From policy to practice: Why KPMG chose 3rdRisk for third-party risk management
Third-party risk management is moving rapidly up the agenda for many organisations. This blog explores how KPMG and 3rdRisk work together to help teams move from policy on paper to practical, scalable third-party risk management, combining KPMG’s advisory expertise with 3rdRisk’s purpose-built TPRM platform to address evolving regulations such as DORA and NIS2.

Third-party risk management is no longer a “nice to have”. With regulations like DORA, NIS2, and the AI Act on the horizon or already in force, and with geopolitical uncertainty and ESG expectations rising, organisations are under growing pressure to understand and manage the risks hidden in their supplier landscape.
KPMG sees that reality up close. In a recent conversation with one of their third-party risk leaders, Hokkie Blogg, Partner Advisory at KPMG, we explored our brand-new partnership with them and how our collaboration helps clients move from policy on paper to risk management in practice.
3rdRisk is a tool that is fit for purpose and relatively easy to deploy. It’s a complete tool, with a lot of regulations built in out of the box, that can be plug-and-play included in the tool’s monitoring.
A partnership built on experience and trust
The relationship between 3rdRisk and KPMG did not start from scratch. It goes back to earlier collaborations between our founders and KPMG’s team in a previous chapter of their careers.
When our KPMG counterpart moved firms, the relationship moved with them. They already knew the 3rdRisk proposition, had seen how it addressed third-party risk challenges in practice, and recognised the same issues at KPMG clients. That familiarity made it a natural step to explore a formal partnership.
In their words, the foundation for the collaboration lies in three things:
- A long-standing professional relationship.
- Trust in how we work and in what our platform can do.
- A shared view of the challenges in the third-party risk management (TPRM) market.
From there, the idea was simple. KPMG brings deep advisory expertise. 3rdRisk brings a focused, fit-for-purpose TPRM platform. Together, we can help organisations not only design their approach but actually run it.
What KPMG sees in the market
Naturally, we were also curious about what KPMG sees in the market that led them to recognise that their clients could benefit from a collaboration with 3rdRisk. Put simply, KPMG’s clients are dealing with a mix of external pressure and internal complexity.
On the external side, several forces are pushing TPRM up the agenda:
- Regulations such as DORA and NIS2 explicitly require attention to third-party and supply chain risk, especially in cyber and operational resilience.
- ESG expectations raise questions about environmental and social impact across the supply chain.
- Geopolitical developments impact continuity, sanctions exposure, and concentration risk.
- Stricter audits and supervisory scrutiny mean boards are asked much sharper questions about their dependencies on third parties.
On the internal side, clients often struggle with very practical questions:
- Lack of overview: Who are all our suppliers, globally and locally?
- Need for further insights: Where do we depend on the same supplier in multiple parts of the organisation?
- Desire for efficiency: How do we avoid sending the same supplier four different questionnaires from four different departments?
- Data structure: How do we keep all this information up to date in a structured, risk-based way?
KPMG already supports organisations with the strategic and policy side of this. They help define TPRM policies, set risk appetites, and identify which controls are needed. Naturally, clients then ask the next question: “How do we implement this in a manageable way, without drowning in spreadsheets?” That is where technology, and more specifically 3rdRisk, comes in.
Why 3rdRisk fits KPMG’s TPRM approach
When KPMG looked at the technology landscape, they saw a familiar pattern. Many solutions are built as classic GRC tools first, with TPRM added as one of many modules. These platforms can be powerful, but they also tend to be complex to implement, tightly linked to broader ERP or GRC environments, and heavy on licensing and configuration. They are not always a fit-for-purpose solution.
3rdRisk is different in a few important ways:
- Purpose-built for third-party risk
The platform is designed around TPRM from day one, not bolted onto a general GRC stack. That means the workflows, data model, and reporting are aligned directly with supplier and third-party risk.
- Standalone and pragmatic
Organisations can implement 3rdRisk in a matter of weeks, alongside existing systems, without a full ERP or GRC overhaul. It is easier to deploy and manage through its own lifecycle, which lowers time to value.
- Out-of-the-box content
The platform includes regulatory frameworks, standards, and risk domains that can be activated and used directly in assessments and monitoring. That reduces the effort needed to translate policy into concrete questionnaires and controls.
For KPMG, this makes 3rdRisk a practical tool to support the advisory work they are already doing. They can help clients define what “good” looks like, then configure 3rdRisk so that policies, risk appetite, and controls actually show up in day-to-day supplier management.
What makes the collaboration unique for clients
KPMG knows how traditional GRC implementations work, and they also know how challenging they can be. For many organisations, a full GRC rollout is a multi-year journey that demands time, and often money, that isn’t always readily available, especially when a company already has various tools in its toolkit and limited resources for a complex, expensive GRC tool.
The collaboration with 3rdRisk gives clients two choices:
- They can keep or develop their broader GRC landscape.
- At the same time, they can move faster on third-party risk by using a specialised, lighter-weight TPRM platform.
Another practical aspect is flexibility. KPMG can use the 3rdRisk platform as part of joint propositions with us, or under a white-label structure in their own offerings. That means they can tailor how the platform shows up for each client, while still relying on the same core capabilities and technology.
For clients, the benefit is straightforward. They get:
- Advisory support from a global firm that understands their industry, organisation, governance, and risk environment.
- A concrete, usable platform that turns those insights into structured assessments, monitoring, and workflows with suppliers.
- The option, if they wish, to outsource all of their third-party risk management activities to KPMG.
That means you can make plenty of progress without being thrown into the deep end. There is no complex tooling for you to wrap your head around. Instead, you can count on KPMG and 3rdRisk to help you go from theoretical policies to practical risk management.
The TPRM challenges KPMG sees most often
In our discussion, we were also curious about the biggest recurring challenges that KPMG sees in third-party risk programmes. Three key themes stood out.
- Fragmented supplier landscapes
Large organisations often have many legal entities, business units, and local offices. Different teams may buy from the same suppliers independently. Without a central view, it is hard to see total exposure or to coordinate how you engage with key suppliers.
- Inconsistent engagement with suppliers
When supplier data is fragmented, relationship management usually is too. Suppliers may receive separate questionnaires from different stakeholders in the same company, about similar topics such as cybersecurity or EU regulation. That is inefficient for both sides and increases the risk of misalignment.
- Missing risk-based foundations
Many organisations just do “something” on vendor management, but that’s not always from a clear risk management perspective. In fact, KPMG often finds that:
  - There is no explicit risk appetite defined for third parties.
  - Supplier management policies are incomplete or not fully aligned with risk appetite.
  - Controls are not clearly linked back to specific risks.
In their view, a strong TPRM programme starts with those fundamentals. You decide what risks you accept, then define policies and controls to match. A platform like 3rdRisk helps to embed that logic in day-to-day processes, so TPRM does not remain a theoretical framework. In fact, it even helps you assign things like risk appetite, so you can evaluate your measures and the residual risk.
Regulation reinforces this more structured, practical approach. Directives such as DORA and NIS2 explicitly require organisations to look at third-party and supply chain risks. Once you start addressing those requirements, it makes sense to take a broader, more integrated view of third-party risk rather than focusing on a single topic in isolation. After all, managing only a portion of the risks is like cleaning only a part of your house. It’s a good start, but you’d feel much better with it all done.
Looking ahead together
For KPMG, the collaboration with 3rdRisk is a way to connect their advisory strength with a practical, purpose-built TPRM solution. For 3rdRisk, it is an opportunity to support more organisations that are ready to move beyond spreadsheets and scattered questionnaires.
Both parties share a common goal: to make third-party risk management structured, transparent, and easy to manage for everyone, from the board and risk team to the suppliers responding to the questions.
Want to learn more about the 3rdRisk platform? Then check out our on-demand demo or visit our platform page. If you're interested in becoming a partner yourself, feel free to reach out through our contact us page.