Third-Party Risk Management (TPRM)

Identify, manage and mitigate risks resulting from third-party relationships

What is third-party risk management?

Companies have always relied on third parties for their business, but now even more so in today’s interconnected global economy. Businesses tend to focus their key competencies in-house, turning to third parties to outsource non-core activities or to receive goods or services. Examples of the benefits of engaging with third parties include: reduced costs, improved operational efficiency, and higher quality in products or services delivered.

Having a good overview of third-party relationships is critical: this enables the company to efficiently run its operations and react promptly in the event of incidents, such as supply chain disruptions, data breaches, and sanctions.

Companies getting into trouble due to the actions of third parties isn’t something new. But the speed and proliferation of negative news and the amount of business disruption it causes is unprecedented. Clients are being increasingly held responsible - and liable - for the actions of others in their value chains.


Third-Party Risk Management (TPRM) refers to the process of identifying, assessing, monitoring, and mitigating potential risks associated with an organisation's relationships with external third parties, such as vendors, suppliers, contractors, and partners, throughout the whole lifecycle.

Third-party risk management involves evaluating potential threats and vulnerabilities that these third parties may introduce to an organisation’s compliance with regulations, reputation, operations, financial stability, data security and other aspects.

The goal of TPRM is to minimise the likelihood and impact of these risks by implementing appropriate controls, policies, and procedures to effectively manage relationships with third parties. 

Third-party risks can take various forms, depending on the type of operations of the company, and the type of relationship with the third party. The products or services delivered by the third party will pose one or more risks for the company, and at different risk levels.

Examples of risk domains typically assessed in TPRM

  • Cybersecurity – the risk related to the third party’s IT environment security

  • Data privacy – the risk related to the third party’s use and handling of data

  • Business continuity – the risk related to the third party’s operations continuity

  • Environment – the risk related to the third party’s practices impacting the environment

  • Labour rights (including human rights, health and safety) – the risk associated with a third party's labour management practices as well as in its value chain

  • Bribery and corruption – the risk related to the third party’s involvement in bribery or corruption

  • Trade compliance (export controls) – the risk related to the third party’s import and export transactions

  • Sanctions – the risk that the third party or any of its personnel appears on a sanctions list

Challenges companies are currently facing in TPRM

Companies face both internal and external challenges when dealing with third parties.

Internal challenges

  • Lack of inventory of third-party relationships and inadequate data available
  • Lack of connections between teams dealing with TPRM
  • Third-party risks are managed in silos
  • No formal agreements with some third parties
  • Different methodologies used to assess third-party risk, often based on subjective criteria
  • Incomplete understanding of what third parties are doing
  • Different types of third parties
  • Manual and duplicated work performed to risk-assess a third party
  • When looking at the full third-party universe of a company, very few third parties are actually included in the risk analysis scope
  • The TPRM process is usually not tech-enabled

External challenges

  • Enhanced stakeholder expectation to have a robust risk management programme
  • Geopolitical and macroeconomic uncertainties
  • Cyber attacks
  • Growing regulatory/supervisory scrutiny. There are multiple regulations around the world on the expectations related to third-party relationships.

The regulatory landscape

TPRM operates within a complex regulatory landscape that involves various local and international laws, standards, and guidelines. Please find below a non-exhaustive list of laws and regulations impacting TPRM.

  • Anti-bribery and corruption laws (e.g., the U.S. Foreign Corrupt Practices Act (FCPA), the UK Bribery Act, French SAPIN II, etc.)
  • Sanctions regimes (imposed by the UN, the EU, the US, etc.)
  • Sustainability-related regulations (e.g., EU Corporate Sustainability Due Diligence directive (CS3D), the Modern Slavery Act, the EU's Deforestation Regulation, etc.)
  • Data protection and cybersecurity regulations (e.g., General Data Protection Regulation (GDPR), Digital Operational Resilience Act (DORA), etc.)
  • Industry-specific regulations

How can PwC help?

A step-by-step approach

We can help you tackle and solve the internal and external challenges related to TPRM, by guiding you in every step of your TPRM journey, from assessing your current maturity stage, to designing the blueprint of your programme, to choosing and implementing a technology, to embedding the programme into your organisation’s strategy and processes.

Even though we can help you at every step of the way, this doesn’t mean that the TPRM programme should be tackled all at once. For example, organisations can choose to focus first on the current state assessment and design of the programme, and look into technology implementation at a later stage. Similarly, the TPRM process could be set up only for a few third-party types or risk domains to start with, and the scope expanded over time.

After the first incremental steps and once the maturity of the TPRM programme increases, it is important to integrate the TPRM model across the other functional areas within the organisation dealing with third parties, to significantly reduce costs, generate value and better respond to changes.

Our methodology: a holistic TPRM framework

PwC has created a fit-for-purpose, holistic TPRM framework to ensure companies manage third-party risks in the most efficient way, in compliance with regulations and aligned with industry standards.

The TPRM framework encompasses different third-party types and risk domains, and consists of the following ‘building blocks’. Each building block can be looked at simultaneously or one by one, depending on the client’s preference.

1. TPRM process – the end-to-end lifecycle, from third-party onboarding to monitoring to termination. This is supported by a TPRM technology.

2. Third-party inventory and risk landscape – the third-party types of an organisation, and the risk domains.

3. People and governance – the organisational structure for managing TPRM, and related roles and responsibilities.

4. Policies and procedures – the documentation of the TPRM programme.

5. Information reporting and dashboards – the metrics to report information on the organisation’s third-party relationships.

6. Training and culture – the company-wide training and communication on the topic.

7. Programme management and improvement – the continuous improvement of the programme aligned with industry standards.

Why invest in a TPRM framework?

  • Compliance with regulations

  • Assessment of the complete third-party population

  • Objective and consistent risk assessments

  • Enhanced control over monitoring post-contract

  • Identification and prioritisation of the most significant risks

  • Ability to onboard suppliers only within risk appetite

  • Resilience and fast responsiveness to incidents or red flags identified

  • Efficiency and automation in the TPRM process through the use of tech

  • Central source of information, easier reporting

  • Increased and more efficient collaboration across teams

  • Good reputation in the market for having a solid programme and working with trustworthy third parties

Why PwC?

  • You will be supported by a dedicated risk management and compliance practice, with more than 100 dedicated professionals in Risk and Compliance teams in Belgium.

  • We will help you apply the latest industry practices, technology innovations, and regulatory feedback impacting TPRM programmes.

  • You will get support through an end-to-end suite of TPRM design, implementation, technology enablement and managed services solutions with the same dedicated team.

  • We will help you leverage proven accelerators built around the TPRM lifecycle based on years of experience, providing a blueprint for success at each stage of the journey.


Contact us

Bruno Deraedt

Director, PwC Belgium

Tel: +32 493 24 04 02

Ben Colson

Director, PwC Belgium

Tel: +32 493 24 04 45