Extended enterprise risk with Dan Kinsella

Leader's Corner | Perspectives from the front lines

Organizations’ use of third parties is greater than ever and growing. Third parties are no longer brought in simply to cut costs. They’re now executing core activities that are critical to operations, business models, and value propositions. Given the increased usage and elevated nature of third-party involvement, extended enterprise risk has become a strategic risk for C-suite executives and board members.

Extended enterprise risk Q&A

Q. What are the benefits of robust extended enterprise risk management and oversight?

We consistently see organizations drive 2 percent to 3 percent to the bottom line by reducing risk events and losses; improving performance; and exercising greater diligence in contract oversight, audits, and enforcement. It’s true that the extended enterprise may bring risks, but it’s also a tremendous source of untapped cost management and performance potential. For example, over time, many contracts with third parties are subject to revenue leakage or overpayments. Also, executives and boards now realize that they own the risks presented by third-party vendors, whereas before they often believed those risks were transferred to their outsourcing vendor. They now have a greater stake in how the extended enterprise affects their governance and oversight responsibilities.

In their governance role, boards need better visibility into their third-party ecosystem and the risks they present. I recently saw a board member ask senior management how many third-party relationships the organization had, and he was shocked at the huge number. Boards need a much clearer line of sight into the entire ecosystem, which goes beyond vendors, suppliers, and service providers to include joint venture and alliance partners, and sales agents and brokers—as well as the fourth- and fifth-party subcontractor organizations with whom they engage. They also need ways of understanding the interconnections of their network, such as visualization tools, mapping, and risk attribution.

Q. What are the implications of extended enterprise risk for other risk domains?

Leadership should consider third parties when they examine any risk domain. I’d say that over one-third of cyber incidents and one-third to one-half of reputation risk events originate in the extended enterprise.

Extended enterprise risk also relates to culture risk because organizations should promulgate a culture across their entire ecosystem in which people own, understand, and manage risk. I’d like to see organizations within an ecosystem leverage each other’s strengths to address risks in the most effective ways. Many organizations aren’t there yet, but that is, hopefully, where they are headed.

Q. How can leaders improve management of these risks?

It’s useful to take any “islands of goodness” and extend them across the ecosystem. Most organizations certainly have some kind of third-party risk management program—maybe for IT providers or a preferred supplier program, and maybe an anti-bribery/anti-corruption program. Extending those programs can be a starting point. It’s also essential to have someone responsible for this risk and for connecting activities into an integrated model. When you have consistent risk management policies, procedures, and data, you can then consolidate the information into an integrated third-party risk and risk management view. The result can be dramatic.

More organizations are moving to a managed services model to improve their management of extended enterprise risk. Here’s why. If you’re working with the right managed services vendor, it can bring true risk domain knowledge, technology, and the right talent. This is important in cyber, anti-bribery/anti-corruption, business continuity, contract risk, human trafficking, and other areas. Many organizations don’t possess the domain expertise of a managed services provider or an understanding of the right technologies to invest in. So, leveraging that knowledge enables them to manage the entire third-party management life cycle rather than trying to hire, develop, and sustain it in-house. By adopting a managed services model, organizations can shift the responsibilities to their third parties, lower costs, reduce risk, and refocus their time and attention on more business-critical initiatives.

Dan Kinsella | Partner, Deloitte Risk and Financial Advisory

Dan serves as the extended-enterprise and third-party assurance leader in Deloitte & Touche LLP. He combines business and technology experience to help clients create and optimize their extended enterprise through cost and revenue recovery services. He specializes in creating efficient exchange of risk information synergies in the marketplace.

The view from the C-suite

Third parties that make up the extended enterprise can make or break an organization. We see news coverage about damaged corporate reputations on a regular basis. In many cases, the cause wasn’t the organization itself but an entity within the extended enterprise.

Like culture and cyber risks, the toll a third-party risk can exact on reputation is big. Take, for example, a vendor that inadvertently makes confidential client information available to the public. In many cases, the stakeholders won’t come down on the vendor; they’ll come down on the organization that vendor is serving as well as its leaders.

At a time when third parties are moving closer to the core of businesses, the potential for risk increases. Many leading organizations are using advanced technology to analyze vendor behavior to identify risks associated with procurement. The key is to take a proactive approach to understanding if a third party could expose an organization to risks and take action before a problem surfaces.

Boards play a key role in this oversight, but based on a recent report, they’re not fully aware of the strength of their extended enterprise risk approach. In Illuminating a path forward on strategic risk—Deloitte’s survey of 400 CEOs and board members in organizations of more than $1 billion—62 percent of CEOs saw their enterprise partners’ risk practices as weaker than those in their own organizations, compared with only 39 percent of board members.

The disparity between the two groups’ perspectives—with many more CEOs taking a dimmer view than board members—is cause for concern. This gap may reflect inconsistent reporting to the two sets of leaders and potentially a lack of alignment over risk strategy. Regardless, boards need a better understanding of extended enterprise risk.

The first step in enhancing an approach to extended enterprise risk may seem obvious, but it’s often the most difficult: determining the vendors who are in the network. Once the third parties are identified, an organization can develop questionnaires to evaluate which parties they believe pose a risk and take steps to mitigate the risk or, in some cases, sever ties with the vendor.

Leaders responsible for the extended enterprise can then proceed with several risk reduction initiatives such as enhanced monitoring, assurance activities, and transparency. They can adopt a more disciplined approach for making a business case for using a third party, and they can make visits to third-party locations.

As organizations continue to enhance their risk management programs, they should view such programs as strategic enablers of innovation and look for ways to connect risk management to their business vision. When I talk with C-suite executives and board members, I suggest that they ask a simple, direct question about a potential vendor: “Has this vendor earned the privilege of doing business with us?” The bar for being included in the extended enterprise should be high, given that a third party’s actions can impact the reputation of the organization.

Chuck Saia | Former CEO, Deloitte Risk and Financial Advisory

Chuck previously led a risk consulting and financial advisory business comprising 12,500+ professionals. As CEO from October 2016 through May 2019, he oversaw a practice that is considered a global leader in risk and financial advisory services.
