Extended enterprise risk management

Driving performance through the third-party ecosystem

In a globalized business environment, no company is an island. The ecosystem of a typical company comprises an exceedingly large number of entities with which the company does business, including customers, partners, agents, affiliates, vendors, and service providers. Taken together, these third parties constitute what we have termed “the extended enterprise.”

Definition of extended enterprise risk management

Extended enterprise risk management (EERM) is the practice of anticipating and managing exposures associated with third parties across the organization’s full range of operations as well as optimizing the value delivered by the third-party ecosystem. What does third-party risk look like? While one often thinks of data breaches involving IT providers, the tentacles of third-party risk extend into the farthest corners of the extended enterprise ecosystem.

Consider these scenarios:

  • An outsourced vendor for transaction processing decides to exit the business and provides little notice or transitional support.
  • An important distributor does not provide the amount of prime shelf space that had been agreed upon and instead leads with a competitor’s product.
  • A contracted supplier does not deliver merchandise on-time, thus disappointing customers and damaging the company’s brand reputation.
  • A customer organizes a boycott of the company’s products via social media.
  • A sales agent routinely favors a competitor, causing revenue and market share to decline in an important region.
  • Several franchisees do not spend co-op advertising dollars as instructed, resulting in a poor consumer response to holiday promotions.

Clearly, the spectrum of third-party risk is broad. It is challenging to define and catalog the full range of exposure because third-party risk is not a risk unto itself; rather, it is a combination of diverse risks with various degrees of severity based on the nature of the relationships an organization has with its third parties.

Taken together, these third parties—who may hail from around the corner or around the globe—constitute what we have termed 'the extended enterprise.'

Back to top

Cost: Escalation vs. containment

Most companies know that a third-party incident can cost them dearly, but few realize just by how much. In terms of downside losses, there are several ways in which companies can incur unnecessary expenses, expose themselves to fines, or be held responsible for restitution—not to mention the opportunity costs associated with not being able to serve existing customers or to pursue new business in the wake of a disruptive event. However, one of the more prominent and more costly risks associated with third parties is regulatory non-compliance. This pressure is unlikely to ease anytime soon since regulatory scrutiny and associated penalties are intensifying throughout the world.

Back to top


Revenue: Contraction vs. expansion

The consumer relationship is fragile. Customers are more prone to take their business elsewhere when they are disappointed or feel betrayed—even when the offending action was made by a third party several steps removed from company headquarters.

While driving away customers is an unpleasant prospect, the revenue implications of a company’s third-party risk management practices can just as well be positive. For instance, proactive efforts to manage the extended enterprise can open doors to revenue opportunities by qualifying a company to do business with other entities. For instance, a leading multinational retailer recently tightened its sourcing standards to include a “zero tolerance policy” for unauthorized subcontracting. Additionally, the retailer now requires its suppliers to validate that all input materials and components have been obtained from permissible harvests consistent with international treaties and protocols. 

From the supplier’s point of view, tighter sourcing standards such as these could be a blessing or a curse—precluding some, while including others. From the buyer’s standpoint, well-defined supplier standards, along with governance processes and enabling technologies, can form the backbone of a supply chain compliance optimization program. Such programs not only seek to ensure third-party adherence to policies and standards but also to drive revenue by aligning the extended enterprise with the company’s broader business objectives such as improving product quality, entering new markets, and satisfying customer demands for sustainable sourcing.

Back to top


Brand: Diminishment vs. enhancement

Every type of third-party exposure discussed thus far ties into an overarching risk: the ever-present threat of brand damage. In today’s interconnected world, trust equals value, with business leaders increasingly acknowledging the high financial impact of brand image and reputation. According to a study by the World Economic Forum, on average more than 25 percent of a company’s market value is directly attributable to its reputation. Furthermore, Deloitte Touche Tohmatsu Limited’s 2014 Global Survey on Reputation Risk found 87 percent of executives rated reputation risk as more important than other strategic risks, and 88 percent said their companies are explicitly focusing on managing reputation risk. Despite this focus, companies are still concerned about their readiness, saying they are least prepared to manage reputation risk drivers in areas beyond their direct control, such as third-party ethics and competitive attacks. These types of situations, should they come to pass, require effective crisis management and decisive leadership not only to “fix the problem” but also to take advantage of associated opportunities to improve processes, strengthen vendor relations, and uphold the brand by being transparent and responsive.

Back to top


Four cornerstone capabilities

Many companies believe they cannot take an end-to-end approach to managing the extended enterprise because securing executive sponsorship and getting people to take ownership can be an uphill climb. Furthermore, many businesses assume the task is too vast and they do not have the expertise and resources to build, execute and sustain a comprehensive third-party oversight program. In our experience, these barriers are more perception than reality. It is neither necessary nor possible to do everything at once. It is rather a matter of identifying some practical steps to take toward establishing an extended enterprise risk management program or evolving an existing one.

Most organizations can get a sense of what those steps might be by considering the extent to which they have developed the following cornerstone capabilities: 

  1. Strategy and governance: Creating an agile and flexible governance model
    Does your organization link its risk management practices to value drivers? Does it have a formal strategy and governance model for managing third-party risk? Does it understand where the breakpoints are in its third-party relationships? Does it have a prescribed means of assessing and staying ahead of them? Does you organization proactively seek to bridge the gap between business executives and compliance & risk professionals?
  2. People: Managing relationships, compliance and regulations.
    Does your company have dedicated roles for managing third-party risk across the extended enterprise? Has your organization aligned and strengthened its three lines of defense? Does executive ownership exist at the enterprise level? Are employees keeping up with emerging regulatory requirements? Are your third parties keeping up?
  3. Process: Navigating events that shape the extended enterprise
    Does your organization react to third-party events or does it actively seek to prevent them? Are risk management processes standardized across the enterprise and integrated with tools and data? Does your organization regularly consider how evolving technologies, market trends, and disruptive forces present opportunities and challenges to its third-party relationships? Does your organization have appropriate contracts in place with its third parties? Do you know if they are meeting expectations and complying with their contractual commitments? Can you readily assess the appropriateness of future delivery models? Are executives confident in their decisions to outsource or insource, build or buy?
  4. Technology: Using data and analytics to make informed decisions
    What tools and technologies does your organization leverage to make informed decisions about its third-party relationships? What data does your organization already have access to? Can leaders make real-time decisions? If so, what key performance indicators does your organization monitor and analyze to support those decisions?

Back to top

How did you respond to the capabilities questions?

Mostly "no": If you answered “no” to most of these questions, your company’s extended enterprise risk management program is likely in the earlier stages of development, where the organization may be managing some third-party risks on an ad-hoc basis, using a few off-the-shelf tools, and perhaps beginning to implement dedicated roles and processes.

Mostly "yes": More “yes” answers suggest it is further along the path toward integration and optimization—later stages of maturity that are generally characterized by greater use of customized tools, proactive monitoring and decision-making, and the connection of leading practices to value drivers.

How does your approach stack up?

Extend enterprise risk management maturity model is designed to help you understand where you are today, your ideal future state, and the value the future state can bring to your organization.

Back to top

Destination known: Improved business performance

Third-party risk is increasing for many enterprises, as are stakeholder demands for accountability and ROI. When existing or impending regulations in certain industries are added into the mix, the potential cost of inaction becomes high. In this environment, complexity and resource constraints are no longer sufficient reasons to avoid taking an integrated approach to third-party risk management across the extended enterprise—neither is fear of the unknown. Wherever your organization stands on the maturity curve, there are some “next logical steps” that can be taken now to establish an extended enterprise risk management program or to move your existing risk-management practices to the next level. While the journey may be different, the destination is the same: improved business performance through controlled risks and enhanced benefits.

Risk management solutions
Deloitte Risk and Financial Advisory brings together the full breadth of its capabilities into a comprehensive suite of solutions designed to help you increase the performance of the extended enterprise and help your organization achieve your strategic business objectives.

Back to top

Visit "Next Steps" (on the right) to contact us for more information.

Did you find this useful?