

Managing third-party intermediaries and the extended enterprise

How to balance the risks and rewards

In the evolving global marketplace, leveraging third-party business partners (a concept Deloitte Risk and Financial Advisory calls the “extended enterprise”) can help companies find innovative ways to bring products to market, enter new geographies, access specialized talent not available in-house, reduce time to market, and lower service delivery costs. To do all those things more effectively, many companies are working with third-party intermediaries (TPIs) for logistics, sales, distribution, marketing/research, licensing/permitting, human resources, and more.

Benefits and challenges of third-party intermediaries

Relationships with third-party intermediaries may be crucial to boosting sales, increasing efficiencies, and furthering a company’s vision and growth strategies.

These relationships also come with risks, such as:

  • Compliance: Potential violations of US and international law
  • Financial: Potential revenue leakage and increased costs
  • Business continuity: Service interruption
  • Reputational: Reduced brand perception
  • Operational: Decreased control over processes and service levels
  • Cyber: Poor data security and over-reliance on third-party safeguards
  • Strategic: Misalignment of an organization’s strategic objectives

Making the extended enterprise web even more complex, there are often “fourth parties”—entities engaged by TPIs—that can present risks to a company.

Recent enforcement trends have shown that global regulators aren’t shying away from large fines, penalties, and sanctions (such as deferred prosecution agreements and corporate integrity agreements) where third-party relationships are concerned. In 2014, for example, 100 percent of all US Foreign Corrupt Practices Act (FCPA) enforcement actions brought by the Securities and Exchange Commission and Department of Justice involved some form of TPI relationship. In the same year, according to a report by Shearman and Sterling LLP, corporate penalties and fines from FCPA enforcement actions totaled over $1.5 billion, with the average corporate penalty amounting to $157 million—the highest average in history.

Companies are also becoming more aware of the value a robust compliance program can provide in identifying, managing, and mitigating potential risks throughout the extended enterprise. According to Deloitte Consulting LLP’s Global Outsourcing and Insourcing Survey, only 22 percent of respondents indicated that their company’s extended enterprise risk management and compliance function was “above average.” The survey also found that 72 percent of respondents didn’t have adequate tools and processes in place to manage TPIs.


Extended enterprise risks and options

To establish and maintain effective (and compliant) relationships with third-party intermediaries across the globe—and particularly in emerging markets—a company should understand the underlying risks.

Factors that should be considered and addressed in potential TPI engagements throughout the extended enterprise include:

  • Local regulatory standards
  • Contract deficiencies and lack of visibility
  • Local business practices and culture
  • Response to change

Companies doing business in and with emerging markets should consider aligning their approach to TPI arrangements with their risk objectives, including those relating to risk management, integrity, ethical, and compliance values.

Examples of how companies may potentially mitigate or transfer risks include:

  • Apply local and global standards consistently to TPI arrangements
  • Perform due diligence
  • Consider implementing clear, specific right-to-audit clauses
  • Structure applicable and specific contract language
  • Conduct in-depth market assessments
  • Maintain a contract management system
  • Conduct ongoing risk monitoring
  • Document business need and purpose
  • Establish fair market value
  • Customize practical policies, processes, and internal controls
  • Implement an effective training and anti-corruption program
  • Introduce applicable payment and performance processes
  • Be prepared for contingencies


An end-to-end approach

Organizations are becoming increasingly dependent on the extended enterprise, and regulatory bodies are focusing more heavily on enforcement activity. As a result, implementing processes, procedures, and controls to identify and mitigate regulatory and business risks associated with third-party intermediaries is taking on greater significance.

Given the breadth, depth, and complexity of managing TPIs, it’s critical that organizations implement an end-to-end approach to improve the maturity of their extended enterprise programs. This may include expertise and resources to assist in:

  • Strategy and program development
  • Evaluation and continuous monitoring
  • Technology enablement

Knowing how to recognize and respond to the risk warning signs when working with TPIs may help organizations realize both practical and competitive advantage—from better managing their extended enterprise and increasing shareholder value to reducing the scrutiny of regulators and avoiding reputational damage.

To learn more, read the full report: Who are you doing business with? How to balance the risk and rewards of third-party intermediaries.


How Deloitte Risk and Financial Advisory can help

Deloitte Risk and Financial Advisory’s extended enterprise risk management (EERM) framework presents a detailed approach for managing third-party intermediary relationships. Our capabilities and suite of solutions are designed to increase the performance of the extended enterprise. This enables us to help organizations achieve their strategic business objectives while appreciating the associated risks.

Our EERM framework is supported by three pillars:

  1. Strategy and program development
  2. Evaluation and continuous monitoring
  3. Technology enablement

This framework may be integrated across the organization, as well as applied to specific risk domain relationships. It can also help management address key TPI relationship challenges.

Let's talk

If you’re interested in learning more, please contact us. We’d be happy to schedule a meeting with you and your team.

Krissy Davis
Partner | Deloitte Risk and Financial Advisory Extended Enterprise Risk
Deloitte & Touche LLP
+1 617 437 2648

Dan Kinsella
Partner | Deloitte Risk and Financial Advisory Extended Enterprise Risk
Deloitte & Touche LLP
+1 402 997 7851

Kevin Corbett
Partner | Deloitte Risk and Financial Advisory
Deloitte Financial Advisory Services LLP
+1 212 436 6509
