“Extended enterprise risk management set to be keen focus in 2019” asserts Deloitte

A recent online poll conducted by Deloitte, which recognises that the greatest risk to the enterprise may come from outside the organisation, found that 70% of respondents reported a moderate to high level of dependency on external entities, which might include third, fourth or fifth parties. Nearly half (47%) of respondents also said their organisations had experienced some sort of risk incident involving the use of external entities in the last three years.

“The risk comes from needing to trust that these third parties and their sub-contractors are not making mistakes in handling data, ensuring privacy or doing anything else that would harm the business,” explained Dan Kinsella, extended enterprise and third party assurance leader in the Risk and Financial Advisory Practice and partner with Deloitte & Touche LLP.

“Executives extend the enterprise every time they use a cloud service, outsource a business process or otherwise spread operations beyond the traditional four walls of their organisation. Whenever this happens, benefits and risks are derived from those interactions with third parties.”

Overall, organisations are concerned with several extended enterprise risks including financial, regulatory, legal and strategic risks that need to be managed centrally. Responses* to the question: ‘Who oversees risk governance of your organisation’s extended enterprise?’ illuminate another challenge for extended enterprise risk management. 24% of poll respondents indicated it was the Board Risk Committee’s responsibility, while 17% pointed to the Audit Committee and another 11% to the full Board, with the remainder to an internal auditor or external stakeholder. Some just don’t know who’s responsible for managing extended enterprise risk.

Same risk standards

A recent Deloitte risk management survey of CEOs and Boards found that 62% of CEOs fail to hold their extended enterprise to the same risk standards as their own organisation, despite leaders seeing IT providers as posing the greatest threat. A clear line of extended enterprise risk management governance is invaluable to the overall success of the organisation. Senior leadership can create an accountable extended enterprise risk management organisation to mitigate key risks falling through the cracks of the first, second or third lines of defence.

Emerging capabilities of technology-driven systems, applications, controls, programmes and methodologies can improve and accelerate efficiencies. They can also improve compliance and decrease the risks of reputational damage, regulatory missteps, consumer backlash and cyber threats. According to poll respondents, their organisations are likely to invest in such emerging technologies and tools during the next 12 months, among them cloud computing (31%), robotic process automation (18%), data visualisation (12%), cognitive technologies (7%), blockchain (7%) and the Internet of Things (IoT) (6%).

Examples of leveraging these technologies in the extended enterprise include some insurance companies using data feeds from IoT sensors embedded in cars to adjust owners’ risk premiums, awarding lower premiums to drivers with safe records and charging higher premiums to drivers with riskier driving habits. This capability is disrupting the traditional insurance model, which requires specialist third parties to collect data manually in order to calculate premiums. Many organisations are already using technologies such as robotic process automation and blockchain to improve clarity about risk exposures, process invoices and conduct compliance checks.

Third party ecosystems

Security around third party ecosystems is a legitimate concern for organisations of all sizes. 38% of those polled specified their organisations’ intent to focus on cyber risks in the extended enterprise for the ensuing 12 months. To manage the associated risks better, organisations need an approach whereby they address their cyber risk concerns from the beginning of vendor procurement and include sets of security requirements and controls via contract.

2019 likely will demonstrate the increasing importance of extended enterprise risk management programme maturity to mitigate risks, safeguard compliance and drive business value. Efficiency will also likely be improved in the process as third party ecosystems grow and third parties take on more and more mission-critical core functions in the organisation.

*Responding industry sectors in the survey included banking, capital markets and investment (20%), technology (12%), transportation and hospitality (11%), retail and consumer products (10%), life sciences and healthcare (8%), telecoms, media and entertainment (6%), insurance (5%), industrial products (5%), oil and gas (5%) and power and the utilities (3%)

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications). Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.