Survey: A Whopping 70% of Organizations Are Ill-Equipped to Deal with Third-Party Risk

While organizations are ill-equipped to deal with third-party risk, they believe the board and risk domain owners need to be more engaged in the issue, according to a Deloitte survey.

The firm recently released the results of its third annual EERM (extended enterprise risk management) survey, based on 975 responses from a variety of organizations across major industry segments and from 15 countries across the Americas, Europe Middle East and Africa, and Asia Pacific.

Only 20% of organizations have streamlined their EERM systems and processes, though a whopping 70% believe that business and macro-economic uncertainties have increased the risks inherent in managing the extended enterprise and 53% of them report ‘some’ or ‘significant’ increase in their level of dependence on third-parties, results indicate.

While ownership and accountability for EERM seems to be well and truly established in the C-suite—with 78% of organizations suggesting that either the CEO, CFO, CPO, CRO or a board member is ultimately accountable for this issue, respondents believe that there is room for improvement in the level of engagement on the EERM agenda by board members and risk domain owners.

How long would it take organizations to become EERM-mature?

In addition, 53% of respondents believe that it will at least two to three years to become EERM-mature, survey results reveal.

“This is a significantly longer journey than anticipated in earlier surveys, when respondents reported that this could be achieved in six months to a year”, said Kristian Park, EMEA Leader, Extended Enterprise Risk Management, Deloitte Global Risk Advisory. “The new time-frame is more realistic.”

The drivers

While the main drivers for EERM focus on mitigating risk and compliance, there is an increasing focus on driving value, Deloitte said.

The business case for investment in EERM is now being driven by other factors that exploit the upside of risk, such as enhancing organizational responsiveness and flexibility, innovation, brand confidence and increasing revenues, the firm added.

Asia Pacific organizations need higher level of engagement from board memebers, risk owners

In Asia Pacific, 44% of respondents report some or substantial increase in dependence on third parties while 57% perceive some or substantial increase in inherent risks related to third-parties, said Deloitte.

However, only 15% of them report they have already had integrated and optimized EERM mechanisms, the firm pointed out.

The most common business case driver for business case for EERM investment in the region is the need to  achieve reduced organizational spend on third-parties in the extended enterprise (42%), while 20% are more driven by the opportunity to increase revenue, for instance by the identification of unreported or under-reported revenue streams, the report indicates.

Other major findings related to the region:

  • 75% of respondents from Asia Pacific have implemented centers of excellence or shared services centers for EERM
  • No respondents have outsourced EERM substantially to a managed services provider
  • 56% of respondents evaluate their organizations' overall control structures to be equally or more decentralized
  • 54% of respondents believe their organizational structures for EERM are decentralized
  • Three out of four respondents lack the knowledge and visibility of sub-contractors
  • 34% of respondents acknowledge they either do not monitor sub-contractor risks at all or do not know if anyone in their organization does so.
  • 19% of respondents state that they monitor sub-contractors on a half-yearly or quarterly basis
  • 9% of respondents have high engagement from their boards
  • Only 15% of respondents have a high level of engagement from risk owners