Deloitte Poll Reveals Maturity Shortfalls in Programs to Manage Third Parties
NEW YORK, March 26, 2018 — According to a recent Deloitte poll, over one-third of respondents define their current organizations’ processes to measure and monitor risks in the extended enterprise as “ad hoc” or “reactive,” characterized as an “initial” or “managed” phase of extended enterprise risk management (EERM) program development. At a time when third parties are moving closer to the core of businesses, the EERM programs that manage those third parties are just now beginning to shift from a manual and transactional approach to a coordinated, consistent, and transformational approach focusing on risk, financial, and performance aspects.
Nearly one-quarter of respondents define their organization’s current process to measure and monitor risk in the extended enterprise as “managed,” meaning there is minimal effort in addressing risk with limited access to third-party data and characterized by functional, reactive problem-solving with responsibilities built into existing roles. Only 3.9 percent of respondents define it as “optimized” with integrated strategy and decision making, executive champions, continuous improvement and investment, and highly customized decision support tools with external data. A full 11.8 percent of respondents define it as “initial” with no formal governance and little management input, functioning in fire-fighting mode and using ad hoc tools. Nearly a third said their organization’s EERM program was either in a “defined” or “integrated” phase of development characterized by a focus on issue prevention or value creation; adapted or customized tools for reporting; monitoring and decision making; and coordinated processes with dedicated owners at the enterprise level.
“Many organizations continue to manage risks in the extended enterprise in a decentralized manner that lacks consistent analysis and governance,” said Dan Kinsella, Deloitte Risk and Financial Advisory partner, Deloitte & Touche LLP. “Business units often function autonomously in their oversight of third parties and this decentralized approach inhibits EERM maturity, which requires a more formalized, ‘federated,’ governance model enabled by an effective mix of technology, people, and policies.”
In response to a poll question related to EERM oversight, 42.3 percent believe risk committees are the best entity to oversee risk governance in their organization’s extended enterprise. Only 11.1 percent said that boards are the best entity. This finding comes at a time when C-suite and board level executives are facing questions about their organization’s third-party management that could be more effectively addressed with a deeper understanding of the risks and performance drivers throughout the extended enterprise. Other respondents believe internal auditors (15.5 percent), regulators (6.5 percent) or external auditors (3.9 percent) are the best entity to oversee risk governance in their organization’s extended enterprise.
The poll found a majority of respondents believe their organization will invest in EERM programs over the next 12 months. Of those responding in the affirmative, 24 percent believe their organization is most likely to invest in exploring and adopting technology while 14.6 percent believe their organization is most likely to invest in exploring ongoing monitoring using risk sensing, and 11.2 percent believe their organization is most likely to explore adoption of shared utility models. Nearly 9 percent said their organization is most likely to invest in evaluating and rethinking their third-party risk management organization for effectiveness.
“We are noticing a trend in the use of third-party technology and we will continue to see organizations investing in this technology over the next year and beyond. Technology can be a powerful driver, but it can also be a risk if organizations don’t have policies in place to effectively manage it,” said Scott Gauch, principal with Deloitte Risk and Financial Advisory, Deloitte & Touche LLP. “Improved maturity of EERM programs, as they relate to technology, not only protects value, but also has the potential to expand business opportunities.”
Considering the challenges of managing risk in the extended enterprise, 27.8 percent of respondents said gaps in execution of risk management capabilities are their organization’s top challenge, while 13.3 percent point to their leadership’s view of EERM as a compliance-driven requirement. One in 8 respondents cite enterprise-centric risks taking priority over EERM, and 8.6 percent believe their organization’s top challenge to managing risk in the extended enterprise is that EERM is anchored at the mid-management level with little board or senior management visibility.
Among the poll’s other findings, 42.3 percent of respondents believe their organization currently has a business case for investment in EERM, while 18.6 percent believe their organization does not. Of those who responded in the affirmative, 19.9 percent said their organization has a balanced business case for investment in EERM that focuses on value creation and value preservation/compliance. Fifteen percent said their organization views EERM as mainly a necessity to ensure value protection and regulatory compliance, but with limited opportunities for value creation, and 7.4 percent said their organization views EERM as a key driver for value creation.
About the online poll
On Feb. 13, 2018, a Deloitte Dbriefs webcast titled, “The New Extended Enterprise: Resetting the Front Line,” polled more than 2,390 professionals about their organization’s extended enterprise performance. Respondents work in industries including banking and securities (27.0 percent); technology (10.6 percent); travel, hospitality and services (9.0 percent); insurance (6.1 percent); investment management (5.4 percent); and others. Answer rates differed by question.
Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world’s most admired brands, including more than 85 percent of the Fortune 500 and more than 6,000 private and middle market companies. Our people work across more than 20 industry sectors to make an impact that matters — delivering measurable and lasting results that help reinforce public trust in our capital markets, inspire clients to see challenges as opportunities to transform and thrive, and help lead the way toward a stronger economy and a healthy society. Deloitte is proud to be part of the largest global professional services network serving our clients in the markets that are most important to them.