
Third-party Governance and Risk Management

Focusing on the climb ahead

Extended enterprise risk management survey 2018

This report shows how third-party risk management continued to benefit from greater executive awareness in 2017, which has allowed organisations to tackle the topic with renewed focus and investment. This is even more important amid prevalent threats of high-profile business failure, illegal third-party actions, or regulatory action with punitive fines.

This current survey reveals that organisations are taking an earlier, more strategic view of risk drivers to create value and identify new opportunities. Despite this awareness, and some associated improvements in third-party governance and risk management, six key areas exist where further effort is required by most organisations.

Inherent risk and maturity

  • Organisational self-assessment of overall EERM maturity continues to improve at a slower pace despite a perceived increase in the inherent risks in third-party dependence.

Business case and investment

  • EERM is increasingly being focussed on exploiting the upside of risk and demonstrating tangible benefits - a significant shift from only managing the downside of risk.

Centralised control

  • Organisations are centralising many elements of EERM roles, structures and technologies.
  • Centres of Excellence and shared service models represent the dominant operating model, along with an increased focus on market utility models.

Technology platforms

  • Technology decisions for EERM solutions are now being taken more centrally and a three-tiered technology architecture is emerging.

Sub-contractor risk

  • Organisations are lacking appropriate visibility and monitoring of sub-contractors engaged by third-parties.

Organisational imperatives and accountability

  • Ultimate ownership and accountability for EERM appear well and truly established in C-suite roles, with a need for improvement in engagement.
  • Challenges over internal coordination, talent and processes represent areas of highest (organisational) concern over EERM.

The survey results reflect a renewed focus in the last year on enhancing extended enterprise risk management maturity amid increasing perceptions of dependence on third-parties, although moving up the maturity curve has been slower than expected. This report also reflects an emerging shift to include more centralised oversight and management for extended enterprise risk management across the more decentralised or federated structures to enable increased risk-awareness and consistency.


Industry overviews

Consumer and Industrial Products (C&IP)

Inherent risk and maturity

  • 74% of C&IP respondents have a heightened perception of risks inherent in third-parties.
  • 55% of C&IP respondents reported some or a significant increase in dependence on third-parties over the last year.
  • 19% of C&IP respondents have integrated/optimized their EERM processes and technology.

Business case and investment

  • 48% of C&IP respondents are motivated by positive cost reduction in overall spend on third-parties.
  • One in four C&IP respondents consider the ability to achieve greater agility and flexibility in the marketplace to be the most popular driver for investment in EERM.

Centralized control

  • C&IP respondents have one of the highest levels of overall decentralization in their organizations, with 61% of respondents stating they are equally or more decentralized than they are centralized. However, only 45% of respondents feel their EERM initiatives are more decentralized than centralized.
  • 78% of C&IP respondents are adopting the CoEs and SSCs operating model.
  • 4% of C&IP respondents have outsourced to managed service providers.
  • C&IP saw an increase in actual utilization of community models/market utilities from 11% of respondents last year to 18% of respondents stating this to be the case in 2017.

Technology platforms

  • Use of niche GRC packages appears to be the dominant trend in C&IP with 69% of respondents stating this to be the case.

Subcontractor risk

  • 75% of C&IP respondents do not have appropriate knowledge and visibility over their fourth/fifth parties.
  • Only 15% of C&IP respondents review concentration and other risks from their fourth and fifth parties either quarterly or half-yearly.

Organisational imperatives and accountability

  • 18% of C&IP respondents state there is a high level of engagement and knowledge of EERM by the Board.
  • Identifying the most strategic third-parties to ensure proportionate EERM effort, addressing cyber risks, and building stronger resilience to disruption are top imperatives within C&IP.

Life Science & Healthcare (LSHC)

Inherent risk and maturity

  • 73% of LSHC respondents have a heightened perception of risks inherent in third-parties.
  • 58% of LSHC respondents report some or significant increase in the level of dependence on third-parties over the last year.
  • 24% of LSHC respondents have integrated/optimized their EERM processes and technology.
  • 54% of LSHC respondents believe they have the longest journey with at least two to three years or more to achieve desired state in EERM.

Business case and investment

  • 46% of LSHC respondents state that the reduction in regulatory exposure is a related driver for EERM initiatives.
  • 52% of LSHC respondents state that meeting internal compliance requirements is a related driver for EERM initiatives.
  • One in three LSHC respondents consider the ability to achieve greater agility and flexibility in the marketplace to be the most popular driver for EERM investment.

Centralized control

  • LSHC respondents have one of the highest levels of overall decentralization in their organizations, with 63% of respondents stating they are equally or more decentralized than they are centralized. However, only 45% of respondents feel their EERM initiatives are more decentralized than centralized.
  • 16% of LSHC respondents saw an increase in actual utilization of community models/market utilities.

Technology platforms

  • 32% of LSHC respondents use features of the existing ERP system or other organization-wide backbone systems for procurement.

Subcontractor risk

  • 85% of LSHC respondents acknowledge that they do not have appropriate knowledge and visibility over their fourth/fifth parties.

Organisational imperatives and accountability

  • 15% of LSHC respondents state there is a high level of engagement and knowledge of EERM by the Board.
  • 21% of LSHC respondents state there is a high level of engagement and coordination by risk domain owners.
  • Identifying the most strategic third-parties to ensure proportionate EERM effort and building stronger resilience to disruption are top imperatives within LSHC.

Financial Services (FS)

Inherent risk and maturity

  • 71% of FS respondents have a heightened perception of risks inherent in third-parties.
  • The most notable increases in dependence on the extended enterprise have taken place in the FS industry with 59% of respondents reporting some or significant increase over the last year.
  • 57% of FS respondents believe they have at least two to three years or more to achieve the desired state in EERM.

Business case and investment

  • 52% of FS respondents are the most motivated by positive cost reduction in their overall spend on third-parties.
  • 48% of FS respondents state that the reduction in regulatory exposure is a related driver for EERM initiatives.
  • One in four FS respondents consider the ability to achieve greater agility and flexibility in the marketplace to be the most popular driver for EERM investment.

Centralized control

  • While 53% of FS respondents feel that the overall control structure in their organization is equally or more decentralized than centralized, 56% of respondents feel that their EERM organization structures are equally or more decentralized.
  • 73% of FS respondents are adopting the CoEs and SSCs operating model.
  • 2% of FS respondents have outsourced to managed service providers.

Technology platforms

  • 18% of FS respondents use features of the existing ERP system or other organization-wide backbone systems for procurement.
  • The uptake of generic GRC packages is highest in FS with 34% of respondents subscribing to this option.

Subcontractor risk

  • 81% of FS respondents do not have appropriate knowledge and visibility over their fourth/fifth parties.
  • Only 15% of FS respondents review concentration and other risks from their fourth and fifth parties either quarterly or half-yearly.

Organisational imperatives and accountability

  • 19% of FS respondents state there is a high level of engagement and knowledge of EERM by the Board.
  • 17% of FS respondents state there is a high level of engagement and coordination by risk domain owners.
  • Identifying the most strategic third-parties to ensure proportionate EERM effort and addressing cyber risks are top imperatives within FS.

Technology, Media and Telecommunications (TMT)

Inherent risk and maturity

  • 53% of TMT respondents report some or significant increase in the level of dependence on third-parties over the last year.
  • 49% of TMT respondents believe they have at least two to three years or more to achieve the desired state in EERM.

Business case and investment

  • 49% of TMT respondents believe that the ability to increase revenue is one of the important drivers for investment in EERM.
  • One in four TMT respondents considers the ability to achieve greater agility and flexibility in the marketplace to be the most popular driver for EERM investment.

Centralized control

  • TMT has the highest level of uptake on CoEs and SSCs with 79% of respondents adopting this operating model.
  • TMT saw an increase in actual utilization of community models/market utilities from 12% of respondents last year to 27% of respondents in 2017.

Technology platforms

  • 9% of TMT respondents use features of the existing ERP system or other organization-wide backbone systems for procurement.

Subcontractor risk

  • 24% of TMT respondents review concentration and other risks from their fourth and fifth parties either quarterly or half-yearly.

Organisational imperatives and accountability

  • 18% of TMT respondents state there is a high level of engagement and knowledge of EERM by the Board.
  • Building stronger resilience to disruption and enhancing the technologies to address EERM requirements are top imperatives within TMT.

Public Sector (PS)

Inherent risk and maturity

  • 71% of FS respondents have reported a heightened perception of risks inherent in third-parties.
  • More than 45% of PS respondents continue to increase their third-party dependence.
  • 35% of PS respondents have integrated/optimized their EERM processes and technology in the current survey against 20% in the last year.
  • PS has the largest majority of organizations that believe they have the longest journey to achieve desired state in EERM with 75% of respondents believing this to be at least two to three years or more.

Business case and investment

  • 50% of PS respondents state that meeting internal compliance requirements is a related driver for EERM initiatives.
  • One in five PS respondents considers the ability to achieve greater agility and flexibility in the marketplace to be the most popular driver for investment in EERM.

Technology platforms

  • 18% of PS respondents use features of the existing ERP system or other organization-wide backbone systems for procurement.

Organisational imperatives and accountability

  • A high level of engagement and knowledge of EERM by the Board appears to be the highest in PS with 35% of respondents stating this to be the case.
  • 30% of PS respondents state there is a high level of engagement and coordination by risk domain owners.
  • Addressing cyber risks and building stronger resilience to disruption are top imperatives within PS.

Energy and Resources (E&R)

Inherent risk and maturity

  • 52% of E&R respondents reported some or significant increase in the level of dependence on third-parties over the last year.

Business case and investment

  • 44% of E&R respondents appear to be motivated by positive cost reduction in their overall spend on third-parties.
  • 40% of E&R respondents state that the strongest driver for EERM initiatives is reducing the number of third-party related incidents.
  • 58% of E&R respondents state that the reduction in regulatory exposure is a related driver for EERM initiatives.
  • One in three E&R respondents considers the ability to achieve greater agility and flexibility in the marketplace to be the most popular driver for EERM investment.

Centralized control

  • 73% of E&R respondents are adopting the CoEs and SSCs operating model.
  • E&R seems to have outsourced the most to managed service providers with 7% of respondents stating this to be the case.
  • E&R saw an increase in actual utilization of community models/market utilities from 28% of respondents last year to 33% of respondents stating this to be the case in 2017.

Technology platforms

  • 28% of E&R respondents use features of the existing ERP system or other organization-wide backbone systems for procurement.

Subcontractor risk

  • 75% of E&R respondents acknowledge they do not have appropriate knowledge and visibility over their fourth/fifth parties.
  • Only 15% of E&R respondents review concentration and other risks from their fourth and fifth parties either quarterly or half-yearly.

Organisational imperatives and accountability

  • 31% of E&R respondents state there is a high level of engagement and knowledge of EERM by the Board.
  • 18% of E&R respondents state that there is a high level of engagement and coordination by risk domain owners.
  • Identifying the most strategic third-parties to ensure proportionate EERM effort is a top imperative within E&R.

Previous reports

For many organisations, their third-party ecosystem, or ‘extended enterprise’, is an important source of business value and strategic advantage. However, as the reliance on third parties continues to grow, so do the associated risks, bringing potential reputational damage and regulatory action.

Our experienced teams work with clients to develop governance frameworks which effectively identify and manage all forms of third-party risks, looking at both process and technology solutions to deliver value and meet contractual obligations.

Third Party Governance & Risk Management - 2017
Overcoming the threats and uncertainty

Third Party Governance & Risk Management - 2016
The threats are real
