Deloitte Global Survey


Deloitte Global Survey: Despite increasing dependence on third-parties, organizations are still not fully equipped to manage the extended enterprise

  • 74% of survey respondents have faced at least one third-party related incident in the last three years.
  • Over 50% of respondents reported “some” or a “significant” increase in their level of dependence on third-parties in the last year
  • Only 20% of respondents have integrated or optimized their extended enterprise risk management mechanisms
  • Just 11% of respondents are “fully prepared” to deal with the increased uncertainty in the external environment

NEW YORK, NY, 6 APRIL 2017—According to Deloitte Global’s second annual Extended Enterprise Risk Management survey, Overcoming threats and uncertainty, respondent organizations feel inadequately prepared to deal with today’s uncertain political and business environment and its impact on their extended enterprise.

The survey explores how significant changes in the external environment has slowed down progress in implementing holistic, integrated frameworks and risk management mechanisms over the last 12 months. The report also highlights five key areas where organizations should focus in the coming year in order to improve third-party governance and risk management (TPGRM) strategies.

“Businesses have learned that leveraging an ecosystem of third-parties can help innovate and generate incredible flexibility, agility, and cost savings,” said Kristian Park, EMEA Leader, Extended Enterprise Risk Management, Deloitte Global Risk Advisory. “Yet with this opportunity comes risk. Any shortcomings of these third-party providers can damage a business’s brand and reputation, can lead to regulatory penalties, and can disrupt their ability to meet customers’ expectations.”

Park added, “With a comprehensive risk management approach, organizations can confidently seize the competitive advantage offered by the extended enterprise by balancing opportunities and risk.”

Dependency and Vulnerability

The inaugural Extended Enterprise Risk Management survey published in 2016, “The threats are real,” revealed how large global organizations were addressing the key threats faced in managing their extended enterprise. The survey demonstrated how drivers, directly aligned to long-term value-creation were motivating organizations to rapidly enhance their dependence on third-parties. This, together with the increasing frequency of significant third-party incidents, resulted in TPGRM emerging as a board-level focus area, compelling organizations to invest in holistic and integrated programs.

This year’s survey reveals that the strategic dependence on third-parties continues to increase. Over 50 percent of survey respondents indicated an increase in their level of dependence on third-parties in the last year.

However, most organizations are still not managing the risks that third-parties create for them in a holistic and coordinated manner—only 20 percent have integrated or optimized their TPGRM mechanisms. Respondents recognize that these current levels of integration or optimization are far below what they should be. 53 percent of respondents aspire to achieve integration and an additional 27 percent to achieve optimization within the next one to three years.

Uncertainty in the external environment is likely to be a key factor over the next 12 months, which could require investments in building resilience to a changing environment to complement an earlier focus on detection and prevention.

In addition to dependency and vulnerability, the report explores four other key areas where most organizations could benefit from further effort.

  • Relationship management and monitoring – 55 percent of respondent organizations stated that they have a reasonable to excellent level of understanding of their third-party population. Although the overall level of understanding of the third-party landscape and associated risks appears to have increased, the survey indicates a lack of confidence in underlying data needed to manage these risks. Similarly, while more than half of respondents consider having a reasonable to excellent understanding of third-parties, this does not appear to be supported by robust, forward looking activities to proactively identify potential issues in advance. Only 13 percent of respondents have forward-looking vigilance capabilities to predict emerging third party risks before the issue occurs.
  • Governance and risk management processes Despite sustained board and executive sponsorship, there is a lack of confidence in underlying TPGRM processes. The proportion of respondents skeptical about TPGRM technology in their organizations has only slightly reduced from 94 percent since the 2016 survey to 90 percent of respondents. A similar lack of confidence relating to the quality of TPGRM processes is also only marginally down from 88.6 percent to 82.5 percent indicating the need for continued focus in this area.
  • Technology platforms – The survey results indicate that technology platforms are still being implemented in a “patchwork” manner which reflects short-term thinking. 55 percent of survey respondents now combine more than one technology platform to address different aspects of third-party risk and 43 percent of respondents still leverage their existing enterprise resource planning (ERP) system. These solutions have compelled many organizations to build in manual, spreadsheet-based intervention to address any gaps. Better tools and technology can significantly reduce the time spent on pre-contract, post-contract, and ongoing tracking/monitoring activities. This in turn will likely free up much-needed time for focusing on strategic areas of third-party risk management and value creation.
  • Emerging delivery models – Global organizations continue to be managed through higher degrees of decentralization. As a result, various hybrid and innovative delivery models are emerging that combine the characteristics of centralized and decentralized organizations and can enable the organization to remain agile and competitive in the marketplace. The survey found that a majority of respondents (59 percent) have or are in the process of expanding the role of the corporate center to include Shared Service Centers (SSCs) and Centers of Excellence (CoEs) for extended enterprise risk management. This helps organizations to achieve the desired standardization and attract scarce talent and specialized skills. A smaller percentage of respondents (12 percent) are progressively moving to external service provider-based “managed services” models, representing an increasing trend.

About Deloitte Global’s Extended Enterprise Risk Management survey:

The survey is based on 536 responses, a significant increase from 170 responses received last year, reflecting the views of senior leaders responsible for governance and risk management of the extended enterprise of their organizations. Survey respondents came from a variety of organizations across all eight major industry segments and from 11 countries across the Americas, Europe, Middle East and Africa, and Asia Pacific regions.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see to learn more about our global network of member firms.

Deloitte provides audit, consulting, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500® companies through a globally connected network of member firms in more than 150 countries bringing world-class capabilities, insights, and high-quality service to address clients’ most complex business challenges. To learn more about how Deloitte’s approximately 245,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter.

Did you find this useful?