Third party governance and risk management

Extended enterprise risk management survey 2019

Deloitte’s fourth annual extended enterprise risk management (EERM) survey shows there is renewed focus on maturing EERM practices within most organizations. This appears to be driven by a recognition of underinvestment in EERM coupled with mistrust of the wider uncertain economic environment.

Discover the latest trends and developments in third party risk management by exploring our six chapters.

Economic and operating environment

The economic environment continues to drive cost reduction and talent investment in extended enterprise risk management. Ongoing uncertainty and distrust in the economic and business environment are having a significant impact on third party risk management. Dramatic shifts at the market level, together with increased regulatory and internal scrutiny, are driving organizations to focus on cost reduction and talent investment and to revisit existing operating models.

The main drivers for investing in third party risk management are:

• Cost reduction: 62% of respondents
• Reduction of third party related incidents: 50%
• Regulatory scrutiny: 49%
• Internal compliance: 45%


A piecemeal approach to investment in third party risk management has impaired the speed of the maturity journey, neglected certain risks and adversely affected core basic tasks. Organizations have stalled on their journey to extended enterprise risk management (EERM) maturity. Only 1% of organizations say they address all important EERM issues, and only another 20% say they address most EERM issues. The majority of organizations surveyed also believe they have underinvested in third party risk management. Fewer than three in ten believe that both their capital expenditure and their spending on EERM staff and other operating costs are at or above the ideal amount.


Boards and senior leaders are championing an inside-out approach to third party risk management, which includes better engagement, coordination and smarter use of data. Our survey reveals that boards and executive leadership continue to retain ultimate responsibility for extended enterprise risk management (EERM) in the majority of organizations. Better engagement and coordination across internal EERM stakeholders is a top priority for boards and senior leaders. More than a third of organizations admit to having a low, insignificant or unknown level of engagement and coordination across organizational units, geographies, risk domains and subject matter experts.

Who has ultimate responsibility for third party risk management?

• 24%: Chief Risk Officer
• 19%: other board members
• 17%: CEO

Operating models

Our survey reveals that robust central oversight, policies, standards, services, and technologies, combined with accountability by business unit and geographical leaders, is a pragmatic way to proceed. Federated structures are becoming the dominant operating model for third party risk management, underpinned by centers of excellence and shared services. More than two-thirds (69%) of respondent organizations say they adopt a federated model, and only 11% of organizations are now highly centralized, down from 17% last year. More than half (53%) of organizations are using centers of excellence and 38% have shared service centers. Co-ownership of EERM budgets, where organizations retain centralized control but with stronger engagement and collaboration with business unit leaders, is also emerging as a new trend.


Organizations are streamlining and simplifying third party risk management technology across diverse operating units. Our 2019 survey confirms our prediction last year that a three-tiered approach to third party risk management technology will continue. Very few organizations want to develop complex bespoke solutions.

Smartly coordinated investments in third party risk management technology across three tiers can drive efficiency, reduce costs, improve service levels, increase return on equity, and create a more sustainable operating model.

• More than 59% of the respondents adopt tier one – enterprise resource planning (ERP) or procurement platforms that establish a common foundation and operational discipline for EERM.
• Three quarters (75%) adopt tier two – risk management solutions that are either EERM-specific risk management packages (18%) or generic integrated risk management solutions tailored for EERM use (57%).
• Tier three – risk domain specific technologies – such as financial viability, financial crime, sustainability and cyber threats – continue to grow.

Subcontractor and affiliate risk

The 2019 survey exposes organizations' lack of clarity on addressing risks related to subcontractors engaged by their third parties, and to affiliates.

Subcontractor risk: Our survey respondents accept that they have poor oversight of the risks posed by subcontractors engaged by their third parties. Only 2% of survey respondents identify and monitor all subcontractors engaged by their third parties, and a further 8% do so only for their most critical relationships. The remaining 90% do not recognize the need, or lack the knowledge, visibility or resources, to monitor subcontractors. This lack of oversight is making it difficult for organizations to determine their strategy and approach to the management of subcontractor risk. Leading organizations are starting to address these blind spots through “illumination” initiatives to discover and understand these “networks within networks”.

Affiliate risk: Organizations lack clarity in their approach to monitoring and managing risks related to affiliates. Less than a third (32%) of organizations evaluate and monitor affiliate risks with the same rigor as they do other third parties. A higher proportion (46%) take an alternative, typically more simplified, approach to affiliate risk management. And the remaining 22% said they do not have affiliates.



Previous Reports

Third Party Governance & Risk Management – 2018
Focusing on the climb ahead

Third Party Governance & Risk Management – 2017
Overcoming the threats and uncertainty

Third Party Governance & Risk Management – 2016
The threats are real

How we help clients

For many organizations, their third-party ecosystem, or ‘extended enterprise,’ is an important source of business value and strategic advantage. However, as the reliance on third-parties continues to grow, so do the associated risks, bringing potential reputational damage and regulatory action.

Deloitte member firms' experienced teams work with clients to develop governance frameworks that effectively identify and manage all forms of third-party risk, looking at both process and technology solutions to deliver value and meet contractual obligations.


If you would like to discuss third party risk management, please get in touch with one of our specialists.