Extended enterprise risk management responsibility moves to the boardroom
- Published: Friday, 20 September 2019 07:52
According to a Deloitte extended enterprise risk management (EERM) survey, as better management of third-party risk has been viewed as a transformation opportunity, boards and senior leadership have grown to have ultimate responsibility for EERM in more than three-quarters of respondent organizations. However, just over half (53 percent) of respondents to Deloitte's survey want a more coordinated and consistent approach to EERM across organizational functions.
Other key findings from the survey included:
- Developments in extended enterprise risk management maturity have not kept pace with increasingly critical levels of dependence on third parties since first surveyed in 2015. As such, the majority (83 percent) of organizations experienced a third-party incident in the past three years.
- The economic environment continues to drive cost reduction and talent investment in EERM. The desire to reduce costs has become the biggest driver for investing in EERM maturity (indicated by 62 percent of respondents).
- According to the survey, federated structures are becoming a dominant operating model for third-party risk management as boards and executive management continue to take a deep interest in third-party risk management and want to provide more coordinated and responsive input. More than two-thirds (69 percent) of respondent organizations say they have adopted a federated model that allows for this sharing of responsibility.
- A mere 1 percent of organizations considered themselves optimized to address all important EERM issues presented. Chronic underinvestment is making it hard for organizations to achieve their desired EERM maturity levels and, more fundamentally, has hindered many responding organizations from doing basic core tasks well.
Leadership wants better engagement, better coordination and smarter use of data
Third-party risk management was viewed as an operational rather than a board or top leadership issue for decades. As better management of EERM has been viewed as a transformation opportunity, boards and senior leadership have grown to have ultimate responsibility for EERM in more than three-quarters of respondent organizations. This starts with better engagement and coordination within the business, encompassing organizational units, geographies, risk domains and subject matter experts.
As the survey revealed, boards and executive leadership now retain ultimate responsibility for EERM in most organizations.
Who ultimately has responsibility for third-party risk management?
- 24 percent: Chief Risk Officer
- 19 percent: Other board members
- 17 percent: CEO