Managing Risk in the Extended Enterprise

The whole concept of “enterprise” has changed dramatically in recent years. With ever-growing ecosystems of connected partners, suppliers, customers, and other third parties, companies have opened up new opportunities for business growth.

They’ve also exposed themselves to a number of risks, including those related to cyber security and data management. This is why the idea of extended enterprise risk management (EERM) has become so important.

In a recent report, professional services firm Deloitte said maturing EERM practices are taking center stage for organizations. “As reliance on relationships with outside organizations continues to grow, so do the associated risks, in turn making it crucial that organizations are properly investing in EERM and have visibility into risks that are posed by the extended enterprise,” the report said.

For its research, Deloitte surveyed 1,055 respondents from 19 countries covering all the major industry segments. Many of the respondents are responsible for governance and risk management of the extended enterprise in their organizations.

The survey shows that as better management of third-party risk has been viewed as a transformation opportunity by companies, boards and senior leadership have grown to have ultimate responsibility for EERM in more than three-quarters of the respondent organizations.

Just over half of the respondents (53%) said they want a more coordinated and consistent approach to EERM across organizational functions.

But developments in EERM maturity have not kept pace with increasingly critical levels of dependence on third parties since Deloitte began conducting the surveys in 2015. A majority of organizations (83%) experienced a third-party incident within the past three years.

Another key finding is that the economic environment continues to drive cost reduction and talent investment in EERM. The desire to reduce costs has become the biggest driver for investing in EERM maturity (cited by 62% of respondents).

The survey also indicated that federated structures are becoming a dominant operating model for third-party risk management, as boards and executive management continue to take a deep interest in third-party risk management and want to provide more coordinated and responsive input.

More than two thirds of respondent organizations (69%) say they have adopted a federated model that allows for this sharing of responsibility, and only 11% are now highly centralized. More than half of the organizations (53%) are using centers of excellence and 38% have shared service centers.

Only 1% of the organizations surveyed consider themselves optimized to address all important EERM issues. Chronic underinvestment is making it hard for organizations to achieve their desired EERM maturity levels, the report said. And more fundamentally, it has hindered many responding organizations from doing basic core tasks well.

Cyber security and data management are clearly priorities of EERM programs. Annual investments in EERM have typically focused on the largest regulatory issues of the year, the report said, including information security, data privacy, cyber risk, and financial crime).

Organizations most commonly allocate EERM budget to information security (cited by 68%), data privacy (62%), and cyber risk (58%).

Advanced technologies are playing a key role in helping to ensure successful EERM. In the previous year’s survey, many organizations said senior executives were favoring simple dashboards to inform their discussions at board and executive committee meetings. They used these static reports to analyze third-party data periodically.

The latest survey showed that senior leaders are moving from using periodically generated data to more succinct and real-time actionable intelligence, generated online. New risk intelligence tools are assimilating, aggregating, and examining real-time information on all the risks across an entire organization. These tools provide alerts, trend analysis, and scenario analysis.

Many organizations are using or exploring emerging technologies such as the cloud to enhance flexibility, robotics process

automation (RPA) to automate routine administrative tasks, visualization for meaningful interpretation of data, cognitive analytics for interpretive tasks, and blockchain to validate third-party transactions.

This use of the latest technologies, many of which are supported by artificial intelligence and machine learning, is happening at a time when regulators are beginning to encourage innovation in risk management and oversight, the report said.

This forward-thinking approach makes sense, given how important EERM is to enterprises today.

"Organizations are increasingly depending on external entities that might include third, fourth or fifth parties,” noted Dan Kinsella, partner and EERM leader in the Risk & Financial Advisory practice at Deloitte. “However, not many have appropriate oversight into what is happening across their organization, leaving them exposed to potential risks.”

As EERM matures, Kinsella said, it’s important that organizations invest strategically in end-to-end solutions that manage exposures associated with third parties.