As dependence on third-parties grows, Deloitte Global study reveals 70% of organizations recognize an increase in risk but remain ill-equipped to deal with them
NEW YORK, NY, USA, 24 April 2018—Organizations are placing a renewed focus on enhancing extended enterprise risk management (EERM) amid increasing dependence on third-parties. Yet progress towards EERM maturity has been slower than expected according to Deloitte Global’s third annual EERM survey, Focusing on the climb ahead.
Dependence on third-parties continues to grow, with 53 percent of respondents reporting ‘some’ or ‘significant’ increase in their level of dependence on third-parties. Yet, seven out of ten survey respondents believe that business and macro-economic uncertainties have increased the risks inherent in managing the extended enterprise.
Despite critical levels of third-party dependency, only 20 percent of organizations have streamlined their EERM systems and processes. 53 percent of respondents now believe their journey to achieve EERM maturity is two to three years or more.
“This is a significantly longer journey than anticipated in earlier surveys, when respondents reported that this could be achieved in six months to a year”, said Kristian Park, EMEA Leader, Extended Enterprise Risk Management, Deloitte Global Risk Advisory. “This reflects a more realistic time-frame, and we’d expect organizations to be closely aligning plans to address the expected regulatory outlook over this period.”
While the main drivers for EERM focus on mitigating risk and compliance, there is an increasing focus on driving value. The business case for investment in EERM is now being driven by other factors that exploit the upside of risk, such as enhancing organizational responsiveness and flexibility, innovation, brand confidence and increasing revenues.
“This is a significant shift from the almost exclusive focus in the past on managing the downside of risk,” continued Park. “Organizations are now taking the concept of the extended enterprise to new levels of critical dependence to exploit untapped opportunities and power organizational performance.”
Overall, the aggregate survey results suggests there is still work to do for many organizations to become fully integrated or optimized in their EERM capabilities.
In addition to a focus on increasing maturity and making a renewed business case for investment, the report explores four other key areas where most organizations could benefit from further effort.
- Centralized control: An increasing number of organizations are adopting central oversight and management to accelerate risk awareness and efficiency. 55 percent of organizations are now equally or more decentralized than centralized (down from 62 percent last year). This reflects that organizations are starting to scale back on decentralization in the overall organization. Out of these 55 percent, only 47 percent have EERM frameworks that are equally or more decentralized than centralized. The remaining 53 percent of respondents thus form the current majority with more centralized EERM programs.
- Technology platforms: In keeping with the trend of increased centralized oversight of EERM activities, technology decisions are now being taken more centrally and a standard tiered technology architecture is emerging. Less than ten percent of respondents are currently using bespoke systems for EERM, a sharp drop from just over 20 percent last year. Cloud technologies that enable agile business operations with standardization represent the most popular emerging technology platform being investigated by survey respondents. 46 percent of respondents are planning to utilize standardized cloud technologies for EERM while 31 percent are considering using Robotic Process Automation for routine EERM tasks across the organization.
- Sub-contractor risk: Organizations lack appropriate visibility of sub-contractors engaged by their third-parties as well as the discipline and rigor to frequently monitor such fourth/fifth parties. 57 percent of survey respondents feel they do not have adequate knowledge and appropriate visibility of sub-contractors engaged by their third-parties and a further 21 percent are unsure of their oversight practices. Only two percent of respondents regularly identify and monitor their sub-contractors (fourth/fifth parties) while another ten percent do so only for those sub-contractors identified as critical.
- Organizational imperatives and accountability: Ownership and accountability for EERM seems to be well and truly established in the C-suite with 78 percent of organizations suggesting that either the CEO, CFO, CPO, CRO or a member of the Board is ultimately accountable for this topic. Survey respondents however believe that there is room for improvement in the level of engagement on the EERM agenda by Board members and risk domain owners. Skills, bandwidth and competence of talent engaged in EERM-related activities appears to be the most significant concern for respondents (45 percent), followed by the clarity of roles and responsibilities and EERM processes (41 percent in both cases). As many as 40 percent of respondent organizations have prioritized the need to establish better coordination between risk domain owners, business unit leaders, functional heads, legal and internal audit teams as their top organizational imperative related to EERM.
About Deloitte Global’s Extended Enterprise Risk Management survey
Deloitte Global’s 2018 EERM survey, “Focusing on the climb ahead,” is based on 975 responses from a variety of organizations across major industry segments and from 15 countries across the Americas, Europe Middle East and Africa (EMEA) and Asia Pacific (APAC). A record number of participants this year is reflective of the ever increasing profile and investment third-party risk management is getting within organizations.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms and their related entities. DTTL (also referred to as “Deloitte Global”) and each of its member firms are legally separate and independent entities. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.
Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax and related services. Our network of member firms in more than 150 countries and territories serves four out of five Fortune Global 500® companies. Learn how Deloitte’s approximately 264,000 people make an impact that matters at www.deloitte.com.