Third-party governance and risk management

In our 2016 global survey on Third-party Governance and Risk Management (TPGRM), we provide the results from over 170 organizations on the key issues and trends impacting their approaches to managing and mitigating third-party risk. This report reflects the survey responses of over 170 senior members of management from a variety of organizations across all industries. The respondents were typically responsible for governance and risk management around third-parties, including Chief Finance Officers, Heads of Procurement/Vendor Management, Chief Risk Officers, Heads of Internal Audit and those leading the Compliance and Information Technology (IT) Risk functions in organizations.

TPGRM is emerging as a board level focus area for many organizations in 2016. The survey results show how investment by organizations in TPGRM has increased year over year and that organizations are now in the process of either implementing or refining the existing implementation of TPGRM processes and frameworks.

At the same time the survey reveals significant gaps in the tools, technology, and underlying processes that must be addressed to ensure that the emerging organizational commitment to managing third-party risk achieves the intended objectives.

Deloitte believes that the increasing frequency of third-party incidents, negatively impacting organizational reputation, earnings, and shareholder value, is currently the single-most compelling driver for organizations to invest in TPGRM.

Key findings

The third-party ecosystem

• As dependence on third-parties becomes increasingly critical, organizations are being compelled to rapidly "catch up" in enhancing the maturity of their TPGRM processes.
• The drivers for third-party engagement are progressively shifting from a focus on cost to a focus on value, reflecting organizational recognition of the strategic opportunity that third-parties can create for them.

Managing third-party risk

• Third-party risk incidents are on the increase with customer service disruption and regulatory breach being considered the top risks.
• Increased monitoring and assurance activity over third-parties is believed to significantly reduce third-party risk.
• Organizational commitment to third-party risk management is not supported by confidence in the related technology and processes.

Third-party governance

• Third-party risk is starting to feature consistently on board agendas with CEO/board-level responsibility in the more progressive organizations or those operating in highly regulated environments.
• Visits to third-party locations are considered the most effective method to gain assurance over third-party management.
• Most organizations are mandating consistent third-party governance standards amidst increasing decentralizations of operating units.

Technology and delivery models

• Existing technology platforms for managing third-parties are considered inadequate.
• Organizations are in the process of deciding between centralized in-house models and external service-provider based models for third-party monitoring.