4. Extended Enterprise Risk Management

2021 Hot Topics for IT Internal Audit in Financial Services

October 2020

Why is it important?

For many organisations, their third-party ecosystem, or “extended enterprise”, is an important source of business value and strategic advantage. However, as the reliance on third parties continues to grow, so do the associated risks, bringing potential reputational damage and regulatory action.

What’s new?

Our 2020 global survey on Extended Enterprise Risk Management (EERM) highlighted increasing interest in, and leadership focus on, third-party risk management. Likewise, this area remains a key focus for Internal Audit.

Some of the key findings as reported in our survey were:

  • A rise in regulatory activity related to EERM has put pressure on organisations, raising benchmarks and expectations as to the definition of good practice and maturity in this area.
  • The financial impact of a failure of a third party or sub-contractor has increased significantly in the last 5 years (at least doubled).
  • Organisations are more aware of the need to act as a responsible business, and this forms a top driver for investment in EERM.
  • Many organisations are developing their strategy and vision to transform EERM over the next two to three years.
  • Early indications show that those firms that have made appropriate investments in EERM programmes were faring better in their response to the crisis than those that did not.
  • We anticipate that organisations will re-evaluate how they position third party management to cope better with high impact events, and expect rapid acceleration of the TPRM maturity curve in the next 12 months.

What should Internal Audit be doing?

We have seen that senior executives have now extended their focus beyond risk to encompass a broader view of third party management. Equally, Internal Audit functions should be looking to cover, in their third party management audits, areas and sub-disciplines such as contract management, performance management, financial management, and sourcing activities. They should be auditing the design and implementation of the firm’s EERM framework; seeking to understand how management assesses the nature and criticality of third party relationships and the related contractual terms; and examining how management handles the associated supplier concentration risks, including those related to critical third parties.

Third party audits should seek to explore lessons learned from the crisis and how management has taken action to revise frameworks, controls and resilience measures to take these into account. Our research suggested that most organisations were unprepared to manage third party risk in the event of large-scale disruption such as the COVID-19 pandemic. The crisis highlighted the strategic impact of third-party failures, particularly where operational resilience programmes had not taken into account third party dependencies and the associated risks. Furthermore, controls around the monitoring of subcontractor risk (fourth or fifth party) were still quite immature or non-existent, with organisations believing that this is solely the responsibility of the third parties that engaged those subcontractors in the first place.

Conversely, proactive engagement and management of third parties, and alignment with operational resilience plans, significantly reduced the risk exposure. Some indicative actions include:

  • Identifying critical business activities, products and services, and instances with a high degree of dependency on third parties.
  • Including intra-group arrangements, subsidiaries and affiliates in this analysis.
  • Leveraging available data sources (internal and external) with regard to critical third parties to identify areas of potential risk – for instance delivery location, financial health, market sector etc.
  • Developing or revalidating contingency plans for the “higher risk” third parties.