Subcontractor and affiliate risk
Extended enterprise risk management survey 2019
Organisations lack clarity on addressing risks related to subcontractors engaged by their third parties and affiliates.
Supply chains and networks are becoming broader and longer. Not only are organisations subcontracting to third parties, but third parties are subcontracting to fourth parties, fourth parties to fifth parties, fifth parties to sixth parties and so on. Increasingly, organisations realise the significant risks associated with outsourcing.
Our survey respondents accept that they have poor oversight of the risks posed by subcontractors engaged by their third parties. Only 2% of survey respondents identify and monitor all subcontractors engaged by their third parties, and a further 8% do so only for their most critical relationships. The remaining 90% do not recognise the need, or do not have the appropriate knowledge, visibility or resources, to monitor subcontractors.
The lack of appropriate oversight of subcontractors is making it difficult for organisations to determine their strategy and approach to the management of subcontractor risk. Leading organisations are starting to address these blind spots through “illumination” initiatives to discover and understand these “networks within networks”. Once they grasp who their critical subcontractors are, the next step is to understand what assurance their third party is obtaining about those subcontractors.
Organisations lack clarity in their approach to monitoring and managing risks related to affiliates. Less than a third (32%) of organisations evaluate and monitor affiliate risks with the same rigour as they apply to other third parties. A higher proportion (46%) take an alternative, typically more simplified, approach to affiliate risk management, and the remaining 22% said they do not have affiliates.
As affiliates are typically part of the same group, organisations are likely to have a higher level of risk intelligence on them than on other third parties. A lighter touch for managing affiliates than for other third parties may therefore be acceptable if it is proportionate to the risk involved. The approach to making this assessment must be clearly defined and applied consistently, not varying and ad hoc.