NEW YORK, NY, USA, 8 July 2020—One in two companies believe the cost of a third-party risk incident–such as a supply chain failure, data privacy breach or disruption to IT services–has at least doubled in the past five years (2015-2020), according to Deloitte Global. The research shows that companies estimate such an incident would cost them between US$0.5 to $1 billion, or more.
These figures show a marked increase since 2015, when large multinational businesses estimated the cost of a third-party failure at between US$2 to $50 million.
Deloitte Global’s Extended Enterprise Risk Management (EERM) survey was undertaken between November 2019 and January 2020, prior to the outbreak of COVID-19 being declared a global pandemic. The global survey collates results of more than 1,145 respondents in all major industry segments, from 20 countries around the world. At this point in January 2020, 17% of organizations had faced a high-impact third-party risk incident in the past three years (up from 11% of organizations in 2019). High-impact third-party risk incidents relate to incidents with a severe impact on customer service, financial position, regulatory compliance and/or reputation.
Looking at the ways in which they could be financially affected, 30% of organizations surveyed thought share prices could fall by 10% or more if a third-party incident was not adequately managed.
"Despite an increase in incidents, companies are not yet investing sufficiently in managing third-party risk," says Kristian Park, Deloitte Global leader for Extended Enterprise Risk Management. "The COVID-19 pandemic has only highlighted the need for investment in risk management. Companies experienced a wide range of third-party incidents at the peak of the pandemic including supply chain, logistic and financial failures, as well as data breaches resulting in fines–all of which can have a significant impact on customer service, regulatory compliance and reputation."
For the first time in five years, a desire to be a responsible business, that effectively manages social and environmental issues throughout its supply chain, was one of the key reasons companies invest in third-party risk management. Almost half (43%) cited it as a reason for investment. Despite this, a large proportion were still not allocating budget to associated areas - 74% of respondents had not allocated funds to managing climate risk, 57% to environmental risk and 54% to modern slavery and labor.
Over half (59%) of respondents thought they were under-investing in EERM, though this fell from 70% last year. Budget for managing third-party risk was skewed towards certain areas, including information security, cyber risk, data privacy and health and safety. This is largely in line with the largest proportion of third-party incidents, which were related to cyber risk (23%), bribery corruption (23%) and information security (9%).
"The survey showed a desire to develop risk capabilities and to become a responsible business," adds Park. "Whilst efforts were paused at the beginning of the pandemic, these themes are widespread and constant as companies start to recover, particularly around workplace safety and carbon footprint. Given a growing dependence on critical third-party relationships, it’s key that companies act now to protect themselves and their extended enterprise."
Deloitte’s extended enterprise risk management (EERM) global survey collates results of over 1,145 respondents, in all major industry segments, from 20 countries around the world. Survey results in this report reflect responses gathered from participants between November 2019 and January 2020. Since the survey closed, the risk landscape changed significantly with the COVID-19 pandemic impacting organizations globally and across industries. In keeping with these changes, points of view (including COVID-19 commentary) set out in this report reflect the changing circumstances, which are primarily based on subsequent conversations and engagement with clients.
“Deloitte,” “us,” “we” and “our” refer to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities (collectively, the “Deloitte organization”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.
Deloitte provides industry-leading audit and assurance, tax and legal, consulting, financial advisory, and risk advisory services to nearly 90% of the Fortune Global 500® and thousands of private companies. Our professionals deliver measurable and lasting results that help reinforce public trust in capital markets, enable clients to transform and thrive, and lead the way toward a stronger economy, a more equitable society and a sustainable world. Building on its 175-plus year history, Deloitte spans more than 150 countries and territories. Learn how Deloitte’s approximately 415,000 people worldwide make an impact that matters at www.deloitte.com.
Deloitte Global Communications
Tel: +1 202 738 7586
Mobile: +1 202 734 3207