“Be responsible and effective. Strike a balance.”
Deloitte Extended Enterprise Risk Management Report Part IV – Increasing regulatory activity
The report is entitled “Be responsible and effective. Strike a balance.” This article is the fourth in a series of eight publications that discuss the key themes emerging from the survey. It explores the potential consequences for enterprises of increased regulatory activity with regard to the rules and procedures applicable to their market operations.
Deloitte has been conducting the annual global survey on extended enterprise risk management (EERM) for five years now. The latest edition includes the views and observations of 1,145 respondents from 20 countries all over the world.
Based on the survey results, Deloitte has released a report focusing on the prevailing trends and EERM challenges faced by organizations. This year’s report is unique in that, in addition to surveys completed between November 2019 and January 2020, it also includes information obtained subsequently on how enterprises and the third parties in their ecosystems responded to the rapid developments driven by the pandemic.
A rise in regulatory activity and the related requirements for companies has increased their focus on third-party risk management and encouraged nimble organizations to progress towards greater EERM maturity. Those unable to keep pace with changing expectations fall behind their peers and lose their competitive advantage. According to the survey, last year nearly 45% of respondents stepped up their investments in EERM due to tightening pressure from regulators. The impact of regulators has spread far beyond the historically regulated industries into risk domains not previously considered. In addition to legislation on bribery and corruption, there are rules to prevent sanctions violations (including international ones), rules protecting the conditions of workers (such as the UK Modern Slavery Act), privacy rules (such as GDPR) and upcoming regulation of cloud-based outsourcing and climate change. This widening remit is coupled with greater regulatory scrutiny. This also affects the assessment of maturity in approaching third-party risk management – and not all organizations can say that they have managed to maintain it at last year’s level. Over the past few years, the situation was as follows:
As can be seen, some organizations struggle to keep up with elevated expectations as to the maturity of their processes. On the other hand, non-compliance with regulations means fighting a losing battle. Increasingly demanding requirements also explain why the numbers shown in the table have remained fairly static over the past few years. The fact that 39% of organizations in 2020 were in the initial or defined stages of the maturity journey means that there is still significant room to improve their approach to TPRM. To facilitate the understanding of the EERM maturity assessment, the table below presents Deloitte’s standards applicable to various aspects of a company’s business operations.
Top areas requiring focus and improvement, as identified by respondents, are:
- Risk metrics and reporting (68% of respondents).
- Tools and technology for managing third parties (63%).
- Governance and holistic oversight of third parties by leadership (61%).
EERM maturity is also impeded because many organizations do not cover or consider all third-party relationship types in their programs, which makes their approach to TPRM piecemeal. In particular, this concerns third parties such as:
- Licensees and joint venture partners (20%).
- Sales agents, distributors and franchisees (19%).
- Group companies, subsidiaries and affiliates (15%).
Challenges posed by subcontractors
Subcontractors (fourth or fifth parties) still present a compelling challenge for 80% of organizations: only 20% of respondents say they can effectively monitor either all subcontractors or even just the more critical ones. This is driven mainly by a lack of knowledge of who the subcontractors are and what risks they pose, and by a lack of capacity (time, people and budget). In some cases, organizations don’t want to overstep and perform a role they expect their third parties to perform.
As far as subcontractors are concerned:
- 8% of organizations identify and monitor all subcontractors.
- Another 12% monitor subcontractors of critical third parties only.
- 13% review subcontractors at the initiation of any new contract with a third party.
- 15% identify and review subcontractors on an ad hoc basis.
- 29% rely solely on third parties for subcontractor management.
- 23% do not monitor subcontractors at all, even through third parties.
Organizations acknowledge that inconsistent monitoring of third parties and their subcontractors generates significant risks, as do their dependencies on parties beyond those they directly contract with.
COVID-19 compelled organizations to better understand not only their third-party dependencies but also, at a minimum, their critical subcontractor dependencies. Responses ranged from becoming familiar with the assurance their third parties had in place to forming combined inspection teams with their third parties to assess and monitor fourth parties. Some organizations also used risk intelligence tools to understand fourth-party control environments, including financial solvency.
Additionally, new guidance and legal regulations, such as the UK’s Modern Slavery Act, require an organization to consider its entire supply chain, including reviewing compliance with data privacy rules (GDPR). If there is a breach two or three levels removed from your organization, you are still accountable.
A lack of a holistic approach to the management of subcontractors impairs an organization’s ability to monitor them effectively and is also reflected in the lack of adequate exit plans, which may present challenges to business continuity.
Continuity of business in the face of the pandemic
Many organizations have initiated robust business continuity planning with their third parties as they respond to COVID-19, but only 47% of them have allocated budget to monitor third-party business resilience and continuity. For many, COVID-19 has highlighted the lack of organizational readiness to respond to a pandemic. This has been a clear signal that formally maintained continuity or exit plans improve the ability to act and may offer considerable support in the day-to-day running of the business. The survey shows that 40% of respondents believe they have appropriate exit plans for critical third parties, 33% lack such plans and 27% don’t know whether they have them or not. Operational resilience is also an area of increased regulatory focus.
59% of respondents believe their EERM procedures are not flexible enough to proportionately and suitably assess start-ups or the contingent workforce. This could mean a lost opportunity to use niche expertise or other sources of strategic advantage. It could also increase risk exposure through a “one-size-fits-all” approach that does not take into account the particular circumstances of different types of third-party relationships, such as labor rights and tax implications.
Areas requiring improvement
According to respondents, the following areas require TPRM improvement in extended enterprises:
Deloitte point of view
Our experience continually indicates that a rise in regulatory activity encourages nimble organizations to progress towards greater EERM maturity, while those unable to keep pace with the changing expectations fall behind their peers and lose their competitive advantage. The growing proactivity of regulators presents an ever stronger deterrent to non-compliance.
We predict that new regulatory principles will continue to focus on third-party risk. One area where we expect this to happen more rapidly is operational resilience and continuity. We believe the optimum state of EERM will continue to be a moving target for many organizations, despite the growing expectations. Organizations will need to re-evaluate their earlier self-assessments of maturity at periodic intervals and continue to enhance their solutions. COVID-19 will compel organizations to better understand their subcontractor dependencies across the entire third-party ecosystem. This will improve the understanding, detection and management of critical subcontractor risks, which typically reside in the depths of a third-party ecosystem.