top risks for more than 25% of organisations. With the ever-evolving geopolitical dynamics, organisations are looking to focus on business continuity risks and incorporate a ‘+1’ strategy for key suppliers and countries of production.2

 

Key insights

While cyber risk continues to dominate as the top risk of focus, Indian organisations have highlighted that the top risks vary across industries. Hence, every organisation needs a tailored TPRM programme which considers industry, geography and regulatory requirements as some of its inputs.

Theme 2: Areas of focus for investment in technology in the next 12 months

The top focus area highlighted by nearly 30% of organisations is artificial intelligence (AI) and machine learning (ML) technologies.3

Companies today are expanding the scope of third-party reviews to include intermediary (IBO) and ultimate beneficiaries (UBO) of organisations. Identifying these ownerships is difficult as there are multiple layers and jurisdictions involved, which are complex and time-consuming to unearth through manual reviews. However, with newer technologies connecting multiple data sources available in multiple languages across the globe, the entire ownership structure of a third party can be created and displayed, which allows for greater transparency and informed decision-making before onboarding the third party. Additionally, new-age technologies can also predict concentration risk at the time of third-party onboarding to help organisations make informed choices on operational resilience.

 

Key insights

Indian organisations are not shying away from making bold investments in AI and cybersecurity tools to enhance their TPRM programmes.

Theme 3: Current technology deployed by organisations for Third Party Risk Management 

A staggering 58% of organisations highlighted that even today, manual or ad hoc processes were being used to manage third-party risks.4 Cost and the lack of a business case, a right-fit solution and a skilled team were highlighted as reasons for not deploying a technology-based platform.

However, there is a growing consensus that the manual approach was resulting in delayed onboarding, missed supplier reviews that were identified during audits, limited ongoing reviews, and no defined issue management and remediation process. Also, with most organisations either exporting globally, being part of a global firm or planning to list, any control gap would result in serious regulatory non-compliance with the US’s Foreign Corrupt Practices Act (FCPA) and the UK’s Bribery Act, along with reputational damage and possible debarment from government contracts.

 

Key insights

Focus on digital transformation through technology adoption will continue to increase in India. Key features like in-built segmentation criteria, inherent risk assessment questionnaires, single unified rating, audit trails, due diligence workflows and issue remediation are essential components while choosing the right technology for your organisation.

Theme 4: Advantages of an integrated Third Party Risk Management solution

Adopting a centralised TPRM programme can address a wide array of risks in a unified manner. It also enables organisations to request third parties to submit all the requirements for risk assessments in one go, which reduces the time taken to onboard the third party.

Operating with an integrated approach, as opposed to a siloed or fragmented (by product/service/function/region) outlook, also results in an enhanced user experience for suppliers, buyers and business teams.

With a tech-enabled platform, organisations can also get a holistic view of the risks posed by a third party, as the central TPRM team manages the operational aspects of the programme across risks, while the respective risk SMEs act as decision makers for the risk exposure in their domain.

Over time, organisations use the TPRM platform to create a single source of truth to track multiple third-party risks and link it with performance management. This gives a unified view of the third party across external risks as well as its compliance with the key performance indicators (KPIs) and service level agreements (SLAs) laid out in contracts, which informs future decisions on renewals.

Building resilient supply chains through adoption of technology and an integrated approach to manage TPRM risks will be the key pillars which organisations will be focusing on as they move towards increasing the maturity of their programmes.

 

Key insights

A key concern highlighted by organisations in their journey to integrate third-party risk management was data quality. With the use of multiple legacy systems, multiple ERPs in place due to mergers and acquisitions, or decentralised processes, disparate data sets exist across an organisation which have to be standardised in order to draw meaningful insights.

Sources

Contact us

Anu Purkayastha

Partner – Risk Consulting, PwC India
