Third party risk management

June 2025  |  TALKINGPOINT | RISK MANAGEMENT

Financier Worldwide Magazine

June 2025 Issue


FW discusses third party risk management with Dan Click, Diana Keele and Joey Gyengo at KPMG LLP (US).

FW: Could you provide an overview of third-party risk and why it is so important for companies to address it? How can business relationships expose companies to potential problems?

Gyengo: Third-party risk refers to the potential threats posed by individuals or entities with whom the company has a business arrangement, by contract or otherwise, such as vendors, suppliers, service providers, affiliates or contractors. It is crucial for companies to address this risk because these individuals and entities can impact the company’s operations, data security, regulatory compliance and reputation. Third-party relationships can expose companies to various problems, including data breaches, financial losses, regulatory fines and reputational damage if the third parties fail to adhere to required standards or engage in fraudulent activities. By rigorously assessing and managing third-party risk, companies can safeguard their assets, improve compliance with regulations and maintain trust with stakeholders. This involves conducting thorough due diligence, continuous monitoring, periodic auditing and implementing robust contractual agreements to mitigate potential risks.

By rigorously assessing and managing third-party risk, companies can safeguard their assets.
— Joey Gyengo

FW: What key regulatory issues do companies face with regard to third parties? How have regulations and related requirements in this area evolved in recent years?

Click: Both US and international regulatory bodies continue to evolve their oversight requirements as organisations expand their third-party support model. Regulatory drivers are expanding across the risk domains impacting third-party risk management (TPRM), with ESG-related (environmental, social and governance), IT and data privacy, and operational risk-focused regulations. In financial services, interagency guidance continues to push the evolution of third-party oversight, including driving further definition and expansion of overarching third-party definitions. With more organisations relying on third parties to support their business, regulators are continuing to emphasise the importance of TPRM within organisations as an extension of control evaluation to the enterprise’s business.

FW: In your opinion, do organisations typically pay enough attention to third-party risk management (TPRM)? How are companies generally coordinating third-party risk across the enterprise, given risks span procurement, cyber, finance, compliance, and so on?

Gyengo: Organisations are enhancing their focus on TPRM due to the continued evolution of, and need for, third parties to provide business services in a cost-effective and efficient manner. An evolution to a singular TPRM oversight model is expanding in most industries, where historically pockets of third-party risk oversight may occur in silos across specific risk domains, such as compliance and cyber. By evolving to a centralised model, organisations are realising the benefits of reduced business-owner pain in the process through a single procurement-type intake, greater risk coverage across the third-party population, and enhanced visibility into risks impacting the third party via centralised data.

Real-time monitoring and predictive modelling will become necessary as regulatory landscapes evolve.
— Diana Keele

FW: What steps should companies take to vet third parties? How can they make the process more efficient and effective?

Click: Vetting third parties is crucial for mitigating relevant risks. Companies should adopt a systematic and risk-based approach, starting with a thorough risk assessment to understand the potential threats posed by third parties, followed by a number of key steps. First, conduct comprehensive background checks, including financial stability, legal history and reputation analysis. Second, evaluate the third party’s technical, operational and compliance capabilities to validate that they meet set standards. Confirm certifications, licences and past performance reviews. Third, draft clear contracts with detailed terms and conditions, including non-disclosure agreements and compliance requirements. Fourth, implement ongoing risk-based oversight mechanisms, such as automated alerts, to track performance and compliance. Finally, conduct periodic reviews and audits to assess adherence to agreements and identify any emerging risks. To enhance efficiency, leverage technology platforms to automate due diligence processes, utilise risk management software for continuous monitoring and train employees on leading practices for vetting. Also look for opportunities to reduce redundant or non-utilised questions within the questionnaires sent to third parties.

FW: To what extent are companies leveraging artificial intelligence and automation for TPRM? In what ways can technology be deployed?

Keele: Many companies use automation in TPRM as a force multiplier to enhance efficiency and consistency. Traditional automation handles tasks like notifications and questionnaire management. Advanced technologies like generative artificial intelligence (GenAI) and machine learning (ML) analyse documents and integrate risk data. Industry leaders are moving toward real-time monitoring systems powered by AI and ML, enabling dynamic evaluation of vendor risk. The integration of GenAI in document reviews will streamline and improve risk assessments. A data-driven approach will offer a comprehensive understanding of vendor risks, allowing better resource allocation and proactive strategies. Real-time monitoring and predictive modelling will become essential as regulatory landscapes evolve and cyber threats grow more sophisticated.

Educate internal teams on the importance of TPRM and best practices.
— Dan Click

FW: What essential advice would you offer to organisations on setting out effective strategies to manage ongoing relationships with third parties? What potential consequences await those companies that fall short?

Click: To manage ongoing relationships with third parties effectively, organisations should adopt a comprehensive risk-based strategy encompassing several key elements. Start with clear contracts that outline expectations, deliverables, compliance requirements and penalties for non-compliance. Have terms and conditions tied to specific risk areas, such as not using subcontractors, and penalties for non-compliance with data protection laws. Maintain open and consistent communication channels to address issues promptly and foster strong, collaborative relationships with third parties. Implement continuous monitoring mechanisms to assess third-party performance against predefined metrics and compliance standards. Conduct regular audits to assess whether third parties are adhering to contractual terms and to identify any potential risks early. Establish a risk management framework tailored to third-party interactions, including risk assessment, mitigation plans and incident response protocols. Additionally, educate internal teams on the importance of TPRM and best practices. Failing to manage these relationships can lead to severe consequences, including regulatory fines, legal liabilities, financial losses, operational disruptions and reputational damage.

FW: Looking ahead, what are your predictions for TPRM trends over the years ahead?

Keele: Industry leaders are embracing continuous, real-time monitoring systems powered by AI and ML, complementing traditional risk assessments. GenAI is streamlining document reviews, enhancing risk assessment accuracy. Data consolidation will create comprehensive, updated risk profiles, enabling proactive risk management. Real-time monitoring and predictive modelling will become necessary as regulatory landscapes evolve, cyber threats grow and third-party portfolios expand. In addition, we are starting to see, and will continue to see, the emergence of new risk domains or shifts in risk domains impacting TPRM. Domains like ESG or, more recently, geopolitical risks unique to each third party providing services for organisations can dramatically impact strategic outsourcing decisions for organisations.


Dan Click is a partner in the KPMG risk services practice with over 30 years of experience specialising in third-party and vendor/supplier risk management, transforming clients’ risk operations to meet regulatory and business needs. Previously, he served as associate vice president, global anti-corruption compliance for a Fortune 250 retailer and as the senior manager of global investigations at a global automotive manufacturer. He can be contacted on +1 (220) 219 3521 or by email: dclick@kpmg.com.

Diana Keele is a managing director and leader in third-party risk and cyber security with over 15 years of experience. She excels in developing comprehensive risk management frameworks, enhancing cyber resilience and ensuring compliance. She has successfully led projects that protect organisations from cyber threats and third-party vulnerabilities, committed to delivering secure and efficient operations through effective risk management practices. She can be contacted on +1 (602) 203 9004 or by email: dkeele@kpmg.com.

Joey Gyengo is a principal at KPMG who specialises in third-party and enterprise risk management with over 20 years of experience. He excels at developing robust risk frameworks, optimising compliance strategies and mitigating potential business risks. He has led numerous successful projects that enhanced organisational resilience and efficiency. He is committed to helping companies achieve secure and compliant operations through effective third-party risk management practices. He can be contacted on +1 (404) 863 5801 or by email: jgyengo@kpmg.com.

© Financier Worldwide
