Tag Archives: enterprise risk management

Perspectives on Risk Culture Building

If you are still trying to identify all the risks you are exposed to within the context of your business or spend endless hours converting historic data into useless risk reports in an effort to mitigate as much risk as possible for a green light on the road to taking less risk (for less reward); if you are spending a fortune on controls and the digging of trenches for your lines of defense… fear no more!

The Radical Risk Management process is here, and the future is bright for those who choose to go through the disruption of dumping the outdated thinking, concepts, models and processes — things like the risk management “process” that is based on the assumption that it is possible to identify all the risks you are exposed to and then follow a dedicated process of mitigating all those risks as well as ideas like “Green is Good” and the three, four or, even worse, five “lines of defense.”

The management of risk is a mental process, not a technical process of data gathering, evaluation and reporting at consistent intervals with an expectation of a different outcome, or even improvement. Those who do nothing will just be exploited by those who change and get better at the management of risk.

This radical process involves only four components: Situational Awareness, Mental Simulation, Naturalistic Decision-Making and, finally, Response Execution. 

These are built around key elements of an effective risk culture, namely: Risk Intelligence gathered from everywhere (not just last quarter’s outdated risk report), a Risk Nervous system through which this information can flow everywhere in the business (not a process of sanctification where reporting gets better the higher it goes) and all employees having the Competencies and skills to manage the risks associated with their jobs on a daily basis to ultimately build sustainable competitive advantage for the organization (no levels of assurance, squadrons of policemen or lines of defense; there is nothing to defend against).

Risk Intelligence

“Information is anything that can be known, regardless of how it is discovered. Intelligence refers to information that meets the stated or understood needs of [the users] and has been collected, processed and narrowed to meet those needs. Intelligence is a subset of the broader category of information. Intelligence and the entire process by which it is identified, obtained, and analyzed respond to the needs of [users]. All intelligence is information; not all information is intelligence” –Mark M. Lowenthal, Intelligence: From Secrets to Policy (from Special Warfare Bulletin, JFK Special Warfare Center and School, Fort Bragg.)

In an effective risk culture, people care enough to think about the risks associated with their jobs before they make decisions on a daily basis.

In the ultimate risk culture, every person acts as a risk manager and will constantly evaluate, control and optimize risks to make informed decisions and build sustainable competitive advantage for the organization.

Success depends on the levels of accountability you drive in your organization and the time and effort you put into building an effective risk culture. Do not even attempt this if you are going to keep a process of making risk decisions in committees where these decisions are “syndicated” without anybody taking any accountability. That will not work in the Radical Risk Management process!

There is also no need to employ consultants to help you with this. I could never understand why organizations would pay outsiders to come in, gather ideas from their staff and convert these into PowerPoint presentations they sell back to the organization. There is no one-size-fits-all blueprint for the Radical Risk Management process; you have to build a unique process in your organization, based on the underlying corporate culture and organizational structure and focusing on driving both the behaviors you want to encourage and the behaviors you want to avoid.

You need to take each of the four components and develop these within the context of your business strategy, goals and objectives. If a risk will not prevent you from reaching your business goals, don’t worry about it; you can never identify all the risks you are exposed to, and the key factor is how your employees will respond to a situation of risk in real time. Business is not a game, and business decisions based on last quarter’s risk report are not such a good idea in real life; there is no reset button!


Let us briefly look at the four components:

Situational Awareness Is:

  • “The perception of the elements in the environment within a volume of time and space, the comprehension of their meaning and the projection of their status in the near future,” as defined in Endsley’s model of Situational Awareness.
  • “Skilled behavior that encompasses the processes by which task-relevant information is extracted, integrated, assessed and acted upon” (Kass, Herschler, & Companion, 1991).
  • “Continuous extraction of environmental information, integration of this information with previous knowledge to form a coherent mental picture and the use of that picture in directing further perception and anticipating future events” (Dominguez, 1994).

Situational awareness is having an accurate understanding of our surroundings — where we are, what happened, what is happening, what is changing and what could happen; knowing what’s going on so you can figure out what to do, collecting information from your surroundings and situation to improve your decision making and circumstances by:

  • Using your senses (sight, smell, sound, taste and touch)
  • Monitoring the messages that others are providing through their behavior and communications
  • Being attentive to environmental circumstances that may indicate challenges, opportunity or danger

Reticular Activating System

A pathway in your brain that:

  • Filters incoming information
  • Turns on the “pay attention” button
  • Expands your intuition
  • Improves the message system between your subconscious brain and your conscious brain

Levels of awareness

  • Tuned Out
  • Relaxed Awareness
  • Focused Awareness
  • High Alert
  • Incapacitated

Mental Simulation is our mind’s ability to imagine taking a specific action and simulating the probable result before acting. Anticipating the results of our actions improves our ability to solve new problems. Mental Simulation relies on our memory, learned via perception and experience. (Josh Kaufman, The Personal MBA)

There are a number of things you can do to minimize the perceptual analysis. The first is doing exactly what you are doing at this moment. You are thinking! Become aware of the possibilities and think about them. Sudden situations of risk and the likely adrenaline dump are not things we are used to or comfortable with. By thinking about our reactions, by cognitively dealing with the possibilities of outcomes, we take the first step in managing the risk response.

Mental Simulation includes running imagery of the situation and the actions to achieve outcomes. Imagery is the set of mental visual pictures of oneself proceeding through a series of actions. Imagery can go beyond just pictures and incorporate the other senses, as well. Research into the use of imagery indicates that it has positive effects, including improving self-confidence, task completion, concentration and coping. Effective use of the imagery technique has seven elements: physical, environment, task, timing, learning, emotion and perspective (PETTLEP; see Dave Smith, Caroline Wright, Amy Allsopp, and Hayley Westhead, “It’s All in the Mind: PETTLEP-based Imagery and Sports Performance,” Journal of Applied Sport Psychology 19/1 (2007)).

Naturalistic Decision Making 

Decision making involves assessment and choosing a course of action. Decision making requires an understanding of the situation and controlled thinking. The situation determines the urgency of the decision, risks and limits of action.

The naturalistic decision making (NDM) framework emerged as a means of studying how people make decisions and perform cognitively complex functions in demanding, real-world situations. These include situations marked by limited time, uncertainty, high stakes, team and organizational constraints, unstable conditions and varying amounts of experience. Every business in today’s marketplace operates under these conditions, and practicing this based on last month’s risk report can be futile.

Mindfulness is a key element in decision making. Mindfulness is the idea that one should be present in the moment and acknowledge his or her own feelings, thoughts and sensations. Arguably, mindfulness is linked to situational awareness. Research suggests that mindfulness decreases accidents and mistakes while increasing memory and creativity. Researchers also assert that mindfulness can decrease stress and even increase a person’s general health. Additionally, recent research into mindfulness showed that it could actually change the brain physically for the better. This research indicated that mindfulness could increase the density of brain matter in the anterior cingulate cortex and the hippocampus, resulting in better attention, self-regulation, thinking flexibility, reduced stress and increased memory.


Response Execution

Once these steps are complete and a response has been selected, the response, or action, must be executed. Correct and effective execution requires smooth and timely coordination to achieve the desired result of optimizing the risk to get maximum benefit for the organization. The availability of resources also affects a response, and inadequate attention to it results in ineffective execution.

Peak Response Execution is an action of optimal cognitive, emotional and physical functioning. Cognitively, people are at their peak when they have focused attention, ignoring unimportant things and allocating brain power to the task at hand. War fighters performing at their peak can better assess the situation, make decisions and perform the right tasks at the right time. Additionally, individuals performing at their peak are less likely to succumb to stress and choke when it counts.

That is it! You have to research each of these four components and apply your learning to your organization to build a Radical Risk Management process in your organization. With no blueprint, there is nothing to implement, and there is also no standard. (I hope somebody will not try to create a standard for Radical Risk Management and a whole industry of three-day certification courses to try and certify Radical Risk Management Practitioners).

The way forward: You can take the concept and go forward at your own pace and own target, as long as you use the process outline graphic with due reference. Alternatively, you can steal the concept and develop it further for your own commercial gain, but “chickens always come home.” 

Adios to ‘3 Lines of Defense’ Risk Model

In this age of disruption, all those organizations that spent many years and lots of cash to dig beautiful trenches for their useless Three Lines of Defense are being seriously damaged. These organizations are now left needing even more effort, to fill up their trenches and get out on the battlefield of real business.

R.I.P., Three Lines of Defense model (the three being: operational managers; risk managers and compliance functions; and internal auditors). Your creators saw a tiny speck of light, but millions are left without defense, and the trenches are in shambles. Sadly, your ghost will haunt many for a long time. They still have three lines, but these are now so blurred that organizations must be extremely careful not to kill their own front-line fighters, a situation much worse than running around in the old trenches. 

The model turned into a story of failed backward innovation — making something useless even more useless... and that in the middle of the age of disruption.

As Michael Volkov recently said: “The IIA’s revised model [for the Three Lines of Defense] should be ignored and relegated to the ash heap of bad ideas.”

The elephant in the room is actually a grey rhino, not a black swan; it is time for risk practitioners to learn the lessons. Time to wake up to the reality that an outdated risk management process of steps to Identify, Analyze, Evaluate, Treat and Monitor the Risk, together with beautifully crafted RAG reports linked to a bunch of risk-mitigating responses, are of no use, and that following any standard or framework contributes nothing to the actual management of risk. The effective management of risk depends on the risk management skills of the front line and the decisions made by them in every situation of risk that they encounter.

It is time for auditors to get away from the management of risk, far away — and to stay away. By the time anything gets to their line, it is too late anyway; all they can do is to issue a finding, implying that they “found” something. I have never seen an auditor resuscitate a dead business. Lately, we see more cases where they actually contributed to the death of organizations through a lack of diligence and susceptibility to corruption.

What a pity that the hours of heated, heat map-driven debates in the risk committee meetings on whether something should have been red, amber or green at the end of last month (or, even worse, last quarter) came to... nothing!


The dominant personalities glaring at risk reports created from historic data, with their thinking clouded by unconscious biases, also made the syndication of decisions in these meetings so much more difficult. The hear no evil, see no evil, do no evil committee members who were mostly dedicated to their mobile phones during these debates are still going with the flow. Just like dead fish.

We also learned that “tested” business continuity plans are of very little value; no disaster will follow your plan. Success lies in the way each and every employee will respond to the situation of risk on D-day.

It is time for risk practitioners to grab the bull by the horns and learn this elephant-size lesson that the only way forward is building an effective risk culture and teaching everyone in the company radical risk management skills.

Claims and Effective Risk Management

The cost of claims has been at the heart of Total Cost of Risk (TCOR) since even before the inception of risk management as a separate function. The sheer magnitude of losses, insurable or not, defines so much of what risk managers focus on and tends to be what they report on most often, as well. The nature of mature and, by inference, effective risk management programs has claim management as a key focus. While risk maturity is directly correlated with risk effectiveness, this latter term encompasses a much broader perspective on things that matter. 

Not surprisingly, many components of risk management maturity have some connection to effective claim management. Accordingly, it is appropriate to understand what these components are and how they dovetail with a more comprehensive view into effective risk management. Admittedly, this perspective relates most to the traditional practice of risk management, focused on hazard risk, but failure in this realm will likely point to failure in other areas of risk management.

Components of Risk Discipline 

To instill risk discipline, and, by extension, maturity into claim management, one must set the tone for effectiveness across the spectrum of risk management activities and significantly feed overall risk management performance. This tone will influence the ability of risk leaders to act as “trusted advisers” to organizational decision makers. This should be a key goal for risk leaders, critical to long-term effectiveness and functional sustainability.

The starting point for this subject involves two key things. The first is how one defines “risk” and drives a consensus among key stakeholders about that definition. Claims are, of course, the outgrowth of risk and exposure. This direct relationship is the essence of why claims and effective claims management have a direct relationship to effective risk management. Whether this aspect of the discipline gets done by insurers (as part of the insurance contract), insureds (as part of a self-administered claim operation) or through third parties (independent adjusters, third party administrators, etc.) makes little difference. Effective claim management feeds effective risk management.

The second issue is both which risks are your focus and where on the loss curve they fall. This may sound simple, but the reality is that many risk leaders have responsibilities for only a portion of the risks that organizations face; often only the insurable risks. If that’s the case, the need to focus on claim management is clear; one leads to the other.

The Basics of Effective Risk Management Maturity

If you are a risk leader with broad accountability for risks, then the first question of “what is a risk to your firm?” requires total clarity. For the purposes of this article, a good definition of risk is “uncertainty” as it relates to the accomplishment of objectives. This simple definition captures the most central element of concern — uncertainty. However, the real challenge is determining the amount of uncertainty (such as frequency/likelihood), as well as the level of impact or severity. Each risk leader must make this choice and get it validated by his or her organization.

While many leaders focused on hazard risk look at risks at actuarially “expected” levels of loss, the challenge is how far out on the tail one should manage. While the possibility of loss becomes increasingly remote as you move out toward the tail of the curve, the impact of events becomes more destructive. Because the magnitude of loss in this realm can be catastrophic, the importance of both preventing and mitigating these events and their impact becomes critical. Central to after-loss mitigation is the claim management process. Related key questions that every risk leader must answer include:

  • What matters more to your organization: likelihood or impact, or are they equal?
  • What level of investigation should you apply to less likely risks?
  • How do we apply typically limited resources to remotely likely risks?
  • Do you have a consensus among key stakeholders as to what risks to focus on and how?
  • Do you have or need an emerging risk identification process?
  • Do you have a consensus on and clear understanding of how you define risk in your organization?
  • Have you educated your organization on the correlations between losses, claims and risk effectiveness?

These questions are the starting point for ensuring risk management maturity. From your answers to these questions, you can chart your course for what this will mean to your firm. The answers will define the process elements of maturity that will be needed to achieve your desired state. But we need to define what risk maturity is to track progress toward this state and to ensure that stakeholders are aligned around the chosen components necessary to get there. Understanding the attributes of claims and risk maturity includes:

  • Managing exposures to specifically defined appetite and tolerances;
  • Management support for the defined risk culture that ties directly to the organizational culture;
  • Ensuring disciplined risk and claim processes aligned with other functional areas;
  • Creating a process for uncovering the unknown or poorly understood (aka emerging) risks;
  • Effective analysis and measurement of risk and claims both quantitatively and qualitatively; and,
  • A collaborative focus on a resilient and sustainable enterprise, which must include a robust risk and claim strategy.


Examples of Risk Management Maturity Models

One thoroughly developed risk management maturity model (RMM) comes from the Risk Management Society (RIMS). While it was developed some 10 years ago, it remains a simple, yet comprehensive view of the seven most important factors that inform risk maturity. When well implemented, these components should drive an effective approach to managing all risk within your purview. 

The components of the RIMS RMM model include:

  • Adopting an enterprise-wide approach that is supported by executive management and that is aligned well with other relevant functions;
  • The degree to which repeatable and scalable process is integrated in the business and culture;
  • The degree of accountability for managing risk to a detailed appetite and tolerance strategy;
  • The degree of discipline applied to using the elements of good root cause analysis;
  • The degree to which a robust emerging risk process is used to uncover uncertainties to goal achievement;
  • The degree to which the vision and strategy are executed considering risk and risk management; and,
  • The degree to which resiliency and sustainability are integrated between operational planning and risk process.

Like all risk management strategies, no two are exactly the same, and there is no one way to accomplish maturity. Importantly, every risk leader needs to do for his or her organization what the organization needs and will support. 

Of course, RIMS is not the only source of risk maturity measurement. Others, including Aon, offer other criteria. Aon’s model includes these components:

  • Ensuring the board understands and is committed to the risk strategy;
  • Effective risk communications;
  • Emphasis on the ties among culture, engagement and accountability;
  • Stakeholder participation in risk management activities;
  • The use of risk information for decision making; and,
  • Demonstration of value.

This is not to say that the RIMS model ignores these issues; the two models simply place their emphasis differently.

Another model worth considering is Protiviti’s perspective on risk maturity as it relates to the board of directors’ accountability for risk oversight. A few highlights of the perspective include:

  • An emphasis on the risks that matter most;
  • Alignment between policies and processes;
  • Effective education and use of people and their place in the organization;
  • Ensuring assumptions are supportable and understood;
  • The board’s ability to ask the right questions; and,
  • Understanding the relationship to capability maturity frameworks.

Certainly, good governance is critical to ultimate success, and the board’s role in that is the apex of that consideration. If the board is engaged and accountable for ensuring their risk oversight responsibility is effectively executed, the successful execution of the strategy is likely and, by inference, risk and related claims will have been effectively managed, as well.

Another critical aspect of the impact of risk and claims that should not be overlooked is their impact on productivity. If productivity is directly related to people’s availability to work, then we can quickly agree that risks produce losses that affect both people and property, oftentimes together. We can readily agree that impacts to productivity are a frequent result of losses and the claims they generate. Further, productivity impacts are not just limited to on-the-job injury. Every car accident, property loss or general liability loss that includes personal injury has implications for productivity, in either the workplace or outside of the workplace. As a result, it behooves all risk and claim leaders to execute their roles by aligning their interests and driving their focus.

Finally, a few fundamentals that are important in executing these goals include understanding that:

  • how you handle claims will directly affect not just your TCOR but your overall risk management capability and effectiveness; 
  • there is no one right approach to managing claims or risks; each organization must chart its own course aligned with its culture and priorities;
  • risk and the claims they can generate must be treated as an integral aspect of organizational strategy;
  • risk and claim management should be a focus on additive value; and,
  • greater risk and claim maturity has been shown to produce better results.


In its simplest form, risk management is about preventing (or, on the upside, leveraging), financing and controlling risk and loss. Effective risk management is dependent on many elements, not least of which is effective claims management. And while claims are naturally focused on negative events that have already occurred, this activity is centrally critical to comprehensive, effective risk management.

How you prioritize claims and related activities will have significant effects on how you can contribute to organizational success. Doing both well will enable both risk and claim management effectiveness, demonstrated by measurable maturity.

Key Indicators of Weak ERM Programs

Almost every insurer has an official list of risks, often referred to as a risk register. Maintaining a risk register is a basic step in managing risks, following risk identification, prioritization, assignment of risk owners and creation of mitigation plans. 

One problem with many risk registers is that they are filled with generic risks. Although these risks may be real ones for the company, their lack of specificity does not contribute to a true understanding of them in the necessary detail or to planning targeted mitigations for them. 

For example, a risk register might show a risk such as “premium receivables may be late, resulting in ‘over 90s’ or uncollectable premiums,” a risk that every insurer has to some degree. However, for the company in question the real risk is “underwriters may have too much discretion to change premium collection terms and conditions leading to ‘over 90s’ or uncollectable premium.” The generic version does not indicate the root cause of the risk and can lead to ineffective mitigation strategies.

Or, a risk register may show a risk as “difficulty in attracting talent for open positions” when the real risk is “social media and internet sites may not present the company in a good light, making it hard to attract talent.” By stating a generic risk, management does not have to admit what it may not want to acknowledge.

Yet another example is a risk register that has stated an IT risk as “too many legacy systems still exist, creating data and service issues,” when the actual risk is “the XYZ underwriting system is not adequately integrated with other systems to create accurate data and seamless processing or a competitive customer experience.” Not naming the culprit system(s) omits the source and scope of the risk, and not adding some modifiers to the effects of the risk omits the true nature of what is at stake if the risk is not addressed.

The more nebulously a risk is characterized, the less clear it is who should be the risk owner. Without a clear and appropriate risk owner, the greater the chance that the risk will not be adequately addressed.

Regardless of the category of risk, without specifics the entries in many risk registers seem more for external consumption than internal action. If the same list of risks could be adopted by any other insurer of the same size, age and business mix, then it is not fit for purpose for the insurer whose risks it is supposed to represent. It may be fine for an externally published list of risks to lack detail that could be considered proprietary, so long as it meets certain thresholds, but it is not fine for a list intended for internal use.


Another big problem with risk registers is that many do not include the strategic risks the company needs to be concerned about. Strategic risks tend to stem from the vision, mission and goals of the company. A strategic risk might concern the lines of business written, the customer segments targeted or the geographic footprint. For example, a risk for a WC monoline insurer might be “premium volume may shrink significantly in the next five years due to robotics and AI reducing the size of the workforce.” A risk for an “internet only” insurer might be “there may be difficulty reaching sufficient scale because of the lack of barriers to entry by identical competitors and because some buyers will never buy over the internet.” Such an insurer will also have a talent risk because of competition for IT talent across all insurers and industries.

Or, a risk for an insurer that has high concentrations in Cat-prone states might be: “Without further geographic expansion, the lack of diversification may hurt profitability significantly.”  

It is simply not common to see these types of strategic risks listed in the risk register. Yet, strategic risks tend to be the most existential of all risks. In the past, some large insurer failures stemmed from strategic risks not being addressed appropriately or at all. For example, risks associated with undisciplined growth or delayed reaction to underperforming books of business, which are strategic risks, have not been recognized by insurers, and such insurers have paid a steep price for that lack of recognition. 

An additional problem with risk registers is the mediocrity of the planned mitigations. A good risk register should minimally show: 1) the risk, 2) its ranking as to impact and likelihood, 3) the risk owner, 4) the planned mitigation and 5) the status of the mitigation efforts at each update of the register.

Undoubtedly, it is key to identify the risks, but identification and recording of these do nothing to help the organization unless there is adequate mitigation. Mitigation can take many forms: avoiding, transferring, minimizing or accepting the risk, albeit with a contingency. A planned mitigation that is too weak, too expensive relative to the risk or impossible to implement will not benefit the organization. Worse yet, an inadequate mitigation may allow the risk to grow while the board or senior management thinks it is being reduced.

The mitigations in the register should not be just a recounting of current controls or risk-reducing practices already in place; they should be innovative and robust tactics for attacking the risks.

Boards, senior management and chief risk officers should evaluate their risk registers based on these questions:

  • To what extent are risks stated clearly and specifically?
  • Are there risks included that are unique to the company?
  • Based on how the risk is stated, is it clear who the risk owner should be?
  • Based on how the risk is stated, does it help to pinpoint what type of mitigations are needed?
  • To what extent are strategic risks included?
  • Are there current or emerging strategic risks that are not included?
  • Are the planned mitigations equal to the seriousness of the risks; i.e., are they sufficiently robust?
  • Is the cost of the planned mitigation in balance with the potential impact of the risk?
  • Are the planned mitigations attainable and implementable?
  • Is the mitigation plan implementation on track?
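As an added illustration (not from the article), the five register fields and the evaluation questions above can be turned into a small checker that flags generic entries, missing owners, accepted risks without a contingency, mitigations out of proportion to impact or cost, and off-track status. The 1..5 ranking scale, the monetary figures, the field names and the sample entries (two of them adapted from the premium-collection example in the text) are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Treatment forms named in the text: avoiding, transferring, minimizing or accepting (with a contingency).
TREATMENTS = {"avoid", "transfer", "minimize", "accept"}
SCALE = 5  # constructed 1..5 ranking scale for impact and likelihood


@dataclass
class RiskEntry:
    risk: str                         # 1) the risk statement
    impact: int                       # 2) ranking: impact, 1..5
    likelihood: int                   # 2) ranking: likelihood, 1..5
    owner: Optional[str]              # 3) the risk owner (None = nobody named)
    mitigation: str                   # 4) the planned mitigation
    status: str                       # 5) status at this update: "on track", "behind", "not started"
    treatment: str = "minimize"       # one of TREATMENTS
    root_cause: Optional[str] = None  # named source (system, process gap); None marks a generic entry
    potential_loss: float = 0.0       # constructed estimate of the loss if the risk materialises
    mitigation_cost: float = 0.0      # constructed cost of the planned mitigation
    residual_likelihood: Optional[int] = None  # likelihood after mitigation, if estimated
    contingency: Optional[str] = None  # required when the risk is accepted


def expected_loss(e: RiskEntry) -> float:
    return e.likelihood / SCALE * e.potential_loss


def expected_reduction(e: RiskEntry) -> float:
    """Expected loss the mitigation avoids; zero when no residual likelihood was estimated."""
    if e.residual_likelihood is None:
        return 0.0
    return (e.likelihood - e.residual_likelihood) / SCALE * e.potential_loss


def review_entry(e: RiskEntry) -> List[str]:
    """Apply the register questions to one entry and return the findings (empty = passes)."""
    findings = []
    if e.root_cause is None:
        findings.append("generic statement: no root cause or named source")
    if not e.owner:
        findings.append("no risk owner named")
    if e.treatment not in TREATMENTS:
        findings.append(f"unknown treatment '{e.treatment}'")
    if e.treatment == "accept" and not e.contingency:
        findings.append("risk accepted without a contingency")
    # Robustness: a high-impact risk whose mitigation lowers nothing is not equal to its seriousness.
    if e.impact >= 4 and e.treatment != "accept" and expected_reduction(e) <= 0:
        findings.append("mitigation not equal to seriousness of a high-impact risk")
    # Cost balance: paying more for the mitigation than the expected loss it avoids.
    if e.mitigation_cost > expected_reduction(e):
        findings.append("mitigation cost exceeds the expected loss it avoids")
    if e.status != "on track":
        findings.append(f"mitigation status is '{e.status}'")
    return findings


def review_register(entries: List[RiskEntry]) -> Dict[str, object]:
    """Map each risk statement to its findings and count how many entries are weak."""
    findings = {e.risk: review_entry(e) for e in entries}
    weak = sum(1 for f in findings.values() if f)
    return {"entries": len(entries), "weak": weak, "findings": findings}


# Constructed sample register.
GENERIC_ENTRY = RiskEntry(
    risk="premium receivables may be late, resulting in 'over 90s' or uncollectable premiums",
    impact=3, likelihood=4, owner=None, mitigation="monitor receivables monthly",
    status="on track", potential_loss=2_000_000, mitigation_cost=50_000)

SPECIFIC_ENTRY = RiskEntry(
    risk="underwriters may have too much discretion to change premium collection terms",
    impact=3, likelihood=4, owner="Head of Underwriting",
    mitigation="limit term changes to an approved schedule with sign-off", status="on track",
    root_cause="underwriter discretion over collection terms",
    potential_loss=2_000_000, mitigation_cost=50_000, residual_likelihood=2)

ACCEPTED_ENTRY = RiskEntry(
    risk="minor print-vendor outage delays policy documents", impact=2, likelihood=2,
    owner="Operations Director", mitigation="none planned", status="on track",
    treatment="accept", root_cause="single print vendor")

REGISTER = [GENERIC_ENTRY, SPECIFIC_ENTRY, ACCEPTED_ENTRY]

if __name__ == "__main__":
    for risk, found in review_register(REGISTER)["findings"].items():
        print(risk, "->", found or ["ok"])
```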

Bottom line, a poorly constructed risk register points to a failure of the entire ERM process and practice. As an essential tool for managing risk across the enterprise, it reveals a lot about how well risk is being managed. Thus, the register can be a good indicator of the overall state of ERM in the organization.

A Renewed Focus on EERM Practices

With third-party risks on the rise, there is renewed focus on maturing extended enterprise risk management (EERM) practices within most organizations. This focus appears to be driven by a recognition of underinvestment in EERM, coupled with mistrust of the wider uncertain economic environment.

To understand the broader risk environment and provide organizations with the insights needed to effectively assess their risk and adapt processes accordingly, Deloitte recently conducted the EERM Risk Management Survey 2019, obtaining perspectives from more than 1,000 respondents across 19 countries covering all the major industry segments. Results shed light on crucial considerations surrounding economic and operating environments; investment; leadership; operating models; technology; and affiliate and subcontractor risk. More specifically:

Economic and operating environment: Economic uncertainty continues to drive a focus on cost reduction and talent investment in EERM. The main drivers for investing in third-party risk management are: cost reduction, at 62%; reduction of third-party-related incidents, at 50%; regulatory scrutiny, at 49%; and internal compliance, at 45%. Organizations urgently want to be more coordinated and consistent in extended enterprise risk management across their organization, as well as to improve their processes, technologies and real-time management information across all significant risks.

Investment: Piecemeal investment has impaired EERM maturity, left certain risks neglected and hurt core basic tasks. Only 1% of organizations say they address all important EERM issues, and only a further 20% say they address most EERM issues. One of the main reasons for this maturity stall is that organizations are taking a piecemeal approach to investment – they are mostly making tactical improvements rather than investing in strategic, long-term solutions. This piecemeal approach has led to certain areas – such as exit planning and geopolitical and concentration risk – being neglected, and some organizations not doing core basic tasks well, such as understanding the nature of third-party relationships and related contractual terms.

See also: The Globalization of Risk Management  

Leadership: Boards and senior executives are championing an inside-out approach to EERM, which includes better engagement and coordination and smarter use of data. The survey reveals that boards and executive leadership continue to retain ultimate responsibility for EERM in the majority of organizations. Better engagement and coordination across internal EERM stakeholders is a top priority for boards and senior leaders. Boards are moving away from using periodically generated data to more succinct and real-time, actionable intelligence, generated online. But who has ultimate responsibility for third-party risk management? According to the survey results, 24% indicated the chief risk officer, 19% indicated other board members and 17% indicated the CEO.

Operating models: Federated structures are the most dominant operating model for EERM, underpinned by centers of excellence and shared services. More than two-thirds, 69%, of respondent organizations say they adopt a federated model, and only 11% of organizations are now highly centralized, which is down from 17% last year. Investments in shared assessments and utilities, and managed services models, are also increasing. Furthermore, co-ownership of EERM budgets is also emerging as a trend. Robust central oversight, policies, standards, services and technologies, combined with accountability by business unit and geographical leaders, is a pragmatic way to proceed.

Technology: Organizations are streamlining and standardizing EERM technology across diverse operating units. The survey confirms Deloitte’s prediction last year that a three-tiered approach for third-party risk management will continue. Smartly coordinated investments in third-party risk management technology across three tiers can drive efficiency, reduce costs, improve service levels, increase return on equity and create a more sustainable operating model. More specifically, 59% of the respondents adopted tier one, 75% adopted tier two and tier three continues to grow.

Affiliate and subcontractor risk: Organizations have poor oversight of the risks posed by their third parties’ subcontractors and affiliates. The lack of appropriate oversight of subcontractors is making it difficult for organizations to determine their strategy and approach to the management of subcontractor risk. Only 2% of survey respondents identify and monitor all subcontractors engaged by their third parties, and a further 8% do so only for their most critical relationships. Leading organizations are starting to address these blind spots through “illumination” initiatives to discover and understand these “networks within networks.” Fewer than 32% of organizations evaluate and monitor affiliate risks with the same rigor as they do other third parties. As affiliates are typically part of the same group, organizations are likely to have a higher level of risk intelligence on them than on other third parties.

See also: Is There No Such Thing as a Bad Risk?  

For more information on Deloitte’s “2019 Extended Enterprise Risk Management Survey,” or to download a copy, please visit their website here. You can find the full report here.