The greatest risk to the enterprise may come from outside the organisation: a recent online poll conducted by Deloitte found that 70% of respondents indicated a moderate to high level of dependency on external entities that might include third, fourth or fifth parties. Nearly half (47%) of respondents also said their organisations had experienced some sort of risk incident involving the use of external entities in the last three years.
“The risk comes from needing to trust that these third parties and their sub-contractors are not making mistakes in handling data, ensuring privacy or doing anything else that would harm the business,” explained Dan Kinsella, extended enterprise and third party assurance leader in the Risk and Financial Advisory Practice and partner with Deloitte & Touche LLP.
“Executives extend the enterprise every time they use a cloud service, outsource a business process or otherwise spread operations beyond the traditional four walls of their organisation. Whenever this happens, benefits and risks are derived from those interactions with third parties.”
Overall, organisations are concerned with several extended enterprise risks, including financial, regulatory, legal and strategic risks, that need to be managed centrally. Responses* to the question ‘Who oversees risk governance of your organisation’s extended enterprise?’ illuminate another challenge for extended enterprise risk management. Of the poll respondents, 24% indicated it was the Board Risk Committee’s responsibility, while 17% pointed to the Audit Committee and another 11% to the full Board, with the remainder pointing to an internal auditor or external stakeholder. Some just don’t know who’s responsible for managing extended enterprise risk.
Same risk standards
A recent Deloitte risk management survey of CEOs and Boards found that 62% of CEOs fail to hold their extended enterprise to the same risk standards as their own organisation, despite leaders seeing IT providers as posing the greatest threat. A clear line of extended enterprise risk management governance is invaluable to the overall success of the organisation. Senior leadership can create an accountable extended enterprise risk management organisation to mitigate key risks falling through the cracks of the first, second or third lines of defence.
Emerging capabilities of technology-driven systems, applications, controls, programmes and methodologies can improve and accelerate efficiencies. They can also improve compliance and decrease risks from reputation damage, regulatory missteps, consumer backlash and cyber threats. According to poll respondents, their organisations are likely to invest in such emerging technologies and tools during the next 12 months, including cloud computing (31%), robotics process automation (18%), data visualisation (12%), cognitive technologies (7%), blockchain (7%) and Internet of Things (IoT) (6%), among others.
Examples of leveraging these technologies in the extended enterprise include some insurance companies using data feeds from IoT sensors embedded in cars to adjust owners’ risk premiums, awarding lower premiums to drivers with safe records and charging higher premiums to drivers with riskier driving habits. This capability is disrupting the traditional insurance model, which requires specialist third parties to collect data on a manual basis in order to calculate premiums. Many organisations are already using technologies such as robotics process automation and blockchain to improve clarity about risk exposures and for processing invoices and conducting compliance checks.
Third party ecosystems
Security around third party ecosystems is a legitimate concern for organisations of all sizes. 38% of those polled specified their organisations’ intent to focus on cyber risks in the extended enterprise for the ensuing 12 months. To manage the associated risks better, organisations need an approach whereby they address their cyber risk concerns from the beginning of vendor procurement and include sets of security requirements and controls via contract.
2019 likely will demonstrate the increasing importance of extended enterprise risk management programme maturity to mitigate risks, safeguard compliance and drive business value. Efficiency will also likely be improved in the process as third party ecosystems grow and third parties take on more and more mission-critical core functions in the organisation.
*Responding industry sectors in the survey included banking, capital markets and investment (20%), technology (12%), transportation and hospitality (11%), retail and consumer products (10%), life sciences and healthcare (8%), telecoms, media and entertainment (6%), insurance (5%), industrial products (5%), oil and gas (5%) and power and utilities (3%).