Extended Enterprise Risk Management

Greater transparency delivers greater value

By Tim Scott

Imagine driving a car onto a highway, choosing a lane and then setting the cruise control with no plans to monitor the road until you reach your destination. It sounds more than a little reckless. But too often, that’s the approach businesses take to Extended Enterprise Risk Management. It’s especially dangerous given how much so many companies rely on extended business models defined by multiple, outsourced, third-party relationships. 

These relationships, even in organizations with a strong risk focus, frequently reside at the edge of — or outside — the risk umbrella. An “out-of-sight, out-of-mind” attitude is often adopted once a company delegates a service to a vendor. After signing a contract, many executives assume all parties will perform as expected, or that relationship management and risk monitoring mechanisms are in place and functioning properly. But just like drivers who continually scan the road so they can appropriately react to changing conditions, businesses must constantly re-evaluate the environment in which they operate.

This is particularly true when it comes to Extended Enterprise Risk Management, where every party to a contract is akin to another driver of whom you should be aware. Greater transparency in Extended Enterprise Risk Management within your extended business model means enhancing an organization’s ability to see into itself. It means fully understanding your contract portfolio and third-party relationships across the enterprise to actively manage contracts, assess their value, ensure compliance and minimize risk.

Vendor governance is frequently spread across various internal stakeholders and departments, preventing a complete overview of the corporate contract structure, discouraging holistic management and leading to a compliance approach that is reactive and reparative rather than proactive and preventive. To effectively manage risk, you need a full picture of your extended organization. That means analyzing Key Performance Indicators (KPIs) of critical vendors and regularly reviewing contracts to extract maximum value from third-party relationships, which may include manufacturers, suppliers, service providers, joint ventures, distributors, licensees, customers, agents, franchisees and affiliates. 

Understanding Extended Enterprise Risk Management

Maximizing contract value while minimizing risk requires that contracts be effectively managed across three critical phases: initiation, administration and compliance. 


Initiation

  • Determine the contract type (revenue share, license fees, intellectual property, etc.) and commercial structure (fixed price/lump sum, cost reimbursable or unit price).
  • Create and maintain the contract by capturing key requirements, developing the contract, achieving sign-off and execution, and storing the contract appropriately.
  • Incorporate KPIs and Key Compliance Indicators (KCIs) into the contract to improve visibility, agility, consistency and performance.
  • Include a robust “right to audit and inspect” clause.

Administration

  • Understand the range of existing contract (document) management competencies and work to improve them in your organization.
  • Make effective use of contract management tools.
  • Carefully consider whether your contract’s KPIs and KCIs support strategic objectives and recalibrate/renegotiate as appropriate.

Compliance

  • Enhance contract clarity and transparency through regular communications and check-ins with your vendors.
  • Maximize cost recoveries and future cost savings by analyzing data from end to end in the procure-to-pay lifecycle.
  • Conduct contract audits to identify fraudulent or erroneous data; for example, contractor overcharges, duplicate charges or excessive time logging.

Key questions and next steps

Organizations should ask key questions with respect to their Extended Enterprise Risk Management posture:

  • Does our organization fully understand the meaning of Extended Enterprise Risk Management? 
  • Do we have a clear view of third-party relationships and related information across our entire business model? 
  • Have we identified key risks and risk management priorities for each? 
  • What communication structures and processes are in place with our vendors to eliminate assumptions and misunderstandings?
  • Are we looking for opportunities to maximize the value of our business partnerships through contract management? 
  • Do we regularly review our contracts to ensure we’re receiving value on both costs incurred and services received? 

A contract is a guideline, not a guarantee

You cannot proceed with a business relationship simply assuming that a contract will be executed exactly as it is written. A contract is a guideline, within which both parties are accountable for performance — and assumed risk is rarely one-sided. Business relationships should be, and generally are, built on trust; don’t be afraid to verify the facts on which you base that trust. In the end, that verification increases the strength of your relationship. 

Companies miss many opportunities from a return on investment perspective by not having full transparency of their own contract situation. Finding these opportunities is the right and responsibility of all parties to a contract. Your partners won’t feel guilty about taking vigilant action to preserve contract integrity, and neither should you.

