Foreword

Welcome to our 2018 global survey on Extended Enterprise Risk Management (EERM). This year we had just under one thousand responses, a significant increase and more than double what we received last year. Survey responses reflect the views of senior leaders from a variety of organizations in 15 countries¹ across the Americas, Europe Middle East and Africa (EMEA), and Asia Pacific. A record number of participants this year is reflective of the ever increasing profile and investment third-party risk management is getting within organizations.

This third annual survey follows last year’s survey entitled “Overcoming the threats and uncertainty” which revealed

Our prior surveys focused on understanding the nature and magnitude of the EERM challenge in large global organizations. Using this as a backdrop, the current survey aims to capture improvements in maturity of EERM with a specific focus on the business case and investments in EERM. The survey results also reflect an emerging shift to include more centralized oversight and management for EERM across the more decentralized or federated structures to enable increased risk-awareness and consistency. A more centralized approach to EERM also enables the aggregation of information at an ‘organization-wide’ level to not only have a cross-risk view of third-party relationships, but also to address issues around concentration risk. In addition to reporting other leadership initiatives and concerns, this report sets out our predictions for 2018/2019 and related points of view.

As in our previous surveys, survey respondents are typically responsible for governance and risk management of the extended enterprise in their organizations, including Chief Finance Officers (CFOs), Heads of Procurement/Vendor Management, Chief Risk Officers (CROs), Heads of Internal Audit, and those leading the Compliance and Information Technology (IT) Risk functions. The respondents represented all the major industry segments². The majority of these organizations had annual revenues in excess of US$1 billion. Additional insight was also obtained from subsidiaries of group organizations operating with higher degrees of decentralization and others with lower annual revenues.

I hope this report will continue to enhance your understanding of what has changed and what lies ahead as you exploit the many opportunities that EERM can yield for your organization.

Kristian Park
EMEA Leader, Extended Enterprise Risk Management
Global Risk Advisory

Jan Corstens
Global Leader, Extended Enterprise Risk Management
Global Risk Advisory
Focusing on the climb ahead | Third-party governance and risk management
As companies continue to adopt, enhance, and grow their business ecosystems, EERM is increasingly becoming an astute management enabler and value driver rather than a compliance requirement.

Business ecosystems are the new norm and extending the physical and virtual boundaries of organizations to garner competitive advantage through collaboration with third-parties is an imperative. Leading organizations are investing in EERM to power growth, innovation and business performance in a risk-intelligent way to proactively address brand and reputation risk, especially important amid prevalent threats of high profile business failure, illegal third-party

Our current survey reveals that organizations are taking an earlier, more strategic view of risk drivers to create value and surface new opportunities. Seven out of ten respondents believe that business and macro-economic uncertainties have increased the risks inherent in managing the extended enterprise, at least by some extent, if not significantly. However, their overall levels of EERM maturity continue to improve at a much slower pace, which we believe reflects awareness of the inherent complexity and challenges of an efficient EERM program.

Despite the slower pace, I’m encouraged to see an increased emphasis on utilizing risk to power performance and drive differentiation as rationale for investment in EERM, with nearly one in two respondents driven by overall cost reduction and efficiency objectives—truly, a significant shift from the near exclusive focus on the downside of risk, as reported in our last survey.

This burgeoning confidence reaffirms our belief that risk management is and can be a vital performance lever going forward.

Deloitte’s Risk Advisory professionals around the world can help you understand more about this survey and how the findings relate to distinctive opportunities for your organization.

To learn more, please visit us at www.deloitte.com/risk.

Sam Balaji
Global Business Leader
Financial Advisory | Risk Advisory
Executive summary

A record number of participants in our 2018 survey supports the ever increasing profile and investment that EERM now

1. Inherent risk and maturity
Organizational self-assessment of overall EERM maturity continues to improve at a slow pace despite a perceived increase in the inherent risks in third-party dependence.

2. Business case and investment
EERM is increasingly being focused on exploiting the upside of risk and demonstrating tangible benefits — a significant shift from only managing the downside of risk.

3. Centralized control

4. Technology platforms
Technology decisions for EERM solutions are now being taken more centrally and a three-tiered technology architecture is emerging.

5. Sub-contractor risk
Organizations are lacking appropriate visibility and monitoring of sub-contractors engaged by third-parties.

6. Organizational imperatives and accountability
01 Inherent risk and maturity

However, organizational self-assessment of their overall levels of EERM maturity continues to improve at a slow pace.

related incidents/disruption. However in a year where many organizations stated that they were going to significantly move the dial in EERM maturity, the aggregate results suggest there is still work to do for many organizations to become fully integrated or optimized in their EERM capabilities (please refer to page 22 for the Deloitte EERM maturity model used in this report).

That said, the Asia Pacific region has seen some increase in respondents moving along the maturity scale to reach integrated or optimized status. This is comparatively higher than in EMEA which has had very little movement. Similarly, in industries where EERM has more recently come under increased regulatory scrutiny (e.g. Life Sciences & Health care (LSHC), Consumer & Industrial Products (C&IP), and Public Sector (PS)), we have seen significant progress in a similar upward movement along the EERM maturity scale.

42 percent of respondents reported “some” increase in their level of dependence on third-parties in the last year, with a further 11 percent reporting a “significant” increase in such dependence (10 percent a year earlier).

Impact of changing regulation is considered to be the greatest contributory factor to the increased perception of inherent risks (49 percent of respondents) followed by heightened levels of regulatory scrutiny (45 percent of respondents).
However, overall only 20 percent of respondents have integrated or optimized their EERM mechanisms (same as last year – see paragraph below) with another 50 percent, currently in managed status, aspiring to do so within the next 1-3 years.

In some cases, respondents, particularly from the Northern Americas region as well as from the Financial Services (FS) and Energy and Resources (E&R) industries have lowered their earlier self-assessments of maturity. This seems to reflect their deeper appreciation of the situation and a stronger understanding of third-party related issues than in the past. It should also be noted that as newer good practices continue to emerge, the goalposts are shifting too; hence in reality those that stand still are actually moving backwards on the maturity curve.

Asia Pacific have seen some increase in EERM maturity with 15 percent of respondent organizations now having integrated their EERM systems as against 11 percent last year. However regions, such as EMEA, have seen little increase (unchanged at 19 percent since last year).

This significant increase in organizations integrating their EERM processes and technology during 2017 is also true in industries such as LSHC (eight percent last year to 24 percent in the current survey), C&IP (11 percent to 19 percent), and PS (20 percent to 35 percent).

53 percent of respondents now believe that their journey to achieve the desired state of EERM maturity is two to three years or more, as against most respondents in earlier surveys being overly optimistic in believing that this can be achieved in six months to a year.
02 Business case and investment

The drivers for the focus on EERM continued to be regulatory requirements (e.g. General Data Protection Regulations), addressing internal compliance standards or concern around third-party related incidents, but the need for positive cost reduction across the business was equally powerful—a trend that we have not seen in prior surveys. It is also heartening to see that the business case for investment in EERM is increasingly being driven by other factors that exploit the upside of risk, such as enhancing organizational responsiveness and flexibility, innovation, brand confidence, and increasing revenues—a significant shift from the almost-exclusive focus earlier on managing the downside (such as regulatory exposure or third-party related incidents). The majority of respondents had some or significant confidence in their ability to demonstrate tangible benefits from such investment.

Those with a significant amount of third-parties (50,000 or more) spent upwards of US$5 million centrally with more than 100 FTEs, while smaller organizations with serious aspirations to move to higher maturity levels still typically invested US$100,000 – 500,000.

At the same time, 26 percent of respondents felt that they could achieve greater flexibility to address market uncertainty and 21 percent considered investment in EERM a revenue-generating opportunity, for instance by identifying under-reported revenue streams.
Reduction of regulatory exposure (43 percent of respondents); addressing internal compliance requirements (41 percent of respondents); and reducing the number of third-party related incidents (34 percent of respondents) were the strongest business case drivers focused on managing the downside of extended enterprise risk.

Organizations that are integrated or optimized in managing their extended enterprise are now typically investing over US$3 million annually on EERM initiatives, managed by more than 50 FTEs.

49 percent of organizations felt “somewhat confident” that they could demonstrate tangible benefits from EERM investments, while another 13 percent were “extremely confident”.
03 Centralized control

many elements of the EERM role, structures and technologies. For instance, Centers of Excellence (CoEs) and shared service models have emerged as the dominant operating model with an increasing desire to explore market utility models.

In 2016 we released our whitepaper on how to manage EERM in decentralized organizations, a theme of which suggested an element of central oversight and management could help accelerate risk awareness and efficiency. The 2018 survey results show that more and more organizations are adopting this technique with the more decentralized or highly federated⁴ EERM models being replaced with some component of central oversight, where centralized elements in roles/structures and enabling technologies/processes are becoming more common-place.

Qualitative comments provided by respondents seem to suggest that most of these internal utilities are managed by procurement teams in organizations where supply-chain or “buy-side” has the majority of third-parties. On the other hand, in organizations where third-parties are distributed more equitably across the sales and distribution network or “sell side,” this management responsibility appears to be progressively shifting to central risk management teams.

At the same time, 34 percent of respondents suggested they either used market utility models⁵ in some form or intend to do so in the future to supplement specific aspects of EERM activity. Consistent with last year, half of respondents were unaware of managed service/utility options available to them, which is understandable, given that such opportunities are relatively new and are still evolving.

Out of these 55 percent, only 47 percent have EERM frameworks that are equally or more decentralized than centralized. The remaining 53 percent of respondents thus form the current majority with more centralized EERM programs.
44 percent of respondents have now invested in a centralized in-house CoE for EERM while another 30 percent utilize a central shared services organization (whether fully insourced or with some elements outsourced). A further 15 percent have established federated structures and 14 percent operate as a “hub-and-spoke” model⁶.

21 percent of respondents are already utilizing market utilities for specific aspects of EERM (up from 13 percent last year) with another 13 percent intending to do so in the near future (up from 10 percent last year). Consistent with last year, half of respondents were unaware of managed service/utility options available to them.
04 Technology platforms

more centrally and a standard tiered technology architecture

by survey respondents. Robotic Process Automation (RPA) features second on this list, offering the opportunity to automate routine tasks related to EERM.

Aligned to this trend, qualitative responses from the survey indicate that organizations are no longer keen to invest in developing complex bespoke solutions for EERM, which, together with the use of its existing ERP platform in the past may have significantly lowered the confidence of stakeholders in the quality and reliability of the overall technical solution for EERM.
05 Sub-contractor risk

Organizations lack visibility of sub-contractors engaged by their third-parties making it challenging to apply an appropriate strategy to monitor such fourth/fifth parties.

monitor their sub-contractors (fourth/fifth parties) while another 10 percent do so only for those subcontractors identified as critical. The other 88 percent either rely on their third-parties to do so; have an unstructured/ad-hoc approach; do not do so at all; or do not even know their organizational policy and practices in this regard.

Protection Regulations (GDPR) in Europe, which include requirements to manage layers of fourth/fifth parties, where they exist, makes this a matter of increased concern. Other global regulators such as the Federal Reserve (Fed) and Office of the Comptroller of the Currency (OCC) in the US, and the Hong Kong Monetary Authority, etc. also highlight the need for organizations to understand this area better.
06 Organizational imperatives and accountability

Ownership for EERM vested in CPOs and Vendor/Alliance Managers has reduced from 17 percent last year to 13 percent this year with a corresponding increase in such responsibility vested in the CFO and CRO by three percent in each case.

However, our survey results indicate that 38 percent of Board members and 39 percent of risk domain owners still have lower to insignificant levels of engagement on the EERM agenda.

Only 22 percent of respondent organizations have Board-level reviews of EERM that include alignment with organizational strategy and risk appetite on a quarterly or half yearly basis, while the vast majority of organizations surveyed (78 percent) review this annually or even less frequently.
Our prior surveys had identified an “Execution Gap” in implementing EERM in organizations, reflecting the inability of people, process, and technology supporting EERM initiatives to achieve the intended results. With the emergence of a standardized three-tier technology architecture as described earlier in this executive summary, this execution gap around technology seems to have started to narrow down, although the gap remains as wide as in earlier years on the people and process front.

Internal coordination (specifically between risk domain owners, business unit leaders, functional heads, legal, and internal audit teams) is now the dominant concern of the majority of organizations, followed by the need to ensure ongoing relevance of skills, roles and responsibilities, being realistic about availability of staff bandwidth.

Concerns over internal coordination, talent, and processes have now overshadowed the technology-related concerns expressed in earlier surveys.

Skills, bandwidth, and competence of talent engaged in EERM-related activities appears to be the most significant concern for respondents (45 percent), followed by the clarity of roles and responsibilities and EERM processes (41 percent in either case).
As many as 40 percent of respondent organizations have prioritized the need to establish better coordination between risk domain owners, business unit leaders, functional heads, legal, and internal audit teams as their top organizational imperative related to EERM.

Strengthening due diligence activities prior to onboarding new third-parties is second on the list of top organizational imperatives related to EERM (35 percent of respondent organizations); followed by building stronger resilience to disruption caused by third-party related incidents (24 percent) and categorizing the most strategic third-parties to ensure a proportionate EERM approach (24 percent).
We have already seen 2017 suggest that community models/market utilities will be adopted across a number of industries with FS leading the way since 2016 with the emergence of four key players. Expected industries to follow suit include LSHC (increase in actual utilization from 16 percent to 24 percent during 2017), CB (e.g. FMCG) (11 percent to 18 percent), and TMT (12 percent to 27 percent). E&R (28 percent to 33 percent), while the leading industry segment in exploring market utilities, has some way to go to fully embrace the opportunities here through extensive usage (with only two percent of the latter 33 percent using such models extensively but the vast majority represented by the other 31 percent making only limited use). But already we have seen movement in this space at the back end of 2017.

in the UK and Global Data Protection Regulations (GDPR) in Europe, which include requirements to manage layers of fourth/fifth parties (where applicable), is likely to make the need for additional investment in the management of fourth/fifth parties a matter requiring further attention.

in EERM, this is likely to be at the expense of reputation, regulatory scrutiny, and ultimately consumer backlash.
1. Inherent risk and maturity
1. Organizational self assessment of overall levels of EERM maturity continues to improve at a slower pace despite a perceived increase in the inherent risks in third-party dependence.

achieve the desired state of EERM maturity is two to three years or more, as against most respondents

renewed set of drivers, directly aligned to long-term value-creation (e.g., business agility, access to specialized skills and knowledge, innovation, and process improvement) in addition to cost-savings,

is still work to do to move from managed to integrated or optimized in the maturity scale.

Even with the growing levels of high or critical levels
Figure: Change in level of dependence on extended enterprise over the last year (2016, 2017, 2018; categories: Significant increase, Some increase, No significant increase, Some decrease, Significant decrease)

Figure: Greatest contributory factors in the perception of heightened inherent risk related to the extended enterprise (Impact of changing regulation (e.g. GDPR and other cross-border impact): 49%; Heightened level of regulatory scrutiny: 45%; High levels of uncertainty in the business environment: 42%)

Figure: Time taken by organizations to achieve the desired level of EERM optimization (6 months or less; 6 months to 1 year; 1-2 years; 2-3 years; > 3 years)

Maturity levels:
1: Initial: None or very few of above elements addressed
2: Defined: Some of the above elements addressed with limited effort with regard to the above elements
3: Managed: Consideration given to addressing all the above elements with room for improvement
4: Integrated: Most of the above elements addressed and evolved
5: Optimized: “Best in class” organization – all of the above elements addressed and evolved
Progress through the levels of maturity increases extended enterprise performance through both (i) controlled risks, and (ii) enhanced benefits.

Strategy and decision-making and governance
• Initial: No formal governance; risk taking for quick fix benefits
• Defined: Minimal effort in reducing risk; risk taking for short-term benefits
• Managed: Focus on preventing issues; risk aligns with medium-term enterprise-wide benefits
• Integrated: Focus on preventing issues and creating value; intelligent risk taking, aligned with enterprise strategy
• Optimized: State of the art practices, linked to value drivers; extended enterprise embedded in strategic planning

People
• Initial: Individual effort within each silo; little management input; lack of training
• Defined: Responsibilities built into existing roles; some training; increased input from management
• Managed: Awareness of value of extended enterprise across the organization; dedicated roles; executive champions; executive ownership at the enterprise level
• Integrated: Trained professionals with defined roles throughout the life cycle; invested executives
• Optimized: Enterprise-wide roles offered on both sides, aligning service delivery to strategic objectives

Technology
• Initial: Simple and least expensive tools used for problem solving; limited access to third-party data
• Defined: Off the shelf tools used ad-hoc for reporting and monitoring; internal data centralized and easily accessible
• Managed: Adapted tools used for tactical decision-making; value additive tools; bottom-line and performance; some proactive issue resolution
• Integrated: Customized tools, using analytics, improving responsiveness; integrated external data sources that enhance insights
• Optimized: Highly customized decision support tools; leveraging predictive and sensing analytics, tools, and dashboards; tools and analytics are key value driver and differentiator

Deloitte point of view
Due to changes in the business and macro-economic environment (including regulatory pressure), each organization will need to establish what it considers to be its desired optimum state for EERM, making it a moving target, and many organizations are continuing “catch-up” with the emerging set of strategic opportunities and related risks that third-parties continue to present. This includes:
• A broader set of support services delivered innovatively in a rapidly-changing external environment.
• The increasing use of new technology (such as the cloud and cloud-based applications) that facilitate collaboration and enable businesses to enhance their virtual boundaries will further accelerate this trend.
It should also be noted that as good practice continues to evolve, the related goalposts are shifting too; hence in reality those that stand still are actually sliding backwards on the maturity curve.
Industry highlights
• Respondents from all industry segments, without exception, have reported the heightened perception of risks inherent in third-parties with the highest perceived increase (some or significant) reported by 74 percent of C&IP respondents, 73 percent of LSHC respondents and 71 percent of FS respondents.
• not appear to have deterred organizations from continuing to increase their levels of dependence on third-parties. The most notable increases in the level of dependence on the extended enterprise have taken place in the FS industry segment with
respondents said that they continued to increase their third-party dependence.
• biggest improvement in integrating or optimizing their EERM processes and technology were LSHC (eight percent integrated/optimized last year to 24 percent in the current survey), C&IP (11 percent to 19 percent), and PS (20 percent to 35 percent).
• PS has the largest majority of organizations that believe they have the longest journey to achieve desired state in EERM with 75 percent of respondents believing this to be at least two to three years or more, followed by FS (57 percent of respondents) and LSHC (54 percent). TMT is the last one on this list; however even in this industry segment, as many as 49 percent of respondents believe this journey is at least two to three years or more.

Figure: Change in level of risk inherent in managing the extended enterprise by industry (C&IP, E&R, FS, LSHC, PS, TMT, Others; Significant increase / Some increase / No significant increase / Some decrease / Significant decrease)

Level of maturity in EERM by industry (columns in maturity model order, levels 1 to 5: Initial, Defined, Managed, Integrated, Optimized; cells not shown on the page are left blank)

Industry   Initial   Defined   Managed   Integrated   Optimized
Overall    7%        24%       49%       19%          1%
C&IP       10%       22%       49%       19%
E&R        4%        33%       47%       16%
LSHC       18%       31%       27%       24%
PS         5%        15%       45%       35%

Change in level of dependence on extended enterprise over the last year by industry (cells not shown on the page are left blank)

Industry   Significant increase   Some increase   No significant increase   Some decrease   Significant decrease
Overall    11%                    42%             40%                       6%              1%
C&IP       10%                    45%             40%                       4%              1%
E&R        15%                    36%             42%                       7%
FS         15%                    44%             34%                       5%              2%
LSHC       12%                    46%             39%                       3%
PS         5%                     40%             50%                       5%
TMT        9%                     43%             40%                       5%              3%
Others     5%                     53%             26%                       5%              11%

Figure: Time taken by organizations to achieve the desired level of EERM optimization by industry (C&IP, E&R, FS, LSHC, PS, TMT, Others; 6 months or less / 6 months to 1 year / 1-2 years / 2-3 years / > 3 years)
21
Focusing on the climb ahead | Third-party governance and risk management

Geography highlights

• The Americas region has traditionally had the highest level of dependence on third-parties, followed by EMEA and Asia Pacific respectively. The increase in the level of such dependence over the last year in these regions has taken place in the same relative proportion, with 60 percent of respondents in the Americas reporting some or substantial increase, compared to EMEA with 52 percent and Asia Pacific with 44 percent.

• Even with the highest levels of dependence on the extended enterprise in the Americas, the perception of inherent risks increasing is relatively the lowest, albeit with 54 percent of respondents from that region perceiving some or substantial increase in risks related to third-parties (as against 70 percent in EMEA and 57 percent in Asia Pacific).

• The proportion of respondents with integrated and optimized EERM mechanisms is also the highest in the Americas (29 percent), followed by EMEA (19 percent) and Asia Pacific (15 percent).

• The Americas region has comparatively (a) the highest level of dependence on third-parties; (b) the lowest perception of inherent risk among respondents; and (c) the highest proportion of organizations with integrated or optimized levels of EERM maturity. As a result, this region is likely to see even more dependence being placed on the extended enterprise, with a stronger business case for investment in EERM initiatives going forward. On the other hand, the impact of macro-economic factors and uncertainty in EMEA, such as the outcome of the Brexit vote, has clearly increased the perception of inherent risks and slowed down investment in EERM initiatives, thus slowing down the increasing level of dependence. Organizations from the Asia Pacific region continue to catch up with their other global counterparts in extending the enterprise, given their propensity to traditionally be more of outsourcing providers rather than clients or customers⁸.

• Asia Pacific has seen some increase in EERM maturity, with 15 percent of respondent organizations now having integrated their EERM systems as against 11 percent last year. However, the EMEA region has seen little increase (unchanged at

Change in inherent risk levels related to third-party dependence over the last year by region

Region         Significant increase   Some increase   No significant increase   Some or significant decrease
EMEA           13%                    57%             22%                       8%
Asia Pacific    5%                    52%             39%                       4%
Americas        9%                    45%             38%                       8%

Level of dependence on extended enterprise in the last year by region

Region    Significant increase   Some increase   No significant increase   Some decrease   Significant decrease
Overall   11%                    42%             40%                       6%              1%
EMEA      12%                    40%             39%                       7%              2%

Current level of maturity in EERM by region (figure; five maturity levels, of which the last two are integrated and optimized)

Overall   7%   23%   50%   19%   1%
EMEA      6%   22%   53%   18%   1%
2. Business case and investment
2. The business case for investment in EERM is increasingly being focused on exploiting the upside of risk, a significant shift from the focus in prior surveys on managing the downside, with increasing confidence to demonstrate tangible benefits.

Key messages

Reduction of regulatory exposure (43 percent of respondents); addressing internal compliance requirements (41 percent of respondents); and reducing third-party related incidents (34 percent of respondents).

Comments made by a number of participants in our earlier surveys had identified a common angst in their inability to objectively establish the business case for investment in EERM in their organizations, given their lack of knowledge

Survey results indicate that the drivers for the focus on EERM continued to be regulatory requirements, for example GDPR in Europe (43 percent of respondents); addressing internal compliance standards (41 percent of respondents); or concern around third-party related incidents (34 percent of respondents). But the need for positive cost reduction across the business was equally (if not more) powerful (48 percent of respondents) in organizations which felt this could be achieved by bringing in efficiencies through the use of third-parties or by preventing over-payments. This represents an emerging trend that we have not seen in prior surveys.

It is also heartening to see that the business case for investment in EERM is increasingly being driven by other factors that exploit the upside of risk, such as enhancing organizational responsiveness and flexibility, innovation, brand confidence, and increasing revenues. Respondents also reported significant confidence in their ability to demonstrate at least some tangible benefits, if not significant returns, from such investment, supported by the use of performance measures (see examples set out in the table on page 26).
Key factors driving business case for investment in EERM (figure; horizontal bars grouped into "Exploiting upside of risk" and "Managing downside of risk"): cost reduction (e.g. through efficiency or by avoiding overpayments) 48%; reduction in regulatory exposure 43%; unlock access to new markets/channels/products 15%.

EERM investment levels per year (estimated spend) (figure; categories: less than US$100k, US$100k-499k, US$500k-999k, US$1m-3m, US$3m-5m, more than US$5m).

Confidence in demonstrating realization of tangible benefits related to their organizations' business case for investment in EERM (figure; categories: extremely confident, somewhat confident, neutral, not much confidence, not at all confident).

Number of third-parties engaged by organizations (figure; categories: fewer than 1,000; 1,000 to under 10,000; 10,000 to under 50,000; 50,000 to under 100,000; more than 100,000).

Number of full-time equivalent (FTE) staff involved in EERM (figure; categories: fewer than 10 FTEs, 10-49 FTEs, 50-100 FTEs, more than 100 FTEs).
Examples of tangible performance measures used by respondents to monitor business case realization

Cost reduction
• Reducing five percent of total procurement spend through efficiencies in managing third-party suppliers.
• Zero tolerance on duplicate payments to suppliers and third-parties.
• A maximum of two percent overpayment on invoices not matching orders (tolerance level).
• Reduction of insurance premium by eight percent compared to previous year from better movement of goods between third-party locations.

Increase in revenue
• 10 percent increase in revenue from newer geographies enabled by third-party alliances and partnerships.
• At least one new product offering in the financial year contributing to one percent of total revenues introduced using third-party expertise.

Reduction in number of third-party related incidents
• Zero incidence of third-party related disruptions that cannot be addressed in 24 hours or with financial implications greater than US$1 million.
• 100 percent third-party adherence to organizational standards.

Reduction in regulatory exposure
• Zero tolerance to regulatory breach.
• No regulatory fines or penalties.

Addressing internal compliance requirements
• 100 percent compliance with HSE standards.
• Zero deviation from internal policies and processes unless covered by specific exemptions.

Better response and increased flexibility to market uncertainty
• 25 percent flexibility in distribution capacity based on third-party arrangements to address market uncertainty.
• Improvement in customer ratings on increased customer flexibility over previous year.

Unlock access to innovative/disruptive technology solutions
• At least one out of 10 new third-party arrangements in the financial year focused on bringing new strategic opportunities or having access to new technology.
• 10 percent increase in automation through technology solutions for risk management year on year (measured through surveys of risk management team members).

Increase in confidence in the organizational brand
• Increase in share price by five percent year on year.
through with a renewed focus to recognize that good governance and risk management around their extended enterprise is not about eliminating risk, but rather managing it appropriately.

While risk mitigation (value preservation) will continue to remain a driver for investment in EERM, organizations are now increasingly starting to see the exploitation of the opportunity (value creation) as a driver for investment in EERM. Governance, a higher level process involving directing and managing risk management and related activities to address stakeholder expectations, is therefore finally starting to reinvent itself to focus on maximizing this opportunity, while also managing compliance requirements and the downside of risk. However, in this new thinking, the explicit linkage of risk and strategy, starting at the Board and C-suite level, must be an integral part of the organizational strategy-setting process.

With EERM now having a more balanced outlook of addressing the downside of risk as well as capturing the upside opportunity, the related annual spend seems to have significantly increased. For instance, organizations that are integrated or optimized in managing their extended enterprise are now typically investing over US$3 million annually on EERM initiatives, managed by more than 50 FTEs. Organizations that engage 50,000 or more third-parties in their extended enterprise are now typically investing over US$5 million annually on EERM initiatives, managed by more than 100 FTEs. However, ongoing success in being able to achieve this balance should be measured not only on how cost efficiently EERM frameworks are designed or operated, but primarily on how well risk is managed and mitigated, with a continuous process of alignment with strategy and organizational risk appetite. Should organizations lose this strategic insight and reduce their annual investments in EERM, then that cost is likely to come at the expense of reputation, regulatory scrutiny, and ultimately consumer backlash.

Industry highlights

• Several business cases for investment in EERM in the TMT sector (49 percent) appear to be driven by their ability to increase revenue, for instance by identifying unreported or under-reported revenue streams by third-parties, although this is a significantly less important driver in the other segments.

• For LSHC and E&R, the strongest driver for EERM initiatives appears to be reducing the number of third-party related incidents (46 percent and 40 percent of respondents, respectively). Similarly, reduction in regulatory exposure is a related driver in these two industry segments, with 46 percent and 58 percent of respondents, as well as in FS (48 percent of respondents), while respondents from LSHC and PS are most concerned with meeting internal compliance requirements (52 percent and 50 percent of respondents respectively).

• Among the new and emerging drivers for investment in EERM, the ability to achieve greater agility and flexibility in the marketplace seems to be most popular, with one in three respondents from the E&R and LSHC industry segments, around one in four respondents from FS, TMT, and C&IP, and one in five respondents from PS.
Key factors driving business case for investment in EERM by industry (figure; horizontal bars for C&IP, E&R, FS, LSHC, PS, TMT and Others against each driver: cost reduction (e.g. through efficiency or by avoiding overpayments); increase in revenue (e.g. identification of under-reported revenue streams); reduction in number of third-party related incidents; reduction in regulatory exposure; addressing internal compliance requirements; better response and increased flexibility to market uncertainty; unlock access to innovative/disruptive technology solutions; unlock access to new markets/channels/products; increase in confidence in the organizational brand)

Geography highlights

• The need to achieve positive cost reduction in total organizational spend on third-parties in the extended enterprise, either by bringing in efficiencies or by preventing over-payments, is the most common driver for the business case for investing in EERM across all three regions. However, this is relatively the most dominant driver in EMEA with 50 percent of respondents, followed by Asia Pacific (42 percent) and the Americas (40 percent).

• Respondents from the Americas are much more driven by the opportunity to increase revenue, for instance by the identification of unreported or under-reported revenue streams (42 percent of respondents), in comparison to other regions such as Asia Pacific (20 percent of respondents) and EMEA (17 percent of respondents).

• In terms of emerging drivers, EMEA is relatively more focused on unlocking opportunities for innovation through third-parties (21 percent of respondents), while Asia Pacific is more focused on gaining access to new markets, channels, and products (16 percent of respondents). All three regions are almost equally focused on increasing the confidence in their organizational brand through third-parties (17-18 percent of respondents).

• Respondents from the Americas are the most confident about demonstrating the realization of tangible benefits related to their organizational business case for investment in EERM, with 20 percent extremely confident and another 48 percent somewhat confident. EMEA respondents are not far behind in this regard, with 12 percent extremely confident and another 52 percent somewhat confident. However, Asia Pacific is less confident, with seven percent and 37 percent of respondents in each of these categories respectively.

Key factors driving business case for investment in EERM by region (figure; horizontal bars for the Americas, Asia Pacific and EMEA against the same drivers): cost reduction Americas 40%, Asia Pacific 42%, EMEA 50%; increase in revenue Americas 42%, Asia Pacific 20%, EMEA 17%; unlock access to innovative/disruptive technology solutions EMEA 21%; unlock access to new markets/channels/products Asia Pacific 16%; increase in confidence in the organizational brand 17-18% in each region.
Confidence in demonstrating realization of tangible benefits related to their organizations' business case for investment in EERM by region (figure; categories: extremely confident, somewhat confident, neutral, not much confidence, not at all confident; series: Americas, Asia Pacific, EMEA)
3. Centralized control

3b. COEs and shared service models represent the dominant operating model, along with an increased focus on market utility models.
3a. Organizations are centralizing many elements of EERM roles, structures and technologies.

Organizations whose overall control structure is equally or more decentralized than centralized: 55 percent in 2018 (down from 62 percent last year).

Decentralization has been a common theme in our earlier surveys. Both prior surveys had reconfirmed that the majority of global organizations were equally or more decentralized than they were centralized (75 percent and 62 percent of respondents from the 2016 and 2017 surveys respectively), across operating units/entities.

However, the increasing dominance of third-parties forming the extended enterprise in these decentralized operating units/entities presented potential concerns. Many respondents felt that a critical organization-wide matter such as EERM should not be left to the discretion of a divergent group of operational-level personnel, and that it represented a potential challenge to a holistic and unified approach to third-party risk management, unless they scaled back on … EERM framework. In line with this thinking, current survey results indicate …

The '… of decentralization' view, which focused on managing EERM in decentralized organizations, had also suggested that an element of central oversight and management could help accelerate risk awareness and efficiency. The 2018 survey results show that more and more organizations are adopting this technique, resulting in the more decentralized EERM models being adapted with some component of central oversight. Accordingly, centralized elements in roles/structures and enabling technologies/processes are becoming more commonplace.

Out of the above 54 percent, only 48 percent of organizations now have EERM elements (roles/structures/technologies/processes) that are equally or more decentralized. The remaining 53 percent forms the current majority with more
Figures: distribution of respondents on a five-point scale (1 = highly centralized, 2 = more centralized than decentralized, 3 = equal mix of centralized and decentralized, 4 = more decentralized than centralized, 5 = highly decentralized)

levels with decision-making authority. At one end of this scale of choices are organizations which operate through a greater degree of command and control, with direct (referred to as "solid line") reporting relationships with their operating units, fewer levels between the leaders in the corporate center and operating unit executives, and formal task descriptions with authority specifications. At the other end of this scale are those organizations that operate with decentralization following the "spirit" rather than the "letter of the law", with greater operational

Irrespective of the degree of formality in decentralization, specific issues that must be addressed include the following:

• Establishing robust governance structures to manage third-party risk pervasively through the entire organization, which flow down for decentralized business units to align to.

• Creating clear accountability on ownership of activities for EERM at the group level and across the decentralized business units.

• Implementing appropriate tools and technologies across centralized and decentralized operations, together with the availability of appropriate management information to facilitate the EERM framework.

• Articulating robust and achievable processes to manage third-party risk throughout the decentralized organization, integrating both group-wide and local requirements.

In general, the growing trend towards more centralized models for EERM appears to be a sensible way to proceed, as there is much value (financial, efficiency, consistency, quality, etc.) to be gained from structuring a framework in this way. However, it should be noted that this is a general view and may not represent the most appropriate solution for all organizations.
Industry highlights

• The following diagrams set out a comparative analysis across the major industry sectors between the overall control structure in organizations and the organization structure for EERM, from a decentralization perspective. As can be seen:

• LSHC and C&IP represent the two industry segments with the highest relative level of overall decentralization in their organizations, with 64 percent and 60 percent of respondents stating they are equally or more decentralized than they are centralized. However, only 45 percent of respondents in both these segments felt that their EERM initiatives were equally or more decentralized than centralized. This, in turn, implies that the balance of 18 percent and 16 percent respectively of respondent organizations have now incorporated various aspects of centralized ownership and management in their EERM frameworks.

• An unexpected trend emerged in responses from the FS industry, where it was identified that while 53 percent of respondents feel that the overall control structure in their organization is equally or more decentralized than centralized, a higher number of respondents (56 percent) feel that their EERM organization structures are equally or more decentralized, in contrast to the relationship between these metrics in other industry sectors. Upon closer inspection it was noted that the proportional increase in the number of respondents from the smaller and relatively new non-traditional players in the FS marketplace (such as the new breed of "fintechs", challenger banks, etc.) in comparison to the larger, more traditional organizations has driven this outlier in the results. The structures and operational processes in these non-traditional FS organizations are typically leaner, with a lower appetite to establish large central utilities/teams and instead a desire to drive autonomy to end users in the business, with consistency obtained through organization-wide technology solutions, policies, guidance materials, and central oversight.

Overall control structure by industry (figure; series C&IP, E&R, FS, LSHC, PS, TMT and Others on a five-point scale: 1 = highly centralized, 2 = more centralized than decentralized, 3 = equal mix of centralized and decentralized, 4 = more decentralized than centralized, 5 = highly decentralized)
Organization structure for EERM by industry (figure; series C&IP, E&R, FS, LSHC, PS, TMT and Others on the same five-point scale from 1 = highly centralized to 5 = highly decentralized)

Geography highlights

• The Americas is clearly the region with the highest level of centralization, with only 35 percent of respondent organizations believing that they are equally or more decentralized. This, in turn, corresponds to the related EERM initiatives also being largely centralized (with only a minority, i.e. 33 percent of respondent organizations, believing that their EERM initiatives are equally or more decentralized).

• Asia Pacific, with its regional diversity, has evolved to be far more decentralized in general, with 56 percent of respondents from that region evaluating their organizations' overall control structures to be equally or more decentralized. In line with this, 54 percent of respondents believe that their organizational structures for EERM are also in this same decentralized position.

• … organizational structures for EERM are also equally or more decentralized, implying that business unit led silos still dominate EERM initiatives in this region (also reflected by the lowest

Overall control structure by region (figure; series Americas, Asia Pacific and EMEA on the five-point scale from 1 = highly centralized to 5 = highly decentralized)
3b. COEs and shared service models represent the dominant operating model, along with an increased focus on market utility models.

EERM (up from 13 percent last year) in the current survey, with another 13 percent intending to do so in the near future (up from

Most respondents (75 percent) told us that their centralized EERM operations sat either in a CoE or shared service center (whether fully operated by in-house teams or with some

(sharing of information across organizations) is rapidly gaining popularity as a key enabler for successful governance and risk management in the networked world. In keeping with this top trend, information hubs
Operating models for centralized EERM (figure; categories: in-house Center of Excellence (CoEs), hub-and-spoke model, in-house shared service center, federated structure, external managed services provider)

However, a managed service option can enable an organization to achieve the desired level of customization it requires (not deliverable from most market utilities), while keeping the cost lower than that of an internal team.

CoEs and managed services models enable setting consistent standards, defining uniform processes, implementing common technology across business units with a longer term strategic focus, providing training, executing risk assessments and providing guidance. However, business leadership retains the responsibility for

In addition to compliance with minimum standards for pre-qualification based on criticality of the third-party, potential areas where information related to ongoing governance and risk management of third-parties can be shared include, for instance, data privacy and protection, cybersecurity, regulatory compliance, corporate social responsibility (CSR), ethics and sustainability, supply disruption and continuity, anti-bribery and corruption, safety and quality, EU procurement compliance, and financial distress. Some of the available market utilities
Industry highlights

• The uptake of CoEs and SSCs is fairly consistent across the various industry segments, with the range being 69-79 percent.

• TMT has the highest level of uptake of CoEs and SSCs, with 79 percent of respondent organizations adopting this operating model, followed by C&IP with 78 percent and then by E&R and FS with 73 percent in each case.

• E&R seems to have outsourced the most to managed service providers (seven percent of respondents), followed by C&IP (four percent), while those doing so the least are FS with two percent and PS with nil.

• FS has been leading the way with regard to community … (increase in actual utilization from 16 percent to 24 percent during 2017), CB (e.g. FMCG) (11 percent to 18 percent), and TMT (12 percent to 27 percent). E&R (28 percent to 33 percent), while the leading industry segment in exploring market utilities, has some way to go to fully embrace the opportunities here through extensive usage (with only two percent of the latter 33 percent using such models extensively, but the vast majority, represented by the other 31 percent, making only limited use). But already we have seen movement to progress in this space at the back end of 2017.

Operating models to coordinate operational, oversight and assurance roles for EERM talent by industry (figure; pie charts for C&IP, E&R, LSHC, PS, FS, TMT and Others). Legend:
• In-house (centralized) Center of Excellence (CoEs) with specialized talent for EERM
• In-house (centralized) Shared Service Center (SSC) with administrative staff for EERM support processes
• Hub-and-spoke model
• Federated structure
• EERM operations are managed fully or predominantly by an external managed services provider (with centralized decision-making retained in the organization)
Operating models to coordinate operational, oversight and assurance roles for EERM talent (figure, regional breakdown; legend includes: in-house (centralized) Center of Excellence (CoEs) with specialized talent for EERM; in-house (centralized) Shared Service Center (SSC) with administrative staff for EERM support processes)

provider is still a relatively new concept across all three regions. While none of the respondents from Asia Pacific have done this, three percent of respondents from the Americas and five percent of respondents from EMEA are following that approach, possibly due to these fully integrated managed service models only recently becoming available in the marketplace.

either unaware or lack the clarity at this stage to be able to take a decision.
4. Technology platforms
4. Technology decisions for EERM solutions are now being taken more centrally and a three-tiered technology architecture is emerging.
[...] a somewhat disorganized approach to the use of technology to enable EERM processes from end-to-end, using a combination of more than one platform, even for different types of third-parties, in some cases across multiple business units in a piecemeal manner.

However, in keeping with the new trend of increased centralized oversight of EERM activities revealed by the current survey, technology decisions are now being taken more centrally and a standard tiered technology architecture is emerging, particularly among those organizations that have an integrated or optimized status in their EERM maturity scale.

[Figure: The emerging three-tiered technology architecture for EERM]
• Tier 1 (ERP + Procurement): ERP systems or other backbone applications for procurement, used for end-to-end procurement and/or third-party management.
• Tier 2 (GRC + TPRM utility + TPRM solutions): generic GRC software or EERM-specific risk management packages, or those tailored from specialized risk domains, providing TPRM-specific functionality.
• Tier 3 (risk domain specific technologies and/or data feeds): other niche packages for specific EERM processes or risks, with feeds from specialized risk domains.
[...] technical solution for EERM. Less than 10 percent of respondents are currently using bespoke systems for EERM, a sharp drop from just over 20 percent last year.

Standardization of technology architecture for EERM, using a combination of ERP systems and other backbone applications for procurement together with packaged solutions, is supported by an increasing intent by management to invest in emerging technologies for EERM. Cloud technologies that enable agile business operations with standardization represent the most popular emerging technology, along with the opportunity to automate routine tasks related to EERM: 46 percent of respondents are planning to utilize standardized cloud technologies for EERM while 31 percent are considering using RPA for routine EERM tasks across the organization.

In fact, as outlined in our whitepaper titled “Unlock the value in your technology investments”, organizations with a well-defined technology-enabled EERM framework typically tend to realize an additional four to five percent return on equity.

Better tools and technology can significantly reduce the time spent on pre-contract, post-contract, and ongoing tracking/monitoring activities, thus making available time for focusing on the broader strategic areas of risk management and value creation (e.g. performance, [...]).

Most survey respondents desire integrated technology that would address as many of the dimensions of EERM as possible (e.g. performing due diligence and ongoing risk assessments, recording and presenting KPIs and other performance data through dashboards, facilitating documentation and escalation of issues etc.). The current tiered approach has its advantages in leveraging multiple dimensions of available technology, but those organizations in managed status or below are still being compelled to build in some spreadsheet or manual process-based intervention to bridge the gaps.

[Figure: Current use of the tiered architecture for EERM tools (ERP systems or other backbone applications for procurement; generic GRC software or EERM-specific risk management packages or those tailored from specialized risk domains (GRC + TPRM Utility + TPRM Solutions); other niche packages for specific EERM processes or risks with feeds from specialized risk domains).]

[Figure: Emerging technologies planned for EERM]
• Cloud technologies to enhance flexibility: 46%
• Robotics automation for routine administrative tasks: 31%
• Visualization technologies for meaningful interpretation of data: 20%
• Cognitive analytics for interpretive tasks: 19%
• Blockchain technologies to validate third-party transactions: 16%
Industry highlights

• The use of features of the existing ERP system or other organization-wide backbone systems for procurement seems to be the highest in the E&R and LSHC industries (26 percent and 32 percent of respondents, respectively) and the lowest in FS, PS, and TMT (18 percent, 18 percent, and nine percent of respondents, respectively).

• The uptake of generic GRC packages is highest in FS, with 34 percent of respondents subscribing to this option, followed by TMT (29 percent), but lowest in C&IP (11 percent of respondents).

• Use of other niche packages appears to be the dominant trend in C&IP (69 percent of respondents) and lowest in FS (48 percent).

• The overall average of organizations using all of the three tiers [...]

[Figure: Evolving tiered architecture for EERM tools and technologies by industry (ERP systems or other backbone applications for procurement; generic GRC software or EERM-specific risk management packages or those tailored from specialized risk domains; other niche packages for specific EERM processes or risks with feeds from specialized risk domains), for C&IP, E&R, FS, LSHC, PS, TMT and Others.]

[Figure: Emerging technologies for EERM by industry (visualization technologies for meaningful interpretation of data; blockchain technologies to validate third-party transactions; cloud technologies to enhance flexibility; cognitive analytics for interpretive tasks), for C&IP, E&R, FS, LSHC, PS, TMT and Others.]
[...] across the three regions with some limited exceptions.

[Figure: Evolving tiered architecture for EERM tools and technologies by region (ERP systems or other backbone applications for procurement; generic GRC software or EERM-specific risk management packages or those tailored from specialized risk domains; other niche packages for specific EERM processes or risks with feeds from specialized risk domains), and emerging technologies for EERM by region (including blockchain technologies to validate third-party transactions).]
5. Sub-contractor risk
5. Organizations are lacking appropriate visibility and monitoring of sub-contractors engaged by third-parties.

88% [...] their sub-contractors (fourth/fifth parties) while another 10 percent do so only for those [...]

[...] organizations lack appropriate visibility of instances where sub-contractors are engaged by their third-parties. The majority (57 percent) of survey respondents do not have adequate knowledge [...] do not know their organizational policy and practices in this regard.

[...] strategy and approach to the management of sub-contractor risk and to apply the appropriate amount of discipline and stringency. Recent regulation such as the Modern Slavery Act and GDPR, which include requirements [...]
[Figure: Adequate knowledge and an appropriate level of visibility over sub-contractors engaged by third-parties (Yes / No / I don’t know); 57 percent answered No.]

[Figure: Frequency of periodic review of the concentration risk (Quarterly / Half-yearly / Annually / Once in 2-3 years / Never / Don’t know).]
[...] extended enterprise of suppliers and service providers to the focal organizations covered by the survey. Their suppliers and service-providers have also been motivated by the desire to gain competitive advantage through the involvement of third-parties, i.e. to enable better product or service innovation, facilitate expansion to new markets, and provide access to skills and capabilities not available internally, while they (as suppliers of goods and services) continue to focus on their core business processes. Sometimes the sub-contractor (referred to as fourth parties to the focal organization) may also be further sub-[...]

[...] attention of the regulators who are holding organizations accountable for lack of oversight of third-parties and their sub-contractors. Where these risks have been realized, this has compromised organizational reputation, broken down business continuity, and attracted substantial penalties and regulatory enforcement action.

We understand most organizations are focusing on identifying, assessing, and managing the risk in their third-parties and believe that, for the moment, just having an awareness of sub-contractor relationships is sufficient. The [...]

Industry highlights

• [...] (in relative terms) such as FS and LSHC are the weakest performers in this regard, with as many as 81 percent and 85 percent of respondents, respectively, acknowledging that they do not have appropriate knowledge and visibility over their fourth/fifth parties. C&IP and E&R, both with 75 percent of respondents in this position, follow in their footsteps.

• Similarly, only 15 percent of the respondents from FS as well as an equal proportion of respondents from C&IP review concentration and other risks from their fourth and fifth parties either quarterly or half-yearly, followed by 24 percent [...]
Geography highlights

• The lack of knowledge and visibility of sub-contractors is fairly consistent across all three geographic regions, spanning around three out of four respondents in each region.

• The periodicity of monitoring is however the lowest in the Americas, where [...] respondents indicate that they either do not monitor such sub-contractor risks at all or do not know if anyone in their organization does so, as against 35 percent of respondents being in that position in EMEA and 34 percent in Asia Pacific. However, even in the latter geographies, only 19 percent of respondents monitor this half-yearly or quarterly (15 percent in the Americas), implying far more needs to be done in this regard.

[Figure: Adequate knowledge and an appropriate level of visibility over sub-contractors engaged by third-parties, by industry (Yes / No / I don’t know).]

[Figure: Frequency of periodic review of the concentration risk, by region (Quarterly / Half-yearly / Annually / Once in 2-3 years / Never / Don’t know).]

[Figure: Frequency of periodic review of the concentration risk, by industry (Quarterly / Half-yearly / Annually / Once in 2-3 years / Never / Don’t know).]

[Figure: Adequate knowledge and an appropriate level of visibility over sub-contractors engaged by third-parties, by region (Yes / No / I don’t know).]
6. Organizational imperatives and accountability
6a. Ultimate ownership and accountability for EERM suggests it is well and truly
established in the C-suite roles with need for improvement in engagement.
[...] ultimately accountable for EERM in 78 percent of the organizations, up from 75 percent last year.

Ultimate ownership and accountability for EERM suggests it is well and truly established in the C-suite, with 78 percent of organizations suggesting that either the CEO, CFO, CPO, CRO, or a member of the Board is ultimately accountable for this topic. This includes a member of the Board being ultimately accountable for EERM in 19 percent of the cases, while 33 percent suggested the CEO (21 percent) or CFO (12 percent) had a similar responsibility.

In some cases, there appears to be a small shift in ultimate accountability from CPOs and Vendor/Alliance Managers to Heads of Risk and CFOs under Board/CEO supervision, although this is still not true where the organizational supply-chain forms the most significant component of the extended enterprise. In such organizations, which still form the majority, the CoEs and shared services are also largely owned by procurement teams.

Survey respondents however believe that there is room for improvement in the level of engagement on the EERM agenda by Board members and risk domain owners. Only 20 percent of Board members have a high level of engagement, where a member of the Board has ultimate accountability. This, in turn, implies that levels of engagement in the remaining 80 percent of organizations, where the Board operates in an oversight or supervisory role, are at best moderate (42 percent of respondents) if not low (19 percent), absent or unknown (seven percent and 12 percent respectively).

Engagement by risk domain owners is also not very encouraging. Only 16 percent of risk domain owners had a high level of engagement and understanding of EERM, with the vast majority represented by the remaining 84 percent of respondents who felt risk domain owners had at best moderate (45 percent) or low (17 percent) engagement, or levels of engagement that were absent (seven percent) or unknown (15 percent). Survey respondents believe that relatively lower levels of engagement and understanding by risk domain owners negatively impacted the level of coordination with other stakeholders, as discussed in our finding 6(b) on page 58.

Survey respondents believe that a key underlying factor for this limited engagement is the lack of regular supervisory review by the Board. Only 11 percent of organizations surveyed have formal Board reviews on a quarterly basis, with at best another 10 percent doing this on a half-yearly basis. For 35 percent, this is just another annual process to be completed, while 38 percent do not know when they had such a review or whether they had it at all.
[Figure: Ultimate accountability for EERM; three values per role, the last being the 2018 result]
• CEO: 27% / 20% / 21%
• Member(s) of the Board: 20% / 19% / 19%
• CRO: 8% / 12% / 15%
• CFO: 5% / 9% / 12%

[Figure: Frequency of board-level EERM review focused on alignment with strategic plan and risk appetite (Quarterly / Half-yearly / Annually / Once in 2-3 years / Never / Don’t know).]

[Figure: Level of engagement in EERM]
Level of engagement | Board of directors | Risk domain owners
High level of engagement and understanding/coordination | 20% | 16%
Moderate level of engagement and understanding/coordination | 42% | 45%
Lower level of engagement and understanding/coordination | 19% | 17%
No significant engagement or understanding/coordination | 7% | 7%
Don’t know | 12% | 15%

Deloitte point of view

As extended enterprise risks grow, along with shareholder, political, legal, and regulatory activism, there is likely to be a greater demand placed on management and boards to be accountable for major risk events, whether the events [...]

Today, a large number of global Boards carry out their risk oversight responsibilities either by themselves or at best with some support from CFOs and their audit committee. As extended enterprises grow in complexity and scale, we predict that more Boards globally may be considering the establishment of risk committees or similar focus groups to assist them in ensuring a more systematic and broader oversight of strategic and operational risks, as is currently an emerging trend in North America.
Industry highlights

• The level of engagement and knowledge of EERM by the Board appears to be the highest in PS (35 percent of respondents) and E&R (31 percent) and the lowest in LSHC (15 percent), C&IP (18 percent), and TMT (18 percent), followed closely by FS (19 percent).

• High levels of engagement and coordination by risk domain owners are once again the highest in PS (30 percent of respondents), followed however by LSHC (21 percent), E&R (18 percent), and FS (17 percent).

[Figure: Level of engagement and coordination between risk domain owners and the EERM team, by industry (High / Moderate / Low / None / Don’t know), for C&IP, E&R, FS, LSHC, PS, TMT and Others.]

[Figure: Level of engagement and understanding of the board of directors with risks relating to the extended enterprise of their organization, by industry (High / Moderate / Low / None / Don’t know).]

Geography highlights

• Organizations from EMEA appear to have the highest level of engagement in relative terms from their Boards, with 24 percent demonstrating a high level of engagement and understanding, as compared to only 10 percent in the Americas and nine percent in Asia Pacific. The lack of awareness by respondents on the level of Board engagement in EERM is also the highest in the Americas, with as many as 37 percent of respondents unaware of the actual position, as against only seven percent in EMEA and 11 percent in Asia Pacific.

• This diversity across regions is supported by the fact that only seven percent of respondents from the Americas have quarterly or half-yearly supervisory reviews of EERM by the Board, compared to 24 percent in Asia Pacific and 23 percent in EMEA.

• The engagement of risk domain owners however is relatively much higher in the Americas, with 20 percent of respondents [...] Americas are not aware of the position in this regard, as against [...]
[Figure: Level of engagement of board members and risk domain owners in EERM, by region (High level of engagement and understanding / Lower level of engagement and understanding / No significant engagement or understanding / Don’t know), for the Americas, EMEA and Asia Pacific.]

[Figure: Frequency of board-level EERM review focused on alignment with strategic plan and risk appetite, by region (Quarterly / Half-yearly / Annually / Once in 2-3 years / Never / Don’t know).]
6b. Challenges over internal coordination, talent and processes represent
areas of highest (organizational) concern over EERM.
Skills, bandwidth and competence of talent is the most significant concern related to EERM (45 percent of respondent organizations), followed by clarity of roles and responsibilities (41 percent), EERM processes (41 percent), and stakeholder awareness and commitment to third-party risks (38 percent).

[...] and competence of talent engaged in EERM-related activities appears to be the most significant concern for respondents (45 percent), followed by the clarity of roles and responsibilities and EERM processes (41 percent each). Stakeholder awareness and commitment to third-party risks have emerged as a newer area of concern with 38 percent of respondents, an issue that we have not seen in the forefront in our earlier surveys in general terms, although a more specific need to get the attention of the Board and feature as an ongoing priority item in the related agenda had been expressed by respondents. Other areas of emerging concern include achieving [...]

40 percent of respondent organizations have prioritized the need to establish better coordination between risk domain owners, business unit leaders, functional heads, legal, and internal audit teams, etc. as the top [organizational imperative]. Aligned to the concern of non-standardized processes and lack of clear roles/responsibilities, the need to strengthen due diligence activities prior to onboarding new third-parties is second on the list of top organizational imperatives related to EERM (35 percent of respondent organizations). This, in turn, is followed by the need to build stronger resilience to disruption caused by third-party related incidents (24 percent) and to ensure a proportionate EERM approach based on the categorization [...]
Leadership concerns around EERM
• Skills, bandwidth and competence in extended enterprise risk management: 45%
• Processes for extended enterprise risk management: 41%
• Clarity of related roles and responsibilities: 41%
• Stakeholder awareness and commitment to third-party risks: 38%
• Structure of third-party management organization: 30%

Top organizational imperatives related to EERM
• Better in-house coordination with risk domain owners, business unit leaders, functional heads, legal teams, internal audit, etc.: 40%
• Strengthening due diligence prior to onboarding third-parties: 35%
• Building stronger resilience to disruption: 24%
• Enhancing assurance activities over third-parties: 17%
• Enhancing clarity in business case articulation requirements: 14%
• Greater alignment with organization-wide crisis prevention/management team to increase resilience to third-party related disruption: 13%
• Enhancing technology to manage third-parties: 12%
Deloitte point of view

There has been a significant change in organizational priorities and underlying leadership concerns since our previous survey, where tools and technologies used for EERM had concerned a vast majority (more than 90 percent) of respondents. Respondents to our previous survey had indicated that this concern around the lack of a single unifying technology to manage EERM, together with the disparity of third-party management processes across the depth and breadth of increasingly decentralizing organizations, had created an “execution gap” that came in the way of integrating and optimizing EERM.

Deloitte specialists believe that two trends over the last 12 months, both discussed earlier in this report, have been key to reducing this overwhelming concern. First, the [...]

As risk management and governance becomes an overarching strategic issue, aligned to business strategy and operations drilling down to individual business units, it is natural that more and more people at various levels, functional areas, and stakeholders will have a role to play. Further, a much broader and newer set of risks and strategic assets which are more difficult to leverage, manage, and protect will continue to emerge, including people, intellectual property, customers, marketing efforts, and even, for example, “the crowd” in emerging phenomena like crowdsourcing. This will need new skills to be infused into the organization and roles to be redefined. Apart from the emerging risk domains as well as the owners of these new risk domains, organizations should consider external stakeholders who herald a more outside-in perspective including, for instance, customers, bloggers, information [...]

Each of these players brings a unique set of perspectives and skill-sets to risk management and governance which can be an invaluable asset to every business, provided they are orchestrated to ensure that:

• There is complete clarity on who does what in the area of risk management.

• There are neither overlaps nor underlaps in who does what.

• Limited risk management resources are deployed effectively across the organization to address the most significant areas of concern and opportunity across the business.
Industry highlights

The need to build better in-house coordination with risk domain owners, business unit leaders, functional heads, legal, and internal audit teams, etc. consistently features as a top organizational imperative within all the key industry sectors, followed by the need to strengthen due diligence prior to onboarding third-parties and, more generally, to enhance assurance activities or monitoring within the extended enterprise.

• Identifying the most strategic third-parties to ensure proportionate EERM effort is a top imperative across the C&IP, E&R, FS, and LSHC industry segments.

• Addressing cyber risks is a top organizational imperative in the C&IP, FS, and PS industry segments.

• Building stronger resilience to disruption is a key action item for respondents from the C&IP, LSHC, PS, and TMT industry groups.

• Enhancing technology to address EERM requirements, however, remains a top imperative for TMT, possibly due to the growth of online or platform-based collaboration in this industry segment.

[Figure: Top five organizational imperatives related to EERM by industry (panel headings not recoverable)]
Panel 1: Better in-house coordination with risk domain owners, business unit leaders, functional heads, legal teams, internal audit, etc. 46%; Strengthening due diligence prior to onboarding third-parties 32%; Identifying the most strategic third-parties to ensure proportionate effort in EERM processes 25%; Addressing cyber risks at third-party locations 22%; Building stronger resilience to disruption and uncertainty resulting from third-parties in the extended enterprise 19%.
Panel 2: Better in-house coordination with risk domain owners, business unit leaders, functional heads, legal teams, internal audit, etc. 42%; Strengthening due diligence prior to onboarding third-parties 39%; Enhancing monitoring of third-parties (e.g. real-time monitoring, risk sensing) using emerging technologies such as robotics automation, cognitive processes 27%; Identifying the most strategic third-parties to ensure proportionate effort in EERM processes 27%; Building stronger resilience to disruption and uncertainty resulting from third-parties in the extended enterprise 24%.
Panel 3: Better in-house coordination with risk domain owners, business unit leaders, functional heads, legal teams, internal audit, etc. 49%; Strengthening due diligence prior to onboarding third-parties 31%; Identifying the most strategic third-parties to ensure proportionate effort in EERM processes 29%; Enhancing assurance activities over third-parties 27%; Enhancing monitoring of third-parties (e.g. real-time monitoring, risk sensing) using emerging technologies such as RPA, cognitive processes 24%.
Panel 4: Better in-house coordination with risk domain owners, business unit leaders, functional heads, legal teams, internal audit, etc. 40%; Building stronger resilience to disruption and uncertainty resulting from third-parties in the extended enterprise 35%; Addressing cyber risks at third-party locations 30%; Enhancing clarity in business case articulation requirements 25%; Enhancing assurance activities over third-parties 20%.
Panel 5: Strengthening due diligence prior to onboarding third-parties 37%; Better in-house coordination with risk domain owners, business unit leaders, functional heads, legal teams, internal audit, etc. 34%; Enhancing monitoring of third-parties (e.g. real-time monitoring, risk sensing) using emerging technologies such as RPA, cognitive processes 30%; Addressing cyber risks at third-party locations 25%; Identifying the most strategic third-parties to ensure proportionate effort in EERM processes 22%.
Panel 6: Better in-house coordination with risk domain owners, business unit leaders, functional heads, legal teams, internal audit, etc. 40%; Strengthening due diligence prior to onboarding third-parties 38%; Building stronger resilience to disruption and uncertainty resulting from third-parties in the extended enterprise 29%; Enhancing technology to manage third-parties 19%; Enhancing monitoring of third-parties (e.g. real-time monitoring, risk sensing) using emerging technologies such as RPA, cognitive processes 18%.
Panel 7: Strengthening due diligence prior to onboarding third-parties 63%; Better in-house coordination with risk domain owners, business unit leaders, functional heads, legal teams, internal audit, etc. 42%; Identifying the most strategic third-parties to ensure proportionate effort in EERM processes 32%; Addressing cyber risks at third-party locations 26%.
Foreword Geography highlights Top five organizational imperatives related to EERM by region
• Regional analysis of top organizational imperatives
Better in-house coordination with risk domain
related to EERM also indicate the need to build better owners, business unit leaders, functional
heads, legal teams, internal audit, etc. 46%
in-house coordination with risk domain owners,
Executive summary business unit leaders, functional heads, legal, and internal Strengthening due diligence prior
to onboarding third-parties 32%
audit teams, etc. as a common imperative across all the key
Building stronger resilience to disruption
regions, followed by the need to strengthen due diligence prior and uncertainty resulting from third-parties 25%
in the extended enterprise
01 Inherent risk and maturity to onboarding third-parties and the need for strengthening
resilience over disruption and uncertainty arising from the
Enhancing clarity in business
case articulation requirements 24%
extended enterprise. Additionally: Identifying the most strategic third-parties to
ensure proportionate effort in EERM processes 20%
Business case
02 and investment
• Respondents from the Americas are focused on the need to
articulate better business cases for investment in EERM and
identifying the most strategic third-parties for proportionate Strengthening due diligence prior
36%
to onboarding third-parties
EERM effort.
03 Centralized control Better in-house coordination with risk domain
owners, business unit leaders, functional
heads, legal teams, internal audit, etc.
30%
• Respondents from Asia Pacific share the Americas’ need to
Building stronger resilience to disruption
articulate better business cases for EERM and additionally and uncertainty resulting from third 25%
parties in the extended enterprise
04 Technology platforms
enhance training and guidance for their retained organization.
Enhancing training and guidance
for the retained organization 19%
• Respondents from EMEA share a common priority to identify Enhancing clarity in business
19%
the most strategic third-parties for proportionate EERM effort, case articulation requirements
62 58
About the authors

Kristian Park leads the Extended Enterprise Risk Management team in the EMEA region, as well as leading Deloitte's Global Third-party Risk Management (TPRM) group. As a partner in Deloitte UK, Kristian works with his clients to develop governance frameworks to identify and manage all types of third-party risks, looking at both process and technology solutions; performs inspections of third-party business partners on his clients' behalf; and assesses third-party compliance with contractual terms and conditions.

In addition, Kristian is responsible for Deloitte UK's Software Asset Management and Software Licensing teams and

Kristian Park
EMEA Leader, Extended Enterprise Risk Management
Global Risk Advisory

Danny Griffiths is a Director in our London-based EERM team. He has 11 years of experience providing assurance and advisory services to his clients in the area of third-party risk. Danny leads the Third-party Advisory (TPA) proposition within our UK EERM team, and specializes in supporting clients in the development of Third-party Governance & Risk Management frameworks. He has worked extensively in the Financial Services sector in this regard, as well as advising organizations across many other industry sectors, and he regularly hosts roundtables and presents at forums on this topic.

In addition, Danny has significant experience leading compliance programs for large national and multinational organizations, assessing third-party compliance against contractual obligations. Danny has led inspections across a range of third-parties including suppliers, outsourcers, marketing agencies, distributors, resellers, and licensees. He has practical experience working in a broad range of industries including Financial Services, Technology & Media, Consumer Business, Sports Business, Energy & Utilities, Real Estate, and Public Sector. He has led projects in multiple jurisdictions within EMEA, the Americas, and Asia.

Danny Griffiths
Director, Extended Enterprise Risk Management
Deloitte LLP
Mark Bethell is a Director in the UK EERM practice. Mark re-joined Deloitte in June 2015 having spent 4 years working in industry at a global oil major. While at the oil major, Mark led the design and implementation of a global risk management framework designed specifically for joint ventures operated by others. Mark's other roles at the major included membership of the Internal Audit Leadership Team, with accountability for all internal audit work performed in relation to the extended enterprise (contractors, suppliers and non-joint ventures).

Since returning to Deloitte, Mark has led a number of projects to help clients, across multiple industries, manage the

Mark Bethell
Director, Extended Enterprise Risk Management
Deloitte LLP

Sanjoy Sen is the Head of Research and Eminence for EERM at Deloitte LLP, based in the UK. He is a Chartered Accountant (FCA), a Cost and Management Accountant, and a Certified Information Systems Auditor (CISA) with over 29 years of experience, which includes 17 years of partner-level experience at Deloitte and another competing Big 4 firm.

Sanjoy is currently enhancing his experience in strategic governance and risk management around outsourcing and shared services through a Doctoral Research Scholarship at Aston Business School, Birmingham, while continuing to provide professional advice to Boards, senior leadership, Heads of Risk, and Internal Audit. His ongoing research has been published globally through various academic and professional channels, with over 200 citations in frontline newspapers, professional journals, and conference papers since 2014, in addition to co-authorship with Deloitte's global EERM leaders.

His prior experience in strategic governance and risk management of the extended enterprise, outsourcing, and shared services spans the UK, Gibraltar, India, and various countries in the Middle East. This includes assisting clients in strengthening their business strategy frameworks through effective strategic outsourcing and shared services initiatives, through a combination of risk advisory and internal audit roles in client engagements.

Sanjoy Sen
Doctoral Research Scholar
Aston Business School
Contacts

EMEA: Kristian Park, +44 20 7303 4110, krpark@deloitte.co.uk
Americas: Dan Kinsella, +1 312 486 2937, dankinsella@deloitte.com

Country contacts

EMEA
- Germany: Jan Minartz, +49 403 2080 4915, jminartz@deloitte.de
- Greece: Alithia Diakatos, +30 2106 78 1176, adiakatos@deloitte.gr
- Hungary: Zoltan Szollosi, +36 (1) 428 6701, zszollosi@deloitte.com
- Netherlands: Jina Calmaz, +31 8828 81871, jcalmaz@deloitte.nl
- Poland: Mariusz Ustyjanczuk, +48 22 511 0939, mustyjanczuk@deloittece.com
- Portugal: Joao Frade, +351 2104 27 558, jfrade@deloitte.pt
- Slovenia: Polona Klep Cufer, +386 1 307 29 87, pcuferklep@deloittece.com
- Southern Africa: Dean Chivers, +27 1180 51159, dechivers@deloitte.co.za
- Spain: Oscar Martín, +34 914432660, omartinmoraleda@deloitte.es
- Sweden: Charlotta Wikström, +46 73 397 11 19, cwikstroem@deloitte.se
- Switzerland: Ronan Langford, +41 58 279 9135, rlangford@deloitte.ch
- Turkey: Cuneyt Kirlar, +90 212 366 60 48, ckirlar@deloitte.com
- United Arab Emirates: Tariq Ajmal, +971 2 408 2424, tajmal@deloitte.com
- United Arab Emirates: Huzaifa Hussain, +97 1043 7688 88, HuzHussain@deloitte.com
- United Kingdom: Kristian Park, +44 20 7303 4110, krpark@deloitte.co.uk

Asia Pacific
- China: Yvonne Wu, +86 21 614 115 70, yvwu@deloitte.com.cn
- Hong Kong: Hugh Gozzard, +852 2852 5662, huggozzard@deloitte.com.hk
- India: Sachin Paranjape, +91 22 6185 4903, saparanjape@deloitte.com
- Thailand: Weerapong Krisadawat, +66 2034 0145, wkrisadawat@deloitte.com
- Vietnam: Philip Chong, +65 6216 3113, pchong@deloitte.com

Americas
- Chile: Christian Duran, +56 22 72 98 286, chrduran@deloitte.com
- LATCO: Esteban Enderle, +54 11 43 2027, eenderle@deloitte.com
- Mexico: Ricardo Bravo, +52 55 508 06 159, ribravo@deloittemx.com
- United States: Dan Kinsella, +1 312 486 2937, dankinsella@deloitte.com
1. In preparing our report, we have considered both fully as well as partially completed survey responses (to the extent survey questions have been answered by these respondents). However, the increased proportion of respondents from regions where levels of understanding and organizational maturity in third-party risk are starting to increase, compared to more mature territories, has limited our ability to compare current results with last year's survey in some cases.
2. Industry segments covered by the survey include Financial Services (FS), Energy & Resources (E&R), Public Sector (PS), Technology, Media and Telecommunications (TMT), Consumer and Industrial Products (C&IP), Life Sciences & Health care (LSHC), and others. "Other industries" relates to survey responses where the respondent did not indicate the nature of their industry or did so ambiguously.
3. Figures set out on page 7 relate to centralized spending on EERM as estimated by respondents. Some respondents have indicated that their organizations may be spending significantly higher amounts related to EERM, given the decentralized nature of spend and activity.
4. This model presents a hybrid of various characteristics of centralized and decentralized structures, combining the benefits of some standardization and centralized planning with (decentralized) local leadership and some flexibility.
6. This typically operates with a centralized in-house specialist pool supported by representatives from this pool co-located geographically across multiple "hubs" to support business/departmental functions or regions within its purview on EERM-related issues.
7. Nearly three out of four respondents had experienced a third-party related disruptive incident in the last three years, as per our Global EERM Survey, 2017.
8. Excluding Australia and New Zealand, from where we also had very limited participation in this survey.
10. The Business Dictionary defines an infomediary as an information intermediary, typically a trusted third-party provider of information or advice on selection of goods or services, competitor information or research data (also called a knowledge broker).
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms and their related entities. DTTL (also referred to as “Deloitte Global”) and each
of its member firms are legally separate and independent entities. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.
Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax and related services. Our network of member firms in more than 150 countries and territories serves four out of five Fortune Global 500® companies. Learn how Deloitte's approximately 264,000 people make an impact that matters at www.deloitte.com.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms or their related entities (collectively, the “Deloitte network”) is, by
means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a
qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.