Over 70% organizations do not have adequate knowledge or required visibility into third-party outsourced relationships
No company can function as an island and as our eco system broadens it typically deals with many entities like customers, partners, affiliates and others. When organized together these entities form what we term as the “extended enterprise” which is closer to the core of business than ever before. Organizations that step up to the challenge of developing programs to better manage this risk can elevate their position in the market by unleashing with confidence the reach, expertise and relationships that third parties can bring.
Third party risk management has to become a top-of-mind priority for organizations. In this respect, our recent (third) annual EERM (Extended Enterprise Risk Management) survey, based on 975 responses from a variety of organizations across 15 countries of Asia Pacific, Americas, Europe, Middle East and Africa region ,has highlighted some interesting findings. 70% of organizations in India recognize an increase in risk but remain ill-equipped to deal with it because of inadequate or absolutely no knowledge of sub-contractors engaged by their third parties. In fact, 14% of the respondents in the survey stated that third party-outsourced relationships are not identified, monitored or reviewed at all.
Companies today have to rely on relationships that are multiple and third party in nature, and typically outsourced. These are like outliers on the risk periphery – even for organizations that place strong focus on risk. Our survey report highlights the below key areas where organizations could benefit from further effort:
- Controlling heightened risk: Dependence on third parties continues to grow, with over 70% of Indian respondents stating that their dependence on extended enterprise has grown owing to business and macro- economic conditions. Impact of external events (42%) and increasing threat of their party related incidents and disruptions were the two most dominant factors contributing to the perception of heightened risk in the extended enterprise.
- Enhanced board engagement: Board oversight and engagement with EERM programs continues to lag. At a global level, 78% of organizations suggest that the Chief Executive Officer (CEO), CFO, Chief Procurement Officer (CPO), CRO, or a member of the Board is ultimately accountable for this topic. In India, this decision rests with the Chief procurement or the Risk Officer. Boards in India are making relatively slow progress on this matter whereby 57% of the respondents suggested that their boards merely have a moderate level of understanding and engagement on this subject.
- Technology platforms: In keeping with the trend of increased centralized oversight of EERM activities, technology decisions are now being taken more centrally and standard tiered technology architecture is emerging. Less than 10% of our global respondents in our survey are currently using bespoke systems for EERM, a sharp drop from just over 20% last year.
- Sub-contractor risk: Organizations lack appropriate visibility of sub-contractors engaged by their third-parties as well as the discipline and rigor to frequently monitor such fourth/fifth parties. 57% of survey respondents feel they do not have adequate knowledge and appropriate visibility of sub-contractors engaged by their third-parties and a further 21% are unsure of their oversight practices.
The author is Sachin Paranjape, Partner, Deloitte India