A survey published by Deloitte highlights the latest trends—both opportunities and challenges—in companies’ journey toward a more mature extended enterprise risk management program, one in which third-party risk management is integrated across the firm and led from the top.

This article is from FRA's sister company, Compliance Week.

According to Deloitte’s 2019 extended enterprise risk management (EERM) survey, which garnered responses from 1,055 governance and risk management leaders from 19 countries around the world, most organizations today are placing renewed emphasis on maturing their EERM practices. “This appears to be driven by a recognition of underinvestment in EERM, coupled with mistrust of the wider uncertain economic environment,” Deloitte said.

“Business cycles fluctuate and can be hard to predict, but what isn’t hard to predict is disruption, which never takes a vacation,” says Dan Kinsella, EERM leader and partner at Deloitte & Touche. “Regardless of the economic climate, knowing how to navigate and mitigate risks in a hyper-connected, 24-hour business cycle can be a driver of success, especially when it comes to those connections you might not be thinking much about until it’s too late.”

Deloitte’s EERM report extensively explores six key areas that are impacting the future of EERM programs. Those areas are summarized below.

Economic and operating environment. According to the survey, 62 percent of respondents cited “cost reduction” as their top motive for investing in EERM, followed by 50 percent who cited reduction in the number of third-party-related incidents as a second top motive. Other top reasons for investing in EERM included regulatory scrutiny (49 percent) and internal compliance requirements (45 percent).

It’s no wonder reducing third-party incidents is a top motive, given 83 percent of respondents said their organizations experienced such an incident in the past three years. Of these, nearly half said they’ve experienced either a severe or moderate impact on customer service, financial position, reputation, or regulatory compliance.

To improve their processes, 53 percent of respondents said they seek, above all, a “more coordinated and consistent approach to EERM across organizational functions,” the report said. The need to improve processes, technologies, and real-time management information for EERM (49 percent) was ranked second.

“An interesting new insight is that leadership realizes that, despite budget pressures, EERM ambition requires talent investment: spending money now to save money later,” Deloitte said. “This is largely about recruiting expertise.”

Investment. Deloitte’s survey also showed 70 percent of organizations believe they have underinvested in third-party risk management, and seven in 10 believe they engage fewer employees than necessary for EERM or aren’t sure if they do. Half of respondents said they spend more than $1 million on their annual EERM operating costs, and the top 11 percent spend more than $10 million each and employ over 100 full-time equivalent staff.

“While there is no one-fits-all approach to EERM, all organizations need to look at the ways they are investing in EERM,” Kinsella says. “They need to make sure they aren’t just spending money to reduce critical risk and say they have a strategy in place, but really spending money to reduce risks across the ecosystem, while at the same time driving operational performance, building resilience, and ultimately, creating a return on investment.”

In specific risk domains, investment is skewed toward information security (68 percent of respondents); data privacy (62 percent); and cyber-risk (58 percent). The survey also found many organizations underinvest in other domains, such as labor rights (18 percent), as well as geopolitical and concentration risk (both at 12 percent).

Leadership. Boards and senior leadership continue to retain ultimate responsibility for EERM. According to the survey, 24 percent said responsibility rests with the head of risk; the CEO (17 percent); board (19 percent); chief privacy officer (10 percent); or the CFO (8 percent).

Thirty-seven percent of survey respondents said better in-house coordination between leaders and risk domains, business units, and functions—such as procurement, legal, and internal audit—is a top EERM priority. Just 16 percent, however, believe they have strong in-house coordination in their organizations. Nearly half (49 percent) rated it to be moderate, and the remaining 35 percent consider it to be low, nearly absent, or don’t know.

This inside-out approach—where boards and senior leaders want to be more engaged with issues specific to particular risk domains—is also “reflected in organizational initiatives to exploit data on third parties more smartly,” the report stated. “Boards and senior leaders want to move away from periodic color-coded dashboards to succinct, real-time actionable intelligence with alerts and analysis of trends.” According to the survey, 56 percent of respondents are using or plan to use cloud-based platforms for EERM; 45 percent are focused on robotic process automation (RPA); and 36 percent are using or planning to use visualization techniques to make this intelligence more actionable.

Subcontractor and affiliate risk. The survey also found most organizations have poor oversight of the risks posed by third parties’ subcontractors and affiliates (also called fourth or fifth parties). In fact, 90 percent indicated they “do not have the need or have appropriate knowledge, visibility or resources to monitor subcontractors.”

“Organizations are increasingly depending on external entities that might include third, fourth or fifth parties,” Kinsella says. “However, not many have appropriate oversight into what is happening across their organization, leaving them exposed to potential risks.” In fact, 50 percent of survey respondents said they don’t understand the nature of their third-party relationships.

Organizations also continue to lack clarity in their approach to monitoring and managing risks related to affiliates. Just 32 percent of respondents said their organizations applied the same rigor in evaluating and monitoring such risks as they do with third parties. Another 46 percent reported varying standards, including some degree of ambiguity or an ad-hoc approach.

“Pre-screening, due diligence, and monitoring appears to be much lighter touch for affiliates than other third parties,” Deloitte said in its report. “This is acceptable if proportionate to the risk involved, but the approach must be clearly defined and consistent.” The remaining 22 percent of organizations said they do not have affiliate relationships.

Operating model. Federated structures are the dominant operating model for EERM, underpinned by shared services and centers of excellence (CoE). For the first time, this year’s report observed an emerging trend in managed services to acquire risk intelligence; managed services deploying on-premise staff; and managed services solutions deploying EERM technology. “Investments in managed services and shared assessments and utilities drive efficiency by reducing the need to increase headcount and drastically reduce capital expenditure,” Deloitte said in its report.

“Some of the most catastrophic losses reported in history were caused by third parties, but to understand the risks associated with an extended enterprise, you have to define the ecosystem first,” Kinsella says. “You have to know who you are working with—and then understand the risk, financial, and performance considerations, and then rank them, prioritize them, and build those needs and considerations into the contracts. Risk-sensing technology allows for real-time evaluation and response, and many organizations are choosing a managed services approach to more consistently and efficiently manage it all.”

Technology. Last year, Deloitte highlighted the emergence of a standard three-tiered technology architecture, in which organizations are increasingly streamlining and simplifying specific EERM technology across diverse operating units. “Our 2019 survey supports our assertion that a tiered approach for streamlined and standardized technology investments in EERM will likely continue,” Deloitte said.

In Tier 1, Enterprise Resource Planning (ERP) or procurement platforms establish a common foundation and operational discipline for EERM. Under this tier, more than half (59 percent) of organizations leverage their ERP or procurement platforms as the core foundational component for EERM. Common solutions include SAP; Oracle; SAP Ariba; and Microsoft Dynamics.

In Tier 2, respondents indicated they use either EERM-specific risk management packages tailored to an organization’s third-party management requirements (18 percent) or generic, integrated risk management solutions for EERM use (57 percent). Solutions include RSA Archer; IBM OpenPages; Thomson Reuters; ServiceNow; and MetricStream.

Tier 3 supports the first two tiers by providing niche packages for specific EERM processes or risks providing feeds from specialized risk domains—such as financial viability (cited by 30 percent of respondents); financial crime (28 percent); contract management (18 percent); sustainability (11 percent); and cyber-threats (9 percent).

“The reality is that the majority of corporations today have hundreds upon thousands of third, fourth, and fifth-party relationships,” Kinsella says. “As organizations get bigger, and connections between businesses become easier and faster, the risks—financial, operational, cyber-, reputational—swell as well. An ad-hoc approach to managing that extended ecosystem just won’t do.”

For more information on this topic, join FRA & Compliance Week for the fifth edition of the Third-Party Risk Management & Oversight Summit in San Francisco, December 9-10. The leading conference for compliance and procurement professionals provides two days solely dedicated to the sharing of knowledge and experience within third party risk management, equipping attendees with best practices to properly identify and reduce risk effectively, benchmarking information to ensure alignment, and the knowledge needed to implement and foster compliant third party relationships. Click here to see the full agenda.