When establishing a Third-Party Risk Management (TPRM) function, a fundamental step is defining Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs). These indicators are critical as they help measure and monitor the performance and risk levels within the TPRM function, ensuring that the business meets its strategic goals and objectives.
What are KPIs and KRIs?
Key Performance Indicators (KPIs):
These are specific metrics used to evaluate the efficiency and success of an organisation’s activities. In the context of TPRM, KPIs help in assessing how well the business manages its third-party relationships and risks.
Key Risk Indicators (KRIs):
These are metrics used to identify potential risks that could affect the company’s objectives. In TPRM, KRIs help in detecting and mitigating risks associated with third-party interactions.
The Role of a Maturity Model
To align TPRM activities with business outcomes, it’s crucial to develop a maturity model. This model outlines incremental steps towards achieving defined business objectives and ensures a structured approach to improving TPRM processes over time.
Leading vs. Lagging Indicators
- Leading Indicators: Predictive measures that help foresee potential issues before they occur. For example, monitoring stock levels to avoid shortages.
- Lagging Indicators: Reflect past performance, helping to understand what has already happened. For instance, analysing the percentage of regulatory compliance after audits.
KPIs for Effective TPRM Strategy
The following KPIs measure the effectiveness of a TPRM function. Each entry gives the key metric and how to measure it:
- Pre-Contract Sourcing and Procurement Activity:
  - Metric: Number of suppliers sourced.
  - Measure: Percentage of sourced suppliers meeting predefined criteria.
- Contract Negotiation and Drafting:
  - Metric: Timeliness of contract finalisation.
  - Measure: Average duration from initial negotiation to contract signing.
- Risk Assessment and Due Diligence:
  - Metric: Completion rate of initial risk assessments.
  - Measure: Percentage of suppliers with documented risk profiles.
- Ongoing Compliance and Governance:
  - Metric: Number of compliance breaches identified.
  - Measure: Frequency of policy violations detected during supplier relationship management.
- Performance Management:
  - Metric: Supplier performance ratings.
  - Measure: Average score based on key performance indicators such as delivery timeliness, quality, and responsiveness.
- Incident Management and Remediation:
  - Metric: Time to resolution for identified risks.
  - Measure: Average duration from risk identification to closure of remediation actions.
- Platform Utilisation and Effectiveness:
  - Metric: User engagement with TPRM platform.
  - Measure: Frequency of platform access and utilisation for risk assessment and management activities.
- Regulatory Compliance:
  - Metric: Compliance with industry regulations and standards.
  - Measure: Percentage of regulatory requirements met within defined timelines.
Establishing a Third-Party Risk Management (TPRM) Capability
By establishing and consistently monitoring these KPIs, businesses can effectively gauge the performance of their TPRM function. This, in turn, ensures that third-party risks are managed proactively, and business operations align with overall strategic objectives. Regularly reviewing and updating these KPIs is essential to keep pace with the changing risk landscape and regulatory demands.