Third-party risk management challenges persist in APAC: KPMG

85% of businesses view third-party risk management as a strategic priority, but many still struggle to establish fit-for-purpose programmes.

Businesses in the Asia Pacific region are facing a more complex and competitive global marketplace, leading to increased reliance on third-party suppliers to deliver critical products and services, a recent study by KPMG showed.

This was highlighted by Gavin Rosettenstein, APAC lead and partner for KPMG Australia, when interviewed recently by the Asian Business Review about his insights on third-party risk management (TPRM) challenges in the region.

Rosettenstein cited a 2022 global survey of 1,260 senior TPRM professionals across 16 countries and territories, which revealed that 85% of businesses view TPRM as a strategic priority, up from 77% previously.

However, the survey also identified several key challenges. These include third-party incidents disrupting businesses and damaging reputations.

“Our data showed that we had 71% of our retail organisations reporting that they’ve encountered a supply chain disruption, monetary loss, or reputational damage in the last three years as a result of a supplier,” said Rosettenstein.

Other challenges included businesses underestimating the need for sound TPRM programmes, leading to insufficient budgets. The survey found that 59% of organisations allocate funding to business-as-usual resource costs rather than strategic TPRM improvements.

“TPRM is heavily undervalued, given its enterprise critical role. So it’s not getting the attention that it requires within organisations,” Rosettenstein lamented.

Additionally, technology is currently failing to deliver on its promise due to integration challenges, poor-quality data, and a lack of skills. Rosettenstein highlighted that limited resources remain a challenge, with organisations lacking skilled personnel to assess supply arrangements across a broader array of risks.

Moreover, many organisations struggle to establish fit-for-purpose TPRM programmes, with only a third stating that their programme is well integrated into other risk and business functions.

To address these challenges, Rosettenstein recommended that organisations revisit their overall approach to TPRM, focusing on foundational elements such as frameworks, policies, procedures, operating models, and technology.

He said businesses should also look beyond high-risk suppliers and increase their understanding of risks across their entire supply base. This requires setting up a framework to identify key suppliers and their associated risks, with tailored safeguards, governance, and management controls.

Rosettenstein acknowledged that many organisations struggle with technology integration and advised businesses to invest in automation for supplier onboarding, due diligence, and record-keeping. Integrating multiple data sources for risk profiling and monitoring can also help businesses make better-informed decisions.

“The need here is to move towards proactive management as opposed to what is reactive. So, be ahead of it and understand what those risks could be,” he said.

To streamline the risk-tiering of third-party services, Rosettenstein stressed the need for businesses to develop criteria for determining the inherent risks posed by suppliers based on factors such as business criticality and access to sensitive data. This enables organisations to allocate resources to the highest-risk areas and manage them more effectively.

Rosettenstein predicts that TPRM will continue to gain increased focus at senior levels within organisations, driving budget increases and an emphasis on proactive management of supply risks.

He believes that maintaining operational resilience amid ongoing change and uncertainty will be key for businesses in the Asia Pacific region.