In today’s global market, companies typically do business with a large number of entities, including customers, partners, agents, affiliates, vendors, and service providers. Together, these entities constitute what Deloitte calls the “extended enterprise.” Each of these vendors poses risks for the company, which highlights the importance of effective risk management systems. Extended enterprise risk management, or EERM, is “the practice of anticipating and managing exposures associated with third parties across the organization’s full range of operations as well as optimizing the value delivered by the third-party ecosystem.”
Are companies prepared to address the risks associated with their extended enterprise? Deloitte Global’s third annual EERM survey, “Focusing on the climb ahead: Third-party governance and risk management,” showed various trends. The six key areas of focus identified in the survey are:
- Inherent risk and maturity
- Business case and investment
- Centralized control
- Technology platforms
- Sub-contractor risk
- Organizational imperatives
The most significant findings concern sub-contractor risk. Of the 97 respondents, 53 percent reported “some” or “significant” increase in dependence on third parties. Despite the vast dependence on third parties and increased awareness of risk, companies do not show the same level of awareness or monitoring of their third parties’ contractors, that is, the company’s fourth or fifth parties.
More than half of respondents claim they have adequate knowledge and visibility over subcontractors, yet only two percent indicate that they regularly identify and monitor these fourth and fifth parties. Another 10 percent do so only for critical subcontractors. The rest of the respondents either expect their third parties to monitor subcontractors; have an unstructured approach; do not monitor subcontractors at all; or do not know whether they monitor subcontractors.
In addition to subcontractor risk, the survey found that only 20 percent of organizations have updated their EERM systems, and 53 percent estimate it would take two to three years to achieve EERM maturity.
Another significant finding concerns board member engagement. The survey found that board oversight and engagement with EERM programs are low. Globally, 38 percent of board members and 39 percent of risk domain owners still have lower to insignificant levels of engagement on the EERM agenda.