“Be responsible and effective: Strike a balance.”
Deloitte Extended Enterprise Risk Management Report Part I – Introduction.
Deloitte has been conducting its annual global survey on extended enterprise risk management (EERM) for five years now. The latest edition includes the views and observations of 1,145 respondents from 20 countries all over the world. Based on the survey results, Deloitte has released a report focusing on the prevailing trends and EERM challenges faced by organizations. This year’s report is unique: in addition to surveys completed between November 2019 and January 2020, it also includes information obtained subsequently on how enterprises and the third parties in their ecosystems responded to the rapid developments driven by the COVID-19 pandemic.
The report is entitled “Be responsible and effective. Strike a balance.” This article is the first in a series of eight publications aimed to discuss the key themes emerging from the survey.
Navigating the impact of COVID-19 on the extended enterprise
Today, striving to balance efficiency and effectiveness in third-party risk management is becoming increasingly important. Deloitte’s survey shows that organizations which manage third-party risk successfully are able to respond to the current crisis more adequately. On the other hand, nearly half of respondents do not view business continuity and the ability to respond promptly as the key aspects of effective operations in their business relationships. Given the global changes reflected in the survey and organizations’ responses, it may be expected that the role of EERM will increase.
The outbreak of COVID-19 during the survey period was another factor that considerably affected not only the day-to-day running of businesses but also the role and methods of EERM. Initially the survey, which began in November 2019, did not take account of the impact of the pandemic on business operations. It was therefore supplemented with additional information obtained through interviews and in the course of ongoing cooperation with various organizations. The main conclusion is that the pandemic has revealed how important it is to treat third-party risk management as a priority. Unfortunately, the survey shows that most organizations had not taken a sufficiently mature approach to third-party risk management to be able to tackle the challenges posed by the pandemic effectively.
An analysis of the data contained in the report leads to the observation that an increasing number of companies decide to use third parties not only to realize short-term benefits (e.g. cost savings) but as part of their long-term, strategic business development plans. Such an approach creates additional exposure to risk, and some risk domains are not only underinvested in but also consciously ignored by organizations.
Not only has the pandemic highlighted the impact of third parties on business operations, but it has also shown how quickly some incidents may occur, especially those associated with modern communication methods.
What was going wrong?
What are the main areas for improvement?
- Piecemeal investments in EERM:
Deloitte’s survey results reconfirm, year on year, that it is becoming more and more critical for organizations to have a holistic and integrated approach to TPRM. Yet in prior years the majority of them struggled to make the required investments due to an uncertain economic and macro environment. This impaired growth in organizational maturity, neglected certain risks, and adversely affected core basic tasks. Needless to say, even the most mature EERM program cannot eliminate the risk of loss completely. But as far as the actions taken are concerned, we see evidence of a lack of the proper planning necessary to respond to high-impact events such as this pandemic, as well as conscious neglect of some EERM domains. These areas, which were underinvested in before, now create challenges as these same organizations respond to global events.
- Lack of maturity in TPRM:
Only 15% of organizations integrate or optimize their approach to managing risk with their third parties. This means that 85% do not develop the appropriate capability and capacity to manage the entire spectrum of third-party risks in an integrated and holistic manner across all third-party types in their ecosystem.
- Focus on the largest issue:
Respondents tend to focus on the largest issue of the year (such as cyber risk, data privacy), thus neglecting other, equally important risk domains (including resilience and business continuity).
- Not “brilliant at the basics”:
More and more respondents realize that their piecemeal approach to EERM investment weakens their ability to do basic or core tasks well, such as understanding the nature and criticality of third-party relationships and understanding the related contractual terms. This, in turn, leads to inadequate allocations in a time of crisis.
- Under-emphasis of exit plans:
33% of respondents do not have appropriate exit plans for critical third parties. A further 27% do not know whether they have them or not. What is more, for almost half of the respondents concentration risks are typically assessed reactively, at less than annual intervals.
- Neglect of subcontractors:
The majority of respondents realize the need to monitor third parties, but 80% said they did not monitor their subcontractors (fourth and fifth parties), which may lead to incidents arising from underestimated risks.
- Keeping pace with technology:
72% of respondents are not satisfied with their EERM technology solutions (especially with the scope of their access to data, data visualization, ongoing analysis and integration between different solutions). This is inadequate for making critical business decisions.
Responding to the crisis
Most organizations initially responded to the situation by identifying and assessing the impact on their most critical third parties and subcontractors through enhanced monitoring. We note several commonalities in early approaches:
The survey recognizes that many organizations did not have a comprehensive understanding of their risk exposure readily available and did not realize how critical third parties were to their effective business operations. Also, the future impact of the pandemic on the organization’s operations remained underestimated, and such data was especially important when the crisis hit, to enable a focus on those areas which presented the highest risk. Instead of responding to the crisis, companies first had to assess where such preventive measures could be applied.
The most responsive organizations took the following steps earlier than others. Early on they:
Access to up-to-date information and ongoing management of third-party relationships provide real-time knowledge of what is happening on the ground, which in turn facilitates informed decision-making.
For critical third parties, organizations:
Organizations were compelled to seek visibility into subcontractor dependencies, supporting their third parties in obtaining additional information on subcontractors and, where needed, engaging in conversations and analyses with fourth parties. This helped them gain an in-depth understanding of their potential exposure to fourth- and fifth-party risks and develop contingency plans for incidents.
The use of tools to visualize data has increased in organizational responses to the COVID-19 pandemic. Specifically, many organizations are embracing visual solutions to map the spread of the virus and overlay critical third-party locations in order to model potential impacts on business continuity more accurately. Visualization can help an organization anticipate challenges and enable it to take proactive action. It also helps develop new executive dashboards that give organizational leadership and board members real-time access to the most important data.
The pandemic has not been the only factor driving changes in the operations of extended enterprises. An in-depth analysis of the survey responses has identified six key themes which were considered the most important by the majority of respondents. We discuss them briefly below, together with the key findings.
- Cost of failure. Organizations are increasingly concerned about the rising cost of getting third-party risk management wrong.
- Balancing responsibility and cost. According to respondents, organizations are more aware of the need to be a responsible business.
- Increasing regulatory activity. Both market regulators and new regulations have put pressure on the activity related to EERM.
- Long-term vision. Organizations are developing a vision to transform EERM over the next two to three years.
- Leveraging external assistance. More organizations are exploring and engaging external support for their EERM programs.
- Wider focus. Senior executives are extending their focus beyond risk to encompass a broader view of third-party management.
Each theme will be explored in a separate article, to follow soon.