Audits of the extended enterprise can yield benefits, such as greater flexibility, innovation, brand confidence, and even revenue gains.
There are big risks lurking in your supply chain and in interactions with the vast network of third parties with whom companies do business.
A new survey by Deloitte finds that companies are especially struggling to get a handle on their third parties’ partners and suppliers, often referred to as fourth- and fifth-party partners or the extended enterprise.
The study, “Focusing on the Climb Ahead: Third-Party Governance and Risk Management,” finds that 70 percent of respondents say the risks inherent in managing their extended enterprise have increased at least by some extent, if not significantly.
Despite those heightened risks, many companies still aren’t evaluating partners further up the supply chain. Only a small fraction (2 percent) say they regularly monitor subcontractors at the fourth or fifth levels of their chain, and just 10 percent do so for subcontractors they identify as critical. The rest rely on their third-party partners to provide such oversight.
According to the survey, which is based on 975 responses from a variety of organizations in 15 countries, companies are, however, working on improving their extended enterprise risk management (EERM) programs, although at a slower pace than expected. One in five respondents say they have integrated or optimized their EERM programs recently, and another 50 percent say they plan on improving risk management of their extended enterprises in the next one to three years. Indeed, 53 percent of respondents now believe their journey to achieve EERM maturity will take two to three years or more.
“This is a significantly longer journey than anticipated in earlier surveys, when respondents reported that this could be achieved in six months to a year”, said Kristian Park, EMEA leader of extended enterprise risk management at Deloitte Global Risk Advisory. “This reflects a more realistic time-frame, and we’d expect organizations to be closely aligning plans to address the expected regulatory outlook over this period.”
The ‘Upside of Risk’
There has also been a slight shift in the reasons that companies invest in oversight of their extended network of business partners. While plenty of respondents say they do so to prevent regulatory and compliance failures (43 percent) or to reduce the number of third-party related incidents (34 percent), more companies are looking for positive effects from investments in EERM. For instance, 26 percent of respondents say they could achieve greater flexibility to address market uncertainty from better risk management of the extended enterprise, and 21 percent consider investment in EERM a revenue-generating opportunity, since it could identify under-reported revenue streams. The business case for investment in EERM is also being driven by other factors that exploit the upside of risk, such as enhancing organizational responsiveness, innovation, and brand confidence.
“The business case for investment in EERM is increasingly being focused on exploiting the upside of risk—a significant shift from the almost-exclusive focus earlier on managing the downside, with increasing confidence to demonstrate tangible benefits,” wrote the report’s authors.
“This is a significant shift from the almost exclusive focus in the past on managing the downside of risk,” adds Park. This point is unlikely to be lost on internal auditors who are eager to find audit projects that can add value and produce benefits in addition to guarding against problems. An extended enterprise audit may be just such a project.
More Work to Be Done
The survey results suggests there is still work to do for many organizations to become fully integrated or optimized in their EERM capabilities. Respondents say internal functions and departments can do a better job of working together on managing risks of the extended enterprise. Nearly 40 percent of respondents say their organization has put the need to establish better coordination between risk domain owners, business unit leaders, and internal audit teams at the top of the list of EERM related priorities.
In addition to a focus on increasing maturity, cooperation, and making a renewed business case for investment, the report explores four other key areas where most organizations could benefit from further effort.
- Centralized control: An increasing number of organizations are adopting central oversight and management to accelerate risk awareness and efficiency. More than half (55 percent) of organizations are now equally or more decentralized than centralized (down from 62 percent last year). This reflects that organizations are starting to scale back on decentralization in the overall organization.
- Technology platforms: Technology decisions are also now being increasingly centralized and a standard tiered technology architecture is emerging. Less than 10 percent of respondents are currently using bespoke systems for EERM, a sharp drop from just over 20 percent last year. Cloud technologies that enable agile business operations with standardization represent the most popular emerging technology platform being investigated by survey respondents. Nearly half of respondents are planning to utilize standardized cloud technologies for EERM while 31 percent are considering using robotic process automation for routine EERM tasks across the organization.
- Sub-contractor risk: Organizations lack appropriate visibility of sub-contractors engaged by their third parties as well as the discipline and rigor to frequently monitor such fourth and fifth parties. A full 57 percent of survey respondents feel they do not have adequate knowledge and appropriate visibility of sub-contractors engaged by their third parties and a further 21 percent are unsure of their oversight practices.
- Organizational imperatives and accountability: Ownership and accountability for EERM seems to be well and truly established in the C-suite with 78 percent of organizations suggesting that either the CEO, CFO, CPO, CRO or a member of the board is ultimately accountable for this topic. Survey respondents however believe that there is room for improvement in the level of engagement on the EERM agenda by board members and risk domain owners. Skills, bandwidth, and competence of talent engaged in EERM-related activities appears to be the most significant concern for respondents (45 percent), followed by the clarity of roles and responsibilities and EERM processes (41 percent in both cases).
The Deloitte survey shows that companies are still working to get control of the risks that can spread from up the supply chain or from a third party’s business partners to the company itself. To be sure, many companies are still just trying to do a better job of managing the risks that come from their immediate business partners. But companies are starting to see the benefits of EERM or will start to see them in the coming years. “We believe the investments made in EERM in 2017 will begin to pay dividends in either 2018 or 2019—in line with respondents’ realistic assessment that it takes two-to-three years for organizations to integrate or optimize their EERM programs,” the report’s authors concluded.
For most companies, the vast network of interconnected vendors, suppliers, intermediaries and other third parties continues to grow, along with the risks that come along with such relationships. Most too are finding that their risk management programs must also extend beyond the confines of their own four walls. 
Joseph McCafferty is editor & publisher of Internal Audit 360°
Did you enjoy this article? Consider making a small donation to support independent business journalism at Internal Audit 360°. Click Here to make a $25 contribution! And much thanks to all of those who have already donated. Our success depends on it.