“Be responsible and effective. Strike a balance.”
Deloitte Extended Enterprise Risk Management Report Part III – Be a responsible business
Deloitte has been conducting the annual global survey on extended enterprise risk management (EERM) for five years now. The latest edition includes the views and observations of 1,145 respondents from 20 countries all over the world. Based on the survey results, Deloitte has released a report focusing on the prevailing trends and EERM challenges faced by organizations.
This year’s report is unique in that, in addition to surveys completed between November 2019 and January 2020, it also includes information obtained subsequently on how enterprises and the third parties in their ecosystems responded to the rapid developments driven by the COVID-19 pandemic.
The report is entitled “Be responsible and effective. Strike a balance”. This article is the third in a series of eight publications discussing the key themes emerging from the survey. It explores the possible consequences of trying to strike a balance between achieving returns and being a responsible business.
The desire to be a responsible business, and to build a reputation for being one, has become one of the top drivers of investment in EERM. But the research shows that many organizations do not have sufficient budgets to embed responsible business initiatives across all their third-party relationships. As a result, not all third-party relationships are monitored, which may expose the company to unnecessary risks over the longer term.
The top drivers for EERM investment, as identified by the respondents, are:
a) Response to third-party related incidents (47%)
b) Regulatory requirements and scrutiny (45%)
c) To be a responsible business (43%)
d) Cost reduction (39%)
Response to third-party related incidents was by far the most common motive even before the outbreak of COVID-19. Interestingly, the desire to cut costs topped the list last year. Organizations believe that cost reduction can come from investment in cost and revenue recovery (CRR) initiatives (41%), have an appetite to do more in this regard in the future (51%) or cut costs through investment in shared service centers for EERM (53%). However, as many as 64% of respondents admit that they do not undertake any cost reduction initiatives in combination with risk management programs.
Despite an increasing desire to be perceived as a responsible business, some risk domains associated with third-party actions and relationships remain unaddressed by a large share of respondents:
a) Climate risk (74%)
b) Environmental risk – air pollution, water waste (57%)
c) Labor and modern slavery risk (54%)
d) Financial crime – money laundering, sanctions (51%)
e) Anti-bribery and corruption (45%)
f) Health and safety risk (43%)
g) Data privacy (40%)
EERM investment remains skewed towards certain risk domains. This year’s report reveals, however, that a growing number of domains are receiving investment:
a) Information security (65%)
b) Cyber risk (60%)
c) Data privacy (60%)
d) Health and safety (57%)
e) Anti-bribery and corruption (55%)
f) Regulatory non-compliance (55%)
An interesting picture emerges from an analysis of budget allocations, especially when compared with the risk domains affected by incidents and with the threats posed to the organization by third parties. According to the respondents:
a) Cyber risk (23%)
b) Information security (13%)
c) Anti-bribery and corruption (10%)
And the largest proportion of third-party incidents were related to:
a) Cyber risk (11%)
b) Anti-bribery and corruption (10%)
c) Information security (9%)
These risk domains are also more universally applicable to organizations across industry sectors and have been the focus of regulatory attention over the last few years.
a) Subcontractor risk (fourth and fifth parties)
b) Concentration risk
c) Climate risk
d) Geopolitical risk
Interestingly, most respondents believe their organizations under-invest in EERM. Fifty-nine percent of respondents still believe they under-invest in EERM, although this is a considerable fall from 70% last year. Fifty-eight percent think budgets for managing third-party risk are inadequate. What is more, 57% feel that internal independent reviews of third-party risk frameworks are not hitting the mark, and 62% think ongoing monitoring of third parties is inadequate.
As far as cost and revenue recovery is concerned, only 36% of organizations invest in such initiatives, and 51% of those would like to intensify them. Of the organizations that do not undertake such activities at all, 20% would like to start, 49% do not yet know whether they would like to, and 31% have no appetite to do anything in this regard.
Deloitte point of view
Limited, piecemeal investments in EERM have impaired growth in organizational maturity and made it harder to adopt a strategic, longer-term perspective on EERM. The lack of investment in core risk domains associated with being a responsible business, despite the desire to operate and be perceived as one, is a clear consequence of this myopic approach.
We expect organizations to be more responsive to global issues such as climate change, sustainability, food and product safety, and the need to be ethical, and to consider these aspects in their EERM programs. Growing customer activism will play a much more significant role in setting organizations’ agendas for managing third parties responsibly. We expect this will ultimately enable organizations to achieve higher returns or to reduce potential losses.
Despite cost pressures and a desire to maximize the benefits of EERM initiatives, our survey shows that a large proportion of organizational leaders overlook the role a sound cost and revenue recovery (CRR) program can play in optimizing their extended enterprise. Organizational leadership can be reluctant to commission rigorous reviews of third parties, fearing they signal a lack of trust or a need to “police” the relationship. In practice, however, CRR findings are rarely employed in a confrontational manner. Rather, they are used to demonstrate good governance, drive the right behaviors, and facilitate renegotiation of an existing contract on more favorable terms. In parallel, responsible organizations should expand their business continuity planning to include the impact of third parties on the well-being of employees, customers, and the general public in events such as a pandemic, even if this incurs higher costs.