Do You Know Who Your Partners Are? Third Party Incidents Impact Almost Every Business
Business relationships are a lot like holiday celebrations with extended family and friends; the more people that are involved, the more complicated the ordeal becomes. More guests means more shopping and cooking, occupied guest bedrooms and conflicting political opinions that only come to light after the eggnog is poured.
Only the host knows the extent of festive chaos that ensues behind the scenes.
Like the host of a holiday party, the responsibility of managing the risk of global organizations is usually left to boards and executives. However, it’s the shareholders that will feel the effects if anything goes awry.
Extended enterprise risk management (EERM) is defined as the practice of anticipating and managing exposures associated with third parties across an organization’s full range of operations, including third-party driven value.
“An extended enterprise is essentially the ecosystem that an organization operates in beyond their four walls,” explained Dan Kinsella, managing partner and U.S. and Americas extended enterprise and third-party assurance leader, Deloitte & Touche LLP.
“Our research shows that those ecosystems are ever-increasing year after year, both in transactions and volume of relationships.”
According to Deloitte’s 2019 annual global survey on Extended Enterprise Risk Management, an expansion of a business ecosystem brings an expansion of associated risks that need to be accounted for.
But as networks of connections are expanding, the umbrella of risk management is not opening fast enough to cover them.
As reliance on relationships with outside organizations increases, so do the associated risks — in turn making it crucial that organizations are properly investing in EERM.
Organizations must have visibility into the risks posed by the extended enterprise, including those from third, fourth and even fifth parties, or risk losses.
Minding the Gap
While countless organizations engage in third-party relationships, there are few that consider the risks those relationships might foster.
According to the survey, 83% of organizations experienced a third-party incident within the last three years of operation, yet only 30% expressed interest in recruiting junior EERM talent. Overall, 1% of organizations felt they were “optimized” to manage all third-party exposure.
The difference in these percentages illustrates that, when it comes to implementing extended enterprise risk management, there is a disconnect between the development of the idea and the execution of the strategy.
While most organizations experienced the pain of third-party shortcomings, less than half are actively seeking to develop the skills that will be required of future EERM professionals.
The professional talent required to manage a large web of partnerships is not developing as fast as EERM strategies are being applied.
“There are not enough people out there who see risk management with this lens. The reality is and the future is that people who have this set of skills will be increased and enhanced because of the demand to drive more consistency and better results for this ecosystem,” said Kinsella.
In order to successfully manage extended parties, there must be open communication. Dialogue is often blocked by data silos, discontinuous monitoring and use of third-party subcontractors.
Technology is making the goal of streamlining information through all platforms more attainable; 56% of organizations are using or intend to use cloud-based platforms for EERM and 45% are using or intend to use robotic process automation.
Federated structures are becoming the most popular operating model for EERM, focusing on shared services and centers of excellence.
This is the most time- and cost-effective use of central oversight, according to Kinsella.
“As opposed to just creating something new, you just kind of connect to the centers of excellence that are out there. You bring it together via a process and technology backbone as opposed to fully centralizing the resources.”
Implementing EERM for Long-Term Value
From an organizational perspective, it’s easy to see how the disconnect between the development and implementation of EERM emerged. Despite its extended history, insurance does not feel the impact of governmental regulations like the financial sector does.
“Banking got regulated on third-party risk management. Insurance is just now coming into it,” said Kinsella.
Like other industries, insurance is attempting to manage EERM from a perspective of long-term value. It’s likely that next year’s survey results will show that implementation strategies are slowly but undoubtedly catching on, even if the immediate impact of them is not substantial.
Preparedness and adaptive strategies that will likely emerge include smarter contracts, better management of affiliate risk, and reliance on operating models.
“Incidents are still rising which means we’re not doing enough,” said Kinsella. “While it will never be perfect, the impact of these events will begin to lessen. They will still happen, but we will be ready.”