Focusing on the climb ahead

Third-party governance and risk management

Extended enterprise risk management global survey 2018

Foreword

Welcome to our 2018 global survey on Extended Enterprise Risk Management (EERM). This year we had just under one thousand responses, a significant increase and more than double what we received last year. Survey responses reflect the views of senior leaders from a variety of organizations in 15 countries1 across the Americas, Europe Middle East and Africa (EMEA), and Asia Pacific. A record number of participants this year is reflective of the ever increasing profile and investment third-party risk management is getting within organizations.

This third annual survey follows last year’s survey entitled “Overcoming the threats and uncertainty” which revealed how EERM in many organizations had continued to benefit from greater executive awareness. However significant changes in the external environment (such as the Brexit result in the UK and the US presidential election) had slowed down progress in implementing holistic, integrated frameworks and risk management mechanisms. After this stagnation during 2016 in addressing EERM maturity, 2017 seems to have allowed organizations to tackle the topic with a renewed focus and investment.

Our prior surveys focused on understanding the nature and magnitude of the EERM challenge in large global organizations. Using this as a backdrop, the current survey aims to capture improvements in maturity of EERM frameworks with a specific focus on the business case and investments in EERM. The survey results also reflect an emerging shift to include more centralized oversight and management for EERM across the more decentralized or federated structures to enable increased risk-awareness and consistency. A more centralized approach to EERM also enables the aggregation of information at an ‘organization-wide’ level to not only have a cross-risk view of third-party relationships, but also to address issues around concentration risk. In addition to reporting other leadership initiatives and concerns, this report sets out our predictions for 2018/2019 and related points of view.

As in our previous surveys, survey respondents are typically responsible for governance and risk management of the extended enterprise in their organizations, including Chief Finance Officers (CFOs), Heads of Procurement/Vendor Management, Chief Risk Officers (CROs), Heads of Internal Audit, and those leading the Compliance and Information Technology (IT) Risk functions. The respondents represented all the major industry segments2. The majority of these organizations had annual revenues in excess of US$1 billion. Additional insight was also obtained from subsidiaries of group organizations operating with higher degrees of decentralization and others with lower annual revenues.

I hope this report will continue to enhance your understanding of what has changed and what lies ahead as you exploit the many opportunities that EERM can yield for your organization.

Kristian Park
EMEA Leader, Extended Enterprise Risk Management
Global Risk Advisory

Jan Corstens
Global Leader, Extended Enterprise Risk Management
Global Risk Advisory

Revealing untapped opportunities in extending your enterprise

As companies continue to adopt, enhance, and grow their business ecosystems, EERM is increasingly becoming an astute management enabler and value driver rather than a compliance requirement.

Business ecosystems are the new norm and extending the physical and virtual boundaries of organizations to garner competitive advantage through collaboration with third-parties is an imperative. Leading organizations are investing in EERM to power growth, innovation and business performance in a risk-intelligent way to proactively address brand and reputation risk, especially important amid prevalent threats of high profile business failure, illegal third-party actions, or regulatory action with punitive fines.

Our current survey reveals that organizations are taking an earlier, more strategic view of risk drivers to create value and surface new opportunities. Seven out of ten respondents believe that business and macro-economic uncertainties have increased the risks inherent in managing the extended enterprise, at least by some extent, if not significantly. However, their overall levels of EERM maturity continue to improve at a much slower pace, which we believe to reflect awareness of the inherent complexity and challenges of an efficient EERM program.

Despite the slower pace, I’m encouraged to see an increased emphasis on utilizing risk to power performance and drive differentiation as rationale for investment in EERM, with nearly one in two respondents driven by overall cost reduction and efficiency objectives—truly, a significant shift from the near exclusive focus on the downside of risk, as reported in our last survey.

This burgeoning confidence reaffirms our belief that risk management is and can be a vital performance lever going forward.

Deloitte’s Risk Advisory professionals around the world can help you understand more about this survey and how the findings relate to distinctive opportunities for your organization. To learn more, please visit us at www.deloitte.com/risk.

Sam Balaji
Global Business Leader
Financial Advisory | Risk Advisory

Executive summary

A record number of participants in our 2018 survey supports the ever increasing profile and investment that EERM now has within organizations. Our survey has identified six key areas of focus for most organizations.

Key findings

1. Inherent risk and maturity
Organizational self-assessment of overall EERM maturity continues to improve at a slow pace despite a perceived increase in the inherent risks in third-party dependence.

2. Business case and investment
EERM is increasingly being focused on exploiting the upside of risk and demonstrating tangible benefits — a significant shift from only managing the downside of risk.

3. Centralized control
a) Organizations are centralizing many elements of EERM roles, structures and technologies.
b) COEs and shared service models represent the dominant operating model, along with an increased focus on market utility models.

4. Technology platforms
Technology decisions for EERM solutions are now being taken more centrally and a three-tiered technology architecture is emerging.

5. Sub-contractor risk
Organizations are lacking appropriate visibility and monitoring of sub-contractors engaged by third-parties.

6. Organizational imperatives and accountability
a) Ultimate ownership and accountability for EERM suggests it is well and truly established in C-suite roles, with a need for improvement in engagement.
b) Challenges over internal coordination, talent and processes represent areas of highest (organizational) concern over EERM.

Inherent risk and maturity

Seven out of ten respondents believe that risks inherent in managing their extended enterprise have increased at least by some extent if not significantly. However, organizational self-assessment of their overall levels of EERM maturity continues to improve at a slow pace.

After the slowdown in 2016 to address EERM maturity, 2017 seems to have allowed organizations to tackle the topic with a renewed focus and investment. This has taken place amid an increase in the inherent risk of dependence on third-parties. This increased perception of inherent risk has been caused by continuing uncertainty in the business and macro-economic environment; concerns around emerging regulation and regulatory scrutiny; and threats of third-party related incidents/disruption. However in a year where many organizations stated that they were going to significantly move the dial in EERM maturity, the aggregate results suggest there is still work to do for many organizations to become fully integrated or optimized in their EERM capabilities (please refer to page 22 for the Deloitte EERM maturity model used in this report).

That said, the Asia Pacific region has seen some increase in respondents moving along the maturity scale to reach integrated or optimized status. This is comparatively higher than in EMEA which has had very little movement. Similarly, in industries where EERM has more recently come under increased regulatory scrutiny (e.g. Life Sciences & Health care (LSHC), Consumer & Industrial Products (C&IP), and Public Sector (PS)), we have seen significant progress in a similar upward movement along the EERM maturity scale.

55 percent of respondents perceived “some” increase in risks inherent in EERM while another 11 percent perceived a “significant” increase in such risks.

42 percent of respondents reported “some” increase in their level of dependence on third-parties in the last year, with a further 11 percent reporting a “significant” increase in such dependence (10 percent a year earlier).

Impact of changing regulation is considered to be the greatest contributory factor to the increased perception of inherent risks (49 percent of respondents) followed by heightened levels of regulatory scrutiny (45 percent of respondents).

However, overall only 20 percent of respondents have integrated or optimized their EERM mechanisms (same as last year – see paragraph below) with another 50 percent, currently in managed status, aspiring to do so within the next 1-3 years.

In some cases, respondents, particularly from the Northern Americas region as well as from the Financial Services (FS) and Energy and Resources (E&R) industries have lowered their earlier self-assessments of maturity. This seems to reflect their deeper appreciation of the situation and a stronger understanding of third-party related issues than in the past. It should also be noted that as newer good practices continue to emerge, the goalposts are shifting too; hence in reality those that stand still are actually moving backwards on the maturity curve.

Asia Pacific has seen some increase in EERM maturity with 15 percent of respondent organizations now having integrated their EERM systems as against 11 percent last year. However regions such as EMEA have seen little increase (unchanged at 19 percent since last year).

This significant increase in organizations integrating their EERM processes and technology during 2017 is also true in industries such as LSHC (eight percent last year to 24 percent in the current survey), C&IP (11 percent to 19 percent), and PS (20 percent to 35 percent).

53 percent of respondents now believe that their journey to achieve the desired state of EERM maturity is two to three years or more, as against most respondents in earlier surveys being overly optimistic in believing that this can be achieved in six months to a year.

Business case and investment

The business case for investment in EERM is increasingly being focused on exploiting the upside of risk—a significant shift from the almost-exclusive focus earlier on managing the downside, with increasing confidence to demonstrate tangible benefits.

In order to achieve their desired stage of maturity in EERM, organizations have invested an average of US$0.5 – 1.5 million per annum either in full time equivalents (FTEs) or in designing programs on a centralized basis (please refer to endnote 3 on page 66). Where EERM is considered integrated or optimized the average centralized operating costs are around US$3 million for a majority of organizations, managed typically by more than 50 FTEs. Those with a significant amount of third-parties (50,000 or more) spent upwards of US$5 million centrally with more than 100 FTEs, while smaller organizations with serious aspirations to move to higher maturity levels still typically invested US$100,000 – 500,000.

The drivers for the focus on EERM continued to be regulatory requirements (e.g. General Data Protection Regulations), addressing internal compliance standards or concern around third-party related incidents, but the need for positive cost reduction across the business was equally powerful—a trend that we have not seen in prior surveys. It is also heartening to see that the business case for investment in EERM is increasingly being driven by other factors that exploit the upside of risk, such as enhancing organizational responsiveness and flexibility, innovation, brand confidence, and increasing revenues—a significant shift from the almost-exclusive focus earlier on managing the downside (such as regulatory exposure or third-party related incidents). The majority of respondents had some or significant confidence in their ability to demonstrate tangible benefits from such investment.

As many as 48 percent of respondents were driven by overall cost reduction objectives in investing in EERM, which they felt could be achieved by bringing in efficiencies through the use of third-parties or by preventing over-payments.

At the same time, 26 percent of respondents felt that they could achieve greater flexibility to address market uncertainty and 21 percent considered investment in EERM a revenue-generating opportunity, for instance by identifying under-reported revenue streams.

Reduction of regulatory exposure (43 percent of respondents); addressing internal compliance requirements (41 percent of respondents); and reducing the number of third-party related incidents (34 percent of respondents) were the strongest business case drivers focused on managing the downside of extended enterprise risk.

Organizations that are integrated or optimized in managing their extended enterprise are now typically investing over US$3 million annually on EERM initiatives, managed by more than 50 FTEs.

Organizations that engage 50,000 or more third-parties in their extended enterprise are now typically investing over US$5 million annually on EERM initiatives, managed by more than 100 FTEs.

49 percent of organizations felt “somewhat confident” that they could demonstrate tangible benefits from EERM investments, while another 13 percent were “extremely confident”.

Centralized oversight and management

Many organizations, regardless of their broader organizational structure (decentralized vs. centralized), are centralizing many elements of the EERM role, structures and technologies. For instance, Centers of Excellence (CoEs) and shared service models have emerged as the dominant operating model with an increasing desire to explore market utility models.

In 2016 we released our whitepaper on how to manage EERM in decentralized organizations, a theme of which suggested an element of central oversight and management could help accelerate risk awareness and efficiency. The 2018 survey results show that more and more organizations are adopting this technique with the more decentralized or highly federated4 EERM models being replaced with some component of central oversight, where centralized elements in roles/structures and enabling technologies/processes are becoming more common-place.

Furthermore, most respondents told us that an internal utility for EERM, which was either a CoE or shared service center in some form (whether operated fully by in-house teams or with some coordination with outsourced service providers), was where the centralized operations sat, with just four percent in a fully outsourced managed services environment as an external utility for EERM.

Qualitative comments provided by respondents seem to suggest that most of these internal utilities are managed by procurement teams in organizations where supply-chain or “buy-side” has the majority of third-parties. On the other hand, in organizations where third-parties are distributed more equitably across the sales and distribution network or “sell side,” this management responsibility appears to be progressively shifting to central risk management teams.

At the same time, 34 percent of respondents suggested they either used market utility models5 in some form or intend to do so in the future to supplement specific aspects of EERM activity. Consistent with last year, half of respondents were unaware of managed service/utility options available to them, which is understandable, given that such opportunities are relatively new and are still evolving.

55 percent of organizations are now equally or more decentralized than centralized (down from 62 percent last year). This reflects that organizations are starting to scale back on decentralization in the overall organization.

Out of these 55 percent, only 47 percent have EERM frameworks that are equally or more decentralized than centralized. The remaining 53 percent of respondents thus form the current majority with more centralized EERM programs.

44 percent of respondents have now invested in a centralized in-house CoE for EERM while another 30 percent utilize a central shared services organization (whether fully insourced or with some elements outsourced).

A further 15 percent have established federated structures and 14 percent operate as a “hub-and-spoke” model6 where centralized elements of EERM are becoming more common-place.

21 percent of respondents are already utilizing market utilities for specific aspects of EERM (up from 13 percent last year) with another 13 percent intending to do so in the near future (up from 10 percent last year). Consistent with last year, half of respondents were unaware of managed service/utility options available to them.

Technology platforms

In keeping with the trend of increased centralized oversight of EERM activities, technology decisions are now being taken more centrally and a standard tiered technology architecture is emerging.

Less than 10 percent of respondents are currently using bespoke systems for EERM, a sharp drop from just over 20 percent last year (please also refer to our subsequent section on predictions for 2018/2019 on technology).

The 2018 survey suggests that a three-tier technology architecture will increasingly form a common setup for organizations around EERM and typically comprises (i) ERP systems or other backbone applications for procurement; (ii) generic GRC software or EERM-specific risk management packages tailored to the organization; and (iii) other niche packages for specific EERM processes or risks with feeds from specialized risk domains.

Aligned to this trend, qualitative responses from the survey indicate that organizations are no longer keen to invest in developing complex bespoke solutions for EERM, which, together with the use of its existing ERP platform in the past, may have significantly lowered the confidence of stakeholders in the quality and reliability of the overall technical solution for EERM.

Standardization of technology architecture for EERM using a combination of ERP systems and other backbone applications for procurement packaged solutions is supported by an increasing intent by management to invest in emerging technologies for EERM. Cloud technologies that enable agile business operations with standardization represent the most popular emerging technology platform being investigated by survey respondents. Robotic Process Automation (RPA) features second on this list, offering the opportunity to automate routine tasks related to EERM.

46 percent of respondents are planning to utilize standardized cloud technologies for EERM while 31 percent are considering using RPA for routine EERM tasks across the organization.

Sub-contractor risk

Organizations lack visibility of sub-contractors engaged by their third-parties, making it challenging to apply an appropriate strategy to monitor such fourth/fifth parties.

Despite the continued investment and renewed focus on EERM, respondent organizations were found to be lacking appropriate visibility of instances where sub-contractors are engaged by their third-parties. This is making it difficult for organizations to determine their strategy and approach to the management of sub-contractor risk and to apply the appropriate amount of discipline and rigor. Recent regulation such as the Modern Slavery Act in the UK and Global Data Protection Regulations (GDPR) in Europe, which include requirements to manage layers of fourth/fifth parties, where they exist, makes this a matter of increased concern. Other global regulators such as the Federal Reserve (Fed) and Office of the Comptroller of the Currency (OCC) in the US, and the Hong Kong Monetary Authority, etc. also highlight the need for organizations to understand this area better.

57 percent of survey respondents feel they do not have adequate knowledge and appropriate visibility of sub-contractors engaged by their third-parties and a further 21 percent are unsure of their organization’s level of understanding.

Only two percent of respondents regularly identify and monitor their sub-contractors (fourth/fifth parties) while another 10 percent do so only for those sub-contractors identified as critical. The other 88 percent either rely on their third-parties to do so; have an unstructured/ad-hoc approach; do not do so at all; or do not even know their organizational policy and practices in this regard.

Only 18 percent of organizations periodically review the concentration risk associated with their fourth/fifth parties quarterly or half-yearly, while the vast majority (82 percent) review this annually or even less frequently.
Organizational imperatives and accountability

Ownership and accountability for EERM suggests it is well and truly established in the C-suite with some need for improvement in levels of engagement.

Ownership and accountability for EERM suggests it is well and truly established in the C-suite with 78 percent of organizations suggesting that either the Chief Executive Officer (CEO), CFO, Chief Procurement Officer (CPO), CRO, or a member of the Board is ultimately accountable for this topic. 33 percent suggested the CEO or CFO was responsible for EERM. In some cases, there appears to be a small shift in ultimate accountability from CPOs and Vendor/Alliance Managers to Heads of Risk and CFOs under Board/CEO supervision, although this is not a trend where the organizational supply-chain forms the most significant component of the extended enterprise. In such organizations which still form the majority, the CoEs and shared services are also largely owned by procurement teams. Survey respondents however believe that there is room for improvement in the level of engagement on the EERM agenda by Board members and risk domain owners.

Either the CEO, CFO, CPO, CRO, or a member of the Board is ultimately accountable for EERM in 78 percent of organizations, up from 75 percent last year.

The CEO or CFO is now accountable for EERM in 33 percent of organizations, up from 29 percent last year.

Ownership for EERM vested in CPOs and Vendor/Alliance Managers has reduced from 17 percent last year to 13 percent this year with a corresponding increase in such responsibility vested in the CFO and CRO by three percent in each case.

However, our survey results indicate that 38 percent of Board members and 39 percent of risk domain owners still have lower to insignificant levels of engagement on the EERM agenda.

Only 22 percent of respondent organizations have Board-level reviews of EERM that include alignment with organizational strategy and risk appetite on a quarterly or half yearly basis, while the vast majority of organizations surveyed (78 percent) review this annually or even less frequently.

Concerns over internal coordination, talent, and processes have now overshadowed the technology-related concerns expressed in earlier surveys.

Our prior surveys had identified an “Execution Gap” in implementing EERM in organizations, reflecting the inability of people, process, and technology supporting EERM initiatives to achieve the intended results. With the emergence of a standardized three-tier technology architecture as described earlier in this executive summary, this execution gap around technology seems to have started to narrow down, although the gap remains as wide as in earlier years on the people and process front.

Internal coordination (specifically between risk domain owners, business unit leaders, functional heads, legal, and internal audit teams) is now the dominant concern of the majority of organizations, followed by the need to ensure ongoing relevance of skills, roles and responsibilities, being realistic about availability of staff bandwidth.

In summary, concerns over coordination, talent, and processes have now overshadowed the technology-related concerns expressed in earlier surveys.

Skills, bandwidth, and competence of talent engaged in EERM-related activities appear to be the most significant concern for respondents (45 percent), followed by the clarity of roles and responsibilities and EERM processes (41 percent in either case).

As many as 40 percent of respondent organizations have prioritized the need to establish better coordination between risk domain owners, business unit leaders, functional heads, legal, and internal audit teams as their top organizational imperative related to EERM.

Strengthening due diligence activities prior to onboarding new third-parties is second on the list of top organizational imperatives related to EERM (35 percent of respondent organizations); followed by building stronger resilience to disruption caused by third-party related incidents (24 percent) and categorizing the most strategic third-parties to ensure a proportionate EERM approach (24 percent).

15
Focusing on the climb ahead | Third-party governance and risk management Focusing on the climb ahead| Third-party governance and risk management

Executive summary

Predictions

We believe that the investments made in EERM in 2017 will begin to pay dividends in either 2018 or 2019—in line with respondents’ realistic assessment that it takes two to three years for organizations to be integrated or optimized in EERM.

Technology will continue to play a significant role in driving efficiency—although this may not be associated with big in-house implementations but rather leveraging managed service technology platforms. As a first step in this direction, less than 10 percent of respondents are currently using bespoke systems for EERM, a sharp drop from just over 20 percent last year, and a standardized three-tier technology architecture comprising (i) ERP and other backbone procurement system; (ii) GRC or EERM package; and (iii) other niche EERM solutions for specific needs has already become the norm.

We have already seen 2017 suggest that community models/market utilities will be adopted across a number of industries with FS leading the way since 2016 with the emergence of four key players. Expected industries to follow suit include LSHC (increase in actual utilization from 16 percent to 24 percent during 2017), CB (e.g. FMCG) (11 percent to 18 percent), and TMT (12 percent to 27 percent). E&R (28 percent to 33 percent), while the leading industry segment in exploring market utilities, has some way to go to fully embrace the opportunities here through extensive usage (with only two percent of the latter 33 percent using such models extensively but the vast majority represented by the other 31 percent making only limited use). But already we have seen movement in this space at the back end of 2017.

The focus on people described in the section on organizational priorities above is driving a boom in the market for EERM talent. In turn, the current scarcity of this talent is driving competition and may further assist in building the business case for community models, utilities, and managed services.

We anticipate 2018 will see more design/implementation of frameworks (Capex) through either continuing design work or further refining frameworks, but expect by 2020 that most EERM expenditure will be in the operational (Opex) space—where the use of community models will further drive costs down. Interestingly, survey respondents did not specifically distinguish between Capex and Opex in reporting their estimated annual spend centrally.

Recent regulation such as the Modern Slavery Act in the UK and Global Data Protection Regulations (GDPR) in Europe, which include requirements to manage layers of fourth/fifth parties (where applicable), is likely to make the need for additional investment in the management of fourth/fifth parties a matter requiring further attention.

Finally, EERM now has a more balanced outlook in establishing the business case for investment in EERM initiatives. On the one hand, it continues to mitigate the threats of “bad things happening” or the downside of risk, for instance the operational impact of critical third-party failures or the reputational impact of bribery and corruption by third-parties to large global organizations. On the other hand, however, such balanced business cases are enabling calculated risk-taking aligned to the realization of strategic opportunities such as innovation and positive cost-reduction across the entire organization to capture the upside opportunity. However, the critical success factors for achieving this will be measured not only on how cost efficiently or effectively the frameworks are designed or operated, but primarily on how well risk is managed and mitigated with a continuous process of alignment with strategy and organizational risk appetite. Should organizations lose this strategic insight and reduce their annual investments in EERM, this is likely to be at the expense of reputation, regulatory scrutiny, and ultimately consumer backlash.

1. Inherent risk and maturity

Organizational self-assessment of overall levels of EERM maturity continues to improve at a slower pace despite a perceived increase in the inherent risks in third-party dependence.

53 percent of respondents now believe that their journey to achieve the desired state of EERM maturity is two to three years or more, as against most respondents in earlier surveys being overly optimistic in believing that this can be achieved in six months to a year.

Key messages

Our earlier surveys demonstrated how a significant renewed set of drivers, directly aligned to long-term value-creation (e.g., business agility, access to specialized skills and knowledge, innovation, and process improvement) in addition to cost-savings, were beginning to motivate organizations to increase dependence on third-parties forming the extended enterprise. The current survey indicates that this strategic dependence on third-parties continues to increase with 41 percent of respondents reporting “some” increase in their level of dependence on third-parties in the last year (no change from our last survey) and a further 11 percent reporting a “significant” increase in such dependence (10 percent in our last survey).

High or even critical levels of dependence on third-parties, together with the increasing frequency of significant third-party incidents⁷ with various adverse consequences and regulatory intervention, had increased board-level awareness on EERM, making them consider investing in holistic and integrated programs to manage extended enterprise risks. Following a brief slowdown in 2016, organizations now seem to be returning to tackle the topic with renewed focus and investment. This has taken place amid a perception by respondents that the inherent risk of dependence on third-parties has increased. This increased perception of inherent risk has been caused by continuing uncertainty in the business and macro-economic environment; concerns around emerging regulation and regulatory scrutiny; and threats of third-party related incidents/disruption. However, in a year where many organizations stated that they were going to make progress, the aggregate results suggest there is still work to do to move from managed to integrated or optimized in the maturity scale.

Even with the growing levels of high or critical levels of dependence on third-parties, only 20 percent have integrated or optimized their EERM mechanisms (the same proportion as last year), with another 50 percent, currently in managed status, aspiring to achieve integrated or optimized status within the next one to three years.

Respondents recognize that these current levels of integration or optimization are far below aspirational levels. There are therefore aspirations to further integrate and optimize the related risk management mechanisms. 52 percent of respondents now believe that their journey to achieve the desired state of EERM maturity is two to three years or more, as against most respondents in earlier surveys being overly optimistic in believing that this can be achieved in six months to a year.

It was interesting to note that some respondents had lowered their earlier self-assessments of maturity. This seems to reflect their deeper appreciation of the situation and a stronger understanding of third-party related issues than in the past.

As a result, many respondent organizations have indicated, through qualitative comments, that they are still not managing the risks that third-parties present to them in a holistic and coordinated manner, and this position has only slightly changed since last year.

Chart: Change in level of dependence on extended enterprise over the last year (2017 vs 2018). Categories: Significant increase, Some increase, No significant increase, Some decrease, Significant decrease.

Chart: Greatest contributory factors in the perception of heightened inherent risk related to the extended enterprise (share of respondents)
• Impact of changing regulation (e.g. GDPR and other cross-border impact): 49%
• Heightened level of regulatory scrutiny: 45%
• High levels of uncertainty in the business environment: 42%
• Increasing threat of third-party related incidents and disruption: 42%
• Impact of external events (e.g. Brexit vote): 24%

Chart: Time taken by organizations to achieve the desired level of EERM optimization. Categories: 6 months or less, 6 months to 1 year, 1-2 years, 2-3 years, > 3 years.

Chart: Change in the level of risk inherent in managing the extended enterprise over the last year. Categories: Significant increase, Some increase, No significant increase, Some decrease, Significant decrease.

Change in level of maturity in approaching third-party risk management (2016–18):
Level            2016   2017   2018
1: Initial         1%     7%     7%
2: Defined        29%    29%    24%
3: Managed        48%    44%    49%
4: Integrated     20%    18%    19%
5: Optimized       2%     2%     1%

Maturity levels:
1: Initial: None or very few of above elements addressed
2: Defined: Some of the above elements addressed with limited effort with regard to the above elements
3: Managed: Consideration given to addressing all the above elements with room for improvement
4: Integrated: Most of the above elements addressed and evolved
5: Optimized: “Best in class” organization – all of the above elements addressed and evolved

Deloitte EERM Maturity Model

Progress through the levels of maturity increases extended enterprise performance through both (i) controlled risks, and (ii) enhanced benefits.

Strategy and decision-making and governance
• Initial: No formal governance; risk taking for quick fix benefits
• Defined: Minimal effort in reducing risk; risk taking for short-term benefits
• Managed: Focus on preventing issues; risk aligns with medium-term enterprise-wide benefits
• Integrated: Focus on preventing issues and creating value; intelligent risk taking, aligned with enterprise strategy
• Optimized: State of the art practices, linked to value drivers; extended enterprise embedded in strategic planning

People
• Initial: Individual effort within each silo; little management input; lack of training
• Defined: Responsibilities built into existing roles; some training offered; increased input from management
• Managed: Awareness of value of extended enterprise across the organization; dedicated roles; executive champions
• Integrated: Trained professionals with defined roles throughout the life cycle; enterprise-wide roles; executive ownership at the enterprise level
• Optimized: Invested executives on both sides, aligning service delivery to strategic objectives

Process
• Initial: Few activities defined in siloes; fire fighting mode
• Defined: Defined processes; functional, reactive problem solving
• Managed: Coordinated processes across the business; monitoring and alerting leveraging dashboards, with some proactive issue resolution
• Integrated: Fully standardized processes, integrated with tools and data; proactive decision-making using analytics, improving responsiveness
• Optimized: Processes aligned with strategy, integrated into third-parties; continuous improvement and proactive

Technology
• Initial: Simple and least expensive tools used for problem solving; limited access to third-party data
• Defined: Off the shelf tools used ad-hoc; internal data centralized and easily accessible
• Managed: Adapted tools used for reporting and monitoring; value additive tools, bottom-line and performance
• Integrated: Customized tools, used for tactical decision-making; integrated external data sources that enhance insights; leveraging predictive and sensing analytics, tools, and dashboards
• Optimized: Highly customized decision support tools; tools and analytics are key value driver and differentiator

Axis: Maturity of extended enterprise program (Initial, Defined, Managed, Integrated, Optimized)

Deloitte point of view

Due to changes in the business and macro-economic environment (including regulatory pressure), each organization will need to establish what it considers to be its desired optimum state for EERM, making it a moving target, and many organizations are continuing to “catch up” with the emerging set of strategic opportunities and related risks that third-parties continue to present. This includes:
• A broader set of support services delivered innovatively in a rapidly-changing external environment.
• A growing number of alliance and joint venture partners and an increasing proportion of third-parties in newer areas beyond the traditional focus on the direct supply chain (suppliers and vendors).
• The increasing use of new technology (such as the cloud and cloud-based applications) that facilitates collaboration and enables businesses to enhance their virtual boundaries will further accelerate this trend.

It should also be noted that as good practice continues to evolve, the related goalposts are shifting too; hence in reality those that stand still are actually sliding backwards on the maturity curve.

Industry highlights

• Respondents from all industry segments, without exception, have reported the heightened perception of risks inherent in third-parties, with the highest perceived increase (some or significant) reported by 74 percent of C&IP respondents, 73 percent of LSHC respondents and 71 percent of FS respondents.

• However, this heightened perception of inherent risks does not appear to have deterred organizations from continuing to increase their levels of dependence on third-parties. The most notable increases in the level of dependence on the extended enterprise have taken place in the FS industry segment with 59 percent of respondents reporting some or significant increase over the last year, followed by LSHC (58 percent), C&IP (55 percent), TMT (52 percent), and E&R (52 percent). Even in the industry segment with the lowest increase in the level of dependence on third-parties, i.e. PS, more than 45 percent of respondents said that they continued to increase their third-party dependence.

Against this backdrop, the industry segments that made the biggest improvement in integrating or optimizing their EERM processes and technology were LSHC (eight percent integrated/optimized last year to 24 percent in the current survey), C&IP (11 percent to 19 percent), and PS (20 percent to 35 percent).

• PS has the largest majority of organizations that believe they have the longest journey to achieve desired state in EERM, with 75 percent of respondents believing this to be at least two to three years or more, followed by FS (57 percent of respondents) and LSHC (54 percent). TMT is the last one on this list; however, even in this industry segment, as many as 49 percent of respondents believe this journey is at least two to three years or more.

Chart: Change in level of risk inherent in managing the extended enterprise by industry (Significant increase / Some increase; remaining categories: No significant increase, Some decrease, Significant decrease)
C&IP: 14% / 60%
E&R: 13% / 53%
FS: 14% / 57%
LSHC: 15% / 58%
PS: 5% / 65%
TMT: 10% / 49%
Others: 16% / 47%

Level of maturity in EERM by industry (Initial / Defined / Managed / Integrated / Optimized):
Overall: 7% / 24% / 49% / 19% / 1%
C&IP: 10% / 22% / 49% / 19% / –
E&R: 4% / 33% / 47% / 16% / –
FS: 2% / 22% / 56% / 20% / –
LSHC: 18% / 31% / 27% / 24% / –
PS: 5% / 15% / 45% / 35% / –
TMT: 3% / 21% / 52% / 21% / 3%
Others: 16% / 42% / 32% / 10% / –

Change in level of dependence on extended enterprise over the last year by industry (Significant increase / Some increase / No significant increase / Some decrease / Significant decrease):
Overall: 11% / 42% / 40% / 6% / 1%
C&IP: 10% / 45% / 40% / 4% / 1%
E&R: 15% / 36% / 42% / 7% / –
FS: 15% / 44% / 34% / 5% / 2%
LSHC: 12% / 46% / 39% / 3% / –
PS: 5% / 40% / 50% / 5% / –
TMT: 9% / 43% / 40% / 5% / 3%
Others: 5% / 53% / 26% / 5% / 11%

Chart: Time taken by organizations to achieve the desired level of EERM optimization by industry (C&IP, E&R, FS, LSHC, PS, TMT, Others). Categories: 6 months or less, 6 months to 1 year, 1-2 years, 2-3 years, > 3 years.

Geography highlights

• The Americas region has traditionally had the highest level of dependence on third-parties followed by EMEA and Asia Pacific respectively. Increase in the level of such dependence over the last year in these regions has taken place in the same relative proportion, with 60 percent of respondents in the Americas reporting some or substantial increase, compared to EMEA with 52 percent and Asia Pacific with 44 percent.

• Even with the highest levels of dependence on the extended enterprise in the Americas, the perception of inherent risks increasing is relatively the lowest, albeit with 54 percent of respondents from that region perceiving some or substantial increase in risks related to third-parties (as against 70 percent in EMEA and 57 percent in Asia Pacific).

• The proportion of respondents with integrated and optimized EERM mechanisms is also the highest in the Americas (29 percent) followed by EMEA (19 percent) and Asia Pacific (15 percent).

• Asia Pacific has seen some increase in EERM maturity with 15 percent of respondent organizations now having integrated their EERM systems as against 11 percent last year. However, the EMEA region has seen little increase (unchanged at 19 percent since last year).

• The Americas region has comparatively (a) the highest level of dependence on third-parties; (b) the lowest perception of inherent risk among respondents; and (c) the highest proportion of organizations with integrated or optimized levels of EERM maturity. As a result, this region is likely to see even more dependence being placed on the extended enterprise with a stronger business case for investment in EERM initiatives going forward. On the other hand, the impact of macro-economic factors and uncertainty in EMEA, such as the outcome of the Brexit vote, has clearly increased the perception of inherent risks and slowed down investment in EERM initiatives, thus slowing down the increasing level of dependence. Organizations from the Asia Pacific region continue to catch up with their other global counterparts in extending the enterprise, given their propensity to traditionally be more of outsourcing providers rather than clients or customers⁸.

Change in inherent risk levels related to third-party dependence over the last year by region (Significant increase / Some increase / No significant increase / Some decrease / Significant decrease):
EMEA: 13% / 57% / 22% / 7% / 1%
Asia Pacific: 5% / 52% / 39% / 3% / 1%
Americas: 9% / 45% / 38% / 8% / –

Level of dependence on extended enterprise in the last year by region (Significant increase / Some increase / No significant increase / Some decrease / Significant decrease):
Overall: 11% / 42% / 40% / 6% / 1%
EMEA: 12% / 40% / 39% / 7% / 2%
Asia Pacific: 4% / 40% / 54% / 2% / –
Americas: 10% / 50% / 37% / 3% / –

Current level of maturity in EERM by region (Initial / Defined / Managed / Integrated / Optimized):
Overall: 7% / 23% / 50% / 19% / 1%
EMEA: 6% / 22% / 53% / 18% / 1%
Asia Pacific: 17% / 35% / 33% / 15% / –
Americas: 4% / 24% / 44% / 26% / 2%

2. Business case and investment

The business case for investment in EERM is increasingly being focused on exploiting the upside of risk—a significant shift from the focus in prior surveys on managing the downside, with increasing confidence to demonstrate tangible benefits.

Reduction of regulatory exposure (43 percent of respondents); addressing internal compliance requirements (41 percent of respondents); and reducing the number of third-party related incidents (34 percent of respondents) were the strongest business case drivers focused on managing the downside of extended enterprise risk.

Key messages

Comments made by a number of participants in our earlier surveys had identified a common angst in their inability to objectively establish the business case for investment in EERM in their organizations, given their lack of knowledge and understanding of key business drivers influencing similar articulations of business case in their peer group of organizations. Participants had also indicated that they lacked the availability of relevant data around total investment in EERM, both in monetary terms as well as in terms of headcount of full-time staff involved in EERM-related activities. Our 2018 survey aimed to address these knowledge gaps, as well as capture the level of confidence of respondents in being able to achieve tangible benefits as compared to their articulated business case.

Survey results indicate that the drivers for the focus on EERM continued to be regulatory requirements, for example GDPR in Europe (43 percent of respondents); addressing internal compliance standards (41 percent of respondents); or concern around third-party related incidents (34 percent of respondents); but the need for positive cost reduction across the business was equally (if not more) powerful (48 percent of respondents) in organizations where they felt this could be achieved by bringing in efficiencies through the use of third-parties or by preventing over-payments. This represents an emerging trend that we have not seen in prior surveys.

It is also heartening to see that the business case for investment in EERM is increasingly being driven by other factors that exploit the upside of risk, such as enhancing organizational responsiveness and flexibility, innovation, brand confidence, and increasing revenues.

26 percent of respondents felt that they could achieve greater flexibility to address market uncertainty and 20 percent considered investment in EERM a revenue-generating opportunity, for instance by identifying under-reported revenue streams. This represents another significant shift from the almost-exclusive focus earlier on managing the downside (such as regulatory exposure or third-party related incidents).

The majority of respondents (62 percent) had some or significant confidence in their ability to demonstrate at least some tangible benefits, if not significant returns from such investment, supported by the use of performance measures (see examples set out in the table on page 26).

Chart: Key factors driving business case for investment in EERM (share of respondents; legend distinguishes “Exploiting upside of risk” from “Managing downside of risk”)
• Cost reduction (e.g. through efficiency or by avoiding overpayments): 48%
• Reduction in regulatory exposure: 43%
• Addressing internal compliance requirements: 41%
• Reduction in number of third-party related incidents: 34%
• Better response and increased flexibility to market uncertainty: 26%
• Increase in revenue (e.g. identification of under-reported revenue streams): 20%
• Unlock access to innovative/disruptive technology solutions: 19%
• Increase in confidence in the organizational brand: 18%
• Unlock access to new markets/channels/products: 15%

Chart: EERM investment levels per year (estimated spend). Categories: < US$100k, US$100k - 499k, US$500k - 999k, US$1m - 3m, US$3m - 5m, > US$5m.

Chart: Confidence in demonstrating realization of tangible benefits related to their organizations’ business case for investment in EERM. Categories: Extremely confident (13%), Somewhat confident (49%), Neutral, Not much confidence, Not at all confident.

Chart: Number of third-parties engaged by organizations. Categories: > 1,000, 1,000 - < 10,000, 10,000 - < 50,000, 50,000 - < 100,000, > 100,000.

Chart: Number of full-time equivalent (FTE) staff involved in EERM. Categories: <10 FTEs, 10 - 49 FTEs, 50 - 100 FTEs, >100 FTEs.

Examples of tangible performance measures used by respondents to monitor business case realization (business case driver, followed by the tangible performance measures reported)

Cost reduction
• Reducing five percent of total procurement spend through efficiencies in managing third-party suppliers.
• Zero tolerance on duplicate payments to suppliers and third-parties.
• A maximum of two percent overpayment on invoices not matching orders (tolerance level).
• Reduction of insurance premium by eight percent compared to previous year from better movement of goods between third-party locations.

Increase in revenue
• 10 percent increase in revenue from newer geographies enabled by third-party alliances and partnerships.
• At least one new product offering in the financial year contributing to one percent of total revenues introduced using third-party expertise.

Reduction in number of third-party related incidents
• Zero incidence of third-party related disruptions that cannot be addressed in 24 hours or with financial implications greater than US$1 million.
• 100 percent third-party adherence to organizational standards.

Reduction in regulatory exposure
• Zero tolerance to regulatory breach.
• No regulatory fines or penalties.

Addressing internal compliance requirements
• 100 percent compliance with HSE standards.
• Zero deviation from internal policies and processes unless covered by specific exemptions.

Better response and increased flexibility to market uncertainty
• 25 percent flexibility in distribution capacity based on third-party arrangements to address market uncertainty.
• Improvement in customer ratings on increased customer flexibility over previous year.

Unlock access to innovative/disruptive technology solutions
• At least one out of 10 of new third-party arrangements in the financial year focused on bringing new strategic opportunities or having access to new technology.
• 10 percent increase in automation through technology solutions for risk management year on year (measured through surveys of risk management team members).

Increase in confidence in the organizational brand
• Increase in share price by five percent year on year.

Home

Foreword Industry highlights


Deloitte point of view • While organizations across industry segments appear to be motivated by similar
Risk management has long been associated with mitigating adverse financial drivers of business case for investment in EERM, certain industry segments stand out:
consequences of “bad things happening,” which has historically positioned
Executive summary • FS appears to be the most motivated by positive cost reduction in its overall spend on
governance-related activities to avoid or mitigate risk.
third-parties with 52 percent respondents, closely followed by C&IP (48 percent) and E&R (44 percent).

• Several business cases for investment in EERM in the TMT sector (49 percent) appear to be driven by their ability to increase revenue, for instance by identifying unreported or under-reported revenue streams by third-parties, although this is a significantly less important driver in the other segments.

• For LSHC and E&R, the strongest drivers for EERM initiatives appear to be reducing the number of third-party related incidents (46 percent and 40 percent of respondents, respectively). Similarly, reduction in regulatory exposure is a related driver in these two industry segments with 46 percent and 58 percent of respondents, as well as in FS (48 percent of respondents), while respondents from LSHC and PS are most concerned with meeting internal compliance requirements (52 percent and 50 percent of respondents respectively).

• Among the new and emerging drivers for investment in EERM, the ability to achieve greater agility and flexibility in the marketplace seems to be most popular with one in three respondents from the E&R and LSHC industry segments, around one in four respondents from FS, TMT, and C&IP and one in five respondents from PS.

Survey results reflect the transformation that respondent organizations are now going through with a renewed focus to recognize that good governance and risk management around their extended enterprise is not about eliminating risk, but rather managing it appropriately.

While risk mitigation (value preservation) will continue to remain a driver for investment in EERM, organizations are now increasingly starting to see the exploitation of the opportunity (value creation) as a driver for investment in EERM. Governance, a higher level process involving directing and managing risk management and related activities to address stakeholder expectations, is therefore finally starting to reinvent itself to focus on maximizing this opportunity, while also managing compliance requirements and the downside of risk. However, in this new thinking, the explicit linkage of risk and strategy, starting at the Board and C-suite level, must be an integral part of the organizational strategy-setting process.

With EERM now having a more balanced outlook of addressing the downside of risk as well as capturing the upside opportunity, the related annual spend seems to have significantly increased. For instance, organizations that are integrated or optimized in managing their extended enterprise are now typically investing over US$3 million annually on EERM initiatives, managed by more than 50 FTEs. Organizations that engage 50,000 or more third-parties in their extended enterprise are now typically investing over US$5 million annually on EERM initiatives, managed by more than 100 FTEs.

However, ongoing success in being able to achieve this balance should be measured not only on how cost efficiently EERM frameworks are designed or operated, but primarily on how well risk is managed and mitigated with a continuous process of alignment with strategy and organizational risk appetite. Should organizations lose this strategic insight and reduce their annual investments in EERM, then that cost is likely to come at the expense of reputation, regulatory scrutiny, and ultimately consumer backlash.
[Chart: Key factors driving business case for investment in EERM by industry (C&IP, E&R, FS, LSHC, PS, TMT, Others). Drivers shown: cost reduction (e.g. through efficiency or by avoiding overpayments); increase in revenue (e.g. identification of under-reported revenue streams); reduction in number of third-party related incidents; reduction in regulatory exposure; addressing internal compliance requirements; better response and increased flexibility to market uncertainty; unlock access to innovative/disruptive technology solutions; unlock access to new markets/channels/products; increase in confidence in the organizational brand.]

[Chart: Key factors driving business case for investment in EERM by region (Americas, Asia Pacific, EMEA), with the same nine drivers.]

Geography highlights

• The need to achieve positive cost reduction in total organizational spend on third-parties in the extended enterprise, either by bringing in efficiencies or by preventing over-payments, is the most common driver for business case for investing in EERM across all the three regions. However, this is relatively the most dominant driver in EMEA with 50 percent of respondents, followed by Asia Pacific (42 percent) and Americas (40 percent).

• Respondents from the Americas are much more driven by the opportunity to increase revenue, for instance by the identification of unreported or under-reported revenue streams (42 percent of respondents) in comparison to other regions such as Asia Pacific (20 percent of respondents) and EMEA (17 percent of respondents).

• In terms of emerging drivers, EMEA is relatively more focused on unlocking opportunities for innovation through third-parties (21 percent of respondents) while Asia Pacific is more focused on gaining access to new markets, channels, and products (16 percent of respondents). All the three regions are almost equally focused on increasing the confidence in their organizational brand through third-parties (17-18 percent of respondents).

• Respondents from the Americas are the most confident about demonstrating the realization of tangible benefits related to their organizational business case for investment in EERM with 20 percent extremely confident and another 48 percent somewhat confident. EMEA respondents are not far behind in this regard with 12 percent extremely confident and another 52 percent somewhat confident. However, Asia Pacific is less confident with seven percent and 37 percent of respondents in each of these categories respectively.
[Chart: Confidence in demonstrating realization of tangible benefits related to their organizations’ business case for investment in EERM by region (Americas, Asia Pacific, EMEA). Categories: extremely confident, somewhat confident, neutral, not much confidence, not at all confident.]
3. Centralized control

3a. Organizations are centralizing many elements of EERM roles, structures and technologies.

3b. COEs and shared service models represent the dominant operating model, along with an increased focus on market utility models.
3a. Organizations are centralizing many elements of EERM roles, structures and technologies.

Key messages

55 percent of organizations are now equally or more decentralized than centralized (down from 62 percent last year).

[Chart: share of organizations equally or more decentralized than centralized, 55% in 2018 versus 62% in 2017.]

Decentralization in global organizations had been a common theme in our earlier surveys. Both prior surveys had reconfirmed that the majority of global organizations were equally or more decentralized than they were centralized (75 percent and 62 percent of respondents from the 2016 and 2017 surveys respectively), across operating units/entities.

However, the increasing dominance of third-parties forming the extended enterprise in these decentralized operating units/entities presented potential concerns. Many respondents felt that a critical organization-wide matter such as EERM should not be left to the discretion of a divergent group of operational-level personnel and represented a potential challenge to a holistic and unified approach to third-party risk management, unless they scaled back on the degree of decentralization by introducing centralized ownership and management of the various elements in their EERM framework.

In line with this thinking, current survey results indicate that 55 percent of organizations are now equally or more decentralized than they are centralized (down from 62 percent last year), indicating a potential new trend of the diminishing dominance of decentralization in the overall organization.

Our 2016 whitepaper titled ‘Addressing the challenges of decentralization’, which focused on managing EERM in decentralized organizations, had also suggested that an element of central oversight and management could help accelerate risk awareness and efficiency. The 2018 survey results show that more and more organizations are adopting this technique, resulting in the more decentralized EERM models being adapted with some component of central oversight. Accordingly, centralized elements in roles/structures and enabling technologies/processes are becoming more common-place.

Out of the above 54 percent, only 48 percent of organizations now have EERM elements (roles/structures/technologies/processes) that are equally or more decentralized. The remaining 53 percent forms the current majority with more centralized EERM programs.
[Chart: Overall control structure, share of respondents on a five-point scale: 1 = Highly centralized, 2 = More centralized than decentralized, 3 = Equal mix of centralized and decentralized, 4 = More decentralized than centralized, 5 = Highly decentralized.]

[Chart: Organization structure for EERM, same five-point scale.]

Deloitte point of view

Deloitte experience indicates that global organizations have several choices in how they set themselves up from an EERM perspective to achieve the intended balance between centralized control and marketplace agility.

At one end of this scale of choices are organizations which operate through a greater degree of command and control with direct (referred to as “solid line”) reporting relationships with their operating units, fewer levels between the leaders in the corporate center and operating unit executives and formal task descriptions with authority specifications.

At the other end of this scale are those organizations that operate with decentralization following the “spirit” rather than the “letter of the law” with greater operational flexibility, taller organization structures between the corporate center and operating units and a combination of direct (solid line), indirect (referred to as “grey line”) and coordinating (referred to as “dotted line”) relationships with varying levels of clarity.

Irrespective of the degree of formality in decentralization, specific issues that must be addressed include the following:

• Establishing robust governance structures to manage third-party risk pervasively through the entire organization that flow down for decentralized business units to align to.

• Creating clear accountability on ownership of activities for EERM at the group level and across the decentralized business units.

• Creating awareness and engaging key stakeholders related to third-party risk at the group and local entity level.

• Allocating activity ownership around EERM to appropriately capable individuals at the group and local levels with decision-making authority.

• Implementing appropriate tools and technologies across centralized and decentralized operations, together with the availability of appropriate management information to facilitate the EERM framework.

• Articulating robust and achievable processes to manage third-party risk throughout the decentralized organization, integrating both group-wide and local requirements.

• Appropriately resourcing the governance structures, supported by the establishment of a common culture to facilitate communication and training to have a shared understanding of risk.

In general, the growing trend towards more centralized models for EERM appears to be a sensible way to proceed as there is much value (financial, efficiency, consistency, quality, etc.) to be gained from structuring a framework in this way. However, it should be noted that this is a general view and may not represent the most appropriate solution for all organizations.
Industry highlights

• The following diagrams set out a comparative analysis across the major industry sectors between the overall control structure in organizations as compared to the organization structure for EERM from a decentralization perspective. As can be seen:

• LSHC and C&IP represent the two industry segments with the highest relative level of overall decentralization in their organizations, with 64 percent and 60 percent of respondents stating they are equally or more decentralized than they are centralized. However, only 45 percent of respondents in both these segments felt that their EERM initiatives were more decentralized than centralized. This, in turn, implies that the balance 18 percent and 16 percent respectively of respondent organizations have now incorporated various aspects of centralized ownership and management in their EERM frameworks.

• An unexpected trend emerged in responses from the FS industry where it was identified that while 53 percent of respondents feel that the overall control structure in their organization is equally or more decentralized than centralized, a higher number of respondents (56 percent) feel that their EERM organization structures are equally or more decentralized, in contrast to the relationship between these metrics in other industry sectors. Upon closer inspection it was noted that the proportional increase in the number of respondents from the smaller and relatively new non-traditional players in the FS marketplace (such as the new breed of “fintechs”, challenger banks, etc.) in comparison to the larger, more traditional organizations has driven this outlier in the results. The structures and operational processes in these non-traditional FS organizations are typically leaner, with a lower appetite to establish large central utilities/teams and instead a desire to drive autonomy to end users in the business, with consistency obtained through organization-wide technology solutions, policies, guidance materials, and central oversight.

[Chart: Overall control structure by industry (C&IP, E&R, FS, LSHC, PS, TMT, Others), five-point scale from 1 = Highly centralized to 5 = Highly decentralized.]
[Chart: Organization structure for EERM by industry (C&IP, E&R, FS, LSHC, PS, TMT, Others), five-point scale from 1 = Highly centralized to 5 = Highly decentralized.]

Geography highlights

• The Americas is clearly the region with the highest level of centralization with only 35 percent of respondent organizations believing that they are equally or more decentralized. This, in turn, corresponds to the related EERM initiatives also being largely centralized (with only a minority, i.e. 33 percent of respondent organizations, believing that their EERM initiatives are equally or more decentralized).

• Asia Pacific with its regional diversity has evolved to be far more decentralized in general with 56 percent of respondents from that region evaluating their organizations’ overall control structures to be equally or more decentralized. In line with this, 54 percent of respondents believe that their organizational structures for EERM are also in this same decentralized position.

• 58 percent of respondents from EMEA evaluated their organizations’ overall control structures to be equally or more decentralized, reversing the trend of higher decentralization in structure observed up to and including last year. More surprisingly though, a large number of respondents from this region (as many as 50 percent) believe that their organizational structures for EERM are also equally or more decentralized, implying business unit led silos still dominate EERM initiatives in this region (also reflected by the lowest proportion of respondents in the region who utilize an ERP or procurement backbone for a more centralized approach to EERM).

[Chart: Overall control structure by region (Americas, Asia Pacific, EMEA), five-point scale from 1 = Highly centralized to 5 = Highly decentralized.]

[Chart: Organization structure for EERM by region (Americas, Asia Pacific, EMEA), same five-point scale.]
3b. COEs and shared service models represent the dominant operating model, along with an increased focus on market utility models.

Key messages

21 percent of respondents are already utilizing market utilities for EERM (up from 13 percent last year) with another 13 percent intending to do so in the near future (up from 10 percent last year).

[Chart: share of respondents utilizing market utilities, 21% in 2018 versus 13% in 2017, and intending to do so in the near future, 13% in 2018 versus 10% in 2017.]

With a shift of gears towards centralization in the current survey, most respondents (75 percent) told us that their centralized EERM operations sat either in a CoE or shared service center (whether fully operated by in-house teams or with some coordination with outsourced service providers) to bring in the desired standardization as well as specialized skills and scarce talent.

Various hybrid and innovative delivery models such as federated structures and the “hub-and-spoke” model are also appearing (29 percent of respondents) that combine the characteristics of centralized and decentralized organizations and can, in some cases, enable an organization to remain more agile and competitive in the marketplace.

Four percent of respondents are progressively moving to a fully outsourced managed services environment as a bespoke external utility for EERM, reflecting early days of another emerging trend to achieve the desired consistency in processes and access to scarce talent.

At the same time, the increasing focus on collaboration (sharing of information across organizations) is rapidly gaining popularity as a key enabler for successful governance and risk management in the networked world. In keeping with this top trend, information hubs (community models) available as market utilities on EERM have emerged. 33 percent of our survey respondents suggested they either used market utility models in some form or intend to do so in the future to supplement specific aspects of EERM activity.
[Chart: Operating models to coordinate operational, oversight, and assurance roles for EERM talent. Categories: in-house Center of Excellence (CoEs); in-house shared service center; hub-and-spoke model; federated structure; external managed services provider.]

[Chart: Utilization of information hubs available as marketplace utilities on third-party risk, 2017 versus 2018. Categories: extensively utilized; somewhat utilized; intending to utilize in the near future; not intending to utilize in the near future; unaware of such marketplace utilities.]

Deloitte point of view

Deloitte believes that organizations that are moving to internal CoEs and SSCs are primarily driven by the need to retain organizational control over this critical activity.

However, a managed service option can enable an organization to achieve the desired level of customization it requires (not deliverable from most market utilities), while keeping the cost lower than that of an internal team.

CoEs and managed services models enable setting consistent standards, defining uniform process, implementing common technology across business units with a longer term strategic focus, providing training, executing risk assessments and providing guidance. However, business leadership retains the responsibility for managing risks and governance.

Further, market utility models are heralding in a uniquely innovative approach where the members of the community (typically large global organizations with significant third-party ecosystems) work together to reduce duplication of effort in third-party pre-qualification and retention. These participating organizations agree common standards for third-parties as well as performance data and collaborate to collect it. Such collaboration is often facilitated by external infomediaries10 who are making these community information hubs available as market utilities via a subscription-based service. Using cloud-based or other agile technologies, the infomediary then provides access to an independent hub for validated data and analytics, which helps organizations assess and manage risk. In this way, the controlled sharing of non-confidential information can increase efficiency, raise compliance standards, and reduce costs for the community as a whole.

In addition to compliance with minimum standards for pre-qualification based on criticality of the third-party, potential areas where information related to ongoing governance and risk management of third-parties can be shared include, for instance, data privacy and protection, cybersecurity, regulatory compliance, corporate social responsibility (CSR), ethics and sustainability, supply disruption and continuity, anti-bribery and corruption, safety and quality, EU procurement compliance, and financial distress. Some of the available market utilities also offer independent audit capability and Significant Event Notification and Tracking (SENT), which allow member organizations to manage community-wide disruptive events proactively.

However, community models do not take away the need for organizations to continue investing in their own EERM frameworks and undertaking assessments specific to their standards and third-party arrangements. Some information-hub/market utility providers are also emerging as managed services providers, thus further accelerating the trend.

Consistent with last year, half of respondents were unaware of managed service/utility options available to them, which is understandable, given that such opportunities are relatively new and are still evolving.
Industry highlights

• The uptake on CoEs and SSCs is fairly consistent across the various industry segments, with the range being 69-79 percent.

• TMT has the highest level of uptake on CoEs and SSCs with 79 percent of respondent organizations adopting this operating model, followed by C&IP with 78 percent and then by E&R and FS with 73 percent in each case.

• E&R seems to have outsourced the most to managed service providers (seven percent of respondents), followed by C&IP (four percent), while those doing so the least are FS with two percent and PS with NIL.

• FS has been leading the way with regard to community models/market utilities since 2016 with the emergence of four key players. Industries that are following suit include LSHC (increase in actual utilization from 16 percent to 24 percent during 2017), CB (e.g. FMCG) (11 percent to 18 percent), and TMT (12 percent to 27 percent). E&R (28 percent to 33 percent), while the leading industry segment in exploring market utilities, has some way to go to fully embrace the opportunities here through extensive usage (with only two percent of the latter 33 percent using such models extensively but the vast majority represented by the other 31 percent making only limited use). But already we have seen movement to progress in this space at the back end of 2017.

[Chart: Operating models to coordinate operational, oversight and assurance roles for EERM talent by industry (C&IP, E&R, FS, LSHC, PS, TMT, Others). Categories: in-house (centralized) Center of Excellence (CoEs) with specialized talent for EERM; in-house (centralized) Shared Service Center (SSC) with administrative staff for EERM support processes; hub-and-spoke model; federated structure; EERM operations managed fully or predominantly by an external managed services provider (with centralized decision-making retained in the organization).]
Geography highlights

• The Americas region is ahead of the other regions with 82 percent of respondent organizations having implemented CoEs or SSCs for EERM, followed by Asia Pacific (75 percent) and EMEA (74 percent).

• Outsourcing EERM substantially to a managed services provider is still a relatively new concept across all the three regions. While none of the respondents from Asia Pacific have done this, three percent of respondents from the Americas and five percent of respondents from EMEA are following that approach, possibly due to these fully integrated managed service models only recently becoming available in the marketplace.

• EMEA appears to be leading the way on market utilities/community models with 34 percent uptake as compared to 21 percent in the Americas. Respondents from Asia Pacific are either unaware or lack the clarity at this stage to be able to take a decision.

[Chart: Operating models to coordinate operational, oversight and assurance roles for EERM talent by region (Americas, Asia Pacific, EMEA). Categories: in-house (centralized) Center of Excellence (CoEs) with specialized talent for EERM; in-house (centralized) Shared Service Center (SSC) with administrative staff for EERM support processes; hub-and-spoke model; federated structure; external managed services provider.]
4. Technology platforms

Technology decisions for EERM solutions are now being taken more centrally and a three-tiered technology architecture is emerging.
4. Technology decisions for EERM solutions are now being taken more centrally and a three-tiered technology architecture is emerging.

Key messages

Less than 10 percent of respondents are currently using bespoke systems for EERM, a sharp drop from just over 20 percent last year.

[Chart: share of respondents using bespoke systems for EERM, 10% in 2018 versus 20% in 2017.]

Our earlier survey results had indicated a somewhat disorganized approach to the use of technology to enable EERM processes from end-to-end, using a combination of more than one platform to manage either different aspects of third-party risk or even different types of third-parties, in some cases, across multiple business units in a piecemeal manner.

However, in keeping with the new trend of increased centralized oversight of EERM activities revealed by the current survey, technology decisions are now being taken more centrally and a standard tiered technology architecture is emerging, particularly among those organizations that have an integrated or optimized status in their EERM maturity scale.

The 2018 survey results suggest that this three-tier technology architecture will increasingly work in tandem to form a common setup for organizations around EERM and typically comprises (i) ERP systems or other backbone applications for procurement; (ii) generic GRC software or EERM-specific risk management packages tailored to the organization; and (iii) other niche packages for specific EERM processes or risks with feeds from specialized risk domains. This third tier includes emerging technologies that use natural language processing and machine learning to collect and analyze data from across multiple sources (including the internet) on a scale, and with accuracy levels, that previously were not thought possible without significant and highly expensive human oversight and processing.

The evolving tiered architecture for EERM tools and technologies

(i) ERP systems or other backbone applications for procurement (ERP + Procurement): ERP used for end-to-end procurement and/or third-party management.

(ii) Generic GRC software or EERM-specific risk management packages or those tailored from specialized risk domains (GRC + TPRM utility + TPRM solutions): GRC or TPRM technology providing TPRM-specific functionality.

(iii) Other niche packages for specific EERM processes or risks with feeds from specialized risk domains: risk domain specific technologies and/or data feeds.
Focusing on the climb ahead | Third-party governance and risk management

Aligned to this trend, qualitative responses from the survey indicate that organizations are no longer keen to invest in developing complex bespoke solutions for EERM, which, together with the use of their existing ERP platform in the past, may have significantly lowered the confidence of stakeholders in the quality and reliability of the overall technical solution for EERM. Less than 10 percent of respondents are currently using bespoke systems for EERM, a sharp drop from just over 20 percent last year.

Standardization of technology architecture for EERM, using a combination of ERP systems and other backbone applications for procurement and packaged solutions, is supported by an increasing intent by management to invest in emerging technologies for EERM. Cloud technologies that enable agile business operations with standardization represent the most popular emerging technology platform being investigated by survey respondents. RPA features second on this list, offering the opportunity to automate routine tasks related to EERM. 46 percent of respondents are planning to utilize standardized cloud technologies for EERM while 31 percent are considering using RPA for routine EERM tasks across the organization.

[Chart: The evolving tiered architecture for EERM tools and technologies (share of respondents)]
ERP systems or other backbone applications for procurement (ERP + Procurement): 23%
Generic GRC software or EERM-specific risk management packages or those tailored from specialized risk domains (GRC + TPRM Utility + TPRM Solutions): 28%
Other niche packages for specific EERM processes or risks with feeds from specialized risk domains: 78%

[Chart: Emerging technologies for EERM (share of respondents)]
Cloud technologies to enhance flexibility: 46%
Robotics automation for routine administrative tasks: 31%
Visualization technologies for meaningful interpretation of data: 20%
Cognitive analytics for interpretive tasks: 19%
Blockchain technologies to validate third-party transactions: 16%

Deloitte point of view
Deloitte believes that with the right technology enablement for EERM processes, companies can implement and manage EERM programs that drive efficiency, reduce costs, improve service levels, and increase return on equity. In fact, as outlined in our whitepaper titled “Unlock the value in your technology investments”, organizations with a well-defined technology-enabled EERM framework typically tend to realize an additional four to five percent return on equity.

Better tools and technology can significantly reduce the time spent on pre-contract, post-contract, and ongoing tracking/monitoring activities, thus making available time for focusing on the broader strategic areas of risk management and value creation (e.g. performance, strategy, innovation, commercial, etc.).

Most survey respondents desire integrated technology that would address as many of the dimensions of EERM as possible (e.g. performing due diligence and ongoing risk assessments, recording and presenting KPIs and other performance data through dashboards, facilitating documentation and escalation of issues etc.). The current tiered approach has its advantages in leveraging multiple dimensions of available technology, but those organizations in managed status or below are still being compelled to build in some spreadsheet or manual process-based intervention to bridge the gaps.
Industry highlights
• The use of features of the existing ERP system or other organization-wide backbone systems for procurement seems to be the highest in the E&R and LSHC industries (26 percent and 32 percent of respondents, respectively) and the lowest in FS, PS, and TMT (18 percent, 18 percent, and nine percent of respondents, respectively).
• The uptake of generic GRC packages is highest in FS with 34 percent of respondents subscribing to this option, followed by TMT (29 percent) but lowest in C&IP (11 percent of respondents).
• Use of other niche packages appears to be the dominant trend in C&IP (69 percent of respondents) and lowest in FS (48 percent).
• The overall average of organizations using all of the three tiers in tandem with each other is around 20 percent, which roughly equals the number of respondents who have achieved integrated or optimized status in the EERM maturity scale.
• All industries appear to be interested in exploring future technologies and are broadly following a similar trend.

[Chart: Evolving tiered architecture for EERM tools and technologies by industry (C&IP, E&R, FS, LSHC, PS, TMT, Others); series: ERP systems or other backbone applications for procurement; Generic GRC software or EERM-specific risk management packages or those tailored from specialized risk domains; Other niche packages for specific EERM processes or risks with feeds from specialized risk domains]

[Chart: Emerging technologies for EERM by industry (C&IP, E&R, FS, LSHC, PS, TMT, Others); series: Visualization technologies for meaningful interpretation of data; Blockchain technologies to validate third-party transactions; Cloud technologies to enhance flexibility; Robotics automation for routine administrative tasks; Cognitive analytics for interpretive tasks]
Geography highlights
• Using the features of the organizational ERP system or other backbone procurement applications for EERM appears to be most commonplace in the Americas (25 percent of respondents) but the lowest in EMEA (17 percent of respondents), where using a combination of niche packages for specific EERM processes or risks with feeds from specialized risk domains makes up for the difference, although all three regions broadly follow a similar trend.
• Organizations in EMEA appear to be taking the lead with cloud-related initiatives for agile EERM (50 percent of respondents) as well as in exploring robotics automation (33 percent), cognitive analytics (20 percent), and other emerging technologies for EERM, although once again the overall trend is broadly similar across the three regions with some limited exceptions.

[Chart: Emerging technologies for EERM by region (Americas / Asia Pacific / EMEA)]
Cloud technologies to enhance flexibility: 33% / 34% / 50%
Robotics automation for routine administrative tasks: 23% / 28% / 33%
Cognitive analytics for interpretive tasks: 14% / 18% / 20%
Visualization technologies for meaningful interpretation of data: 23% / 2% / 22%
Blockchain technologies to validate third-party transactions: 16% / 10% / 16%

[Chart: Evolving tiered architecture for EERM tools and technologies by region (Americas / Asia Pacific / EMEA)]
ERP systems or other backbone applications for procurement: 25% / 18% / 17%
Generic GRC software or EERM-specific risk management packages or those tailored from specialized risk domains: 19% / 21% / 22%
Other niche packages for specific EERM processes or risks with feeds from specialized risk domains: 56% / 62% / 61%
5. Sub-contractor risk

Organizations are lacking appropriate visibility and monitoring of sub-contractors engaged by third-parties.
5. Organizations are lacking appropriate visibility and monitoring of sub-contractors engaged by third-parties.

Key messages
Only two percent of respondents regularly identify and monitor their sub-contractors (fourth/fifth parties) while another 10 percent do so only for those sub-contractors identified as critical. [Callout: 2% / 10% / 88%]

Our survey results reveal that respondent organizations lack appropriate visibility of instances where sub-contractors are engaged by their third-parties. The majority (57 percent) of survey respondents do not have adequate knowledge and appropriate visibility of sub-contractors engaged by their third-parties and a further 21 percent are unsure about whether anyone at all in their organization has such visibility or not.

Further, only two percent of respondents regularly identify and monitor their sub-contractors (fourth/fifth parties) while another 10 percent do so only for those sub-contractors identified as critical. The other 88 percent either rely on their third-parties to do so; have an unstructured/ad hoc approach; do not do so at all; or do not know their organizational policy and practices in this regard.

This is making it difficult for organizations to determine their strategy and approach to the management of sub-contractor risk and to apply the appropriate amount of discipline and stringency. Recent regulation such as the Modern Slavery Act and GDPR, which include requirements to manage layers of fourth/fifth parties, where they exist, makes this a matter of increased concern.

Finally, only 18 percent of organizations periodically review the concentration risk associated with their fourth/fifth parties quarterly or half-yearly, while the vast majority (82 percent) review this annually or even less frequently, making it a matter of serious regulatory concern in the highly regulated industries.
[Chart: Adequate knowledge and an appropriate level of visibility over sub-contractors engaged by third-parties]
Yes: 22%; No: 57%; I don’t know: 21%

[Chart: Frequency of periodic review of the concentration risk; categories: Quarterly (9%), Half-yearly (9%), Annually, Once in 2-3 years, Never, Don't know]

[Chart: Monitoring sub-contractors engaged by third-parties and retaining records along with corrective action]
Fourth/fifth parties are identified and regularly monitored: 2%
The most critical fourth/fifth parties are identified and regularly monitored: 10%
Some fourth/fifth parties are identified and reviewed on an ad hoc basis
Fourth/fifth parties are reviewed at the initiation of any new contract with a third-party
Our organization relies upon and monitors the procedures within its third-parties as the primary basis
Fourth/fifth parties are not identified, reviewed or monitored at all
Deloitte point of view
The growth of subcontracting as a global phenomenon in recent years has been driven by exactly the same factors that have contributed to the rise of the extended enterprise ecosystem. As a matter of fact, sub-contractors are nothing other than the extended enterprise of suppliers and service providers to the focal organizations covered by the survey. Their suppliers and service-providers have also been motivated by the desire to gain competitive advantage through the involvement of third-parties, i.e. enable better product or service innovation, facilitate expansion to new markets, and provide access to skills and capabilities not available internally, while they (as suppliers of goods and services) continue to focus on their core business processes. Sometimes the sub-contractor (referred to as fourth parties to the focal organization) may also be further sub-contracting some of the sub-contracted processes, creating fifth parties, sixth parties, and so on to the focal firm.

At the same time, disruptive incidents globally are increasingly confirming that these suppliers have themselves been much less focused on bringing in a holistic and integrated approach to their own third-party ecosystem than their customers, as many of these customers may be subject to third-party regulation in their respective industry segments which the suppliers or sub-contractors are not. But as these suppliers take their extended enterprise to new levels of criticality in dependence, their sub-contractors (referred to as fourth parties) are now exposing not just them but their end-customers to the threats of high profile customer service disruption and other major business failures. These failures are now attracting the attention of the regulators who are holding organizations accountable for lack of oversight of third-parties and their sub-contractors. Where these risks have been realized, this has compromised organizational reputation, broken down business continuity, and attracted substantial penalties and regulatory enforcement action.

We understand most organizations are focusing on identifying, assessing, and managing the risk in their third-parties and believe that, for the moment, just having an awareness of sub-contractor relationships is sufficient. The tug of war between the regulatory requirements to manage the risks all the way through the extended enterprise versus the legal/contractual view that your responsibility stops at your third-party is emerging as an interesting area of debate.

Some organizations will continue to rely on their third-parties’ own EERM procedures but in critical scenarios/certain situations they may want the ability to intervene on a more real-time basis.

Industry highlights
• In general, the lack of stringency and discipline in monitoring/oversight of sub-contractors by respondent organizations is common to all industry segments and geographic regions.
• It is counter-intuitive to note that the more regulated industries (in relative terms) such as FS and LSHC are the weakest performers in this regard, with as many as 81 percent and 85 percent of respondents, respectively, acknowledging that they do not have appropriate knowledge and visibility over their fourth/fifth parties. C&IP and E&R, both with 75 percent of respondents in this position, follow in their footsteps.
• Similarly, only 15 percent of the respondents from FS as well as an equal proportion of respondents from C&IP review concentration and other risks from their fourth and fifth parties either quarterly or half-yearly, followed by 24 percent in TMT and 33 percent in E&R.
Geography highlights
• The lack of knowledge and visibility of sub-contractors is fairly consistent across all the three geographic regions, spanning around three out of four respondents in each region.
• The periodicity of monitoring is however the least in the Americas, with the majority of respondents (55 percent) acknowledging that they either do not monitor such sub-contractor risks at all or do not know if anyone in their organization does so, as against 35 percent of respondents being in that position in EMEA and 34 percent in Asia Pacific. However, even in the latter geographies, only 19 percent of respondents monitor this half-yearly or quarterly (15 percent in the Americas), implying far more needs to be done in this regard.

[Chart: Adequate knowledge and an appropriate level of visibility over sub-contractors engaged by third-parties by industry (C&IP, E&R, FS, LSHC, PS, TMT, Others); categories: Yes, No, I don’t know]

[Chart: Frequency of periodic review of the concentration risk by region (Americas, Asia Pacific, EMEA); categories: Quarterly, Half-yearly, Annually, Once in 2-3 years, Never, Don't know]

[Chart: Frequency of periodic review of the concentration risk by industry (C&IP, E&R, FS, LSHC, PS, TMT, Others); categories: Quarterly, Half-yearly, Annually, Once in 2-3 years, Never, Don't know]

[Chart: Adequate knowledge and an appropriate level of visibility over sub-contractors engaged by third-parties by region (Americas, Asia Pacific, EMEA); categories: Yes, No, I don't know]
6. Organizational imperatives and accountability

6a. Ultimate ownership and accountability for EERM suggests it is well and truly established in the C-suite roles with need for improvement in engagement.

6b. Challenges over internal coordination, talent and processes represent areas of highest (organizational) concern over EERM.
6a. Ultimate ownership and accountability for EERM suggests it is well and truly established in the C-suite roles with need for improvement in engagement.

Key messages
Either the CEO, CFO, CPO, CRO, or a member of the Board is ultimately accountable for EERM in 78 percent of the organizations, up from 75 percent last year. [Callout: 78% (2018) versus 75% (2017)]

Survey results around the ownership and accountability for EERM suggest it is well and truly established in the C-suite, with 78 percent of organizations suggesting that either the CEO, CFO, CPO, CRO, or a member of the Board is ultimately accountable for this topic. This includes a member of the Board being ultimately accountable for EERM in 19 percent of the cases, and 33 percent suggested the CEO (21 percent) or CFO (12 percent) had a similar responsibility.

In some cases, there appears to be a small shift in ultimate accountability from CPOs and Vendor/Alliance Managers to Heads of Risk and CFOs under Board/CEO supervision, although this is still not true where the organizational supply-chain forms the most significant component of the extended enterprise. In such organizations, which still form the majority, the CoEs and shared services are also largely owned by procurement teams.

Survey respondents however believe that there is room for improvement in the level of engagement on the EERM agenda by Board members and risk domain owners. Only 20 percent of Board members have a high level of engagement where a member of the Board has ultimate accountability. This, in turn, implies that levels of engagement in the remaining 80 percent of organizations where the Board operates in an oversight or supervisory role are at best moderate (42 percent of respondents) if not low (19 percent), absent or unknown (seven percent and 12 percent respectively).

The data relating to the levels of engagement of risk domain owners is also not very encouraging. Only 16 percent of risk domain owners had a high level of engagement and understanding of EERM, with the vast majority represented by the remaining 84 percent of respondents who felt risk domain owners had at best moderate (45 percent) or low (17 percent) levels of engagement, or levels of engagement that were absent (seven percent) or unknown (15 percent). Survey respondents believe that relatively lower levels of engagement and understanding by risk domain owners negatively impacted the level of coordination with other stakeholders, as discussed in our finding 6(b) on page 58.

Survey respondents believe that a key underlying factor for this limited engagement is the lack of regular supervisory review by the Board. Only 11 percent of organizations surveyed have formal Board reviews on a quarterly basis, with at best another 10 percent doing this on a half-yearly basis. For 35 percent, this is just another annual process to be completed, while 38 percent do not know when they had such a review or whether they had it at all.
[Chart: Ultimate accountability for EERM (2016 / 2017 / 2018)]
CEO: 27% / 20% / 21%
Member(s) of the Board: 20% / 19% / 19%
CRO: 8% / 12% / 15%
CFO: 5% / 9% / 12%
CPO: 18% / 15% / 11%
Head of Compliance: 4% / 5% / 4%
Head of Vendor or Alliance Management: 4% / 2% / 2%
Head of Internal Audit: 1% / 0% / 3%
Individual Vendor or Alliance Manager: 3% / 3% / 2%
Other: 10% / 15% / 11%

[Chart: Frequency of board-level EERM review focused on alignment with strategic plan and risk appetite]
Quarterly: 11%; Half-yearly: 10%; Annually: 35%; Once in 2-3 years: 6%; Never: 14%; Don’t know: 24%

[Chart: Level of engagement of Board members and risk domain owners in EERM (Board of directors / Risk domain owners)]
High level of engagement and understanding/coordination: 20% / 16%
Moderate level of engagement and understanding/coordination: 42% / 45%
Lower level of engagement and understanding/coordination: 19% / 17%
No significant engagement or understanding/coordination: 7% / 7%
Don’t know: 12% / 15%

Deloitte point of view
As extended enterprise risks grow, along with shareholder, political, legal, and regulatory activism, there is likely to be a greater demand placed on management and boards to be accountable for major risk events, whether the events occur within the organization or across its extended enterprise. In this scenario, Deloitte believes that Boards in their governing (supervision and oversight) capacity should have deeper levels of engagement and more frequent reviews to ensure management has elevated EERM to appropriate levels and established robust risk management structures and processes.

Deloitte specialists recognize that Boards are already very busy. But as extended enterprises expand and grow in strategic importance, the expectation is that Boards will play a more engaged role with regard to third-party risks.

Today, a large number of global Boards carry out their risk oversight responsibilities either by themselves or at best with some support from CFOs and their audit committees. As extended enterprises grow in complexity and scale, we predict that more Boards globally may be considering the establishment of risk committees or similar focus groups to assist them in ensuring a more systematic and broader oversight of strategic and operational risks, as is currently an emerging trend in North America.
Industry highlights
• The level of engagement and knowledge of EERM by the Board appears to be the highest in PS (35 percent of respondents) and E&R (31 percent) and the lowest in LSHC (15 percent), C&IP (18 percent), and TMT (18 percent), followed closely by FS (19 percent).
• High levels of engagement and coordination by risk domain owners are once again the highest in PS (30 percent of respondents), followed however by LSHC (21 percent), E&R (18 percent), and FS (17 percent).

[Chart: Level of engagement and coordination between risk domain owners and the EERM team by industry (C&IP, E&R, FS, LSHC, PS, TMT, Others); categories: High, Moderate, Low, None, Don’t know]

[Chart: Level of engagement and understanding of board of directors with risks relating to the extended enterprise of their organization by industry (C&IP, E&R, FS, LSHC, PS, TMT, Others); categories: High, Moderate, Low, None, Don’t know]

Geography highlights
• Organizations from EMEA appear to have the highest level of engagement in relative terms from their Boards, with 24 percent demonstrating a high level of engagement and understanding, as compared to only 10 percent in the Americas and nine percent in Asia Pacific. The lack of awareness by respondents on the level of Board engagement in EERM is also the highest in the Americas, with as many as 37 percent of respondents unaware of the actual position, as against only seven percent in EMEA and 11 percent in Asia Pacific.
• This diversity across regions is supported by the fact that only seven percent of respondents from the Americas have quarterly or half-yearly supervisory reviews of EERM by the Board, compared to 24 percent in Asia Pacific and 23 percent in EMEA.
• The engagement of risk domain owners however is relatively much higher in the Americas, with 20 percent of respondents having a high level of engagement and understanding, compared to 16 percent in EMEA and 15 percent in Asia Pacific. However, 27 percent of respondents from the Americas are not aware of the position in this regard, as against only 11 percent in EMEA and 18 percent in Asia Pacific.
[Chart: Level of engagement of board members and risk domain owners in EERM by region (Board of directors / Risk domain owners)]
Americas: High level of engagement and understanding 10% / 20%; Moderate level 30% / 32%; Lower level 16% / 17%; No significant engagement or understanding 7% / 5%; Don't know 37% / 26%
Asia Pacific: High level of engagement and understanding 9% / 15%; Moderate level 44% / 42%; Lower level 26% / 19%; No significant engagement or understanding 9% / 6%; Don't know 11% / 18%
EMEA: High level of engagement and understanding 24% / 16%; Moderate level 44% / 49%; Lower level 18% / 17%; No significant engagement or understanding 7% / 7%; Don't know 7% / 11%

[Chart: Frequency of board-level EERM review focused on alignment with strategic plan and risk appetite by region (Americas, Asia Pacific, EMEA); categories: Quarterly, Half-yearly, Annually, Once in 2-3 years, Never, Don’t know]
6b. Challenges over internal coordination, talent and processes represent areas of highest (organizational) concern over EERM.

Key messages
Skills, bandwidth and competence of talent appears to be the most significant concern related to EERM (45 percent of respondent organizations); followed by the clarity of roles and responsibilities (41 percent), EERM processes (41 percent), and stakeholder awareness and commitment to third-party risks (38 percent). [Callout: 45% / 41% / 41% / 38%]

Survey results indicate that skills, bandwidth, and competence of talent engaged in EERM-related activities appear to be the most significant concern for respondents (45 percent), followed by the clarity of roles and responsibilities and EERM processes (41 percent in either case).

Stakeholder awareness and commitment to third-party risks have emerged as a newer area of concern for 38 percent of respondents, an issue that we have not seen in the forefront in our earlier surveys in general terms, although a more specific need to get the attention of the Board and feature as an ongoing priority item in the related agenda had been expressed by respondents.

Other areas of emerging concern include achieving organizational agreement/clarity in (a) identification of strategically critical third-parties (32 percent of respondents) and (b) structure of the third-party management organization (30 percent of respondents), implying the need for better alignment and coordination from an intrapreneurial11 rather than an entrepreneurial perspective.

It is therefore no surprise to see that as many as 40 percent of respondent organizations have prioritized the need to establish better coordination between risk domain owners, business unit leaders, functional heads, legal, and internal audit teams, etc. as the top organizational imperative related to EERM.

Aligned to the concern of non-standardized processes and lack of clear roles/responsibilities, the need to strengthen due diligence activities prior to onboarding new third-parties is second on the list of top organizational imperatives related to EERM (35 percent of respondent organizations). This, in turn, is followed by the need to build stronger resilience to disruption caused by third-party related incidents (24 percent) and to ensure a proportionate EERM approach based on the categorization of the most strategic third-parties to the organization (24 percent).
Leadership concerns around EERM

• Skills, bandwidth and competence in extended enterprise risk management: 45%
• Processes for extended enterprise risk management: 41%
• Clarity of related roles and responsibilities: 41%
• Technology for extended enterprise risk management: 40%
• Stakeholder awareness and commitment to third-party risks: 38%
• Organizational clarity in identification of strategically critical third-parties: 32%
• Structure of third-party management organization: 30%

Top organizational imperatives related to EERM

• Better in-house coordination with risk domain owners, business unit leaders, functional heads, legal teams, internal audit, etc.: 40%
• Strengthening due diligence prior to onboarding third-parties: 35%
• Building stronger resilience to disruption and uncertainty resulting from third-parties: 24%
• Identifying the most strategic third-parties to ensure proportionate effort in EERM processes: 24%
• Enhancing monitoring of third-parties (e.g. real-time monitoring, risk sensing, etc.) using emerging technologies such as RPA, cognitive processes: 22%
• Addressing cyber risks centrally in the organization: 18%
• Enhancing assurance activities over third-parties: 17%
• Enhancing visibility and transparency of third-parties (including fourth and fifth parties): 16%
• Addressing cyber risks at third-party locations: 14%
• Enhancing clarity in business case articulation requirements: 14%
• Greater alignment with organization-wide crisis prevention/management team to increase resilience to third-party related disruption: 13%
• Enhancing technology to manage third-parties: 12%
• Proactive fraud management: 11%
• Enhancing training and guidance for the retained organization: 10%
• Enhancing training and compliance guidance to third-parties: 9%
Deloitte point of view

There has been a significant change in organizational priorities and underlying leadership concerns since our previous survey, where tools and technologies used for EERM had concerned a vast majority (more than 90 percent) of respondents. Respondents to our previous survey had indicated that this concern around the lack of a single unifying technology to manage EERM, together with the disparity of third-party management processes across the depth and breadth of increasingly decentralizing organizations, had created an "execution gap" that stood in the way of integrating and optimizing EERM.

Deloitte specialists believe that two trends over the last 12 months, both discussed earlier in this report, have been key to reducing this overwhelming concern. First, the introduction of centralized ownership and management within the more decentralized structures, supported by the increasing dominance of CoEs and SSCs (see key finding 3a). Second, although a single technology solution for EERM has still to emerge, the standardization of the three-tier technology architecture (see key finding 3b) has gone a long way in showcasing the tiered way forward for technology enablement that can address the execution gap. There is, however, more to do in articulating and standardizing "best-of-breed" processes.

As risk management and governance becomes an overarching strategic issue, aligned to business strategy and operations and drilling down to individual business units, it is natural that more and more people at various levels, functional areas, and stakeholders will have a role to play. Further, a much broader and newer set of risks and strategic assets which are more difficult to leverage, manage, and protect will continue to emerge, including people, intellectual property, customers, marketing efforts, and even, for example, "the crowd" in emerging phenomena like crowdsourcing. This will need new skills to be infused into the organization and roles to be redefined. Apart from the emerging risk domains as well as the owners of these new risk domains, organizations should consider external stakeholders who herald a more outside-in perspective including, for instance, customers, bloggers, information trendsetters, and marketplace/security analysts.

Each of these players brings a unique set of perspectives and skill-sets to risk management and governance which can be an invaluable asset to every business, provided they are orchestrated to ensure that:

• There is complete clarity on who does what in the area of risk management.
• There are neither overlaps nor underlaps in who does what.
• Limited risk management resources are deployed effectively across the organization to address the most significant areas of concern and opportunity across the business.

As a result, internal coordination (specifically between risk domain owners, business unit leaders, functional heads, legal, and internal audit teams) has now emerged as a key concern in the current survey, in addition to ensuring the ongoing relevance of skills, roles, and responsibilities as compared to realistic reassessments of available staff bandwidth.

Accordingly, organizational imperatives that address issues around coordination, talent and processes and "putting the house in order" have now overshadowed the technology-related concerns expressed in earlier surveys.
Industry highlights

The need to build better in-house coordination with risk domain owners, business unit leaders, functional heads, legal, and internal audit teams, etc. consistently features as a top organizational imperative within all the key industry sectors, followed by the need to strengthen due diligence prior to onboarding third-parties and, more generally, to enhance assurance activities or monitoring within the extended enterprise.

• Identifying the most strategic third-parties to ensure proportionate EERM effort is a top imperative across the C&IP, E&R, FS, and LSHC industry segments.
• Addressing cyber risks is a top organizational imperative in the C&IP, FS, and PS industry segments.
• Building stronger resilience to disruption is a key action item for respondents from the C&IP, LSHC, PS, and TMT industry groups.
• Enhancing technology to address EERM requirements, however, remains a top imperative for TMT, possibly due to the growth of online or platform-based collaboration in this industry segment.

Top five organizational imperatives related to EERM by industry

C&IP
• Better in-house coordination with risk domain owners, business unit leaders, functional heads, legal teams, internal audit, etc.: 46%
• Strengthening due diligence prior to onboarding third-parties: 32%
• Identifying the most strategic third-parties to ensure proportionate effort in EERM processes: 25%
• Addressing cyber risks at third-party locations: 22%
• Building stronger resilience to disruption and uncertainty resulting from third-parties in the extended enterprise: 19%

E&R
• Better in-house coordination with risk domain owners, business unit leaders, functional heads, legal teams, internal audit, etc.: 49%
• Strengthening due diligence prior to onboarding third-parties: 31%
• Identifying the most strategic third-parties to ensure proportionate effort in EERM processes: 29%
• Enhancing assurance activities over third-parties: 27%
• Enhancing monitoring of third-parties (e.g. real-time monitoring, risk sensing) using emerging technologies such as RPA, cognitive processes: 24%

FS
• Strengthening due diligence prior to onboarding third-parties: 37%
• Better in-house coordination with risk domain owners, business unit leaders, functional heads, legal teams, internal audit, etc.: 34%
• Enhancing monitoring of third-parties (e.g. real-time monitoring, risk sensing) using emerging technologies such as RPA, cognitive processes: 30%
• Addressing cyber risks at third-party locations: 25%
• Identifying the most strategic third-parties to ensure proportionate effort in EERM processes: 22%

LSHC
• Better in-house coordination with risk domain owners, business unit leaders, functional heads, legal teams, internal audit, etc.: 42%
• Strengthening due diligence prior to onboarding third-parties: 39%
• Enhancing monitoring of third-parties (e.g. real-time monitoring, risk) using emerging technologies such as robotics automation, cognitive: 27%
• Identifying the most strategic third-parties to ensure proportionate effort in EERM processes: 27%
• Building stronger resilience to disruption and uncertainty resulting from third-parties in the extended enterprise: 24%

PS
• Better in-house coordination with risk domain owners, business unit leaders, functional heads, legal teams, internal audit, etc.: 40%
• Building stronger resilience to disruption and uncertainty resulting from third-parties in the extended enterprise: 35%
• Addressing cyber risks at third-party locations: 30%
• Enhancing clarity in business case articulation requirements: 25%
• Enhancing assurance activities over third-parties: 20%

TMT
• Better in-house coordination with risk domain owners, business unit leaders, functional heads, legal teams, internal audit, etc.: 40%
• Strengthening due diligence prior to onboarding third-parties: 38%
• Building stronger resilience to disruption and uncertainty resulting from third-parties in the extended enterprise: 29%
• Enhancing technology to manage third-parties: 19%
• Enhancing monitoring of third-parties (e.g. real-time monitoring, risk sensing) using emerging technologies such as RPA, cognitive processes: 18%

Others
• Strengthening due diligence prior to onboarding third-parties: 63%
• Better in-house coordination with risk domain owners, business unit leaders, functional heads, legal teams, internal audit, etc.: 42%
• Identifying the most strategic third-parties to ensure proportionate effort in EERM processes: 32%
• Addressing cyber risks at third-party locations: 26%
• Enhancing training and guidance for the retained organization: 21%
Geography highlights

• Regional analysis of top organizational imperatives related to EERM also indicates the need to build better in-house coordination with risk domain owners, business unit leaders, functional heads, legal, and internal audit teams, etc. as a common imperative across all the key regions, followed by the need to strengthen due diligence prior to onboarding third-parties and the need for stronger resilience to disruption and uncertainty arising from the extended enterprise. Additionally:
• Respondents from the Americas are focused on the need to articulate better business cases for investment in EERM and on identifying the most strategic third-parties for proportionate EERM effort.
• Respondents from Asia Pacific share the Americas' need to articulate better business cases for EERM and additionally to enhance training and guidance for their retained organization.
• Respondents from EMEA share a common priority to identify the most strategic third-parties for proportionate EERM effort, but are also focused on enhancing real-time monitoring of third-parties using emerging technologies.

Top five organizational imperatives related to EERM by region

Americas
• Better in-house coordination with risk domain owners, business unit leaders, functional heads, legal teams, internal audit, etc.: 46%
• Strengthening due diligence prior to onboarding third-parties: 32%
• Building stronger resilience to disruption and uncertainty resulting from third-parties in the extended enterprise: 25%
• Enhancing clarity in business case articulation requirements: 24%
• Identifying the most strategic third-parties to ensure proportionate effort in EERM processes: 20%

Asia Pacific
• Strengthening due diligence prior to onboarding third-parties: 36%
• Better in-house coordination with risk domain owners, business unit leaders, functional heads, legal teams, internal audit, etc.: 30%
• Building stronger resilience to disruption and uncertainty resulting from third-parties in the extended enterprise: 25%
• Enhancing training and guidance for the retained organization: 19%
• Enhancing clarity in business case articulation requirements: 19%

EMEA
• Better in-house coordination with risk domain owners, business unit leaders, functional heads, legal teams, internal audit, etc.: 41%
• Strengthening due diligence prior to onboarding third-parties: 36%
• Identifying the most strategic third-parties to ensure proportionate effort in EERM processes: 27%
• Enhancing monitoring of third-parties (e.g. real-time monitoring, risk sensing) using emerging technologies such as RPA, cognitive processes: 24%
• Building stronger resilience to disruption and uncertainty resulting from third-parties in the extended enterprise: 24%
About the authors

Kristian Park leads the Extended Enterprise Risk Management team in the EMEA region and also leads Deloitte's Global Third-party Risk Management (TPRM) group. As a partner in Deloitte UK, Kristian works with his clients to develop governance frameworks to identify and manage all types of third-party risks, looking at both process and technology solutions; performs inspections of third-party business partners on his clients' behalf; and assesses third-party compliance with contractual terms and conditions.

In addition, Kristian is responsible for Deloitte UK's Software Asset Management and Software Licensing teams and assists clients in managing their software licensing obligations, driving efficiencies and savings. He has experience across a broad variety of industry sectors including Life Sciences, Financial Services, Energy & Resources, Sport, Technology, Media, and Consumer & Industrial Products.

Kristian Park
EMEA Leader, Extended Enterprise Risk Management
Global Risk Advisory

Danny Griffiths is a Director in our London-based EERM team. He has 11 years of experience providing assurance and advisory services to his clients in the area of third-party risk. Danny leads the Third-party Advisory (TPA) proposition within our UK EERM team, and specializes in supporting clients in the development of Third-party Governance & Risk Management frameworks. He has worked extensively in the Financial Services sector in this regard as well as advising organizations across many of the other industry sectors, and he regularly hosts roundtables and presents at forums on this topic.

In addition, Danny has significant experience leading compliance programs for large national and multi-national organizations, assessing third-party compliance against contractual obligations. Danny has led inspections across a range of third-parties including suppliers, outsourcers, marketing agencies, distributors, resellers, and licensees. He has practical experience working in a broad range of industries including Financial Services, Technology & Media, Consumer Business, Sports Business, Energy & Utilities, Real Estate, and Public Sector. He has led projects in multiple jurisdictions within EMEA, the Americas, and Asia.

Danny Griffiths
Director, Extended Enterprise Risk Management
Deloitte LLP

Mark Bethell is a Director in the UK EERM practice. Mark re-joined Deloitte in June 2015 having spent 4 years working in industry at a global oil major. While at the oil major, Mark led the design and implementation of a global risk management framework designed specifically for joint ventures operated by others. Mark's other roles at the major included membership of the Internal Audit Leadership Team, with accountability for all internal audit work performed in relation to the extended enterprise (contractors, suppliers and non-joint ventures).

Since returning to Deloitte, Mark has led a number of projects to help clients, across multiple industries, manage the risks associated with the extended enterprise. He has helped his clients to design, build, and implement third-party risk management frameworks and to design and operate large scale, global programs of third-party audits covering a variety of risk types. Mark has a particular focus on implementing EERM Managed Services for his clients and on the ongoing development of technologies to support automated risk screening and monitoring.

Mark Bethell
Director, Extended Enterprise Risk Management
Deloitte LLP

Sanjoy Sen is the Head of Research and Eminence for EERM at Deloitte LLP, based in the UK. He is a Chartered Accountant (FCA), a Cost and Management Accountant, and a Certified Information Systems Auditor (CISA) with over 29 years of experience, which includes 17 years of partner-level experience at Deloitte and another competing Big 4 firm.

Sanjoy is currently enhancing his experience in strategic governance and risk management around outsourcing and shared services through a Doctoral Research Scholarship at Aston Business School, Birmingham, while continuing to provide professional advice to Boards, senior leadership, Heads of Risk, and Internal Audit. His ongoing research has been published globally through various academic and professional channels with over 200 citations in frontline newspapers, professional journals, and conference papers since 2014, in addition to co-authorship with Deloitte's global EERM leaders.

His prior experience in strategic governance and risk management of the extended enterprise, outsourcing, and shared services spans the UK, Gibraltar, India, and various countries in the Middle East. This includes assisting clients in strengthening their business strategy frameworks through effective strategic outsourcing and shared services initiatives through a combination of risk advisory and internal audit roles in client engagements.

Sanjoy Sen
Doctoral Research Scholar
Aston Business School
Contacts

Global EERM contacts
• Global Leader: Jan Corstens, +32 2 800 24 39, jcorstens@deloitte.com
• Asia Pacific Leader: Jimmy Wu, +88 6225459988, jimwu@deloitte.com.tw
• EMEA: Kristian Park, +44 20 7303 4110, krpark@deloitte.co.uk
• Americas: Dan Kinsella, +1 312 486 2937, dankinsella@deloitte.com

Country contacts

EMEA
• Austria: Alexander Ruzicka, +43 153 7007 950, aruzicka@deloitte.at
• Belgium: Jan Corstens, +32 2 800 24 39, jcorstens@deloitte.com
• CIS: Sergey Kudryashov, +74 957 870 600, skudryashov@deloitte.ru
• Denmark: Jesper Due Soerensen, +45 30 93 64 20, jessoerensen@deloitte.dk
• Finland: Jouni Viljanen, +35 8207555312, jouni.viljanen@deloitte.fi
• France: Gregory Abisror, +33 1 58 37 94 03, gabisror@deloitte.fr
• Germany: Jan Minartz, +49 403 2080 4915, jminartz@deloitte.de
• Greece: Alithia Diakatos, +30 2106 78 1176, adiakatos@deloitte.gr
• Hungary: Zoltan Szollosi, +36 (1) 428 6701, zszollosi@deloitte.com
• Ireland: Eileen Healy, +353 214 907 074, ehealy@deloitte.ie
• Italy: Andrea Musazzi, +39 028 3322 610, amusazzi@deloitte.it
• Luxembourg: Jan Corstens, +32 2 800 24 39, jcorstens@deloitte.com
• Netherlands: Jina Calmaz, +31 8828 81871, jcalmaz@deloitte.nl
• Poland: Mariusz Ustyjanczuk, +48 22 511 0939, mustyjanczuk@deloittece.com
• Portugal: Joao Frade, +351 2104 27 558, jfrade@deloitte.pt
• Slovenia: Polona Klep Cufer, +386 1 307 29 87, pcuferklep@deloittece.com
• Southern Africa: Dean Chivers, +27 1180 51159, dechivers@deloitte.co.za
• Spain: Oscar Martín, +34 914432660, omartinmoraleda@deloitte.es
• Sweden: Charlotta Wikström, +46 73 397 11 19, cwikstroem@deloitte.se
• Switzerland: Ronan Langford, +41 58 279 9135, rlangford@deloitte.ch
• Turkey: Cuneyt Kirlar, +90 212 366 60 48, ckirlar@deloitte.com
• United Arab Emirates: Tariq Ajmal, +971 2 408 2424, tajmal@deloitte.com
• United Arab Emirates: Huzaifa Hussain, +97 1043 7688 88, HuzHussain@deloitte.com
• United Kingdom: Kristian Park, +44 20 7303 4110, krpark@deloitte.co.uk

Asia Pacific
• Australia: Elissa Hilliard, +61 2 9322 3014, ehilliard@deloitte.com.au
• Australia: Tom Sykes, +61 3 9671 5686, tsykes@deloitte.com.au
• China: Yvonne Wu, +86 21 614 115 70, yvwu@deloitte.com.cn
• Hong Kong: Hugh Gozzard, +852 2852 5662, huggozzard@deloitte.com.hk
• India: Sachin Paranjape, +91 22 6185 4903, saparanjape@deloitte.com
• Japan: Masahiko Matt Sugiyama, +81 9098 09 6885, masahiko.sugiyama@tohmatsu.co.jp
• Japan: Bruce Kikunaga, +81 90834 77656, bruce.kikunaga@tohmatsu.co.jp
• Korea: Min Youn Cho, +82 2 6676 1990, minycho@deloitte.com
• New Zealand: Aloysius Teh, +64 4495 3934, ateh@deloitte.co.nz
• Philippines: Luisito Amper, +63 2 581 9028, lamper@deloitte.com
• Taiwan: Jimmy Wu, +34 9129 26985, jimwu@deloitte.com.tw
• Singapore: Suci Ramadhany, +65 6800 2555, sramadhany@deloitte.com
• Thailand: Weerapong Krisadawat, +66 2034 0145, wkrisadawat@deloitte.com
• Vietnam: Philip Chong, +65 6216 3113, pchong@deloitte.com

Americas
• Argentina: Esteban Enderle, +54 11 43 2027, eenderle@deloitte.com
• Brazil: Patricia Muricy, +55 21 3981 0526, pmuricy@deloitte.com
• Canada: Nathan Spitse, +141 687 433 38, nspitse@deloitte.ca
• Chile: Christian Duran, +56 22 72 98 286, chrduran@deloitte.com
• LATCO: Esteban Enderle, +54 11 43 2027, eenderle@deloitte.com
• Mexico: Ricardo Bravo, +52 55 508 06 159, ribravo@deloittemx.com
• United States: Dan Kinsella, +1 312 486 2937, dankinsella@deloitte.com
End notes

1. In preparing our report, we have considered both fully as well as partially completed survey responses (to the extent survey questions have been answered by these respondents). However, the increased proportion of respondents from regions where levels of understanding and organizational maturity in third-party risk is starting to increase, compared to more mature territories, has limited our ability to compare current results with last year's survey in some cases.

2. Industry segments covered by the survey include Financial Services (FS), Energy & Resources (E&R), Public Sector (PS), Technology, Media and Telecommunications (TMT), Consumer and Industrial Products (C&IP), Life Sciences & Health care (LSHC), and others. Other industries relates to survey responses where the respondent did not indicate the nature of their industry or did so ambiguously.

3. Figures set out on page 7 relate to centralized spending on EERM as estimated by respondents. Some respondents have indicated that their organizations may be spending significantly higher amounts related to EERM, given the decentralized nature of spend and activity.

4. This model presents a hybrid of various characteristics of centralized and decentralized structures combining the benefits of some standardization and centralized planning with (decentralized) local leadership and some flexibility.

5. Also referred to as community models.

6. This typically operates with a centralized in-house specialist pool supported by representatives from this pool co-located geographically across multiple "hubs" to support business/departmental functions or regions within its purview on EERM-related issues.

7. Nearly three out of four respondents had experienced a third-party related disruptive incident in the last three years as per our Global EERM Survey, 2017.

8. Excluding Australia and New Zealand from where we also had a very limited participation in this survey.

9. Also referred to as community models.

10. The Business Dictionary defines an infomediary as an information intermediary, typically a trusted third-party provider of information or advice on selection of goods or services, competitor information or research data (also called knowledge broker).
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms and their related entities. DTTL (also referred to as “Deloitte Global”) and each
of its member firms are legally separate and independent entities. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.

Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax and related services. Our network of member firms in more than 150 countries and
territories serves four out of five Fortune Global 500 ® companies. Learn how Deloitte’s approximately 264,000 people make an impact that matters at www.deloitte.com.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms or their related entities (collectively, the “Deloitte network”) is, by
means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a
qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

© 2018. For information, contact Deloitte Touche Tohmatsu Limited.

Designed and produced by The Creative Studio at Deloitte, London. J14519
