As dependence on third-parties grows, Deloitte Global study reveals 70% of organisations recognise an increase in risk but remain ill-equipped to deal with them

NEW YORK, NY, USA, 24 April 2018—Organisations are placing a renewed focus on enhancing extended enterprise risk management (EERM) amid increasing dependence on third-parties. Yet progress towards EERM maturity has been slower than expected according to Deloitte Global’s third annual EERM survey, Focusing on the climb ahead.

Dependence on third-parties continues to grow, with 53 percent of respondents reporting ‘some’ or ‘significant’ increase in their level of dependence on third-parties. Yet, seven out of ten survey respondents believe that business and macro-economic uncertainties have increased the risks inherent in managing the extended enterprise.

Despite critical levels of third-party dependency, only 20 per cent of organisations have streamlined their EERM systems and processes. 53 percent of respondents now believe their journey to achieve EERM maturity is two to three years or more.

"This reflects a more realistic time-frame, and we’d expect organisations to be closely aligning plans to address the expected regulatory outlook over this period."

While the main drivers for EERM focus on mitigating risk and compliance, there is an increasing focus on driving value. The business case for investment in EERM is now being driven by other factors that exploit the upside of risk, such as enhancing organisational responsiveness and flexibility, innovation, brand confidence and increasing revenues.

“This is a significant shift from the almost exclusive focus in the past on managing the downside of risk,” continued Park. “Organisations are now taking the concept of the extended enterprise to new levels of critical dependence to exploit untapped opportunities and power organisational performance.”

Overall, the aggregate survey results suggests there is still work to do for many organisations to become fully integrated or optimised in their EERM capabilities.

In addition to a focus on increasing maturity and making a renewed business case for investment, the report explores four other key areas where most organisations could benefit from further effort.

• Centralised control: An increasing number of organisations are adopting central oversight and management to accelerate risk awareness and efficiency. 55 per cent of organisations are now equally or more decentralised than centralised (down from 62 per cent last year). This reflects that organisations are starting to scale back on decentralisation in the overall organisation. Out of these 55 per cent, only 47 per cent have EERM frameworks that are equally or more decentralised than centralised. The remaining 53 per cent of respondents thus form the current majority with more centralised EERM programs.
• Technology platforms: In keeping with the trend of increased centralised oversight of EERM activities, technology decisions are now being taken more centrally and a standard tiered technology architecture is emerging. Less than ten per cent of respondents are currently using bespoke systems for EERM, a sharp drop from just over 20 per cent last year. Cloud technologies that enable agile business operations with standardisation represent the most popular emerging technology platform being investigated by survey respondents. 46 per cent of respondents are planning to utilise standardised cloud technologies for EERM while 31 per cent are considering using Robotic Process Automation for routine EERM tasks across the organisation.
• Sub-contractor risk: Organisations lack appropriate visibility of sub-contractors engaged by their third-parties as well as the discipline and rigor to frequently monitor such fourth/fifth parties. 57 percent of survey respondents feel they do not have adequate knowledge and appropriate visibility of sub-contractors engaged by their third-parties and a further 21 percent are unsure of their oversight practices. Only two percent of respondents regularly identify and monitor their sub-contractors (fourth/fifth parties) while another ten percent do so only for those sub-contractors identified as critical.
• Organisational imperatives and accountability: Ownership and accountability for EERM seems to be well and truly established in the C-suite with 78 per cent of organisations suggesting that either the CEO, CFO, CPO, CRO or a member of the Board is ultimately accountable for this topic. Survey respondents however believe that there is room for improvement in the level of engagement on the EERM agenda by Board members and risk domain owners. Skills, bandwidth and competence of talent engaged in EERM-related activities appears to be the most significant concern for respondents (45 per cent), followed by the clarity of roles and responsibilities and EERM processes (41 per cent in both cases). As many as 40 per cent of respondent organisations have prioritised the need to establish better coordination between risk domain owners, business unit leaders, functional heads, legal and internal audit teams as their top organisational imperative related to EERM.

About Deloitte Global’s Extended Enterprise Risk Management survey

Deloitte Global’s 2018 EERM survey, “Focussing on the climb ahead,” is based on 975 responses from a variety of organisations across major industry segments and from 15 countries across the Americas, Europe Middle East and Africa (EMEA) and Asia Pacific (APAC). A record number of participants this year is reflective of the ever increasing profile and investment third-party risk management is getting within organisations.