All together now Third party governance and risk management Extended enterprise risk management global survey 2019 - Deloitte
Foreword

Welcome to our annual global survey on Extended Enterprise Risk Management (EERM). We started this survey four years ago to share experiences, opportunities and challenges as organizations take their journeys toward EERM maturity; where the approach to third-party risk management is integrated and consistent across the organization, and led from the top[1].

I am proud to say that this year we attracted our largest number of respondents yet – 1,055[2] from 19 countries around the world[3]. This reflects an increasingly high interest and leadership focus on third-party risk management.

Our survey took place between November 2018 and January 2019, and the sentiment of this period is reflected in the results. Signs of a slowdown in global economic growth were beginning to emerge, together with an atmosphere of greater organizational uncertainty. The survey reveals how organizations are recognizing this change by making greater efficiencies. This is reflected in their investment in actionable intelligence and desire to pool and analyze information on all risks and across the whole organization.

This year’s key findings are:

• The desire to reduce costs has become the biggest driver for investing in EERM maturity, followed by reduction in third-party incidents, regulatory, and internal scrutiny.
• Chronic underinvestment is making it hard for organizations to achieve their desired EERM maturity levels, and more fundamentally, hindered many organizations from doing basic core tasks well. Not being “brilliant at the basics” means the full benefits from cutting-edge initiatives and solutions can’t be realized.
• The pursuit of efficiency is driving organizations to embrace a number of solutions. These include federated structures – where central senior leadership, organizational units, and country teams share responsibility; emerging technologies; shared assessments, and utilities; and managed services delivery models. Organizations are also standardizing and simplifying enabling technologies.
• Boards and executive management continue to take a deep interest in third-party risk management and want to provide more coordinated and responsive input.
• A new insight is that organizations are increasingly aware that if they are going to improve EERM, they need to spend enough money to recruit experienced, and therefore expensive, EERM leadership.

I hope the wealth of information in this report will further enhance your understanding of prominent EERM trends and developments as you navigate your organization on its EERM journey.

Kristian Park
EMEA Leader, Extended Enterprise Risk Management
Global Leader, Third-party Risk Management
Global Risk Advisory
Robust EERM governance is imperative to an organization’s success

Organizations are trying to improve the management of third-party risk by investing in talent, cutting-edge technologies, and robust operating models. Dramatic shifts in the marketplace and push for efficiencies are contributing to an ever-increasing focus on EERM.

With a staggering 83 percent of organizations experiencing a third-party incident in the past three years and only a negligible 1 percent considering themselves “optimized” to address all important EERM issues, it evidently reflects underinvestment in the EERM space.

While 20 percent of respondents claim they are addressing most of the EERM elements, and 50 percent put themselves in the “managed” category, our findings, however, show that these are piecemeal investments focused more on targeted tactical improvements rather than strategic long-term solutions.

Our 2019 survey reveals that boards are championing an inside-out approach to EERM, which includes better engagement, coordination, and smarter use of data. Leaders are also aspiring for greater innovation. This year we’ve seen the emergence of more succinct and real-time actionable intelligence, generated online, for boardroom reporting on third-party risks.

More sustainable operating models for third-party risk management are being embraced – these are characterized by federated structures that are supported by centers of excellence and shared service centers, emerging technologies, shared assessments and managed services models, and a move toward co-ownership of budget.

Our prediction around the growth of a tiered way forward for standardized technology investments in EERM has turned out to be true. Organizations prefer to streamline and simplify third-party risk management technology across diverse operating units.

We believe the severity of consequences of negative actions by third parties to an organization’s reputation, earnings, and shareholder value will continue to increase, and this will drive organizations to invest in improving their EERM processes and frameworks.

A clear line of EERM governance is imperative to the overall success of the organization. Senior leadership can play a crucial role in creating an accountable EERM organization that is set up to mitigate third-party risks, improve compliance, and avert reputation damage and regulatory missteps.

Our risk advisory professionals across the globe can help you understand more about this survey and how the findings relate to distinctive opportunities for your organization. To learn more, please visit us at www.deloitte.com/risk.

Donna Glass
Managing Partner, Deloitte Advisory US
Business Leader, Deloitte Global Risk Advisory
Executive summary: 2019 key findings

There is renewed focus on maturing EERM practices within most organizations. This appears to be driven by a recognition of underinvestment in EERM, coupled with mistrust of the wider uncertain economic environment.

1. Economic and operating environment: Economic uncertainty continues to drive a focus on cost reduction and talent investment in EERM.
2. Investment: Piecemeal investment has impaired EERM maturity, neglected certain risks, and adversely affected core basic tasks.
3. Leadership: Boards and senior executives are championing an inside-out approach to EERM, which includes better engagement, coordination, and smarter use of data.
4. Operating model: Federated structures are the most dominant operating model for EERM, underpinned by centers of excellence and shared services.
5. Technology: Organizations are streamlining and simplifying EERM technology across diverse operating units.
6. Subcontractor and affiliate risk: Organizations have poor oversight of the risks posed by third parties‘ subcontractors and affiliates.
Executive summary: 1 Economic and operating environment

Executives responded to the survey between November 2018 and January 2019, a time of economic uncertainty that has made its mark on the outlook for businesses.

This uncertain economic and business outlook affects EERM by forcing organizations to:

• Challenge EERM budgets and investments;
• Increase operational efficiency to reduce costs; and
• Rethink their strategy for what to engage third parties for.

There is also increased scrutiny from two directions:

• Externally. Regulators globally expect organizations to have established third-party risk management frameworks and have progressed on their journey.
• Internally. More progressive organizations have set up internal compliance mechanisms mirroring the scrutiny applied by regulators.

Organizations have clear motives for investing in EERM:

• Cost reduction remains top. It was cited by 62 percent of respondents, up from 48 percent last year.
• Value preservation comes second: “reduction in number of third-party related incidents” was chosen by 50 percent of respondents, up from 43 percent last year.
• Organizations are more worried about regulatory scrutiny than last year: 49 percent cite it, up from 43 percent.
• Organizations are motivated even more by internal compliance requirements than before. This was given as a reason by 45 percent, up from 41 percent.
Third-party incidents continue to cause disruption with varying impact:

83 percent of organizations experienced a third-party incident in the past three years. Of these:

• 11 percent experienced a severe impact on customer service, financial position, reputation or regulatory compliance.
• 35 percent experienced a moderate impact on customer service, financial position, reputation or regulatory compliance.

What is damaging confidence in an organization’s EERM?

A lack of a coordinated and consistent EERM approach across organizations was cited by 53 percent of organizations. Followed by fears about processes, technology, and real-time management information for EERM, at 49 percent.

Respondents feel an urgent need to be coordinated and consistent in EERM across their organization and improve processes, technologies and real-time management information across all significant risks.

An interesting new insight is that leadership realizes that, despite budget pressures, EERM ambition requires talent investment: spending money now to save money later. This is largely about recruiting expertise. The survey identifies different orders of priority:

• Recruiting more experienced and expensive EERM leaders to coordinate initiatives is higher.
• Recruiting for junior EERM skills is lower. This is probably due to the rise and availability of third-party services and utility models. Only 30 percent cited this as a priority this year.
Executive summary: 2 Investment

Most organizations believe they are underinvesting in EERM:

• Fewer than three in 10 think that their capital expenditure on EERM is the ideal amount or more.
• Fewer than three in 10 think they are spending the ideal amount or more on EERM staff and other operating costs.

Annual operating expenditure on EERM varies significantly between organizations:

Annual operating expenditure on EERM activity has varied significantly, depending on industry, management, EERM delivery models, and so on. 50 percent spend more than US$1 million[5]. The top 11 percent spend more than US$10 million each and employ more than 100 FTE staff.

Piecemeal investment has impaired EERM maturity:

We have tracked organizational investments in EERM maturity over the last four years. This longitudinal study shows that many organizations have made limited piecemeal investments focused on targeted tactical improvements, rather than investing more strategically in longer-term solutions.

• Only 1 percent of organizations consider themselves “optimized”, addressing all important EERM issues.
• Another 20 percent say they are “integrated”: they are not best in class, but have addressed most EERM elements.
• 51 percent put themselves in the “managed” category: they have considered all important elements, but see room for improvement.
• 22 percent consider themselves “defined”: some elements are addressed but with limited effort.
• 6 percent say they are “initial”: none or very few of the elements are addressed.

See figure 2.5 for Deloitte’s EERM maturity model.

Investment is skewed toward certain risk domains:

Annual investments have typically focused on the largest regulatory issues of the year. For example, information security, data privacy, cyber risk, and financial crime in 2018 and 2019. Organizations most commonly allocate EERM budget to:

• Information security: 68%
• Data privacy: 62%
• Cyber risk: 58%
• Regulatory non-compliance: 57%
• Financial crime: 54%
This piecemeal approach has neglected certain areas of risk:

Organizations are failing to review critical areas annually:

• Almost half of organizations do not review concentration risk every year. This tends to be reviewed reactively via reporting as opposed to proactively as part of the EERM process.
• More than 60 percent of organizations do not review exit plans for critical third parties every year.

Organizations are underinvesting in certain areas. Only:

• 18 percent invest in labor rights
• 12 percent in concentration risk
• 12 percent in geopolitical risk

Underinvestment in EERM has weakened the ability to be “brilliant at the basics”:

• 50 percent of organizations do not understand the nature of individual third-party relationships.
• 43 percent lack enough knowledge of contract terms.
• 41 percent do not monitor third parties based on their risk profile.

This limits the benefits from more cutting-edge solutions and hampers attempts to ensure risk management efforts are proportionate to the risk.
Executive summary: 3 Leadership

Boards and senior executives are ultimately accountable for EERM in the vast majority of cases as organizations continue to recognize third-party risk management as an integral part of strategy setting.

• Responsibility rests most commonly with the chief risk officer – in 24 percent of cases.
• Board members are responsible in 19 percent of organizations.
• The CEO is responsible in 17 percent of organizations.

Leaders are raising the bar through emerging technologies:

Last year’s survey identified that senior leadership were favoring red-amber-green (RAG) dashboards to inform their discussions at board and executive committee meetings. At that time, most organizations used static RAG reports, analyzing related third-party data periodically. The latest survey, however, shows that senior leaders are moving from using periodically generated data to more succinct and real-time actionable intelligence, generated online.

New risk intelligence tools are assimilating, aggregating, and examining real-time automated information on all risks across an entire organization. The tools provide alerts, trend analysis, enable scenario analysis, and use emerging technologies such as the cloud, robotics process automation, and artificial intelligence.

This is happening at a time when regulators are starting to encourage innovation in risk management and oversight.

• 56 percent of organizations are using or intend to use cloud-based platforms for EERM.
• 45 percent are using or intend to use robotics process automation.
• 36 percent are using or intend to use visualization techniques to create actionable intelligence.
Boards are now championing an inside-out approach to EERM in addition to the historical outside-in approach. This starts with better engagement and coordination within the business, encompassing organizational units, geographies, risk domains, and subject matter experts.

Many organizations admit to poor engagement and coordination among their internal EERM stakeholders…

• 35 percent say the level of engagement and coordination is low, insignificant, or unknown.
• Only 16 percent of organizations believe it is high.

… but they want to make it better:

• Two in three organizations list better in-house engagement and coordination as a priority action item in EERM.
• 37 percent make it the top priority.
Executive summary: 4 Operating models

Federated structures are becoming the most dominant operating model for EERM. The majority of respondents said their organization has now adopted this model, where strong central oversight is combined with accountability held by organizational units or leaders in different countries, reinforced by a combination of central policies, standards, services, and technologies.

• 69 percent say they are adopting a federated model.
• Only 11 percent of organizations are highly centralized, down from 17 percent last year.

Organizations increasingly use centers of excellence and shared service centers:

• 53 percent of organizations use centers of excellence, and a further 21 percent intend to create them.
• 38 percent have shared service centers, and a further 20 percent aspire to establish them.

Federated structures are often:

• Underpinned by a center of excellence or shared services capability
• Increasingly supported by a managed service (which reduces both headcount and capital spending), emerging technologies, and shared assessments and utilities.
Managed services are an emerging trend:

• 18 percent of organizations use an external managed services provider with staff on the premises. A further 13 percent intend to.
• 18 percent of respondents use managed services to acquire risk intelligence, another 21 percent plan to.
• 11 percent use managed services solutions that deploy EERM as a service, another 14 percent plan to.

The growing use of technology, managed services, and utility models will drastically reduce capital spending (capex):

• 73 percent of organizations think cumulative capital costs should not exceed their annual operating cost, once these next-generation solutions are adopted.
• A further 24 percent believe they should come down to two or three times annual operating costs. This is a sharp decline from respondents’ estimate last year that cumulative EERM capex is typically three to five times annual operating cost.
• The remaining 3 percent believe that this will still remain more than three times annual operating costs.

Co-ownership of budget is another new trend:

Ultimate budget control is retained by organizational leaders and other central first-line functions such as procurement. More than half (51 percent) of organizations said it was retained by the CEO/executive leadership/board (24 percent) and procurement (27 percent). But it is increasingly being co-owned by organizational units (29 percent) and geography leadership (4 percent). These areas have a say over EERM budgets specific to their fields. This approach is enabling organizations to be agile and consistent.
Executive summary: 5 Technology

Last year we predicted that organizations will begin to take EERM technology decisions centrally and we highlighted the emergence of a standard three-tiered technology architecture. This year’s survey shows that both of these stand true and that within the three-tiered technology architecture, organizations are increasingly streamlining and simplifying specific technology solutions for EERM.

[Figure: The evolving tiered architecture for EERM tools and technologies – Tier one, Tier two, Tier three]

Three-tiered technology architecture comprises:

• Tier one: Enterprise Resource Planning (ERP) or procurement platforms that establish a common foundation and operational discipline for EERM. Supported by:
• Tier two: Either EERM-specific risk management packages tailored to an organization’s third-party management requirements, or generic governance, risk management and compliance (GRC), or controls management platforms that include EERM capability; and
• Tier three: Niche packages for specific EERM processes or risks providing feeds from specialized risk domains such as financial viability, financial crime, contract management, and cyber threats.
Tier one

The majority of respondents (59 percent) adopt an ERP or procurement platform as a foundation system for EERM. The most popular platforms are SAP Ariba, Microsoft Dynamics, and Oracle.

Tier two

An even greater majority (75 percent) adopt risk management solutions for EERM. There is debate about the choice between:

• EERM specific packages. Currently 18 percent of organizations use these; and
• Generic integrated risk management solutions tailored for EERM use. Currently 57 percent of organizations use these.

While integrated risk management solutions are more prevalent across respondent organizations, this does not necessarily mean they are the preferred solution. Commentary from respondents suggests that some organizations may choose to use these generic risk management platforms because they already exist in their organizations and can most easily and cost effectively be leveraged to support EERM activities.

The most common solutions are RSA Archer, IBM OpenPages, Thomson Reuters, ServiceNow, and MetricStream.

Tier three

Organizations are increasingly using niche packages for specific EERM processes or risks with feeds from specialized risk domains. This includes:

• Financial viability (30 percent),
• Financial crime (28 percent),
• Contract management (18 percent),
• Sustainability (11 percent), and
• Cyber threats (9 percent).
Executive summary: 6 Subcontractor and affiliate risks

Two key aspects of third-party risk management are not being adequately addressed: i) subcontractors; and ii) affiliates.

Subcontractor risk (also known as fourth/fifth party risk):

Organizations do not know enough about the subcontractors engaged by their third parties. This makes it difficult for organizations to determine how to manage subcontractor risk, and to apply this strategy with discipline and rigor.

Only 2 percent of organizations identify and monitor all subcontractors engaged by their third parties, and only 8 percent (down from 10 percent last year) do so for their most critical relationships. The remaining 90 percent do not recognize the need or have appropriate knowledge, visibility, or resources to monitor subcontractors.

• 11 percent assess subcontractors only when taking on a new third party (up from 8 percent last year).
• 18 percent identify and assess subcontractors ad hoc.
• 44 percent rely on third parties to check their contractors, but monitor the way third parties do this.
• 17 percent do not identify, assess, or monitor subcontractors at all.

This challenge is particularly relevant in regulated industries such as financial services, where systemic concentration risk is a concern for regulators. The challenge, however, is not isolated to regulated industries given broader laws and regulations such as the UK Modern Slavery Act and EU’s GDPR.
Affiliate risk

Less than a third (32 percent) of organizations evaluate and monitor affiliate[6] risks with the same rigor as they do other third parties. A higher proportion (46 percent) take an alternative, typically more simplified, approach to affiliate risk management and the remaining 22 percent said they do not have affiliates.

Pre-screening, due diligence, and monitoring appears to be much lighter touch for affiliates than other third parties. This is acceptable if proportionate to the risk involved, but the approach must be clearly defined and consistent.

Another development is the emergence of global business services (GBS) structures. These aim to integrate governance mechanisms and good practice across all third parties, as well as internal shared services delivery teams. However, the scope of these structures, as well as the entity in which they sit, varies across organizations. This creates multi-layered challenges for third-party risk management.
Executive summary: Future predictions

Business case drivers

Cost reduction as a driver for investment in EERM is likely to be short term. We should expect other drivers that ensure profitable top-line growth to be more prominent in the medium to longer term. This includes EERM investments that can use the skills and capabilities of third parties to:

• Access new markets
• Generate new revenue streams
• Establish competitive advantage

Regulators

Regulators already have significant expectations on how organizations manage third-party risk. We expect regulators to become more powerful and broaden their area of responsibility to address emerging risks as seen by recent laws and regulations, such as the Modern Slavery Act and GDPR.

We also anticipate regulators will encourage innovation in risk management and compliance. For instance, in December 2018 the Federal Reserve, one of the bodies regulating financial services in the US, suggested innovative approaches ranging from building sophisticated financial intelligence units to embracing artificial intelligence for transaction monitoring. We expect the European Banking Authority and UK Financial Conduct Authority to adopt similar stances in the future.

Operating models

Organizations have invested in changes to EERM operating models to gain efficiencies and a more consistent approach across various risk domains proportionate to the risks involved. We predict that this will begin to pay dividends by the end of 2020 or 2021 – in line with respondents’ realistic assessment that it takes two to three years for investment benefits to crystallize.

We also expect that favored models for EERM delivery will continue to change as the functionality of technology solutions develop and confidence and comprehensiveness of market utilities and managed delivery solutions evolve.
Technology

The desire to streamline technology will continue. In response to this:

• Major ERP vendors are increasing the functionality of their tools
• Third-party risk management tools will evolve into broader third-party management tools, where performance, contracts, and commercial matters are managed in conjunction with the risk.

We also expect the evaluation criteria for technology solutions to evolve beyond “cheaper, faster, better” to include:

• Support in emerging markets
• Robotics and cognitive automation
• A consideration of what the shared utilities and managed services platforms of the future can provide.

Expenditure

We anticipate that 2019 and 2020 will see more EERM capital expenditure on transformation initiatives and related design and implementation work to make the shift to platforms that improve the maturity of EERM in the long term.

After this necessary upfront investment, organizations doing this well should be able to achieve their aspiration of limiting ongoing capital expenditure to, at most, the same levels as annual EERM operating expenditure.

Smaller and nimbler organizations, however, may be more able and willing to move toward shared utilities models and adopt emerging technology, therefore demonstrating the inverse trend – higher levels of operating expenditure and only incremental capital expenditure.

Subcontractor risk

Risk management of fourth and fifth parties will gain increasing prominence and investment as organizations better understand the inherent risks and its significance as a potential source of reputation risk.
01 Economic and operating environment

Economic uncertainty continues to drive cost reduction and talent investment in EERM.
The story so far

Over the past four years, our annual EERM surveys have tracked the key drivers for engaging third parties and investments in third-party risk management. Our surveys repeatedly show that organizations increasingly use third parties to meet wider strategic objectives rather than just reduce costs. These include:

• Organizational agility, including flexibility and scalability.
• Product or service innovation, often by using the specialist knowledge and skills of third parties.

In 2015, investment in EERM almost exclusively focused on managing the downside risks, such as regulatory exposure or third-party incidents. There was less focus on exploiting the upside risks that improve organizational performance through initiatives such as:

• Reducing costs by means of efficiencies in third-party management.
• Unlocking new revenue streams through better monitoring of third parties.

By 2018, our survey respondents – including board members and executive leadership – had developed a much stronger understanding of the risks and opportunities that third-party risk management offered. This meant they were more confident that their investments in EERM would show tangible benefits.

Recent economic global uncertainty, however, meant they have been less able to make significant capital investments in transformation initiatives to bring about a holistic and integrated approach to third-party risk management.

2019 findings

Organizations are operating in an increasingly complex and challenging economic and business environment with tougher regulatory regimes and disruptive market shifts.

We also identified a concern among many respondents that the governments of some countries were encouraging insular and non-cooperative behavior that could negatively impact global businesses.

Our current survey reveals this complex and challenging environment is having a significant impact on investments in EERM: Organizations are revisiting their operating models to pursue efficiency and reduce costs.

Investment drivers

This year’s most common drivers for investing in EERM are:

• Cost reduction (62 percent of respondents, up from 48 percent last year)
• Reducing third-party incidents (50 percent, up from 34 percent last year)
• Regulatory scrutiny (49 percent, up from 43 percent last year)
• Internal compliance requirements (45 percent, up from 41 percent last year).

Third-party incidents

Third-party incidents continue to cause disruption with varying impact. The majority (83 percent) of organizations experienced a third-party incident in the past three years. Of these, just 11 percent experienced a severe impact on customer service, financial position, reputation or regulatory compliance, but over a third (35 percent) experienced a moderate organizational impact.

Identified areas for EERM improvement

Despite a focus on cost reduction, just over half (53 percent) of respondents want a more coordinated and consistent approach to EERM across organizational functions. This is the top area for action.

The need to improve processes, technologies, and real-time management information for EERM (49 percent) is second.

The availability of managed services and utility models has reduced concerns about acquiring the more basic EERM skills, and about the overall capacity to deliver. Organizations instead want to invest in EERM leadership talent to coordinate and to lead initiatives.
Fig 1.1 Investment drivers for EERM (percentage of respondents, 2019 with 2018 in brackets)

Cost reduction: 62% (48%)
Reduction in third-party incidents: 50% (34%)
Reaction to regulatory scrutiny: 49% (43%)
Address internal compliance requirements: 45% (41%)
Better response and increased flexibility to market uncertainty: 27% (26%)
Increase in revenue: 26% (21%)
Unlock access to innovative technology solutions: 25% (19%)
Increase in confidence in the organizational brand: 20% (17%)
Unlock access to new markets / channels / products: 19% (15%)
Legend: Exploiting upside of risk; Managing downside of risk

Fig 1.2 Impact of third-party incidents experienced in the last three years

High business impact, such as significant impairment to customer service, material financial losses, significant reputational damage, or regulatory breach (whether resulting in enforcement action or not): 11%
Moderate business impact, such as impairment to customer service, financial losses, reputational damage, or regulatory breach: 35%
Low business impact, such as minor disruption to customer services, small financial losses, limited adverse media, or regulatory breach: 54%

Fig 1.3 Areas where improvement is required to increase organizational confidence in EERM

Coordinated and consistent approach across all organizational functions: 53%
Processes, technology, and real-time management information for EERM: 49%
Governance and holistic oversight of third parties by leadership: 45%
Coordination between business leaders and risk domain owners: 41%
Clarity of related roles and responsibilities: 36%
Skills, bandwidth, and competence in EERM: 30%
Industry highlights

Cost reduction, reduction in third-party incidents, followed by regulatory scrutiny and internal compliance requirements, present the most powerful motives for investment in EERM across most industries. But there are exceptions to this, and particular priorities in different sectors.

• Addressing internal compliance requirements is a higher concern (47 percent) compared to regulatory scrutiny (at 44 percent) in consumer & industrial products.
• Reducing the number of third-party incidents is the most common driver for investment in EERM in energy & resources (74 percent of respondents). This was far above the next highest industry, financial services, at 55 percent.
• A third (33 percent) of organizations in government & public services want to invest in EERM to unlock access to innovative technology solutions. The majority of organizations citing this within the sector were higher education institutions, probably because of their desire for technological innovation to enable initiatives such as distance learning. Finding tech solutions was also common in financial services (27 percent) and technology, media & telecoms (26 percent).
• Government & public services organizations were also by far the most likely to recognize the need for a greater coordination and consistency of approach across organizational functions, at 90 percent.

Organizations in life sciences & health care more commonly suffered high (19 percent) and moderate (46 percent) business impact from third-party incidents. Consumer & industrial products businesses are next: 17 percent of respondents saw third-party incidents with a high business impact, and a further 31 percent experienced a moderate impact. Financial services followed at 10 percent high and 36 percent moderate.

In all sectors, a large number of organizations recognized the need for improvement in processes, technology, and real-time management information for EERM. Life sciences & health care (60 percent) and government & public services (50 percent) particularly believe in the need for better engagement between business unit leaders and risk domain owners.

Deloitte point of view

Organizations have been focusing on reducing costs through better third-party management for several years. We are starting to see more and more organizations taking a two-pronged approach to this:

• By establishing programs to recover overpayments or revenue leakages.
• Through investment in a strategic EERM solution and achieving efficiencies through mechanisms such as shared services.

The shortage of EERM leadership talent is an old problem too. But this concern has been further highlighted by the recognition that initiatives to create efficiencies and improve internal coordination can only be successful if led by people with leadership skills and EERM experience.

We believe the consequences of negative actions by third parties will continue to grow more severe – damaging organizational reputation, earnings, and shareholder value. This will remain a compelling driver for organizations to invest in improving third-party risk management processes and frameworks.

At the same time, regulatory enforcement, mirrored by internal scrutiny and compliance requirements, will continually be a more proactive and continuous process.

More robust third-party management will be driven by radically more severe actions by regulators in a range of sectors – financial services, life sciences and health care, chemicals, food and retail – and legislation and regulations with a global reach and impact, such as the US Foreign Corrupt Practices Act.
Fig 1.4 Investment drivers for EERM by industry (C&IP, E&R, FS, LSHC, G&PS, TMT)*: cost reduction; reduction of third-party incidents; reaction to regulatory scrutiny; address internal compliance requirements; better response and increased flexibility to market uncertainty; increase revenue; unlock access to innovative technology solutions; increase confidence in the organizational brand; unlock access to new markets / channels / products.

Fig 1.5 Impact of third-party incidents experienced in the last three years by industry (C&IP, E&R, FS, LSHC, G&PS, TMT)*: high business impact (significant impairment to customer service, material financial losses, significant reputational damage, or regulatory breach, whether resulting in enforcement action or not); moderate business impact (impairment to customer service, financial losses, reputational damage, or regulatory breach); low business impact (minor disruption to customer services, small financial losses, limited adverse media, or regulatory breach); no such incidents with third parties in the last 3 years.

*See end note 4 for industry categories in full.
Geography highlights

Investments in EERM were most likely to be driven by cost reduction and value preservation strategies in EMEA, followed by the Americas and Asia Pacific:

• Cost reduction: EMEA 63 percent, Americas 60 percent, Asia Pacific 57 percent
• Reduction in third-party incidents: EMEA 54 percent, Americas 46 percent, Asia Pacific 40 percent
• Reaction to regulatory scrutiny: EMEA 52 percent, Americas 50 percent, Asia Pacific 38 percent
• Addressing internal compliance requirements: EMEA 47 percent, Americas 46 percent, Asia Pacific 38 percent.

These statistics probably reflect the relative levels of uncertainty in these regional business environments. The top-ranked drivers also potentially reflect a history of greater regulatory enforcement activity in EMEA and Americas, compared to Asia Pacific countries.

Value creation drivers, other than cost reduction, were marginally stronger in Asia Pacific territories. For instance:

• Increase revenue (for example by identifying under-reported revenue streams): 42 percent in Asia Pacific, but only 30 percent in the Americas and 21 percent in EMEA.
• Better response and increased flexibility to market uncertainty: 32 percent of respondents in Asia Pacific as against 30 percent in the Americas and 25 percent in EMEA.

All regions had a similar occurrence of third-party incidents, although Asia Pacific had a marginally higher proportion of incidents with high business impact – 14 percent, as against 11 percent in EMEA and 9 percent in the Americas.

Fig 1.6 Investment drivers by region (EMEA / Americas / Asia Pacific)

Cost reduction: 63% / 60% / 57%
Reduction in third-party incidents: 54% / 46% / 40%
Reaction to regulatory scrutiny: 52% / 50% / 38%
Address internal compliance requirements: 47% / 46% / 38%
Better response and increased flexibility to market uncertainty: 25% / 30% / 32%
Increase revenue: 21% / 30% / 42%
Unlock access to innovative technology solutions: 27% / 26% / 16%
Increase confidence in the organizational brand: 19% / 13% / 30%
Unlock access to new markets / channels / products: 21% / 21% / 11%
02 Investment

Piecemeal investment has impaired EERM maturity, neglected certain risks, and adversely affected core basic tasks.
The story so far

Developments in EERM maturity have not kept pace with increasingly critical levels of dependence on third parties since our first survey in 2015. Only one in five organizations had integrated or optimized their approach between 2015 and 2018.

Organizations have reset their expectations about a realistic time frame to integrate and optimize the related risk management mechanisms to reach the desired state. They have gradually realized it is at least a two- or three-year journey, rather than a six-month or one-year project, as first thought.

In reality, the optimum state of EERM remains a moving target. Many organizations are still playing catch-up with rising expectations of how innovative third-party and related services could be. Concepts of good practice, related technology solutions, utilities, and managed services are becoming more sophisticated. Consequently, respondents are re-evaluating their earlier self-assessments of maturity.

Some respondents over the years have reported a somewhat sporadic approach to EERM in their organizations, focusing annual investment mainly on the largest regulatory issues of the year. In 2018, for example, that was data privacy. Organizations need to be careful not to neglect wider risks and keep pace with advancements in capability.

2019 findings

There has been strong evidence over the years that such a piecemeal approach to investing in EERM has impaired the speed at which organizations have been able to mature. In the latest survey, only 21 percent of respondents consider themselves “integrated” or “optimized” – only up from 20 percent last year. Just over half (51 percent, and only up from 50 percent last year) consider themselves in the “managed” category.

This year, we asked respondents about their investment in EERM. More than 70 percent believe they are spending less than the ideal amount, or are not sure whether they are. And seven in ten believe they engage fewer employees than necessary for EERM, or are not sure.

Although underinvestment is a common perception across most organizations, annual operating expenditure on EERM varies significantly. Half (50 percent) spend more than US$1 million on their annual EERM operating costs, but the top 11 percent spend more than US$10 million each and employ over 100 full-time equivalent (FTE) staff.

This year’s survey also captured detail on investment in specific risk domains. Investment is skewed toward information security (68 percent of respondents), data privacy (62 percent) and cyber risk (58 percent). And many organizations underinvest in other domains such as labor rights (18 percent) and geopolitical and concentration risk (both at 12 percent).

In most organizations, investment in two areas is underemphasized:

• Exit planning and termination activities related to critical third parties. Exit plans for critical third parties are assessed less than annually for more than 60 percent of the respondents.
• Managing concentration risk. Concentration risks are assessed less than annually for almost half of the respondents. Concentration risk tends to be reviewed reactively via reporting as opposed to proactively as part of the EERM process.

A new insight is respondents realize this piecemeal approach has weakened organizational abilities to do basic core tasks well. The most common factors making it hard to tailor the monitoring effort to the level of risk involved are understanding the nature of third-party relationships (50 percent) and understanding contractual terms (43 percent).
Fig 2.1 Change in level of maturity in EERM (2016–19)

Maturity levels:
1. Initial: None or very few of the above elements addressed
2. Defined: Some of the above elements addressed with limited effort with regard to the above elements
3. Managed: Consideration given to addressing all the above elements with room for improvement
4. Integrated: Most of the above elements addressed and evolved
5. Optimized: Best in class organization – all of the above elements addressed and evolved

Share of respondents (Initial / Defined / Managed / Integrated / Optimized):
2019: 6% / 22% / 51% / 20% / 1%
2018: 6% / 24% / 50% / 19% / 1%
2017: 7% / 29% / 44% / 18% / 2%
2016: 1% / 29% / 48% / 20% / 2%

Fig 2.2 Most organizations believe that they are under-investing in EERM (cumulative capital costs and annual operating costs)

Response options: Yes, we are spending what we ideally should be or more; No, we are spending less than what we ideally should be; No, we are spending significantly less than what we ideally should be; Not sure.
More than 70% believe they spend less than ideally required, or are not sure, in terms of annual operating costs. More than 70% believe they spend less than ideally required, or are not sure, in terms of cumulative capital costs.

Fig 2.3 Top factors challenging third-party risks to be addressed with proportionate effort

There are multiple factors: 85%
No factors – we are able to bring in a proportionate effort to the risks involved: 15%

Limited understanding of third parties across the organization due to divisional/functional silos: 50%
Need for more detailed knowledge of third-party contract terms and related data: 43%
Monitoring or assurance processes are not driven by risk profiles of third parties: 41%
No coherent process to identify, monitor, and assess multiple risks of third parties: 36%
Lack of clarity in classification of third parties as significant or critical to the business: 28%
Limited senior leadership engagement in providing guidance in this regard: 25%
Any other reasons: 4%
Deloitte point of view

Our earlier EERM surveys highlighted that third-party risk has historically been siloed by risk domains and determined by multiple stakeholders driving specific activities. Examples are disruption risks from a supply chain perspective and information security risks related to IT services provided by third parties.

By 2016, more progressive organizations had begun to adopt a more holistic approach, covering all types of third party and all areas of risk. Although these organizations made good progress in covering a broader range of third parties under a more holistic set of risk domains, the lack of adequate budgets has once again focused attention on investing heavily in specific risk domains that have been the subject of legislation. Examples in 2018 are:

• Privacy concerns driven by the General Data Protection Regulation (GDPR) in Europe and similar legislation elsewhere
• Cybersecurity fears following disruptive cyberattacks across the globe.

These limited piecemeal investments in EERM have impaired growth in organizational maturity and made it harder to take a strategic approach to investment. Critically, not being “brilliant at the basics” potentially undermines an organization’s efforts to realize the benefits from more cutting-edge initiatives. As a result, the benefits realized are a small fraction of the potential.

Organizations should reinvigorate their focus on bringing third-party risk management together by streamlining processes and frameworks, while regularly exploring opportunities that make them more integrated, efficient, and effective.

Organizations should also consider allocating a higher proportion of annual EERM operating expenditure (opex) to pre-screening and exit planning and termination activities – perhaps about 10 percent to each of these. This would supplement the focus on selection – due diligence and contracting at 20 to 30 percent of the budget, and ongoing monitoring at 50 percent or a little above. This mix of spending would help organizations evolve their approach from detective to more preventive mechanisms.
Deloitte EERM Maturity Model (levels Initial and Defined)

Governance & oversight
  Initial: No formal governance
  Defined: Limited local governance in place; minimal effort in reducing risk

Policies & standards
  Initial: Limited formal policies and procedures in place
  Defined: Local policies and procedures in place

Business processes
  Initial: Few activities defined; firefighting mode
  Defined: Defined processes in siloes; functional, reactive problem-solving

Tools & technology
  Initial: Simple and least expensive tools used ad hoc
  Defined: Off the shelf tools used for problem-solving; limited access to third-party data

Risk metrics & reporting
  Initial: Limited metrics and reporting
  Defined: Local ad hoc metrics and reporting

People & organization
  Initial: Individual effort; little management input; lack of training
  Defined: Responsibilities built into existing roles; increased input from management

Risk culture
  Initial: Risk-taking for quick fix benefits
  Defined: Risk-taking for short term benefits