Value Through Risk
How to create a leadership view on management of third-party risks as a business driver.
Corporate treasurers and finance managers, as well as CEOs, board members, and other stewards of the business, generally pride themselves on recognizing and leveraging new forms of value in the organization. The good news for these executives is that many of them are sitting on a lode of untapped value, which they may be able to harness using extended enterprise risk management (EERM).
That’s because many organizations have extensive opportunities to tap the potential of third-party assets that exist beyond the traditionally recognized boundaries of the organization. What does it mean to extend the enterprise, and what’s the nature of the value and risk that comes with these third-party assets?
Simply put, executives extend the enterprise every time they use a cloud service, outsource a business process, or otherwise spread operations beyond the traditional four walls of the company. Whenever this happens, benefits and risks are derived from those interactions with third parties. The benefits may be new or enhanced services; cloud resources, in particular, are vital for the range and scalability of services they can bring. The risk comes from needing to trust that these third parties—and their subcontractors—are making no mistakes in handling data, ensuring privacy, or doing anything else that would harm the business.
Why Extend?
Extending the enterprise can add depth of expertise and service, open new markets, fuel innovation, and improve the organization’s reputation. Unfortunately, as a recent Deloitte Dbrief poll and a Deloitte UK global survey on EERM both make clear, these opportunities are sometimes obscured by the challenges of understanding the potential value available within the supply chain and getting past the management team’s risk aversion.
Nevertheless, companies are increasingly relying on third-party assets and services to manage and protect systems at the heart of their operations—think core infrastructure, connectivity for life-saving medical devices, customer relationship management, or financial systems and data. And the more mission-critical the assist is that an organization gets from third parties and their contractors, the more risk is injected into the heart of company operations.
Judging by the prevalence of cloud services and other popular means of extending the enterprise, the opportunities for value creation using third parties in the organizational ecosystem are too big to ignore. However, taking advantage of these opportunities requires effective risk management. As external service providers play an increasingly important role in corporate operations, boards are paying close attention. When board members ask management about third-party risks and every executive has a different answer, rather than a cohesive line-of-sight into those risks across the organization, the value of a program to identify, track, assess, and mitigate extended-enterprise risks becomes clear.
A well-structured EERM program helps a company optimize the value it can achieve from its third-party relationships, while keeping the risks in check.
EERM Can Be a Powerful Business Driver
What exactly does an EERM program look like? Every company is unique, so there’s no one-size-fits-all formula. But essentially, an EERM program involves an organization establishing an integrated process for setting strategy and making decisions around third-party risk. Continuous improvement and investment are typically part of the conversation, as is embracing highly customized and data-driven decision support technologies to improve management’s understanding of, and ability to mitigate, risk.
There are also cultural elements: An EERM program needs executive champions to act as internal ambassadors for its value and ongoing investment. Part of these culture shifts involves broad understanding of one fact: The way risk is managed can translate into value for the organization, in the form of standardizing or simplifying processes and avoiding duplication of risk management efforts within business unit silos. As an example, the company might consolidate the security audit process for a third-party vendor that happens to work with many parts of the enterprise, instead of having different departments perform multiple audits on the same vendor over and over again.
Many organizations first look at EERM as a compliance initiative. However, as ongoing shifts in technologies and business models mean companies are increasingly relying on third-party assets for core corporate functions, managers and boards are realizing the need for better visibility into those assets. Applying a streamlined yet customizable EERM process—to manage the risks inherent in reliance on third parties without applying the brakes on business growth—can help a company not only meet regulatory requirements, but also drive competitive advantage and enhance the organization’s reputation.
So, as companies extend the physical and virtual boundaries of the organization with third-party, or even fourth- and fifth-party assets, EERM is best understood as a powerful business driver—rather than just a means of meeting regulatory requirements. In fact, in some ways, an EERM program can be a self-funded initiative. For example, standardizing security audits for a vendor that deals with many parts of the company will generate cost savings by enabling the company to avoid duplication of effort and other inefficiencies.
Research Suggests Work Still To Be Done
The Deloitte Dbrief poll surveyed nearly 2,400 professionals across a range of industries, while the Deloitte UK EERM global survey was a more in-depth survey of 975 senior leaders from top organizations in 15 countries.
Across both studies, it’s striking how low on the EERM maturity curve many organizations are. In the global survey, more than half of respondents reported an increase in dependence on third parties in the past year. And 7 out of 10 believe that business and macroeconomic uncertainties have increased the risks inherent in managing their extended enterprise. However, only one in five said their organization has integrated or optimized its EERM mechanisms.
In the Dbrief poll, a mere 3.9 percent of respondents defined their EERM efforts as “optimized.” This suggests that a very small proportion of organizations have matured EERM to the point of having integrated strategy and decision-making, continuous improvement and investment, executive champions, and highly customized decision-support tools that draw on external data.
Respondents’ self-assessments of their EERM maturity reflect the complexity of the task at hand and the challenges companies need to overcome along the way. Nevertheless, Deloitte UK’s EERM global survey shows that more and more executives are beginning to understand the business case for EERM optimization. Nearly half (48 percent) of respondents said their investments in EERM are driven by overall cost-reduction objectives, which they feel they can achieve either through increased efficiency from using third parties or by preventing overpayments.
This is not to say that executives aren’t still concerned about compliance. Although cost control was the goal of EERM spending for 48 percent of survey respondents, reduction of regulatory exposure (43 percent), addressing internal compliance requirements (41 percent), and reducing the number of third-party–related incidents (34 percent) were also strong business-case drivers.
Executives should consider re-imagining EERM as a path to both value creation and compliance. In our experience, this blended approach occurs when organizations learn to apply risk management only where it’s needed and nowhere that it’s not, and when they strategically leverage risk for efficiency gains.
Barriers to Progress
More than one-third of respondents to the Deloitte Dbrief survey consider their current organization’s processes for measuring and monitoring risks in the extended enterprise to be “ad hoc” or “reactive.” Among the top barriers to progress, respondents cited management challenges—including leadership’s view of EERM as primarily compliance-driven and a lack of EERM awareness beyond the mid-management level, with little board or senior management visibility.
Meanwhile, Deloitte UK’s EERM global survey shows there are no easy fixes. Some 53 percent of respondents predicted the journey to achieve the desired state of EERM maturity will last at least two to three years. That’s a reality check compared with earlier surveys in which these same executives indicated the journey could be completed in less than a year.
These findings suggest that maturity of EERM is lagging at a time when third parties are moving closer than ever to the core of many businesses. The results add new urgency to the need for EERM programs to take a more prominent position on C-suite and boardroom radars. EERM is a tool that can help senior leaders position supply chain risk in the larger context of the organization’s financial health and long-term business strategy.
Deloitte UK’s EERM global survey does reflect an emerging shift toward more centralized oversight and management for EERM, to enable increased risk awareness and consistency companywide. In some organizations, EERM decision-makers take a “federated” approach to risk management processes—blending a top-down, centralized process with a silo-structured, decentralized process. Returning again to the example of security audits, while organizations may standardize much of the process that applies companywide (perhaps the third party’s certifications or how it safeguards data generally), departments in the organization can still customize certain elements of the audit that may be business-unit specific—for example, queries from a pharmaceutical division around how the third-party handles health records.
The flexibility of such an approach to EERM enables the aggregation of information at a corporate level, not only to gain a cross-risk view of third-party relationships, but also to address issues around concentration risk.
Less Risk, More Value
Respondents to the global survey are working on increasing the maturity of their organization’s EERM initiative. To move their company in this direction, they are articulating the business case for EERM, implementing centralized ownership and control of EERM initiatives, and ensuring appropriate visibility into subcontractor performance and rigor in monitoring.
The truth is, we’re talking not just about third-party risk, but about fourth- or fifth-party risk as well. Unfortunately, compliance and regulatory standards don’t typically differentiate. Large companies need to own whatever risk affects their enterprise, especially in light of recent regulations like the EU’s General Data Protection Regulation (GDPR), which includes requirements to manage risk from subcontractors as well.
The Dbrief poll found that a majority of respondents believe their organization will keep investing in EERM programs over the next 12 months. Within that majority, 24 percent believe their organization is most likely to invest in exploring and adopting technology to support their existing extended ERM programs.
As both of these recent surveys show, many organizations are gearing up to address risk drivers as they strategize to activate value-creation opportunities in their supply chain. Many companies are beginning to use EERM to exploit the upside of risk. This affirms the idea that risk management can, and likely will, be a vital performance lever going forward.
Of course, ongoing effort is required to realize the advantages from this changing perception of risk management. Organizations need to place ownership and accountability for EERM in the C-suite. Doing so should help the company improve engagement and understanding of EERM by key stakeholders, including the leaders most able to drive the effort.