Article
Focusing on the climb ahead
Extended enterprise risk management survey 2018
This report shows how extended enterprise risk management (EERM) has continued to benefit from greater executive awareness allowing organizations to tackle the topic with renewed focus and investment. This is even more important due to the threats of high profile business failure, illegal third-party actions, or regulatory action with punitive fines.
The survey findings reveal organizations are taking an earlier, more strategic view of risk drivers to create value and identify new opportunities. Despite this awareness, and some associated improvements in third-party governance and risk management, six key areas exist where further effort is required by most organizations.
Inherent risk and maturity
- Organizational self-assessment of overall EERM maturity continues to improve at a slower pace despite a perceived increase in the inherent risks in third-party dependence.
Business case and investment
- EERM is increasingly focused on exploiting the upside of risk and demonstrating tangible benefits—a significant shift from only managing the downside of risk.
Centralized control
- Organizations are centralizing many elements of EERM roles, structures, and technologies.
- Centers of Excellence (COEs) and Shared Service Centers (SSCs) represent the dominant operating model, along with an increased focus on market utility models.
Technology platforms
- Technology decisions for EERM solutions are now being made centrally and a three-tiered technology architecture is emerging.
Sub-contractor risk
- Organizations are lacking appropriate visibility and monitoring of sub-contractors engaged by third-parties.
Organizational imperatives and accountability
- Ultimate ownership and accountability for EERM suggest it is established in the C-suite, with
need for improvement in engagement. - Challenges over internal coordination, talent and processes represent areas of highest (organizational) concern over EERM.
The survey results reflect a renewed focus in the last year on enhancing extended enterprise risk management maturity amid increasing perceptions of dependence on third-parties, although moving up the maturity curve has been slower than expected. This report also reflects an emerging shift to include more centralized oversight and management for extended enterprise risk management across the more decentralized or federated structures to enable increased risk-awareness and consistency.
Access our regional highlights across the six key areas and assess how extended enterprise risk management compares across different regions
Click the regions on the map to see the highlights
Industry overviews
Consumer and Industrial Products (C&IP)
Inherent risk and maturity
- 74% of C&IP respondents have a heightened perception of risks inherent in third-parties.
- 55% of C&IP respondents reported some or a significant increase in dependence on third-parties over the last year.
- 19% of C&IP respondents have integrated/optimized their EERM processes and technology.
Business case and investment
- 48% of C&IP respondents are motivated by positive cost reduction in overall spend on third-parties.
- One in four C&IP respondents consider the ability to achieve greater agility and flexibility in the marketplace to be the most popular driver for investment in EERM.
Centralized control
- C&IP respondents have one of the highest levels of overall decentralization in their organizations with 61% of respondents stating they are equally or more decentralized than they are centralized; however, only 45% of respondents feel their EERM initiatives are more decentralized than centralized.
- 78% of C&IP respondents are adopting the CoEs and SSCs operating model.
- 4% of C&IP respondents have outsourced to managed service providers.
- C&IP saw an increase in actual utilization of community models/market utilities from 11% of respondents last year to 18% of respondents stating this to be the case in 2017.
Technology platforms
- Use of niche GRC packages appears to be the dominant trend in C&IP with 69% of respondents stating this to be the case.
Sub-contractor risk
- 75% of C&IP respondents do not have appropriate knowledge and visibility over their fourth and fifth parties.
- Only 15% of C&IP respondents review concentration and other risks from their fourth and fifth parties either quarterly or half-yearly.
Organizational imperatives and accountability
- 18% of C&IP respondents state there is a high level of engagement and knowledge of EERM by the Board.
- Identifying the most strategic third-parties to ensure proportionate EERM effort, addressing cyber risks, and building stronger resilience to disruption are top imperatives within C&IP.
Life science and health care (LSHC)
Inherent risk and maturity
- 73% of LSHC respondents have a heightened perception of risks inherent in third-parties.
- 58% of LSHC respondents report some or significant increase in the level of dependence on third-parties over the last year.
- 24% of LSHC respondents have integrated/optimized their EERM processes and technology.
- 54% of LSHC respondents believe they have the longest journey with at least two to three years or more to achieve desired state in EERM.
Business case and investment
- 46% of LSHC respondents state that the reduction in regulatory exposure is a related driver for EERM initiatives.
- 52% of LSHC respondents state that meeting internal compliance requirements is a related driver for EERM initiatives.
- One in three LSHC respondents consider the ability to achieve greater agility and flexibility in the marketplace to be the most popular driver for EERM investment.
Centralized control
- LSHC respondents have one of the highest levels of overall decentralization in their organizations with 63% of respondents stating they are more equally or more decentralized than they are centralized, however, only 45% of respondents feel their EERM initiatives are more decentralized than centralized.
- 16% of LSHC respondents saw an increase in actual utilization of community models/market utilities.
Technology platforms
- 32% of LSCH respondents use features of the existing ERP system or other organization-wide backbone systems for procurement.
Sub-contractor risk
- 85% of LSHC respondents acknowledge that they do not have appropriate knowledge and visibility over their fourth and fifth parties.
Organizational imperatives and accountability
- 15% of LSHC respondents state there is a high level of engagement and knowledge of EERM by the Board.
- 21% of LSHC respondents state there is a high level of engagement and coordination by risk domain owners.
- Identifying the most strategic third-parties to ensure proportionate EERM effort and building stronger resilience to disruption are top imperatives within LSHC.
Financial Services (FS)
Inherent risk and maturity
- 71% of FS respondents have a heightened perception of risks inherent in third-parties.
- The most notable increases in dependence on the extended enterprise have taken place in the FS industry with 59% of respondents reporting some or significant increase over the last year.
- 57% of FS respondents believe they require at least two to three years or more to achieve the desired state in EERM.
Business case and investment
- 52% of FS respondents are the most motivated by positive cost reduction in its overall spend on third-parties.
- 48% of FS respondents state that the reduction in regulatory exposure is a related driver for EERM initiatives.
- One in four FS respondents consider the ability to achieve greater agility and flexibility in the marketplace to be the most popular driver for EERM investment.
Centralized control
- While 53% of FS respondents feel that the overall control structure in their organization is equally or more decentralized than centralized, 56% of respondents feel that their EERM organization structures are equally or more decentralized.
- 73% of FS respondents are adopting the CoEs and SSCs operating model.
- 2% of FS respondents have outsourced to managed service providers.
Technology platforms
- 18% of FS respondents use features of the existing ERP system or other organization-wide backbone systems for procurement.
- The uptake of generic GRC packages is highest in FS with 34% of respondents subscribing to this option.
Sub-contractor risk
- 81% of FS respondents do not have appropriate knowledge and visibility over their fourth and fifth parties.
- Only 15% of FS respondents review concentration and other risks from their fourth and fifth parties either quarterly or half-yearly.
Organizational imperatives and accountability
- 19% of FS respondents state there is a high level of engagement and knowledge of EERM by the Board.
- 17% of FS respondents state there is a high level of engagement and coordination by risk domain owners.
- Identifying the most strategic third-parties to ensure proportionate EERM effort and addressing cyber risks are top imperatives within FS.
Technology, Media and Telecommunications (TMT)
Inherent risk and maturity
- 53% of TMT respondents report some or significant increase in the level of dependence on third-parties over the last year.
- 49% of TMT respondents believe they require at least two to three years or more to achieve the desired state in EERM.
Business case and investment
- 49% of TMT respondents believe that the ability to increase revenue is one of the important drivers for investment in EERM.
- One in four TMT respondents considers the ability to achieve greater agility and flexibility in the marketplace to be the most popular driver for EERM investment.
Centralized control
- TMT has the highest level of uptake on CoEs and SSCs with 79% of respondent adopting this operating model.
- TMT saw an increase in actual utilization of community models/market utilities from 12% of respondents last year to 27% of respondents in 2017.
Technology platforms
- 9% of TMT respondents use features of the existing ERP system or other organization-wide backbone systems for procurement.
Sub-contractor risk
- 24% of TMT respondents review concentration and other risks from their fourth and fifth parties either quarterly or half-yearly.
Organizational imperatives and accountability
- 18% of TMT respondents state there is a high level of engagement and knowledge of EERM by the Board.
- Building stronger resilience to disruption and enhancing the technologies to address EERM requirements are top imperatives within TMT.
Public Sector (PS)
Inherent risk and maturity
- 71% of FS respondents have reported a heightened perception of risks inherent in third-parties.
- More than 45% of PS respondents continue to increase their third-party dependence.
- 35% of PS respondents have integrated/optimized their EERM processes and technology in the current survey against 20% in the last year.
- PS has the largest majority of organizations that believe they have the longest journey to achieve desired state in EERM with 75% of respondents believing this to be at least two to three years or more.
Business case and investment
- 50% of PS respondents state that meeting internal compliance requirements is a related driver for EERM initiatives.
- One in five PS respondents considers the ability to achieve greater agility and flexibility in the marketplace to be the most popular driver for investment in EERM.
Technology platforms
- 18% of PS respondents use features of the existing ERP system or other organization-wide backbone systems for procurement.
Organizational imperatives and accountability
- A high level of engagement and knowledge of EERM by the Board appears to be the highest in PS with 35% of respondents stating this to be the case.
- 30% of PS respondents state there is a high level of engagement and coordination by risk domain owners.
- Addressing cyber risks and building stronger resilience to disruption are top imperatives within PS.
Energy and Resources (E&R)
Inherent risk and maturity
- 52% of E&R respondents reported some or significant increase in the level of dependence on third-parties over the last year.
Business case and investment
- 44% of E&R respondents appears to be motivated by positive cost reduction in their overall spend on third-parties.
- 40% of E&R respondents state that the strongest drivers for EERM initiatives is reducing the number of third-party related incidents.
- 58% of E&R respondents state that the reduction in regulatory exposure is a related driver for EERM initiatives.
- One in three E&R respondents considers the ability to achieve greater agility and flexibility in the marketplace to be the most popular driver for EERM investment.
Centralized control
- 73% of E&R respondents are adopting the CoEs and SSCs operating model.
- E&R seems to have outsourced the most to managed service providers with 7% of respondents stating this to be the case.
- E&R saw an increase in actual utilization of community models/market utilities from 28% of respondents last year to 33% of respondents stating this to be the case in 2017.
Technology platforms
- 28% of E&R respondents use features of the existing ERP system or other organization-wide backbone systems for procurement.
Sub-contractor risk
- 75% of E&R respondents acknowledge they do not have appropriate knowledge and visibility over their fourth and fifth parties.
- Only 15% of E&R respondents review concentration and other risks from their fourth and fifth parties either quarterly or half-yearly.
Organizational imperatives and accountability
- 31% of E&R respondents state there is a high level of engagement and knowledge of EERM by the Board.
- 18% of E&R respondents state that there is a high level of engagement and coordination by risk domain owners.
- Identifying the most strategic third-parties to ensure proportionate EERM effort is a top imperative within E&R.
Previous reports
For many organizations, their third-party ecosystem, or ‘extended enterprise,’ is an important source of business value and strategic advantage. However, as the reliance on third-parties continues to grow, so do the associated risks, bringing potential reputational damage and regulatory action.
Deloitte member firms experienced teams work with clients to develop governance frameworks which effectively identify and manage all forms of third-party risks, looking at both process and technology solutions to deliver value and meet contractual obligations.
2017 EERM survey report
Overcoming the threats and uncertainty
2016 EERM survey report
The threats are real