NEW YORK, April 24, 2018 /PRNewswire/ -- Amid increasing dependence on third parties, over half (52.9 percent) of respondents from the U.S. said their organization does not have adequate knowledge and an appropriate level of visibility over fourth or fifth parties (third party outsourced relationships) in their extended enterprise. Overall progress toward extended enterprise risk management (EERM) maturity has been slower than expected according to Deloitte Global's third annual EERM survey, "Focusing on the climb ahead."
Globally, 57 percent of survey respondents do not have adequate knowledge and appropriate visibility of sub-contractors engaged by their third parties and a further 21 percent are unsure. Only 2 percent of respondents regularly identify and monitor their subcontractors (fourth/fifth parties) while another 10 percent do so only for those subcontractors identified as critical. The other 88 percent either rely on their third parties to do so; have an unstructured/ad hoc approach; do not do so at all; or do not even know their organizational policy and practices in this regard.
Dependence on third parties continues to grow, with 53 percent of global respondents reporting "some" or "significant" increase in their level of dependence on third parties. Yet, 7 in 10 survey respondents believe that business and macro-economic uncertainties have increased the risks inherent in managing the extended enterprise.
Despite critical levels of third-party dependency, only 20 percent of organizations have streamlined their EERM systems and processes. Fifty-three percent of respondents now believe their journey to achieve EERM maturity is two to three years or more. The financial services industry underscores the contradiction with 71 percent of respondents from financial services institutions reporting a heightened perception of risks inherent in third parties. Yet the most notable increases in the level of dependence on the extended enterprise have taken place in the financial services industry segment with 59 percent of respondents reporting some or significant increase over the last one year.
"Third parties are closer to the core of business than ever before," said Chuck Saia, CEO of Deloitte Risk and Financial Advisory, Deloitte & Touche LLP. "Organizations that step up to the challenge of developing programs to better manage third-party risk can elevate their position in the market by unleashing with confidence the reach, expertise and relationships that third parties can bring."
Board oversight and engagement with EERM programs continues to lag. Globally, 38 percent of board members and 39 percent of risk domain owners still have lower to insignificant levels of engagement on the EERM agenda. Among U.S. respondents, the number is slightly better with only 23.5 percent who said their organization's board members have lower to insignificant levels of engagement.
"Boards recognize that many third-party relationships have traditionally been managed in siloes within business units in a manner that is neither strategic nor consistent," said Dan Kinsella, principal with Deloitte Risk and Financial Advisory, Deloitte & Touche LLP. "The good news is that boards are becoming more engaged and applying oversight that is creating a more centralized, 'federated' approach to EERM that can reduce redundancies and leverage technologies to help enterprises drive gains, open new markets and decrease the uncertainty that can exist with third parties."
In addition to a focus on increasing maturity and making a renewed business case for investment, the report explores other key areas where most organizations could benefit from further effort:
- Centralized Control – An increasing number of organizations are adopting central oversight and management to accelerate risk awareness and efficiency. Globally, just over half (51.6 percent) defined their organization's structure for EERM as highly centralized or more centralized than decentralized. Among U.S. respondents, a full two-thirds defined their organization's structure for EERM as highly centralized or more centralized than decentralized. Globally, 43 percent of respondents said their organization's EERM structure is equally or more decentralized than centralized. Among U.S. respondents, only 28 percent said their organization's EERM structure is equally or more decentralized than centralized.
- Business Case and Investment – While the main drivers for EERM focus on mitigating risk and compliance, there is an increasing focus on driving value. The business case for investment in EERM is now being driven by other factors that exploit the upside of risk, such as enhancing organizational responsiveness and flexibility, innovation, brand confidence and increasing revenues. Globally, as many as 48 percent of respondents were driven by overall cost reduction objectives in investing in EERM – the highest response percentage. Among U.S. respondents, over 46 percent considered investment in EERM a revenue-generating opportunity; while globally, only 21 percent considered investment in EERM a revenue-generating opportunity.
About Deloitte Global's Extended Enterprise Risk Management survey
Deloitte Global's 2018 EERM survey, "Focusing on the climb ahead," is based on 975 responses from a variety of organizations across major industry segments and from 15 countries across the Americas, Europe Middle East and Africa (EMEA), and Asia Pacific (APAC). A record number of participants this year is reflective of the ever increasing profile and investment third-party risk management is getting within organizations.
Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world's most admired brands, including more than 85 percent of the Fortune 500 and more than 6,000 private and middle market companies. Our people work across more than 20 industry sectors to make an impact that matters — delivering measurable and lasting results that help reinforce public trust in our capital markets, inspire clients to see challenges as opportunities to transform and thrive, and help lead the way toward a stronger economy and a healthy society. Deloitte is proud to be part of the largest global professional services network serving our clients in the markets that are most important to them.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the "Deloitte" name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.