Third-party Governance and Risk Management

Extended enterprise risk management survey 2019

Deloitte’s fourth annual extended enterprise risk management (EERM) survey shows there is renewed focus on maturing EERM practices within most organisations. This appears to be driven by a recognition of underinvestment in EERM coupled with mistrust of the wider uncertain economic environment.

The survey’s key findings are:

1. Economic and operating environment: Economic uncertainty continues to drive a focus on cost reduction and talent investment in EERM. The main drivers for investing in third party risk management are:

  • Cost reduction: 62% of respondents
  • Reduction of third party related incidents: 50%
  • Regulatory scrutiny: 49%
  • Internal compliance: 45%.

2. Investment: Piecemeal investment has impaired EERM maturity development, neglected certain risks and adversely affected core basic tasks.

One of the main reasons for this maturity stall is that organisations are taking a piecemeal approach to investment – they are mostly making tactical improvements, rather than investing in strategic long-term solutions. These tactical improvements have typically focused on the largest regulatory issues of the year, for instance data privacy, cyber risk and information security in 2018 and 2019.

3. Leadership: Boards and senior executives are championing an inside-out approach to EERM, which includes better engagement, coordination and smarter use of data.

Our survey reveals that boards and executive leadership continue to retain ultimate responsibility for extended enterprise risk management (EERM) in the majority of organisations.

Who has ultimate responsibility for third party risk management?

  • 24%: Chief Risk Officer
  • 19%: other board members
  • 17%: CEO

4. Operating models: Federated structures are the most dominant operating model for EERM, underpinned by centers of excellence and shared services.

Robust central oversight, policies, standards, services, and technologies combined with accountability by business unit and geographical leaders is a pragmatic way to proceed.

5. Technology: Organisations are streamlining and standardising EERM technology across diverse operating units.

Smartly coordinated investments in third party risk management technology can drive efficiency, reduce costs, improve service levels, increase return on equity, and create a more sustainable operating model.

6. Affiliate and subcontractor risk: Organisations have poor oversight of the risks posed by their third parties’ subcontractors and affiliates.

  • Subcontractor risk
    Our survey respondents accept that they have poor oversight of the risks posed by subcontractors engaged by their third parties. Only 2% of survey respondents identify and monitor all subcontractors engaged by their third parties. And a further 8% only do so for their most critical relationships. The remaining 90% do not recognize the need or have appropriate knowledge, visibility or resources to monitor subcontractors.
  • Affiliate risk
    Organisations lack clarity in their approach to monitoring and managing risks related to affiliates. Less than a third (32%) of organisations evaluate and monitor affiliate risks with the same rigour as they do other third parties. A higher proportion (46%) take an alternative, typically more simplified, approach to affiliate risk management. And the remaining 22% said they do not have affiliates.


Ronan Langford

Partner - Risk Advisory | +41 58 279 91 35

Ronan is the Strategic and Operational Risk Lead Partner for Deloitte in Switzerland. He has over 25 years of experience in risk and compliance management. His expertise includes technology and digital risk, financial risk, commercial compliance and regulatory risk. In addition, Ronan also leads the Life Sciences Industry Risk Advisory practice in Switzerland and works primarily in the Life Sciences industry but also has experience of working with global consumer products companies, specifically in regulated industries.

Lukas Schneider

Manager - Swiss Risk Advisory  |  +41 58 279 6016

Lukas is a Manager in our Risk Advisory team in Zurich with a focus on third party advisory and risk management. He has significant experience in designing of third party risk assessment processes, operating models, governance structures and control frameworks to manage risk associated with third party relationships. Lukas is PRINCE2®, COBIT 5 and ITIL® certified.
