NEW YORK, Jan. 15, 2019 /PRNewswire/ -- Recognizing that the greatest risk to the enterprise may come from outside the organization, a recent Deloitte poll revealed that 70 percent of respondents indicated a moderate to high level of dependency on external entities, which might include third, fourth or fifth parties. Also, nearly half (47 percent) of respondents said their organizations had experienced some sort of risk incident involving the use of external entities in the last three years.
"The risk comes from needing to trust that these third parties — and their subcontractors — aren't making mistakes in handling data, ensuring privacy, or doing anything else that would harm the business," said Dan Kinsella, extended-enterprise and third-party assurance leader in the Risk and Financial Advisory practice and partner with Deloitte & Touche LLP. "Executives extend the enterprise every time they use a cloud service, outsource a business process, or otherwise spread operations beyond the traditional four walls of their organization. Whenever this happens, benefits and risks are derived from those interactions with third parties."
Overall, organizations are concerned with several extended enterprise risks, including financial, regulatory, legal and strategic risks, that need to be managed centrally. Responses to the question "Who oversees risk governance of your organization's extended enterprise?" illuminate another challenge for extended enterprise risk management (EERM). Twenty-four percent of poll respondents indicated it was the board risk committee's responsibility, while 17 percent pointed to the audit committee and another 11 percent to the full board; the remainder pointed to an internal auditor or an external stakeholder, or simply did not know who managed EERM. A recent Deloitte risk management survey of CEOs and boards found that 62 percent of CEOs fail to hold their extended enterprise to the same risk standards as their own organization, despite leaders seeing information technology providers as posing the greatest threat. A clear line of EERM governance is invaluable to the overall success of the organization. Senior leadership can create an accountable EERM organization so that key risks do not fall through the cracks between the first, second and third lines of defense.
Emerging capabilities of technology-driven systems, applications, controls, programs and methodologies can improve and accelerate efficiencies. They can also improve compliance and decrease the risk of reputation damage, regulatory missteps, consumer backlash and cyber threats. According to poll respondents, their organizations are likely to invest in the following emerging technologies and tools during the next 12 months: cloud computing (31 percent), robotic process automation (RPA) (18 percent), data visualization (12 percent), cognitive technologies (7 percent), blockchain (7 percent) and Internet of Things (IoT) (6 percent), among others.
Examples of leveraging these technologies in the extended enterprise include insurance companies that use data feeds from IoT sensors embedded in cars to adjust owners' risk premiums, awarding lower premiums to drivers with safe records and charging higher premiums to drivers with riskier driving habits. This capability is disrupting the traditional insurance model, which requires specialized third parties to collect data manually to calculate premiums. Many organizations are already using technologies such as RPA and blockchain to improve clarity about risk exposures, to process invoices and to conduct compliance checks.
Security around third-party ecosystems is a legitimate concern for organizations of all sizes. Thirty-eight percent of those polled specified their organizations' intent to focus on cyber risks in the extended enterprise for the ensuing 12 months. To manage the associated risks better, organizations need an approach in which they address their cyber risk concerns from the beginning of vendor procurement and include sets of security requirements and controls in the contract. By asking some of the following questions about a third party, they can begin to evaluate and address the extended enterprise risk posture:
Do they take a secure-by-design approach?
Do they use a secure system development life cycle?
Are their developers trained in the security aspects that you want achieved?
Do they conduct error testing?
The year 2019 will likely demonstrate the increasing importance of EERM program maturity in mitigating risks, safeguarding compliance and driving business value. Efficiency will also probably improve in the process as third-party ecosystems grow and third parties take on more and more mission-critical, core functions in the organization.
About the online poll

More than 4,050 professionals across industries and positions participated in and responded to poll questions during the Deloitte Dbriefs webcast, "Reestablishing the perimeter: Extending the risk management ecosystem," held Oct. 25, 2018. Respondent industry sectors include banking, capital markets and investment (20 percent); technology (12 percent); transportation and hospitality (11 percent); retail and consumer products (10 percent); life sciences and health care (8 percent); telecom, media and entertainment (6 percent); insurance (5 percent); industrial products (5 percent); oil and gas (5 percent); and power and utilities (3 percent). Response rates differed by question.
About Deloitte

Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world's most admired brands, including more than 85 percent of the Fortune 500 and more than 6,000 private and middle market companies. Our people work across more than 20 industry sectors to make an impact that matters — delivering measurable and lasting results that help reinforce public trust in our capital markets, inspire clients to see challenges as opportunities to transform and thrive, and help lead the way toward a stronger economy and a healthy society. Deloitte is proud to be part of the largest global professional services network serving our clients in the markets that are most important to them.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the "Deloitte" name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.