Analysis

Vendor risk management and mitigation strategies

Upgrading extended enterprise risk management programs with technologies

See how technology investments in your vendor risk management program can help leverage third-party relationships to create value across the enterprise.

Investing in the right technology

As business environments become more complex, organizations are focusing on core competencies and increasingly outsourcing non-core functions to third-party providers.

Extending the enterprise by outsourcing these functions can make good business sense. But the associated risk levels must be carefully identified and managed. At the highest level, third-party incidents can result in reputational damage, non-compliance, or even criminal activity, which can negatively impact earnings and shareholder value.

To address this challenge, many organizations are investing in technology to support vendor risk management. Technology isn’t the entire answer to managing third-party risk. But the right technology or collection of technologies, coupled with optimal processes, can enable organizations to:

  • Create an inventory of third-party providers
  • Assess those providers based on levels of risk
  • Incorporate controls
  • Provide ongoing oversight and management

Back to top

The ROI from technology investments

Many organizations that have invested heavily in risk management technologies still struggle to maximize the value of those investments. Risk executives have turned to technology solutions to help them manage third-party risk. But in many cases, they’re underwhelmed by the results.

According to a 2016 Deloitte Global survey, 94.3 percent of executives had low to moderate confidence in their third-party risk management tools and technology, and 88.6 percent had low to moderate confidence in the quality of the underlying risk management processes.

Even sophisticated organizations with extended enterprise risk management programs often end up with process-heavy, workflow-driven technologies when they align technology decisions to broken processes. As a result, risk managers still spend the majority of their time gathering data, leaving little time to actually manage risk.

So how do risk managers use technology to help reduce the manual effort involved in collecting risk data? Integrating robust data feeds and innovative, cognitive technologies, such as robotic process automation and artificial intelligence, into a vendor risk management program can greatly reduce time-consuming manual labor and analysis. Incorporating risk sensing using advanced analytics to gather information from private and public sources allow organizations to create a near-time, comprehensive view of the risks related to their third-party relationships or engagements at any given time. This enables risk managers to focus significantly more time on analyzing data rather than gathering it, so they can aggressively manage those risks most critical to the organization.

Back to top

Start with the end in mind

Defining the capabilities needed to achieve the desired outcomes helps create a structure and process for evaluating technology options that fit the needs of the organization. Before selecting a technology or set of technologies, it’s critical to first define:

  • The business requirements in terms of the problem that needs to be solved
  • The areas of risk within the lifecycle
  • The types of third parties that need to be managed

Rather than mapping technology needs to current business processes and functional or technical requirements, organizations must identify the capabilities that need to be enabled through technology and work backward to identify the proper tools and technologies. Understanding how well (or how poorly) processes are working today can make the difference between using technology as a true enabler versus merely automating a broken process. This is also an opportunity to streamline existing processes.

Back to top

Rather than mapping technology needs to current business processes and functional or technical requirements, organizations must identify the capabilities that need to be enabled through technology and work backward to identify the proper tools and technologies.

An integrated, capabilities approach

When building a third-party risk management program, executives should consider several dimensions of technologies:

  • Architecture-enabling technologies
  • Risk assessments and controls testing
  • End-to-end risk and control management

Regardless of the scenario, a capabilities approach to technology investment decisions can achieve far better results than automating broken processes. With the right technologies in place, companies can implement and manage vendor risk management programs that drive efficiency, reduce costs, improve service levels, and increase return on equity. In our experience, organizations with a sound extended enterprise risk management program realize an average four percent to five percent return on equity.

Back to top

Take action, proceed with caution

As with any new investment in transformative solutions, executives need to be clear about goals, objectives, and the ideal end state. What many have called a failure of third-party risk management technologies can most closely be attributed to ineffective technology implementation, adoption, and integration.

As organizations elevate their extended enterprise risk management program with technologies and analytic enabling solutions, they should prepare to:

  • Start with the end in mind and clearly define the desired outcomes, business case, key performance indicators, and return on investment metrics.
  • Get key stakeholder buy-in and address the change management required to achieve success.
  • Assess the impacts on functional areas of your organization and gain organizational sponsorship.
  • Define the business architecture by identifying the core capabilities required to achieve the desired outcome and mapping those enabling tools and technologies.
  • Leverage the opportunity that extended vendor risk management brings to reinvent, streamline, and simplify processes instead of automating broken ones.
  • Determine a risk tolerance threshold. Risk is inherent and can’t be eliminated. But it can be managed to an acceptable level when enabled by tools and technologies that optimize the time spent on managing third-party risk versus gathering data.
  • Don’t expect to address everything with one technology product.
  • Make sure the extended vendor risk management program is tied to other risk programs within the organization, such as operations, to maintain consistency.

With heightening regulatory expectations, compliance-related sanctions, and increased scrutiny relative to third parties, extended enterprise risk management is increasingly top of mind. Developing an integrated enterprise technology infrastructure, coupled with clear processes, can optimize vendor risk management and enable organizations to leverage third-party relationships to create value across the enterprise.

Back to top

Let's talk

If you’re interested in learning more, please contact us. We’d be happy to schedule a meeting with you and your team.

 

Jan Corstens
Partner | Deloitte Risk and Financial Advisory
Global Extended Enterprise Risk
Management Leader
Deloitte Belgium
+32 2800 2439

 

 

Kristina (Krissy) Davis
Partner | Deloitte Risk and Financial Advisory
US Extended Enterprise Risk
Management Leader
Deloitte & Touche LLP
+1 617 437 2648

 

 

Kristian Park
Partner | Deloitte Audit
EMEA Extended Enterprise Risk
Management Leader
Deloitte UK
+44 7920 591507

 

 

Adam Thomas
Principal | Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
+ 1 773 677 1074

 
Did you find this useful?