Risks of a third-party incident

Organisations struggling to keep on top of third-party risks

Findings from Deloitte's annual global survey on EERM: developments in EERM maturity have not kept pace with the increasing dependence on third parties.

For many organisations, their third-party ecosystem – or ‘extended enterprise’ – is an important source of business value and strategic advantage. However, as the reliance on third parties continues to grow, so do the associated risks, bringing potential reputational damage and regulatory action.

Extended enterprise risk management (EERM) is the practice of anticipating and managing exposures associated with third parties across the organisation’s full range of operations as well as optimising the value delivered by the third-party ecosystem.

The tentacles of third-party risk extend into the farthest corners of the extended enterprise ecosystem, so it’s vital that organisations have complete visibility of the network and are managing it accordingly.

What are the risks of a third-party incident?

More than eight in 10 (83%) of organisations have experienced a third-party incident in the past three years, according to Deloitte.

The company carries out a global survey on EERM annually. This year’s findings suggest that developments in EERM maturity have not kept pace with the increasing dependence on third parties. Deloitte attributes this to “chronic underinvestment”, which has seen firms neglect certain risks – nearly half (41%) of the respondents said they do not monitor third parties based on their risk profile.

However, Donna Glass, Managing Partner, Deloitte US, is expecting to see an increase in investment levels over the coming years.

She said: “We believe the severity of consequences of negative actions by third parties to an organisation’s reputation, earnings, and shareholder value will continue to increase, and this will drive organizations to invest in improving their EERM processes and frameworks.”

Currently, the desire to reduce costs is the biggest driver for investing in EERM maturity (indicated by 62% of respondents), over and above a reduction in third-party incidents (cited by 50% of participants).

Leadership taking responsibility

As better management of third-party risk has come to be viewed as a transformation opportunity, boards and senior leadership now hold ultimate responsibility for EERM in more than three-quarters of respondent organisations.

Leaders are turning to technology to improve EERM process efficiency and ensure their organisations are capturing and managing all third-party risks.

New risk intelligence tools are assimilating, aggregating, and examining real-time automated information on all risks across an entire organisation. The tools provide alerts and trend analysis, enable scenario analysis, and use emerging technologies such as the cloud, robotic process automation, and artificial intelligence.

However, the tools are only as effective as overall business engagement in EERM. With more than a third (35%) of respondents stating that the level of engagement and coordination is low, insignificant, or unknown – and just 16% saying it’s high – it’s clear there’s work to be done here.

For that reason, two out of three organisations have made better in-house engagement and coordination a priority, with 37% making it their top priority.

Fourth-party risk not being addressed

Deloitte’s report ends by assessing organisations’ oversight of the risks posed by third parties’ subcontractors and affiliates – referred to as fourth- and fifth-party risk.

It found that just 2% of respondents identify and monitor all subcontractors engaged by their third parties. A further 8% do so for their most critical relationships. The remaining 90% lack the required ongoing focus.

This expansion of subcontracting chains has led to a rise in disruptive incidents caused by organisations that appear, at first sight, to have little to do with the primary organisation at the other end of the chain. Regulators are increasingly holding firms responsible for lack of oversight of their supply chain relationships, the report notes.

Seeking specialist EERM advice

Now that EERM has become a board-level issue, is it time your senior managers reviewed their exposures in this area?
