More Attention and Discipline for Third-Party Risk

Deloitte survey indicates growing awareness and management oversight; D&B releases AI-driven solution

Friday, January 25, 2019

By Juliette Fairley

Growing sensitivity to third-party risks - extending out to fourth, fifth, and nth parties - is resulting in more rigorous management and higher prioritization of these ecosystem exposures, according to data from Deloitte.

In a survey of more than 4,000 participants during an October 2018 extended enterprise risk management (EERM) webcast, 47% said they had experienced either a low- or high-impact risk incident involving an external entity over the past three years. Seven out of 10 indicated a moderate to high level of dependence on entities that might be characterized as third, fourth or fifth parties.

EERM is still a work in progress. When asked who was overseeing EERM governance, just over half of the respondents said it was either their full board, audit committee or risk committee - while 19% answered “don't know” or not applicable.

According to another study, 62% of CEOs “fail to hold their extended enterprise to the same risk standards as their own organization, despite leaders seeing information technology providers as posing the greatest threat,” said Deloitte's January 15 press release. “A clear line of EERM governance is invaluable to the overall success of the organization. Senior leadership can create an accountable EERM organization to mitigate key risks falling through the cracks of the first, second or third lines of defense.”

“The risk comes from needing to trust that these third parties - and their subcontractors - aren't making mistakes in handling data, ensuring privacy, or doing anything else that would harm the business,” said Deloitte & Touche partner Dan Kinsella, extended-enterprise and third-party assurance leader in the Risk and Financial Advisory practice. “Executives extend the enterprise every time they use a cloud service, outsource a business process, or otherwise spread operations beyond the traditional four walls of their organization. Whenever this happens, benefits and risks are derived from those interactions with third parties.”

As of early 2018, many EERM processes were ad hoc, and in a Deloitte survey mentioned in a GARP Risk Intelligence article, “only 3.9% described their process as 'optimized with integrated strategy and decision making, executive champions, continuous improvement and investment, and highly customized decision support tools with external data.'”

Automated Solution

In a sign of the times, Dun & Bradstreet on January 23 announced the availability of D&B Compass, a “third-party risk management solution powered by artificial intelligence that allows for comprehensive due diligence and monitoring of all levels of customer, supplier, and third-party relationships.”


D&B in October published results of a survey of procurement and compliance professionals showing that despite concerns about customer/vendor due diligence and supplier/vendor monitoring, many companies struggled to implement automation in third-party risk management. More than half of respondents said that their organizations had been subject to fraud in the last two years.

The report pointed out that “the vast majority of respondents have a positive view of technology and how it can be leveraged in the compliance and procurement space; just 3% reported that technology would be of no help in duties and tasks.”

“Organizations are still struggling to glean true insights because their data is spread out, housed in disparate systems across the company,” said Brian Alster, global head of procurement and compliance, Dun & Bradstreet. “Utilizing automated solutions that manage data and workflow to monitor and report problems can save companies time and money, which can ultimately lead to more profitable growth.”

Regulatory Impetus

Kinsella of Deloitte noted that the financial services industry, because of regulatory mandates, was a leader in introducing third-party risk discipline. “We're seeing a huge movement too in life sciences, health care, energy and resources, and finally in federal government because they have such a proliferation of third-party relationships that are strategically important,” he said.

Accelerating the trend of third-party and extended-ecosystem dependencies has been “the use of offshoring and the proliferation of relationships without even a handshake,” Kinsella added. “Historically, no one and everyone was in charge; relationships were established in an organization at times with limited oversight.”

Kinsella advises adoption of a framework that begins with “know your third party” and defines what constitutes a company's critically important extended enterprise by gathering information on each party through interviews and questionnaires. Some are using managed service providers or industry consortiums (an example is TruSight) to maximize efficiency.

Currently attracting more interest is risk sensing, “which can involve a number of technologies, surveillance video and other real-time collection methods,” Kinsella said. Rating systems such as CyberGRX, sentiment from news feeds and predictive analytics can contribute to the effort.

“Are you executing with third parties in a way that is according to the contract or the agreement, and are they performing with the timeliness and quality you expect?” Kinsella said. “We often see leakage or just apathy over time, especially with contracts that are five or 10 years old. People don't even know what's in the contract, or they can't find the contract.”

Technological Tools

Technologies such as cloud computing, blockchain, Internet of Things (IoT), robotic process automation (RPA) and data visualization can improve extended-enterprise compliance and mitigate risks from reputational damage, regulatory missteps, consumer backlash and cyber threats.

For example, insurers use data feeds from IoT sensors in cars to adjust owners' premiums; drivers with riskier habits pay more.

In the recent Deloitte survey, 31% said their organizations were most likely to invest in cloud technology over the next 12 months, 18% said RPA, 12% data visualization, 7% cognitive technologies, 7% blockchain, and 6% IoT.

Thirty-eight percent said they would be most focused on cyber and technology extended-enterprise risks over the coming 12 months. That compared with 20% on legal, financial and regulatory, and 11% on operational (supply chain).

© 2024 Global Association of Risk Professionals