According to a new survey from Deloitte, 57% of global organisations feel they don’t have appropriate visibility of sub-contractors engaged by their third parties (referred to as fourth/fifth parties). A further 21% are unsure of oversight practices, and fewer still (just 2%) routinely review the risk that sub-contractors pose to their organisation.
This is Deloitte’s third global survey on Extended Enterprise Risk Management (EERM). The 2018 study garnered 975 responses from organisations across 15 countries within the Americas, the EMEA and APAC regions. Survey respondents included CFOs, heads of procurement/vendor management, CROs, heads of internal audit and compliance and IT risk function leads.
Kristian Park, EERM partner at Deloitte, commented: “With the European Union’s General Data Protection Regulation (GDPR) coming into force across Europe at the end of next month, organisations will already be looking with renewed focus at their third party structures. For some, there’s still some way to go to implement adequate sub-contractor management. Compliance with the GDPR not only covers organisations themselves, but also the contractors and sub-contractors with whom they engage. Under the new GDPR, sub-contractors representing fourth and fifth parties must be appropriately monitored. While the specific responsibilities will depend on whether they’re considered a data ‘controller’ or ‘processor’, such responsibilities typically include demonstrating robust data security safeguards and reporting data breaches within 72 hours.”
Park added: “In the run-up to 25 May, we would expect to see more organisations make additional investments to adequately manage multiple layers of outsourcers. There’s no ‘one-size-fits-all’ here. The appropriateness of contractor monitoring for the GDPR is defined by the nature of dependency from the perspective of data. The frequency and rigour of monitoring is expected to intensify the greater the reliance in terms of confidential data.”
Regular monitoring of sub-contractors
Regular monitoring of sub-contractors remains low, with just 2% of those organisations surveyed engaging in this periodically and 10% solely reviewing sub-contractors identified as being critical to the continuity of business.
Park continued: “This means that 88% of organisations are either dependent on their third parties to conduct sub-contractor risk reviews or have an unstructured, ad hoc approach to fourth and fifth party oversight. This figure could also indicate that some organisations are simply unaware of their policy or, more alarmingly, don’t have one. At the same time, the survey reveals that some organisations are already making additional investments into EERM initiatives. These organisations recognise the business case and see the opportunity to enable growth, innovation and business performance from their contractors and sub-contractors in a risk-intelligent way.”
Reliance on third parties continues to grow this year with over half (53%) of respondents reporting ‘some’ or a ‘significant’ increase in dependency. Changing regulation and heightened levels of regulatory scrutiny were considered to be the two greatest contributory factors towards increasing the risk inherent in this.
Streamlining EERM systems
Despite critical levels of third party dependency, only 20% of organisations have streamlined their EERM systems and processes. 53% of this year’s respondents now believe that their journey to achieve EERM maturity is two to three years or more.
“This is a significantly longer journey than anticipated in earlier surveys when respondents reported that this could be achieved in six months to a year,” concluded Park. “This reflects a more realistic timeframe. We would expect organisations to be closely aligning plans to address the expected regulatory outlook over this period.”