Two thirds of companies lack adequate visibility over subcontractors to meet incoming GDPR requirements
Just 2% regularly review risk posed by subcontractors of third parties
23 April 2018
57% of global organisations feel they do not have appropriate visibility of subcontractors engaged by their third parties (referred to as fourth/fifth parties), according to a new survey from Deloitte. A further 21% are unsure of oversight practices, and fewer still (2%) routinely review the risk subcontractors pose to their organisation.
Kristian Park, extended enterprise risk management (EERM) partner, Deloitte, said:
“With GDPR coming into force across Europe next month, organisations will already be looking with renewed focus
Regular monitoring of subcontractors remains low, with just 2% of those surveyed engaging in this periodically, and 10% solely reviewing subcontractors identified as critical to continuity of business.
Park added: “This means that 88% of organisations are either dependent on their third parties to conduct subcontractor risk reviews, or have an unstructured, ad-hoc approach to fourth and fifth party oversight. This figure could also indicate that some organisations are simply unaware of their policy or, more alarmingly, do not have one.
“At the same time, the survey reveals that some organisations are already making additional investments
Reliance on third parties continues to grow this year with over half (53%) of respondents reporting ‘some’ or ‘significant’ increase in dependency. Changing regulation and heightened levels of regulatory scrutiny were considered the two greatest contributory factors to
Despite critical levels of
“This is a significantly longer journey than anticipated in earlier
Notes to editors
About the survey
This is the third global survey on Extended Enterprise Risk Management. This year’s survey had 975 responses from organisations in 15 countries across the Americas, EMEA, and APAC. Survey respondents include CFOs, heads of procurement/vendor management, CROs, heads of internal audit, and compliance and IT risk function leads.
In this press release, references to “Deloitte” are references to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see deloitte.com/about for a detailed description of the legal structure of DTTL and its member firms.
Deloitte LLP is a subsidiary of Deloitte NWE LLP, which is a member firm of
The information contained in this press release is correct at the time of going to press.
For more information, please visit www.deloitte.co.uk
Member of Deloitte Touche Tohmatsu Limited