Deloitte Global Survey
Despite increasing dependence on third-parties, organizations are still not fully equipped to manage the extended enterprise
- 74% of survey respondents have faced at least one third-party-related incident in the last three years
- Over 50% of respondents reported “some” or a “significant” increase in their level of dependence on third-parties in the last year
- Only 20% of respondents have integrated or optimized their extended enterprise risk management mechanisms
- Just 11% of respondents are “fully prepared” to deal with the increased uncertainty in the external environment
NEW YORK, NY, 6 APRIL 2017—According to Deloitte Global’s second annual Extended Enterprise Risk Management survey, “Overcoming threats and uncertainty,” respondent organizations feel inadequately prepared to deal with today’s uncertain political and business environment and its impact on their extended enterprise.
The survey explores how significant changes in the external environment have slowed down progress in implementing holistic, integrated frameworks and risk management mechanisms over the last 12 months. The report also highlights five key areas where organizations should focus in the coming year in order to improve third-party governance and risk management (TPGRM) strategies.
“Businesses have learned that leveraging an ecosystem of third-parties can help innovate and generate incredible flexibility, agility, and cost savings,” said Kristian Park, EMEA Leader, Extended Enterprise Risk Management, Deloitte Global Risk Advisory. “Yet with this opportunity comes risk. Any shortcomings of these third-party providers can damage a business’s brand and reputation, can lead to regulatory penalties, and can disrupt their ability to meet customers’ expectations.”
Park added, “With a comprehensive risk management approach, organizations can confidently seize the competitive advantage offered by the extended enterprise by balancing opportunities and risk.”
Dependency and Vulnerability
The inaugural Extended Enterprise Risk Management survey, published in 2016 as “The threats are real,” revealed how large global organizations were addressing the key threats faced in managing their extended enterprise. The survey demonstrated how drivers directly aligned to long-term value creation were motivating organizations to rapidly enhance their dependence on third-parties. This, together with the increasing frequency of significant third-party incidents, resulted in TPGRM emerging as a board-level focus area, compelling organizations to invest in holistic and integrated programs.
This year’s survey reveals that the strategic dependence on third-parties continues to increase. Over 50 percent of survey respondents indicated an increase in their level of dependence on third-parties in the last year.
However, most organizations are still not managing the risks that third-parties create for them in a holistic and coordinated manner—only 20 percent have integrated or optimized their TPGRM mechanisms. Respondents recognize that these current levels of integration or optimization are far below what they should be. 53 percent of respondents aspire to achieve integration and an additional 27 percent to achieve optimization within the next one to three years.
Uncertainty in the external environment is likely to be a key factor over the next 12 months, which could require investments in building resilience to a changing environment to complement an earlier focus on detection and prevention.
In addition to dependency and vulnerability, the report explores four other key areas where most organizations could benefit from further effort.
- Relationship management and monitoring – 55 percent of respondent organizations stated that they have a reasonable to excellent level of understanding of their third-party population. Although the overall level of understanding of the third-party landscape and associated risks appears to have increased, the survey indicates a lack of confidence in the underlying data needed to manage these risks. Similarly, while more than half of respondents consider themselves to have a reasonable to excellent understanding of third-parties, this does not appear to be supported by robust, forward-looking activities to proactively identify potential issues. Only 13 percent of respondents have forward-looking vigilance capabilities to predict emerging third-party risks before the issue occurs.
- Governance and risk management processes – Despite sustained board and executive sponsorship, there is a lack of confidence in underlying TPGRM processes. The proportion of respondents skeptical about TPGRM technology in their organizations has only slightly reduced since the 2016 survey, from 94 percent to 90 percent. A similar lack of confidence relating to the quality of TPGRM processes is also only marginally down, from 88.6 percent to 82.5 percent, indicating the need for continued focus in this area.
- Technology platforms – The survey results indicate that technology platforms are still being implemented in a “patchwork” manner, which reflects short-term thinking. 55 percent of survey respondents now combine more than one technology platform to address different aspects of third-party risk, and 43 percent of respondents still leverage their existing enterprise resource planning (ERP) system. These solutions have compelled many organizations to build in manual, spreadsheet-based intervention to address any gaps. Better tools and technology can significantly reduce the time spent on pre-contract, post-contract, and ongoing tracking/monitoring activities. This in turn will likely free up much-needed time for focusing on strategic areas of third-party risk management and value creation.
- Emerging delivery models – Global organizations continue to be managed through higher degrees of decentralization. As a result, various hybrid and innovative delivery models are emerging that combine the characteristics of centralized and decentralized organizations and can enable the organization to remain agile and competitive in the marketplace. The survey found that a majority of respondents (59 percent) have expanded, or are in the process of expanding, the role of the corporate center to include Shared Service Centers (SSCs) and Centers of Excellence (CoEs) for extended enterprise risk management. This helps organizations to achieve the desired standardization and attract scarce talent and specialized skills. A smaller percentage of respondents (12 percent) are progressively moving to external service provider-based “managed services” models, representing an increasing trend.