When it Comes to Managing Third-Party Risk, Many Organizations Are Falling Short

Many companies today do business in more complex environments than ever. They work with numerous third-party partners including suppliers, B2B customers, vendors, cloud providers, managed services providers, consulting firms, and others.

How much thought do they give to the security of these third-party relationships? Probably not enough, and that can have disastrous consequences if there are any weak links in the chain.

The extended enterprise risk management (EERM) programs that manage third parties are only now shifting from a manual approach to a more coordinated one that focuses on risk, according to research released earlier this year by consulting firm Deloitte.

The firm considered third-party risk factors in a variety of areas, including cyber security. For its research, Deloitte polled more than 2,390 professionals about their organization’s extended enterprise performance, and found that more than one-third of respondents define their organization’s processes to measure and monitor risks in the extended enterprise as “ad hoc” or “reactive.” They characterized themselves as being in an “initial” or “managed” phase of extended enterprise risk management program development.

That means they are placing minimal effort in addressing risk; they have limited access to third-party data; and are characterized by functional, reactive problem-solving, with responsibilities built into existing roles, according to the firm.

“At a time when third parties are moving closer to the core of businesses, [EERM programs] are just now beginning to shift from a manual and transactional approach to a coordinated, consistent, and transformational approach focusing on risk, financial, and performance aspects,” the report said.

A mere 4% of respondents define their program as “optimized,” with integrated strategy and decision making, executive champions, continuous improvement and investment, and highly customized decision support tools with external data. Nearly one third said their organization’s EERM program was either in a “defined” or “integrated” phase of development, characterized by a focus on issue prevention or value creation; adapted or customized tools for reporting; monitoring and decision making; and coordinated processes with dedicated owners at the enterprise level.

“Many organizations continue to manage risks in the extended enterprise in a decentralized manner that lacks consistent analysis and governance,” noted Dan Kinsella risk and financial advisor partner at Deloitte. “Business units often function autonomously in their oversight of third parties, and this decentralized approach inhibits EERM maturity, which requires a more formalized, ‘federated,’ governance model enabled by an effective mix of technology, people, and policies.”

More than 40% of the survey respondents think risk committees are the best entity to oversee risk governance in their organization’s extended enterprise, while only 11% said boards of directors are the best entity. This finding comes at a time when C-suite and board-level executives are facing questions about their organization’s third-party management that could be more effectively addressed with a deeper understanding of the risks and performance drivers throughout the extended enterprise, the report said.

Other respondents think internal auditors (15%), regulators (7%) or external auditors (4%) are the best entities to oversee risk governance in their organization’s extended enterprise.

Looking ahead, organizations will likely spend more on risk programs related to third parties. The survey found that a majority of respondents think their organization will invest in EERM programs over the next 12 months. Of those that expect to investments, about one quarter think their organization is most likely to invest in exploring and adopting technology, while 15% said their organization is most likely to invest in exploring ongoing monitoring using risk sensing, and 11% think their organization is most likely to explore adoption of shared utility models.

Deloitte is seeing a trend in the use of third-party technology and expects to continue to see organizations investing in this technology over the next year and beyond. “Technology can be a powerful driver, but it can also be a risk if organizations don’t have policies in place to effectively manage it,” added Scott Gauch, principal with Deloitte Risk and Financial Advisory. “Improved maturity of EERM programs, as they relate to technology, not only protect value but also have the potential to expand business opportunities.”

Considering the challenges of managing risk in the extended enterprise, 28% of respondents said gaps in execution of risk management capabilities is their organization’s top challenge, while 13% identified their leadership’s view of EERM as a compliance-driven requirement. Fewer cite as challenges the fact that enterprise-centric risks take priority over EERM, and EERM is anchored at the mid-management level with little board or senior management visibility.

Far more of the organizations surveyed (42%) currently have a business case for investment in EERM than those that do not (18%). On the negative side, only 7% of all the respondents said their organization views EERM as a key driver for value creation.