Companies have always relied on third parties for their business, but now even more so in today’s interconnected global economy. Businesses tend to focus their key competencies in-house, turning to third parties to outsource non-core activities or to receive goods or services. Examples of the benefits of engaging with third parties include: reduced costs, improved operational efficiency, and higher quality in products or services delivered.
Having a good overview of third-party relationships is critical: this enables the company to efficiently run its operations and react promptly in the event of incidents, such as supply chain disruptions, data breaches, and sanctions.
Companies getting into trouble due to the actions of third parties isn’t something new. But the speed and proliferation of negative news, and the amount of business disruption it causes, is unprecedented. Clients are increasingly being held responsible, and liable, for the actions of others in their value chains.
Third-Party Risk Management (TPRM) refers to the process of identifying, assessing, monitoring, and mitigating potential risks associated with an organisation's relationships with external third parties, such as vendors, suppliers, contractors, and partners, throughout the whole lifecycle.
Third-party risk management involves evaluating potential threats and vulnerabilities that these third parties may introduce to an organisation’s compliance with regulations, reputation, operations, financial stability, data security and other aspects.
The goal of TPRM is to minimise the likelihood and impact of these risks by implementing appropriate controls, policies, and procedures to effectively manage relationships with third parties.
Third-party risks can take various forms, depending on the type of operations of the company and the type of relationship with the third party. The products or services delivered by a third party will expose the company to one or more of the risk domains below, each at its own risk level.
Cybersecurity – the risk related to the third party’s IT environment security
Data privacy – the risk related to the third party’s use and handling of data
Business continuity – the risk related to the third party’s operations continuity
Environment – the risk related to the third party’s practices impacting the environment
Labour rights (including human rights, health and safety) – the risk associated with a third party's labour management practices, as well as those in its value chain
Bribery and corruption – the risk related to the third party’s corruption/bribery actions
Trade compliance (export controls) – the risk related to the third party’s import and export transactions
Sanctions – the risk that the third party or any of its personnel appears on a sanctions list
Companies face both internal and external challenges when dealing with third parties.
TPRM operates within a complex regulatory landscape that involves various local and international laws, standards, and guidelines. Please find below a non-exhaustive list of laws and regulations impacting TPRM.
We can help you tackle and solve the internal and external challenges related to TPRM, by guiding you in every step of your TPRM journey, from assessing your current maturity stage, to designing the blueprint of your programme, to choosing and implementing a technology, to embedding the programme into your organisation’s strategy and processes.
Even though we can help you at every step of the way, this doesn’t mean that the TPRM programme should be tackled all at once. For example, organisations can choose to focus first on the current state assessment and design of the programme, and look into technology implementation at a later stage. Similarly, the TPRM process could be set up only for a few third-party types or risk domains to start with, and the scope expanded over time.
After the first incremental steps and once the maturity of the TPRM programme increases, it is important to integrate the TPRM model across the other functional areas within the organisation dealing with third parties, to significantly reduce costs, generate value and better respond to changes.
PwC has created a fit-for-purpose, holistic TPRM framework to ensure companies manage third-party risks in the most efficient way, in compliance with regulations and aligned with industry standards.
The TPRM framework encompasses different third-party types and risk domains, and consists of the following ‘building blocks’:
Each building block can be looked at simultaneously or one by one, depending on the client’s preference.
1. TPRM process – the end-to-end lifecycle, from third-party onboarding to monitoring to termination. This is supported by TPRM technology.
2. Third-party inventory and risk landscape – the third-party types of an organisation, and the risk domains.
3. People and governance – the organisational structure for managing TPRM, and related roles and responsibilities.
4. Policies and procedures – the documentation of the TPRM programme.
5. Information reporting and dashboards – the metrics to report information on the organisation’s third-party relationships.
6. Training and culture – the company-wide training and communication on the topic.
7. Programme management and improvement – the continuous improvement of the programme aligned with industry standards.
Compliance with regulations
Assessment of the complete third-party population
Objective and consistent risk assessments
Enhanced control over monitoring post-contract
Identification and prioritisation of the most significant risks
Ability to onboard suppliers only within risk appetite
Resilience and fast responsiveness to incidents or red flags identified
Efficiency and automation in the TPRM process through the use of technology
Central source of information, easier reporting
Increased and more efficient collaboration across teams
Good reputation in the market for having a solid programme and working with trustworthy third parties
You will be supported by a dedicated risk management and compliance practice, with more than 100 dedicated professionals in Risk and Compliance teams in Belgium.
We will help you apply the latest industry practices, technology innovations, and regulatory feedback impacting TPRM programmes.
You will get support through an end-to-end suite of TPRM design, implementation, technology enablement and managed services solutions with the same dedicated team.
We will help you leverage proven accelerators built around the TPRM lifecycle based on years of experience, providing a blueprint for success at each stage of the journey.