Extended enterprise risk management will be a focus in 2019: survey
- Published: Wednesday, 16 January 2019 09:03
A recent survey by Deloitte has shown that organizations are concerned about several extended enterprise risks, including supply chain, financial, regulatory, legal, and strategic. Organizations need to manage these areas centrally, leading to an expectation that ‘extended enterprise risk management’ (EERM) will be a 2019 priority.
The survey revealed that 70 percent of respondents indicated a moderate to high level of dependency on external entities that might include third, fourth or fifth parties. Also, nearly half (47 percent) of respondents said their organizations had experienced some sort of risk incident involving the use of external entities in the last three years.
"The risk comes from needing to trust that these third parties - and their subcontractors - aren't making mistakes in handling data, ensuring privacy, or doing anything else that would harm the business," said Dan Kinsella, extended-enterprise and third-party assurance leader in the Risk and Financial Advisory practice and partner with Deloitte & Touche LLP. "Executives extend the enterprise every time they use a cloud service, outsource a business process, or otherwise spread operations beyond the traditional four walls of their organization. Whenever this happens, benefits and risks are derived from those interactions with third parties."
Responses to the question "Who oversees risk governance of your organization's extended enterprise?" illuminated another challenge for extended enterprise risk management. Only 24 percent of poll respondents said it was the board risk committee's responsibility, 17 percent pointed to the audit committee, and another 11 percent to the full board; the remainder named an internal auditor or an external stakeholder, or simply did not know who managed EERM. A recent Deloitte risk management survey of CEOs and boards found that 62 percent of CEOs fail to hold their extended enterprise to the same risk standards as their own organization, even though leaders see information technology providers as posing the greatest threat. A clear line of EERM governance is invaluable to the overall success of the organization, says Deloitte: senior leadership can create an accountable EERM organization so that key risks do not fall through the cracks between the first, second and third lines of defense.
Emerging technology-driven systems, applications, controls, programs and methodologies can improve and accelerate efficiency. They can also improve compliance and reduce the risk of reputational damage, regulatory missteps, consumer backlash and cyber threats. Poll respondents said their organizations are likely to invest in the following emerging technologies and tools during the next 12 months: cloud computing (31 percent), robotic process automation (RPA) (18 percent), data visualization (12 percent), cognitive technologies (7 percent), blockchain (7 percent) and Internet of Things (IoT) (6 percent), among others.
Security around third-party ecosystems is a concern for organizations of all sizes: 38 percent of those polled said their organizations intend to focus on cyber risks in the extended enterprise over the next 12 months. To manage the associated risks better, organizations need an approach that addresses cyber risk from the start of vendor procurement and writes specific security requirements and controls into the contract, says Deloitte. Asking vendors some of the following questions is a starting point for evaluating and addressing the extended enterprise risk posture:
- Do they take a secure-by-design approach?
- Do they use a secure system development life cycle?
- Are their developers trained in the security practices you expect them to follow?
- Do they test for errors and defects before release?
It is likely that 2019 will demonstrate the growing importance of EERM program maturity in mitigating risk, safeguarding compliance and driving business value, says Deloitte. Efficiency will probably improve in the process as third-party ecosystems grow and third parties take on more and more mission-critical, core functions for the organization.