Press releases

Deloitte Extended Enterprise Risk Management Survey

Amid economic uncertainty, maturing EERM practices take center stage for organizations

New York, Sept. 18, 2019

Key takeaways

  • Developments in Extended Enterprise Risk Management (EERM) maturity have not kept pace with increasingly critical levels of dependence on third parties since first surveyed in 2015, as such the majority (83%) of organizations experienced a third-party incident in the past three years.
  • The economic environment continues to drive cost reduction and talent investment in EERM. The desire to reduce costs has become the biggest driver for investing in EERM maturity (62% of respondents indicated).
  • According to the survey, federated structures are becoming a dominant operating model for third-party risk management as boards and executive management continue to take a deep interest in third-party risk management and want to provide more coordinated and responsive input. More than two-thirds (69%) of respondent organizations say they have adopted a federated model that allows for this sharing of responsibility.
  • A mere 1% of organizations considered themselves optimized to address all important EERM issues presented. Chronic underinvestment is making it hard for organizations to achieve their desired EERM maturity levels, and more fundamentally, hindered many responding organizations from doing basic core tasks well.

Why it matters
Signs of a slowdown in global economic growth are beginning to emerge, together with an atmosphere of greater organizational uncertainty. This survey reveals how organizations are recognizing this change and are creating value and greater efficiencies with a strong focus on improved, strategic EERM practices. As reliance on relationships with outside organizations continues to grow, so do the associated risks — in turn making it crucial that organizations are properly investing in EERM and have visibility into risks that are posed by the extended enterprise — for those third, fourth and fifth parties.

With organizations sharing sensitive information with an average of 583 third-party providers (Opus & Ponemon Institute Announce Results of 2018 Third-Party Data Risk Study), many now recognize the need to better understand the nature of these extended relationships and the contractual agreements to mitigate risks on the horizon. This report explores six key areas that are impacting the future of EERM including economic and operating environment, investment, leadership, operating model, technology and subcontractor and affiliate risk.

Media contacts:

Nicole Hockin
Public Relations
Deloitte & Touche LLP
+1 303 305 3074

Clare Buse
Public Relations
Deloitte Services LP
+1 212 436 3457

Key quotes:

Organizations are increasingly depending on external entities that might include third, fourth or fifth parties. However, not many have appropriate oversight into what is happening across their organization — leaving them exposed to potential risks, as 50% of survey respondents indicated they do not understand the nature of their third-party relationships. As EERM matures, it is important that organizations are investing strategically in end-to-end solutions that manage exposures associated with third parties.

Dan Kinsella, partner and extended enterprise risk management leader in the Risk & Financial Advisory practice, Deloitte & Touche LLP

There’s much to gain when an organization manages its extended enterprise well. However, we believe the consequences of negative actions by third parties is likely to continue to grow more severe – potentially damaging organizational reputation, earnings, and shareholder value. This will remain a compelling driver for organizations to invest in improving third-party risk management processes and frameworks.

John Peirson, CEO of Deloitte Risk & Financial Advisory

Leadership wants better engagement, better coordination and smarter use of data
Third party risk management was viewed as an operational rather than a board or top leadership issue for decades. As better management of EERM has been viewed as a transformation opportunity, boards and senior leadership have grown to have ultimate responsibility for EERM in more than three-quarters of respondent organizations. This starts with better engagement and coordination within the business, encompassing organizational units, geographies, risk domains and subject matter experts.

As the survey revealed, boards and executive leadership continue to retain ultimate responsibility for EERM in most organizations.

Who ultimately has responsibility for third-party risk management?

  • 24%: Chief Risk Officer
  • 19%: Other board members
  • 17%: CEO

Leadership involvement puts a keen eye on return on investment (ROI). More sustainable operating models for third-party risk management are being embraced — these are characterized by federated structures that are supported by centers of excellence and shared service centers, emerging technologies, shared assessments and managed services models and a move toward co-ownership of budget. More than two-thirds (69%) of respondent organizations say they adopted a federated model and only 11% of organizations are now highly centralized, down from 17% last year. More than half (53%) of organizations are using centers of excellence and 38% have shared service centers.

Piecemeal investment in EERM could be a risk to strategic growth
The focus on ROI should help to improve some of the concern and survey results around EERM investment. The majority (70%) of organizations surveyed believe they have underinvested in third-party risk management. And 7 in 10 believe they engage fewer employees than necessary for EERM or are not sure. Half (50%) spend more than $1 million on their annual EERM operating costs, but the top 11% spend more than $10 million each and employ over 100 full-time equivalent staff.

Still, our research shows that many organizations have been less able to make significant capital investments in transformation initiatives to bring about a holistic and integrated approach to third-party risk management. The resulting piecemeal approach to investing in EERM has impaired the speed at which organizations have been able to mature strategically in this area versus point-in-time tactical improvements.

Ultimately, this may lead to organizations not being able to do the core EERM basic tasks well such as understanding the nature of third-party relationships (50%), lacking the knowledge to understand contract terms (43%) and not monitoring third parties based on their risk profile (41%). Those basic functions and need proficiency are critically important in this fast-paced digitally connected world.

Just over half (53%) of respondents want a more coordinated and consistent approach to EERM across organizational functions. Investments in managed services and shared assessments and utilities drive efficiency by reducing the need to increase headcount and reduce capital expenditure.

For the first time, Deloitte’s survey captured uptake on three different types of managed services models:

  1. Managed services to acquire risk intelligence, including utility models that facilitate the shared exchange of such data. Eighteen percent of organizations use these and a further 21% plan to. This is the most popular way surveyed organizations are choosing to leverage a managed services model.
  2. Managed services deploying on-premise staff. Eighteen percent of organizations use these and a further 13% intend to use them.
  3. Managed services solutions deploying EERM technology as a service. Eleven percent use these and a further 14% plan to.

Subcontractors and affiliate risk: Many organizations have poor oversight
There is still room for growth in managing the extended enterprise as it relates to understanding subcontractor and affiliate risk, implementing a consistent coordinated EERM approach and increasing overall EERM maturity through investments.

Subcontractor and affiliate risk: Only 2% of organizations identify and monitor all subcontractors engaged by their third parties, and only 8% do so for their most critical relationships. The remaining 90% indicate that they do not have the need or have appropriate knowledge, visibility or resources to monitor subcontractors. Less than a third (32%) of organizations evaluate and monitor affiliate risks with the same rigor as they do other third parties.

About the Survey
Deloitte’s fourth annual extended enterprise risk management (EERM) survey shows there is renewed focus on maturing EERM practices within most organizations. 1,055 respondents from 19 countries covering all the major industry segments around the world participated in the survey. Respondents are typically responsible for governance and risk management of the extended enterprise in their organizations. Eighty-seven percent of respondents are from large global organizations. This reflects an increasingly high interest and leadership focus on third-party risk management. The survey took place between November 2018 and January 2019, and the sentiment of this period is reflected in the results. Over the past four years, the annual EERM surveys have tracked the key drivers for engaging third parties and investments in third-party risk management. For more information on Deloitte’s "2019 Extended Enterprise Risk Management Survey," or to download a copy, please visit: https://www2.deloitte.com/us/en/pages/risk/articles/third-party-risk.html.

About Deloitte
Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world’s most admired brands, including nearly 90% of the Fortune 500® and more than 5,000 private and middle market companies. Our people work across the industry sectors that drive and shape today’s marketplace — delivering measurable and lasting results that help reinforce public trust in our capital markets, inspire clients to see challenges as opportunities to transform and thrive, and help lead the way toward a stronger economy and a healthy society. Deloitte is proud to be part of the largest global professional services network serving our clients in the markets that are most important to them. Our network of member firms in more than 150 countries and territories serves four out of five Fortune Global 500® companies. Learn how Deloitte’s approximately 286,000 people make an impact that matters at www.deloitte.com.

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Did you find this useful?