Be responsible and effective: Strike a balance

Deloitte Extended Enterprise Risk Management 2020 Global Survey

"84% of respondents said their organization had experienced a third-party incident in the last three years. Among those, 17% of respondents have faced a high-impact third-party risk incident."

Extended enterprise risk management (EERM) is also known as third-party risk management (TPRM). An organization’s extended enterprise includes third parties such as suppliers, distributors, resellers, franchises and joint venture partners. It can be a vital source of competitive advantage, but may also present significant risks.

Deloitte's fifth annual global survey on extended enterprise risk management (EERM) in 2020 includes the views and observations of 1145 respondents from 20 countries around the world. Respondents are typically responsible for governance and risk management of the extended enterprise in their organizations. The report highlights various key findings, the impact of COVID-19 on third-party risk management and our predictions for EERM trends in 2020-2021.

Deloitte China Extended Enterprise Risk Pence Pang said: "In the past few years, organizations have increasingly relied on third-party partners to achieve strategic goals. In 2020, the COVID pandemic has highlighted the huge impact of third-party partner risks on organizations. The pressure of external supervision and the need for internal management have caused corporate executives to pay unprecedented attention to third-party risk management:

  • Nearly one-third (32%) of the respondents realize that third-party risk management is the number one project, which is the highest from the past survey results.
  • However, 72% of organizations are still not satisfied with their EERM technology. The core challenge is the lack of a centralized third-party information library.
  • Therefore, by increasing investment, organizations are improving and supplementing third-party risk management by a) introducing emerging digital intelligent technologies and b) making full use of external assistance to promote the transformation, and hoping to realize the enhancement of corporate resilience in the end."


Extended Enterprise Risk – Organization's pains and hidden worries

In the current situation, regardless of the future economic prospects, business leaders around the world tend to strengthen extended enterprise risk management capabilities to deal with the rapid changes in their specific markets. The report pointed out that 84% of respondents said that their organizations had encountered third-party incidents in the past three years, slightly up from 83% last year. Among them, 17% of respondents said that their organization has faced high-impact third-party risk incidents from extended enterprises in the past three years. These incidents have had a severe impact on customer service, financial position, regulatory compliance and/or reputation. 19% of organizations estimated that their financial exposure to a major third-party incident is US$500 million or more, and 11% estimated the financial exposure to be US$1 billion or more.

A rise in regulatory activity in various countries encourages nimble organizations to progress towards a greater EERM maturity. Those unable to keep pace with changing expectations fall behind their peers on the maturity journey. The report shows organizations need to improve in various areas including real-time information, risk metrics and reporting, and third party risk management tools.

Core Contents

1. Balancing responsibility and cost

47% of respondents said that the desire to develop capability and capacity to respond to third-party-related incidents was this year's biggest driver for more investment in EERM. However, 59% of respondents still believe they underinvest in EERM. This lack of investment amounts to turning a blind eye to the core risk domains and taking a myopic approach to addressing the core risks.

Deloitte point of view:
Due to the lack of a strategic view, some organizations' investment in EERM is limited and piecemeal. This will greatly affect an organization's effectiveness and efficiency in its extended enterprise risk management.


2. Wider focus

Senior executives are extending their focus from "Third-Party Risk Management" to a broader view of "Third-Party Management", i.e. boosting the general effectiveness of third-party relationships rather than taking a fragmented approach to managing third parties. This includes using dedicated relationship management teams for the most critical and strategic third-party relationships in the management of risk, contracts, performance, finance, and other areas, and using emerging technologies to enhance the monitoring of third parties, such as real-time ongoing monitoring and risk sensing, to provide actionable intelligence. These will enable synergies in the long term.

Deloitte point of view:
The evolution of extended enterprise risk management (EERM) into a wider discipline of extended enterprise management (EEM) is the next logical step for organizations to establish holistic mechanisms that manage all types of risks across all categories of third parties.


3. Strike a balance

Use of emerging technologies
Accelerated by the need for a rapid response and recovery related to the global pandemic, we expect continued investment in tech-enabled transformation initiatives in pursuit of the twin objectives of efficiency and effectiveness. We believe this will increasingly be driven by the need for holistic, rather than piecemeal, management of third parties. A centralized repository of intelligence built on cutting edge technology will be the important foundation for this.

Leveraging external assistance
A growing number of organizations use external support to improve and supplement their EERM programs. In our first survey five years ago, nearly all organizations had their center of excellence (CoE) and shared service structure (SSC) fully in-house. This year, we see nearly a quarter of organizations (24%) at least partially outsourcing their CoEs and SSCs. 15% of organizations use talent from an external provider of managed services. 16% of organizations use an external managed services provider's EERM technology solution as a service. Compared with insourcing, professional third-party risk management providers can deploy trained specialist workers and technology more efficiently and effectively with expertise in managing third-party risks in specific industry segments. They can provide organizations with more consistent and personalized assistance programs, including risk intelligence, utility models*, and managed services.

*Utility tools: Risk management tools and systems based on industry experience and risk management experience


Predictions for 2020-21 and impact of COVID-19

Crises tend to reinforce the need to invest in good risk management, as we have seen in the aftermath of the global financial crisis. This time is no exception. There have been more and more cases of damage caused by third-party service issues during the COVID-19 crisis, and the leadership's understanding of the value of its EERM has also increased. Organizations are paying unprecedented attention to business continuity planning to deal with possible future risks.

The journey towards full EERM maturity will remain full of challenges in 2021. Nevertheless, the positive side is that the emergence of new technologies and management tools will enable third-party risk management to be more intelligent and efficient.

The report also includes third-party risk assessments and EERM maturity assessments for the various sectors, such as the Consumer industry; Energy, Resources & Industrials industry; Financial Services industry; Government and Public Services industry; Life Sciences and Health Care industry; and Technology, Media and Telecommunications industry. Please download the "Deloitte Extended Enterprise Risk Management 2020 Global Survey" report for more information.



Deloitte China Cyber & Strategic Risk Leader
Yvonne Wu

Deloitte China Extended Enterprise Offering Champion
Pence Peng

Deloitte China Risk Advisory Partner (Hong Kong)
Hugh Gozzard

Deloitte China Risk Advisory Director (Hong Kong)
Eimund Loo
