Third party governance and risk management

Extended enterprise risk management survey 2019

Deloitte’s fourth annual extended enterprise risk management (EERM) survey shows there is renewed focus on maturing EERM practices within most organisations. This appears to be driven by a recognition of underinvestment in EERM coupled with mistrust of the wider uncertain economic environment.

Economic and operating environment

The economic environment continues to drive cost reduction and talent investment in extended enterprise risk management. Ongoing uncertainty and distrust in the economic and business environment are having a significant impact on third party risk management. Dramatic shifts at the market level, together with increased regulatory and internal scrutiny, are driving organisations to focus on cost reduction and talent investment and to revisit existing operating models.

The main drivers for investing in third party risk management are:

• Cost reduction: 62% of respondents
• Reduction of third party related incidents: 50%
• Regulatory scrutiny: 49%
• Internal compliance: 45%


Investment

A piecemeal approach to investment in third party risk management has impaired the speed of the maturity journey, neglected certain risks and adversely affected core basic tasks. Organisations have stalled on their journey to extended enterprise risk management (EERM) maturity. Only 1% of organisations say they address all important EERM issues, and only another 20% say they address most EERM issues. The majority of organisations surveyed also believe they have underinvested in third party risk management. Fewer than three in ten think that their capital expenditure is the ideal amount or more and that they spend the ideal amount or more on EERM staff and other operating costs.


Leadership

Boards and senior leaders are championing an inside-out approach to third party risk management, which includes better engagement, coordination and smarter use of data. Our survey reveals that boards and executive leadership continue to retain ultimate responsibility for extended enterprise risk management (EERM) in the majority of organisations. Better engagement and coordination across internal EERM stakeholders is a top priority for boards and senior leaders. More than a third of organisations admit to having a low, insignificant or unknown level of engagement and coordination across organisational units, geographies, risk domains and subject matter experts.

Who has ultimate responsibility for third party risk management?

• 24%: Chief Risk Officer
• 19%: other board members
• 17%: CEO


Operating models

Our survey reveals that robust central oversight, policies, standards, services and technologies, combined with accountability by business unit and geographical leaders, is a pragmatic way to proceed. Federated structures are becoming the dominant operating model for third party risk management, underpinned by centres of excellence and shared services. More than two-thirds (69%) of respondent organisations say they adopt a federated model, and only 11% of organisations are now highly centralised, down from 17% last year. More than half (53%) of organisations are using centres of excellence and 38% have shared service centres. Co-ownership of EERM budgets, where organisations retain centralised control but with stronger engagement and collaboration with business unit leaders, is also emerging as a new trend.


Technology

Organisations are streamlining and simplifying third party risk management technology across diverse operating units. Our 2019 survey confirms our prediction last year that a three-tiered approach for third party risk management will continue. Very few organisations want to develop complex bespoke solutions.

Smartly coordinated investments in third party risk management technology across three tiers can drive efficiency, reduce costs, improve service levels, increase return on equity, and create a more sustainable operating model.

• More than 59% of the respondents adopt tier one – enterprise resource planning (ERP) or procurement platforms that establish a common foundation and operational discipline for EERM.
• Three quarters (75%) adopt tier two – risk management solutions that are either EERM specific risk management packages (18%) or generic integrated risk management solutions tailored for EERM use (57%).
• Tier three – risk domain specific technologies – such as financial viability, financial crime, sustainability and cyber threats – continue to grow.


Subcontractor and affiliate risk

The 2019 survey exposes organisations' lack of clarity on addressing risks related to subcontractors engaged by their third parties, and risks related to affiliates.

Subcontractor risk: Our survey respondents accept that they have poor oversight of the risks posed by subcontractors engaged by their third parties. Only 2% of survey respondents identify and monitor all subcontractors engaged by their third parties, and a further 8% do so only for their most critical relationships. The remaining 90% either do not recognise the need or lack the appropriate knowledge, visibility or resources to monitor subcontractors. This lack of oversight is making it difficult for organisations to determine their strategy and approach to the management of subcontractor risk. Leading organisations are starting to address these blind spots through “illumination” initiatives to discover and understand these “networks within networks”.

Affiliate risk: Organisations lack clarity in their approach to monitoring and managing risks related to affiliates. Fewer than a third (32%) of organisations evaluate and monitor affiliate risks with the same rigour as they do other third parties. A higher proportion (46%) take an alternative, typically more simplified, approach to affiliate risk management. The remaining 22% said they do not have affiliates.