“Widespread inability” to manage third party risk in top corporations unearthed by Deloitte study

Developments in Extended Enterprise Risk Management (EERM) maturity have not kept pace with increasingly critical levels of dependence on third parties and, as such, the majority (83%) of organisations quizzed by Deloitte for the company’s fourth annual EERM Survey have experienced a third party incident in the past three years.

According to the outcome of the in-depth study, federated structures are becoming a dominant operating model for third party risk management as Boards and executive management alike continue to take a deep interest in the subject and want to provide more co-ordinated and responsive input. More than two-thirds (69%) of responding organisations say they’ve adopted a federated model that allows for this sharing of responsibility.

The economic environment continues to drive cost reductions and talent investment in EERM. The desire to reduce costs has become the biggest driver for investing in EERM maturity. That’s according to 62% of survey respondents.

A mere 1% of those organisations surveyed consider themselves optimised to address all important EERM issues presented. Chronic underinvestment is making it hard for organisations to achieve their desired EERM maturity levels and, more fundamentally, appears to have hindered many respondents from doing the basic core tasks well.

Signs of a slowdown in global economic growth are beginning to emerge, together with an atmosphere of greater organisational uncertainty. This survey reveals how organisations are recognising this change and are creating value and greater efficiencies with a strong focus on improved and strategic EERM practices.

As the reliance on relationships with outside organisations continues to grow, so do the associated risks – in turn making it crucial that organisations are properly investing in EERM and have visibility into risks that are posed by the extended enterprise – for those third, fourth and fifth parties.

Given that organisations are sharing sensitive information with an average of 583 third party providers, many now recognise the need to better understand the nature of these extended relationships and the contractual agreements involved in order to mitigate risks on the horizon.

Deloitte’s report explores six key areas that are impacting the future of EERM: the economic and operating environment, investment, leadership, operating models, technology and sub-contractor/affiliate risk.

Leadership wants better engagement

For decades, third party risk management was viewed as an operational rather than a Board or top leadership issue. As better management of EERM has been viewed as a transformation opportunity, so Boards and senior leadership have grown to have ultimate responsibility for EERM in more than three-quarters of respondent organisations. This starts with better engagement and co-ordination within the business encompassing organisational units, geographies, risk domains and subject matter experts.

As the Deloitte survey has revealed, Boards and executive leadership continue to retain ultimate responsibility for EERM in most organisations.

Who, ultimately, has responsibility for third party risk management, though? The survey results are as follows: 24% say the Chief Risk Officer, 19% say other Board members and 17% state that it's the CEO.

Leadership involvement trains a keen eye on return on investment. More sustainable operating models for third party risk management are being embraced. These are characterised by federated structures supported by Centres of Excellence and shared service centres, emerging technologies, shared assessments and managed service models as well as a move towards the co-ownership of budget.

More than two-thirds (69%) of respondent organisations say they’ve adopted a federated model. Only 11% of organisations are now highly centralised, which is down from 17% last year. More than half (53%) of those organisations are using Centres of Excellence, while 38% have shared service centres.

Risk to strategic growth

The focus on return on investment should help to improve some of the concern and survey results around EERM investment. The majority (70%) of organisations surveyed believe they have underinvested in third party risk management. Seven-in-ten believe they engage fewer employees than necessary for EERM or are not sure. Half (50%) spend more than $1 million on their annual EERM operating costs, but the top 11% spend more than $10 million each and employ over 100 full-time equivalent staff.

Deloitte’s research shows that many organisations have been less able to make significant capital investments in transformation initiatives to bring about a holistic and integrated approach to third party risk management. The resulting ‘piecemeal’ approach towards investing in EERM has impaired the speed at which organisations have been able to mature strategically in this area, as opposed to making point-in-time tactical improvements.

Ultimately, this may lead to organisations not being able to do the core EERM basic tasks well such as understanding the nature of third party relationships (50%), lacking the knowledge to understand contract terms (43%) and not monitoring third parties based on their risk profile (41%). Those basic functions need proficiency and are critically important in what’s now a fast-paced and digitally-connected world.

Just over half (53%) of respondents want to see a more co-ordinated and consistent approach to EERM across organisational functions. Investments in managed services and shared assessments and utilities drive efficiencies by reducing the need to increase headcount and cut back on capital expenditure.

Managed service models

For the first time, Deloitte’s survey has captured uptake on three different types of managed service models:

* Managed services to acquire risk intelligence, including utility models that facilitate the shared exchange of such data. 18% of organisations use these and a further 21% plan to do so. This is the most popular way in which surveyed organisations are choosing to leverage a managed service model.

* Managed services deploying on-premise staff. 18% of organisations use these and a further 13% intend to use them.

* Managed service solutions deploying EERM Technology-as-a-Service. 11% of surveyed organisations use these, while a further 14% stated that they plan to do so.

There’s still room for growth in managing the extended enterprise as it relates to understanding sub-contractor and affiliate risk, implementing a consistent and co-ordinated EERM approach and also increasing overall EERM maturity through investments.

Only 2% of organisations identify and monitor all sub-contractors engaged by their third parties, while only 8% do so for their most critical relationships. The remaining 90% indicate that they don’t have the need or the appropriate knowledge, visibility or resources to monitor sub-contractors. Less than a third (32%) of organisations evaluate and monitor affiliate risks with the same rigour as they do other third parties.

Dan Kinsella, partner and EERM leader in the Risk and Financial Advisory practice at Deloitte, commented: “Organisations are increasingly depending on external entities that might include third, fourth or fifth parties. However, not many have appropriate oversight into what’s happening across their organisation, in turn leaving them exposed to potential risks. 50% of survey respondents indicated that they don’t understand the nature of their third party relationships. As EERM matures, it’s important that organisations are investing strategically in end-to-end solutions that manage any exposures associated with third parties.”

John Peirson, CEO of Deloitte’s Risk and Financial Advisory practice, added: “There’s much to gain when an organisation manages its extended enterprise well. However, we believe the consequences of negative actions by third parties are likely to continue to grow more severe and be potentially damaging for organisational reputation, earnings and shareholder value. This will remain a compelling driver for organisations to invest in improving their third party risk management processes and frameworks.”

About the Author

Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications). Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.