Four key considerations for businesses in third-party risk management

Building an effective framework, providing sufficient training, and launching data sets can enable businesses to navigate third-party risks.

Whether it’s a greenwashing issue or a data breach, there are no quick fixes for businesses when addressing reputational damage. This is why third-party risk management (TPRM) programmes are needed. Businesses should move towards proactive management instead of being reactive, meaning to be ahead of the risks and understand what these risks could be, Gavin Rosettenstein, KPMG Australia partner and lead for Asia Pacific, advised. 

Citing results of its research in 2022, KPMG said that 85% of businesses worldwide had TPRM as their top priority, up from 77% before 2020. This is also reflected in a 2023 Moody’s Analytics study which showed that 70% of businesses globally are growing their TPRM investment.

Purpose-built framework

One key consideration for this move is for businesses to create an efficient and effective framework that would better manage their third-party risk. 

“It’s looking beyond what you’d see as your high-risk suppliers and increasing your understanding of your risks across your remaining third parties,” Rosettenstein told the Singapore Business Review. 

He also underscored that there is no one-size-fits-all approach when it comes to TPRM and that the framework should be “purpose-built.”

In this context, Singapore’s central bank revealed that banks in the Lion City had already established a “proper governance structure and framework to facilitate effective and adequate management attention on and oversight of operational risk.”

This entails developing and implementing operational risk management policies and standards that are appropriate for their strategies and risk appetite.

Top-level support

The second consideration is to gain management support within corporates at the highest level. With that support, companies must implement a TPRM programme with a process that may include a suppliers’ onboarding mechanism, said Choon Hong Chua, senior director and head of the Financial Crime Practice Group for APAC and the Middle East at Moody’s Analytics.

The right tools

For the third key consideration, Choon said there must be the right tools for data collection, automation and risk assessment. An example is a consultancy agency’s risk assessment tool that could use artificial intelligence or AI to help analyse, monitor, and evaluate third-parties.

Nothing beats training

The last consideration, Choon cited, is that businesses should provide adequate training to ensure accurate TPRM strategies.

Pieces of training may come from the US Office of Foreign Assets Control to provide a high-level understanding of a sanctions programme. Other training may include understanding risks and how TPRM is an important part of businesses’ enterprise risk management programme.

“We cannot forget the most important part is that people are in the process; where adequate training needs to be done throughout the entire organisation,” Choon stressed in an interview with the Singapore Business Review.

Technology not quite there, yet 

The KPMG study on TPRM also showed that companies expect to use technology to replace manual tasks or support 58% of TPRM tasks within three years. But the majority of them are frustrated by the lack of visibility that their technology on TPRM delivers. Many of the firms who participated said they often encounter data issues.

Saying that technology’s promise is not fully working yet, Rosettenstein emphasised that businesses need to consider how they are using the technology and how it is being integrated in their businesses.

“You can get great success through the life cycle of truly understanding within the workflow,” said Rosettenstein, who advised a thorough understanding of the entire process, from supplier onboarding to risk assessment, due diligence, and accurate record-keeping.

For Choon, businesses can leverage technology to aid in supplier onboarding and risk assessment. 

Offboarding and disengagement

One common third-party risk is cybersecurity threats and it continues to disrupt businesses and damage reputations. This is where businesses may start to “offboard and disengage” with their third-party vendors or suppliers.

According to the KPMG study, businesses are required to ensure their service continues to be delivered despite exiting from a third-party vendor in the event of a stressful situation or unsatisfactory performance.

“Mapping specific services to products and processes within the organization is required to help complete the exercise,” read the study.

As a corollary, Rosettenstein advised that businesses need to know the legal ramifications as there may be potential reclaiming of sensitive data or stock that may still be within the supplier’s premises.

Common risks

In Singapore, some of the challenges for TPRM may vary from one industry to another. For example, Rosettenstein said the retail industry may experience challenges in access to products at the “right time, the right volumes, and the right price.”

Choon of Moody’s Analytics said Singapore’s most significant TPRM issue is how to navigate the constantly changing sanctions landscape that results from tension between larger nations. For example, there are quickly evolving rules between the US and China, subsequent to growing tensions between Taiwan and Beijing, as recently raised by Prime Minister Lee Hsien Loong. There are also new EU penalties targeting countries it doesn’t believe are doing enough to prevent evasion of sanctions on Russia.

“For Singapore, corporations need to be very careful that we stay on top of it and don’t miss our obligations to new and changing sanctions’ requirements. As a trading hub we need to be mindful of how we (do business),” he added.

In the Asia Pacific region, KPMG reported that 71% of retail businesses said they suffered from supply chain disruption, monetary loss, or even reputational damage in the last three years due to a supplier. 

KPMG’s Rosettenstein also said businesses are underestimating the need for “sound TPRM programmes” due to insufficient funding. Limited funding is a challenge because a lot of skilled human resources are necessary to identify what risks have to be addressed.

There is much more to assessing supply arrangements across a broader array of risks and things such as modern slavery, fraud, and data of resilience, Rosettenstein said. The inability to be able to cover those risks is a failure at enabling individuals to provide support. 

Looking ahead, Choon said businesses should look into managing third-party risks to safeguard their businesses and how to maintain resilience amidst uncertainties in global political issues.

Ultimately, the hope is that an appreciation of TPRM will drive an increase in both budgets for businesses and requirements to better understand their supply chain, said Rosettenstein.