Third-Party Risk Efforts Suffer from Underinvestment
Deloitte finds that maturity levels and "basic core tasks" are lagging, hindered by "a piecemeal approach"; transformation initiatives on the way
Friday, October 25, 2019
By Ted Knutson
There is broad agreement on the expansive vision and holistic mobilization required for effective management of third-party risks, but a Deloitte survey indicates shortfalls in execution.
“Organizations are trying to improve the management of third-party risk by investing in talent, cutting-edge technologies, and robust operating models. Dramatic shifts in the marketplace and push for efficiencies are contributing to an ever-increasing focus on EERM,” says the foreword of Deloitte's 2019 Extended Enterprise Risk Management Survey.
“With a staggering 83% of organizations experiencing a third-party incident in the past three years and only a negligible 1% considering themselves 'optimized' to address all-important EERM issues, it evidently reflects underinvestment in the EERM space,” said the consulting firm, citing survey responses from 1,000 executives. The international poll was taken in late 2018 and early 2019, described as “a time of global economic uncertainty that has made its mark on the outlook for businesses.”
The picture of a critical but struggling-to-keep-pace risk function is in line with that of the most recent Protiviti-Shared Assessments Vendor Risk Management Benchmark Study, which was titled Running Hard to Stay in Place.
In another recent survey, by Dun & Bradstreet, confidence in third-party risk management was found to be declining among compliance and procurement professionals, particularly at smaller firms. Cybersecurity was the No. 1-ranked concern, but 48% had not incorporated it in their third-party risk management.
Impact of Third-Party Incidents, and Areas of Needed Improvement
Doubts on Coordination
Deloitte's report said that “chronic underinvestment is making it hard for organizations to achieve their desired EERM maturity levels, and more fundamentally, hindered many organizations from doing basic core tasks well.”
While 37% said better coordination, among business units and the various operational, administrative and control functions, was a top third-party-risk priority, only 16% rated their in-house coordination as strong.
Thirty-five percent described coordination as low, nearly absent, or they didn't know.
A desire to reduce costs has become the biggest driver for investing in third-party risk management: 62% called cost-cutting their top third-party, or extended enterprise, risk management priority, up from 48% in the previous annual survey.
Gaps in Understanding
The survey revealed knowledge gaps, said to result from a “piecemeal approach [that] has weakened organizational abilities to do basic core tasks well.” The factors most often cited as making it hard to tailor the monitoring effort to the level of risk involved are understanding the nature of third-party relationships (50%) and understanding the related contractual terms (43%).
Boards and senior leadership were ultimately responsible for EERM 78% of the time: head of risk in 24% of cases, the board 19%, CEO 17%, chief procurement officer 10%, and CFO 8%.
Deloitte Risk & Financial Advisory Practice leader Dan Kinsella said organizations benefit by appointing third-party risk management “superstars” who are well versed in other business operations. He acknowledged that such leaders are “not easy to come by.”
One area where close coordination pays off, Kinsella said, is between business lines and IT. For example, based on shared observations, an analysis of 20 software vendors could lead to “identifying five doing great things and deserving of a greater share of your business.”
Trends in Technology
In terms of technology, Deloitte sees “a strong desire for standardization and streamlining in EERM technology across diverse business and operating units . . . We anticipate seeing more EERM capex invested in transformation initiatives and related design and implementation in 2019 and 2020.”
The firm also anticipates a “convergence between third-party risk management tools and broader third-party management tools that can enable better holistic and integrated management of performance, contract, and commercial issues in conjunction with the risk generated by these issues.”
The survey found that EERM investment is “skewed toward information security (68% of respondents), data privacy (62%) and cyber risk (58%). And many organizations underinvest in other domains such as labor rights (18%) and geopolitical and concentration risk (both at 12%).”
According to the 2019 Global Cyber Risk Perception Survey by insurance broking and risk management leader Marsh, in partnership with Microsoft, “The increasing interdependence and digitization of supply chains brings increased cyber risk to all parties, but many firms perceive the risks as one-sided.”
Many organizations viewed the cyber risk they face from supply-chain partners differently from the level of risk their own organizations pose to counterparties: 39% said partners' and vendors' risk was high or somewhat high, but only 16% said the same about the cyber risk they themselves pose to their supply chain.
“Respondents were more likely to set a higher bar for their own organization's cyber risk management actions than they do for their suppliers,” the Marsh report said.