Skip to main content
Research:
Research
09 Jul 2019

Focusing on the climb ahead

Extended enterprise risk management survey 2018

Download the full report
7 MB PDF

This report shows how extended enterprise risk management (EERM) has continued to benefit from greater executive awareness allowing organizations to tackle the topic with renewed focus and investment. This is even more important due to the threats of high profile business failure, illegal third-party actions, or regulatory action with punitive fines.

The survey findings reveal organizations are taking an earlier, more strategic view of risk drivers to create value and identify new opportunities. Despite this awareness, and some associated improvements in third-party governance and risk management, six key areas exist where further effort is required by most organizations.

Inherent risk and maturity

  • Organizational self-assessment of overall EERM maturity continues to improve at a slower pace despite a perceived increase in the inherent risks in third-party dependence.

Business case and investment

  • EERM is increasingly focused on exploiting the upside of risk and demonstrating tangible benefits—a significant shift from only managing the downside of risk.

Centralized control

  • Organizations are centralizing many elements of EERM roles, structures, and technologies.
  • Centers of Excellence (COEs) and Shared Service Centers (SSCs) represent the dominant operating model, along with an increased focus on market utility models.

Technology platforms

  • Technology decisions for EERM solutions are now being made centrally and a three-tiered technology architecture is emerging.

Sub-contractor risk

  • Organizations are lacking appropriate visibility and monitoring of sub-contractors engaged by third-parties.

Organizational imperatives and accountability

  • Ultimate ownership and accountability for EERM suggest it is established in the C-suite, with need for improvement in engagement.
  • Challenges over internal coordination, talent and processes represent areas of highest (organizational) concern over EERM.

The survey results reflect a renewed focus in the last year on enhancing extended enterprise risk management maturity amid increasing perceptions of dependence on third-parties, although moving up the maturity curve has been slower than expected. This report also reflects an emerging shift to include more centralized oversight and management for extended enterprise risk management across the more decentralized or federated structures to enable increased risk-awareness and consistency.

Focusing on the climb ahead

Third-party governance and risk management

Extended enterprise risk management global survey 2018

Access our regional highlights across the six key areas and assess how extended enterprise risk management compares across different regions

Regional overview

 

Americas

The Americas has traditionally had the highest level of dependence on third-parties with 60% of respondents reporting some or substantial increase in dependence.

The perception of inherent risks increasing is relatively the lowest with 54% of respondents from the Americas perceiving some or substantial increase in inherent risks related to third-parties.

The proportion of respondents with integrated and optimized EERM mechanisms is 29% in the Americas.

The Americas is likely to see even more dependence being placed on the extended enterprise with a stronger business case for investment in EERM initiatives going forward.

40% of respondents from the Americas feel the most common business case driver for investing in EERM is achieving positive cost reduction in organizational spend on third-parties.

17-18% of respondents from the Americas are focused on increasing confidence in their organizational brand through third-parties.

20% of respondents from the Americas are extremely confident and 48% are somewhat confident about demonstrating the tangible benefits related to their organizational business case for investment in EERM.

The Americas is ahead of the other regions with 82% of respondents having implemented COEs or SSCs for EERM.

21% of respondents from the Americas has utilized utilities/community models.

The Americas is the region with the highest level of centralization with 33% of respondents believing that their EERM initiatives are equally or more decentralized.

Using features of the organizational ERP system or other backbone procurement applications for EERM appears to be most common-place in the Americas with 25% of respondents stating this to be the case.

Three out of four respondents in the Americas lack the knowledge and visibility of sub-contractors.

55% of respondents in the Americas acknowledge that they either do not monitor sub-contractor risks at all or do not know if anyone in their organization does so.

Only 15% of respondents in the Americas monitor sub-contractors on a half-yearly or quarterly basis.

10% of respondents from the Americas have high engagement from their Boards.

Only 20% of respondents experience a high level of engagement of risk owners.

Respondents from the Americas are focused on better articulating business cases and identifying the most strategic third-parties for EERM effort.

Regional overview

 

EMEA

52% of respondents from EMEA state some or a substantial increase in dependence on third-parties.

70% of respondents from EMEA perceive some or a substantial increase in inherent risks related to third-parties.

19% of respondents from EMEA have integrated and optimized EERM mechanisms, which has not changed since last year.

The impact of macro-economic factors and uncertainty from EMEA, such as the outcome of the Brexit vote results may have increased the perception of inherent risks and slowed down investment in EERM initiatives, thus slowing down the increasing level of dependence.

50% of respondents from EMEA feel the most common business case driver for EERM investment is achieving reduced organizational spend on third-parties in the extended enterprise.

17% of respondents from EMEA are more driven by the opportunity to increase revenue, for instance by the identification of unreported or under-reported revenue streams.

21% of respondents from EMEA are focused on unlocking opportunities for innovation through third-parties.

12% of respondents from EMEA are extremely confident and another 52% are somewhat confident about demonstrating the realization of tangible benefits related to their organizational business case for investment in EERM.

74% of respondents from EMEA have implemented COEs or SSCs for EERM.

5% of respondents from EMEA have outsourced EERM substantially to a managed services provider.

EMEA appears to be leading the way on market utilities/community models with 34% uptake.

58% of respondents evaluated their organizations' overall control structures to be equally or more decentralized.

50% of respondents believe that their organizational structures for EERM are also equally or more decentralized.

EMEA appears to be taking the lead on emerging technologies for EERM with 50% of respondents using cloud-related initiatives, 33% exploring robotics, and 20% exploring cognitive analytics.

Three out of four respondents from EMEA lack the knowledge and visibility of sub-contractors.

35% of respondents from EMEA acknowledge that they either do not monitor sub-contractor risks at all or do not know if anyone in their organization does.

Respondents from EMEA appear to have the highest level of engagement from their Boards with 24% demonstrating a high level of engagement and understanding.

Only 16% of respondents have a high level of engagement of risk owners.

Respondents from EMEA share a common priority to identify strategic third-parties for proportionate EERM effort, and are focused on enhancing real-time monitoring of third-parties using emerging technologies.

Regional overview

 

Asia Pacific

44% of respondents from Asia Pacific report some or substantial increase in dependence on third-parties.

57% of respondents from Asia Pacific perceive some or substantial increase in inherent risks related to third-parties.

The proportion of respondents with integrated and optimized EERM mechanisms is 15% from Asia Pacific.

42% of respondents from Asia Pacific state the need to achieve reduced organizational spend on third-parties in the extended enterprise is the most common business case driver for business case for EERM investment.

20% of respondents from Asia Pacific are more driven by the opportunity to increase revenue, for instance by the identification of unreported or under-reported revenue streams.

16% of respondents from Asia Pacific are focused on gaining access to new markets, channels, and products.

7% of respondents from Asia Pacific are extremely confident and 37% are somewhat confident about demonstrating the realization of tangible benefits related to their organizational business case for investment in EERM.

75% of respondents from Asia Pacific have implemented COEs or SSCs for EERM.

No respondents from Asia Pacific have outsourced EERM substantially to a managed services provider.

56% of respondents from Asia Pacific evaluate their organizations' overall control structures to be equally or more decentralized.

54% of respondents from Asia Pacific believe their organizational structures for EERM are decentralized.

Three out of four respondents from Asia Pacific lack the knowledge and visibility of sub-contractors.

34% of respondents from Asia Pacific acknowledge they either do not monitor sub-contractor risks at all or do not know if anyone in their organization does so.

19% of respondents from Asia Pacific state that they monitor sub-contractors on a half-yearly or quarterly basis.

9% of respondents from Asia Pacific have high engagement from their Boards.

Only 15% of respondents have a high level of engagement of risk owners.

Respondents from Asia Pacific are focused on better articulating business cases for EERM and enhancing training and guidance for their organization.

Industry overviews

Inherent risk and maturity

  • 74% of C&IP respondents have a heightened perception of risks inherent in third-parties.
  • 55% of C&IP respondents reported some or a significant increase in dependence on third-parties over the last year.
  • 19% of C&IP respondents have integrated/optimized their EERM processes and technology.

 

Business case and investment

  • 48% of C&IP respondents are motivated by positive cost reduction in overall spend on third-parties.
  • One in four C&IP respondents consider the ability to achieve greater agility and flexibility in the marketplace to be the most popular driver for investment in EERM.

 

Centralized control

  • C&IP respondents have one of the highest levels of overall decentralization in their organizations with 61% of respondents stating they are equally or more decentralized than they are centralized; however, only 45% of respondents feel their EERM initiatives are more decentralized than centralized.
  • 78% of C&IP respondents are adopting the CoEs and SSCs operating model.
  • 4% of C&IP respondents have outsourced to managed service providers.
  • C&IP saw an increase in actual utilization of community models/market utilities from 11% of respondents last year to 18% of respondents stating this to be the case in 2017.

 

Technology platforms

  • Use of niche GRC packages appears to be the dominant trend in C&IP with 69% of respondents stating this to be the case.

 

Sub-contractor risk

  • 75% of C&IP respondents do not have appropriate knowledge and visibility over their fourth and fifth parties.
  • Only 15% of C&IP respondents review concentration and other risks from their fourth and fifth parties either quarterly or half-yearly.

 

Organizational imperatives and accountability

  • 18% of C&IP respondents state there is a high level of engagement and knowledge of EERM by the Board.
  • Identifying the most strategic third-parties to ensure proportionate EERM effort, addressing cyber risks, and building stronger resilience to disruption are top imperatives within C&IP.

 

Inherent risk and maturity

  • 73% of LSHC respondents have a heightened perception of risks inherent in third-parties.
  • 58% of LSHC respondents report some or significant increase in the level of dependence on third-parties over the last year.
  • 24% of LSHC respondents have integrated/optimized their EERM processes and technology.
  • 54% of LSHC respondents believe they have the longest journey with at least two to three years or more to achieve desired state in EERM.

 

Business case and investment

  • 46% of LSHC respondents state that the reduction in regulatory exposure is a related driver for EERM initiatives.
  • 52% of LSHC respondents state that meeting internal compliance requirements is a related driver for EERM initiatives.
  • One in three LSHC respondents consider the ability to achieve greater agility and flexibility in the marketplace to be the most popular driver for EERM investment.

 

Centralized control

  • LSHC respondents have one of the highest levels of overall decentralization in their organizations with 63% of respondents stating they are more equally or more decentralized than they are centralized, however, only 45% of respondents feel their EERM initiatives are more decentralized than centralized.
  • 16% of LSHC respondents saw an increase in actual utilization of community models/market utilities.

 

Technology platforms

  • 32% of LSCH respondents use features of the existing ERP system or other organization-wide backbone systems for procurement.

 

Sub-contractor risk

  • 85% of LSHC respondents acknowledge that they do not have appropriate knowledge and visibility over their fourth and fifth parties.

 

Organizational imperatives and accountability

  • 15% of LSHC respondents state there is a high level of engagement and knowledge of EERM by the Board.
  • 21% of LSHC respondents state there is a high level of engagement and coordination by risk domain owners.
  • Identifying the most strategic third-parties to ensure proportionate EERM effort and building stronger resilience to disruption are top imperatives within LSHC.

 

Inherent risk and maturity

  • 71% of FS respondents have a heightened perception of risks inherent in third-parties.
  • The most notable increases in dependence on the extended enterprise have taken place in the FS industry with 59% of respondents reporting some or significant increase over the last year.
  • 57% of FS respondents believe they require at least two to three years or more to achieve the desired state in EERM.

 

Business case and investment

  • 52% of FS respondents are the most motivated by positive cost reduction in its overall spend on third-parties.
  • 48% of FS respondents state that the reduction in regulatory exposure is a related driver for EERM initiatives.
  • One in four FS respondents consider the ability to achieve greater agility and flexibility in the marketplace to be the most popular driver for EERM investment.

 

Centralized control

  • While 53% of FS respondents feel that the overall control structure in their organization is equally or more decentralized than centralized, 56% of respondents feel that their EERM organization structures are equally or more decentralized.
  • 73% of FS respondents are adopting the CoEs and SSCs operating model.
  • 2% of FS respondents have outsourced to managed service providers.

 

Technology platforms

  • 18% of FS respondents use features of the existing ERP system or other organization-wide backbone systems for procurement.
  • The uptake of generic GRC packages is highest in FS with 34% of respondents subscribing to this option.

 

Sub-contractor risk

  • 81% of FS respondents do not have appropriate knowledge and visibility over their fourth and fifth parties.
  • Only 15% of FS respondents review concentration and other risks from their fourth and fifth parties either quarterly or half-yearly.

 

Organizational imperatives and accountability

  • 19% of FS respondents state there is a high level of engagement and knowledge of EERM by the Board.
  • 17% of FS respondents state there is a high level of engagement and coordination by risk domain owners.
  • Identifying the most strategic third-parties to ensure proportionate EERM effort and addressing cyber risks are top imperatives within FS.

 

Inherent risk and maturity

  • 53% of TMT respondents report some or significant increase in the level of dependence on third-parties over the last year.
  • 49% of TMT respondents believe they require at least two to three years or more to achieve the desired state in EERM.

 

Business case and investment

  • 49% of TMT respondents believe that the ability to increase revenue is one of the important drivers for investment in EERM.
  • One in four TMT respondents considers the ability to achieve greater agility and flexibility in the marketplace to be the most popular driver for EERM investment.

 

Centralized control

  • TMT has the highest level of uptake on CoEs and SSCs with 79% of respondent adopting this operating model.
  • TMT saw an increase in actual utilization of community models/market utilities from 12% of respondents last year to 27% of respondents in 2017.

 

Technology platforms

  • 9% of TMT respondents use features of the existing ERP system or other organization-wide backbone systems for procurement.

 

Sub-contractor risk

  • 24% of TMT respondents review concentration and other risks from their fourth and fifth parties either quarterly or half-yearly.

 

Organizational imperatives and accountability

  • 18% of TMT respondents state there is a high level of engagement and knowledge of EERM by the Board.
  • Building stronger resilience to disruption and enhancing the technologies to address EERM requirements are top imperatives within TMT.

 

Inherent risk and maturity

  • 71% of FS respondents have reported a heightened perception of risks inherent in third-parties.
  • More than 45% of PS respondents continue to increase their third-party dependence.
  • 35% of PS respondents have integrated/optimized their EERM processes and technology in the current survey against 20% in the last year.
  • PS has the largest majority of organizations that believe they have the longest journey to achieve desired state in EERM with 75% of respondents believing this to be at least two to three years or more.

 

Business case and investment

  • 50% of PS respondents state that meeting internal compliance requirements is a related driver for EERM initiatives.
  • One in five PS respondents considers the ability to achieve greater agility and flexibility in the marketplace to be the most popular driver for investment in EERM.

 

Technology platforms

  • 18% of PS respondents use features of the existing ERP system or other organization-wide backbone systems for procurement.

 

Organizational imperatives and accountability

  • A high level of engagement and knowledge of EERM by the Board appears to be the highest in PS with 35% of respondents stating this to be the case.
  • 30% of PS respondents state there is a high level of engagement and coordination by risk domain owners.
  • Addressing cyber risks and building stronger resilience to disruption are top imperatives within PS.

 

Inherent risk and maturity

  • 52% of E&R respondents reported some or significant increase in the level of dependence on third-parties over the last year.

 

Business case and investment

  • 44% of E&R respondents appears to be motivated by positive cost reduction in their overall spend on third-parties.
  • 40% of E&R respondents state that the strongest drivers for EERM initiatives is reducing the number of third-party related incidents.
  • 58% of E&R respondents state that the reduction in regulatory exposure is a related driver for EERM initiatives.
  • One in three E&R respondents considers the ability to achieve greater agility and flexibility in the marketplace to be the most popular driver for EERM investment.

 

Centralized control

  • 73% of E&R respondents are adopting the CoEs and SSCs operating model.
  • E&R seems to have outsourced the most to managed service providers with 7% of respondents stating this to be the case.
  • E&R saw an increase in actual utilization of community models/market utilities from 28% of respondents last year to 33% of respondents stating this to be the case in 2017.

 

Technology platforms

  • 28% of E&R respondents use features of the existing ERP system or other organization-wide backbone systems for procurement.

 

Sub-contractor risk

  • 75% of E&R respondents acknowledge they do not have appropriate knowledge and visibility over their fourth and fifth parties.
  • Only 15% of E&R respondents review concentration and other risks from their fourth and fifth parties either quarterly or half-yearly.

 

Organizational imperatives and accountability

  • 31% of E&R respondents state there is a high level of engagement and knowledge of EERM by the Board.
  • 18% of E&R respondents state that there is a high level of engagement and coordination by risk domain owners.
  • Identifying the most strategic third-parties to ensure proportionate EERM effort is a top imperative within E&R.

 

Previous reports

 

For many organizations, their third-party ecosystem, or ‘extended enterprise,’ is an important source of business value and strategic advantage. However, as the reliance on third-parties continues to grow, so do the associated risks, bringing potential reputational damage and regulatory action.

Deloitte member firms experienced teams work with clients to develop governance frameworks which effectively identify and manage all forms of third-party risks, looking at both process and technology solutions to deliver value and meet contractual obligations.

2017 EERM survey report 
Overcoming the threats and uncertainty

2016 EERM survey report 
The threats are real

Did you find this useful?

Yes
No

Thanks for your feedback

Your feedback is important to us

To tell us what you think, please update your settings to accept analytics and performance cookies.

Need help updating cookies?

Get in touch

Alithia Diakatos

Alithia Diakatos

Equity Partner, Assurance Leader
+30 210 6781100
George Trivizas

George Trivizas

Partner, Enterprise Risk and Regulatory and Compliance Leader, Boardroom Program Leader
+30 210 6781100

Our thinking

Risk assessment in practice

This whitepaper developed by Deloitte in collaboration with COSO, presents a process for developing a risk assessment criteria, assessing risks and risk interactions, as well as prioritizing risks. It also discusses how to actually put this process into practice in a simple, practical and easy to understand way.
Research

Global Future of Cyber Survey, 4th Edition

In this edition of the Global Future of Cyber Survey, we explore how leaders across various industries are integrating cybersecurity into more areas of the enterprise, thereby building long-term value. Discover findings from Deloitte’s latest global report, surveying nearly 1,200 decision-makers.
Research
7 minute read

Third-party governance and risk management

As organizations increasingly depend on third-parties to gain competitive advantage, third-party governance and risk management (TPGRM) is emerging as a significant board level topic.
Research

A crisis of confidence

Awareness of threats is not the same as preparation to deal with them. More than three-quarters (76%) of surveyed board members believe their companies would respond effectively if a crisis struck tomorrow. But less than half (49%) of their companies have taken steps to be truly crisis-ready. Deloitte’s global survey report, A crisis of confidence, examines the gap between real and perceived crisis readiness in the eyes of board members and the large companies they direct. Respondents offer their insights and concerns about crisis risks and their companies’ level of crisis management maturity.
Research
Explore our thinking

Let's connect

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms and their related entities (collectively, the “Deloitte organization”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of any of each other. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.

Deloitte Business Solutions Societe Anonyme of Business Consultants, a Greek company, registered in Greece with registered number 000665201000 and its registered office at Marousi Attica, 3a Fragkokklisias & Granikou str., 151 25, Deloitte Certified Public Accountants Societe Anonyme, a Greek company, registered in Greece with registered number 0001223601000 and its registered office at Marousi, Attica, 3a Fragkokklisias & Granikou str., 151 25 and Deloitte Alexander Competence CenterSingle Member Societe Anonyme of Business Consultants, a Greek company, registered in Greece with registered number 144724504000 and its registered office at Thessaloniki, Municipality of Pylaia - Chortiatis of Thessaloniki, Vepe Technopolis Thessaloniki (5th and 3rd street), are all companies of the Deloitte Central Mediterranean S.r.l. (“DCM”) geography. DCM, a company limited by guarantee registered in Italy with registered number 09599600963 and its registered office at Via Santa Sofia no. 28, Milan, Italy is one of the Deloitte NSE LLP geographies. Deloitte NSE LLP is a UK limited liability partnership and member firm of DTTL, a UK private company limited by guarantee.

This communication contains general information only, and Deloitte Business Solutions Societe Anonyme of Business Consultants, Deloitte Certified Public Accountants Societe Anonyme and Deloitte Alexander Competence Center Single Member Societe Anonyme of Business Consultants, is not, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser.

No representations, warranties or undertakings (express or implied) are given as to the accuracy or completeness of the information in this communication, and none of DTTL, its member firms, related entities, employees or agents shall be liable or responsible for any loss or damage whatsoever arising directly or indirectly in connection with any person relying on this communication.

© 2025 For more information contact Deloitte Central Mediterranean.