November 4, 2019
A Renewed Focus on EERM Practices
by Dan Kinsella
A Deloitte survey finds a recognition that there has been underinvestment in extended enterprise risk management.
With third-party risks on the rise, there is renewed focus on maturing extended enterprise risk management (EERM) practices within most organizations. This focus appears to be driven by a recognition of underinvestment in EERM, coupled with mistrust of the wider uncertain economic environment.
To understand the broader risk environment and provide organizations with the insights needed to effectively assess their risk and adapt processes accordingly, Deloitte recently conducted the EERM Risk Management Survey 2019, obtaining perspectives from more than 1,000 respondents across 19 countries covering all the major industry segments. Results shed light on crucial considerations surrounding economic and operating environments; investment; leadership; operating models; technology; and affiliate and subcontractor risk. More specifically:
Economic and operating environment: Economic uncertainty continues to drive a focus on cost reduction and talent investment in EERM. The main drivers for investing in third-party risk management are: cost reduction, at 62%, reduction of third-party-related incidents, at 50%, regulatory scrutiny, at 49%, and internal compliance, at 45%. Organizations urgently want to be more coordinated and consistent in extended enterprise risk management across their organization, as well to improve their processes, technologies and real-time management information across all significant risks.
Investment: Piecemeal investment has impaired EERM maturity, left certain risks neglected and hurt core basic tasks. Only 1% of organizations say they address all important EERM issues, and only a further 20% say they address most EERM issues. One of the main reasons for this maturity stall is that organizations are taking a piecemeal approach to investment – they are mostly making tactical improvements rather than investing in strategic, long-term solutions. This piecemeal approach has led to certain areas – such as exit planning and geopolitical and concentration risk – being neglected, and some organizations not doing core basic tasks well, such as understanding the nature of third-party relationships and related contractual terms.
See also: The Globalization of Risk Management
Leadership: Boards and senior executives are championing an inside-out approach to EERM, which includes better engagement and coordination and smarter use of data. The survey reveals that boards and executive leadership continue to retain ultimate responsibility for EERM in the majority of organizations. Better engagement and coordination across internal EERM stakeholders is a top priority for boards and senior leaders. Boards are moving away from using periodically generated data to more succinct and real-time, actionable intelligence, generated online. But who has ultimate responsibility for third-party risk management? According to the survey results, 24% indicated the chief risk officer, 19% indicated other board members and 17% indicated the CEO.
Operating models: Federated structures are the most dominant operating model for EERM, underpinned by centers of excellence and shared services. More than two-thirds, 69%, of respondent organizations say they adopt a federated model, and only 11% of organizations are now highly centralized, which is down from 17% last year. Investments in shared assessments and utilities, and managed services models, are also increasing. Furthermore, co-ownership of EERM budgets is also emerging as a trend. Robust central oversight, policies, standards, services and technologies, combined with accountability by business unit and geographical leaders, is a pragmatic way to proceed.
Technology: Organizations are streamlining and standardizing EERM technology across diverse operating units. The survey confirms Deloitte’s prediction last year that a three-tiered approach for third-party risk management will continue. Smartly coordinated investments in third-party risk management technology across three tiers can drive efficiency, reduce costs, improve service levels, increase return on equity and create a more sustainable operating model. More specifically, 59% of the respondents adopted tier one, 75% adopted tier two and tier three continues to grow.
Affiliate and subcontractor risk: Organizations have poor oversight of the risks posed by their third parties’ subcontractors and affiliates. The lack of appropriate oversight of subcontractors is making it difficult for organizations to determine their strategy and approach to the management of subcontractor risk. Only 2% of survey respondents identify and monitor all subcontractors engaged by their third parties. And a further 8% only do so for their most critical relationships. Leading organizations are starting to address these blind spots through “illumination” initiatives to discover and understand these “networks within networks.” Less than 32% of organizations evaluate and monitor affiliate risks with the same rigor as they do other third parties. As affiliates are typically part of the same group, organizations are likely to have a higher level of risk intelligence on them than other third parties.
See also: Is There No Such Thing as a Bad Risk?