57 percent of global organizations feel that they do not have appropriate visibility of subcontractors engaged by their third parties, according to a new global survey on extended enterprise risk management by Deloitte. A further 21 percent are unsure of oversight practices, and fewer still (2 percent) routinely review the risk subcontractors pose to their organization.
Kristian Park, extended enterprise risk management (EERM) partner, Deloitte, said:
“With GDPR coming into force across Europe next month, organizations will already be looking with renewed focus at their third party structures. For some, there is still a way to go to implement adequate subcontractor management. Compliance with GDPR not only covers organizations themselves, but also the contractors and subcontractors they engage. Under the regulation, subcontractors representing fourth and fifth parties must be appropriately monitored. Whilst the specific responsibilities will depend on whether they’re considered a data ‘controller’ or ‘processor’, such responsibilities typically include demonstrating robust data security safeguards, and reporting data breaches within 72 hours. In the run-up to May 25th, we’d expect to see more organizations make additional investments to adequately manage multiple layers of outsourcers. There is no one-size-fits-all, and the appropriateness of contractor monitoring for GDPR is defined by the nature of dependency from the perspective of data. The frequency and rigour of monitoring is expected to intensify, the greater the reliance in terms of confidential data.”
Regular monitoring of subcontractors remains low, with just 2 percent of those surveyed engaging in this periodically, and 10 percent solely reviewing subcontractors identified as critical to continuity of business.
Park added: “This means that 88 percent of organizations are either dependent on their third parties to conduct subcontractor risk reviews, or have an unstructured, ad-hoc approach to fourth and fifth party oversight. This figure could also indicate that some organizations are simply unaware of their policy or, more alarmingly, do not have one.”
Reliance on third parties continues to grow, with over half (53 percent) of respondents reporting ‘some’ or ‘significant’ increase in dependency. Changing regulation and heightened levels of regulatory scrutiny were considered the two greatest contributory factors to the increasing risk inherent in that reliance.
Despite critical levels of third party dependency, only 20 percent of organizations have streamlined their extended enterprise risk management systems and processes. 53 percent of this year’s respondents now believe that their journey to EERM maturity will take two to three years or more.
“This is a significantly longer journey than anticipated in earlier surveys, when respondents reported that this could be achieved in six months to a year”, said Park. “This reflects a more realistic time-frame, and we’d expect organizations to be closely aligning plans to address the expected regulatory outlook over this period.”
About the survey
This is the third Deloitte global survey on extended enterprise risk management. This year’s survey had 975 responses from organizations across 15 countries across the Americas, EMEA, and APAC. Survey respondents include CFOs, heads of procurement/vendor management, CROs, heads of internal audit, and compliance and IT risk function leads.