Q&A with Dan Kinsella, Deloitte Risk and Financial Advisory Partner
Deloitte recently released the results of its third-annual Global Extended Enterprise Risk Management (EERM) survey, “Focusing on the Climb Ahead.” Dan Kinsella discusses with CCI’s Maurice Gilbert the findings from the survey, the evolution of EERM over the years and how organizations are going about optimizing their EERM programs.
Maurice Gilbert: Can you give us a brief, overarching explanation of Deloitte’s latest Global EERM survey?
Dan Kinsella: Sure, this is an in-depth survey of 975 senior leaders from top organizations in 15 different countries on how organizations are understanding and dealing with third-party governance and risk management. Third-party risk management is what we mean by “Extended Enterprise Risk Management (EERM).” We use EERM to emphasize all third parties including those with cost, revenue and even nonfinancial relationships. For this survey in particular, we wanted to capture current maturity levels in EERM programs and how fully these efforts are tied to business goals and investments.
Essentially, the picture that emerges is one of increased risk but also — thankfully — increased focus and investment by executives around EERM. The trick, of course, is to make sure this growing commitment to maturing EERM outpaces the growing risk as organizations reach more frequently outside the four walls to augment capabilities and value. These risks include threats of high-profile business failure, illegal third-party actions and costly compliance violations.
MG: How applicable is this survey to different industries across the global economy?
DK: To get the most complete picture possible, we made sure to survey people in a lot of different industries — banking, technology, investment management, travel, hospitality, insurance and many other sectors — and in a lot of different roles. We talked to chief finance officers, heads of procurement and vendor management, chief risk officers, heads of internal audit and those leading the compliance and IT risk functions.
Across all these roles and industries, we saw some common areas where organizations still have a learning curve in maturing EERM. These include the need for more visibility into third-party operations and those of subcontractors third parties may engage, as well as more awareness and buy-in at the C-suite level. Another specific area to focus on is coordination and centralization of EERM roles, structures and technologies across the organization. While we try to help our clients achieve a “federated” EERM structure — one that is centralized, but not overly rigid and allows for business unit customization — the trend away from a decentralized approach to EERM in this survey is an encouraging finding.
MG: On this question of leadership awareness, what about when we get to the level of a board of directors? How tuned in are board members to EERM?
DK: They’re certainly tuned in, but not necessarily on the exact right frequency. What I mean by that is strategic risk management is a core responsibility in a board member’s portfolio as a steward of the organization. But the default view of risk is often as a backstop against compliance or regulatory violations. A shift in organizational thinking and board leadership that views risk management of the extended enterprise as a market driver that can maximize the value of third parties is needed for continued EERM program maturity.
This value comes in the form of some of the things I mentioned earlier, like federating EERM functions across the organization. Doing so can make your operation more efficient — for instance, when you consolidate the security audit process for a third-party vendor that happens to work with many parts of the enterprise, instead of having different departments do multiple audits on the same vendor over and over again. This kind of visibility isn’t always apparent at the board level, so there’s somewhat of a learning curve.
MG: Can you share a bit more on this “learning curve” at the board level around EERM?
DK: Well, let’s consider a few of the survey findings to help illustrate. I mentioned earlier that there’s an upside to risk — a value proposition and sense of confidence around EERM as a driver of value — rather than what had previously been an almost-exclusive focus on managing the downside and avoiding compliance violations.
As a sign of this, our survey found that as many as 48 percent of respondents were motivated by overall cost reduction objectives in investing in EERM, which they felt could be achieved by bringing in efficiencies through the use of third parties or by preventing over-payments. That kind of motivation clearly goes beyond checking the box on compliance; it’s more about seeing risk through the lens of ROI and competitive advantage.
Nonetheless, only 11 percent of these same respondents say they have formal board reviews for EERM on a quarterly basis. And more than one-third of respondents simply don’t know when or whether a board review of EERM has ever happened at all. In our view, boards in their governing capacity should have deeper levels of engagement and more frequent reviews to ensure EERM is elevated to appropriate levels and robust risk management structures and processes are put in place.
Typically, board-level leaders don’t have perfect visibility down into business units and the contractor relationships that support them, so it’s understandable that there’s a learning curve. But once they see the benefits of EERM — applying risk management only where it’s needed and nowhere that it’s not — the value proposition becomes clear and board members can serve a powerful role in advocating for more mature EERM programs.
MG: What exactly do we mean by EERM “maturity” anyway?
DK: Every company is unique, so there’s no exact formula. But essentially, an EERM program is mature to the extent the organization has an integrated process for setting strategy and making decisions around third-party risk. It’s marked by continuous improvement and investment and by the embrace of highly customized and data-driven decision support. You also need executive champions — as we just discussed in the context of board advocacy, and certainly across as many C-suite functions as possible — to act as internal ambassadors for EERM’s value and ongoing investment.
Of course, the goalpost on EERM maturity depends on the extent to which you’re extending the enterprise to begin with — and our survey showed a troubling disconnect: Even though more than half of respondents reported a significant, or at least some, increase in dependence on third parties in the past year, only one in five said their organization had integrated or optimized their EERM mechanisms.
Reaching beyond the four walls for new capabilities is nothing new. But as time goes by and cloud and other technology innovations become more diverse and powerful, we increasingly see third-party assets and services at the heart of operations — think critical infrastructure, connectivity for life-saving medical devices, financial data management or real-time traffic data. As the assistance from third parties and their contractors draws near to mission-critical operations, we inject risk closer to the heart of our operations. And so more mature EERM capabilities are useful in mitigating that risk.
MG: You said there’s no exact formula for optimizing an EERM program, but there must be some trends you’re seeing on how organizations are going about it.
DK: Absolutely! We’re increasingly seeing a common setup for organizations around EERM that involves a three-tiered technology architecture. This involves 1) enterprise resource planning systems or other backbone applications for procurement; 2) generic governance, risk and compliance software or EERM-specific risk management packages tailored to the organization and 3) additional niche packages for specific EERM processes that are configured for specific business applications or specialized risk domains.
Nobody wants to reinvent the wheel, but nobody can settle for cookie-cutter solutions. So, this three-tiered combination of standardized tools with some customization is a way to thread the needle. Organizations are no longer keen to invest in developing complex, bespoke solutions for EERM — less than 10 percent in our survey are doing that, a sharp drop from just over 20 percent last year. Instead, cloud technologies that enable agile business operations with some standardization represent the most popular emerging technology platform being investigated by survey respondents.
By the way, I mentioned centralization of EERM earlier as a sign of maturity. Choosing which architectures to build is a good example of that. This choice of a standard-tiered technology architecture is not typically happening on the business unit level. It’s the kind of technology decision that’s now being taken more centrally to benefit the whole organization.
MG: To the extent that EERM has been on organizations’ radar over the years, have we seen any shift in priorities?
DK: Yes. There’s been a significant change in organizational priorities and underlying leadership concerns since our previous survey — where tools and technologies seemed to be the dominant focus of more than 90 percent of our respondents. By contrast, this year’s survey results show that skills, bandwidth and competence of talent engaged in EERM-related activities appear to be the most significant concern. Some 45 percent of respondents prioritized those attributes, followed by 41 percent who flagged clarity of roles and responsibilities and EERM processes.
It’s almost like we’re seeing snapshots in time for an entire adoption curve around EERM. Previous surveys found leaders struggling over basic decisions around technology. Today, some of those technology questions are settled — like the growing consensus I mentioned around the three-tiered approach that balances standardization with custom configurations. Now we’re seeing EERM leaders roll up their sleeves and try to figure out how exactly to implement these processes and roles within the culture of an organization.
MG: At the risk of going down the rabbit hole, it sounds hard enough for organizations to manage risk around third-party vendors. But the truth is, many third-party vendors have subcontractors of their own.
DK: It’s the kind of complexity that keeps EERM analysts up at night! The truth is, we’re not just talking about third-party risk, but also fourth- or fifth-party risk, as well. Unfortunately, compliance and regulatory standards don’t typically differentiate. Organizations need to own whatever risk comes into the enterprise.
Our survey shows that most organizations lack appropriate visibility of instances where subcontractors are engaged by their third parties. About 57 percent of people we surveyed said they don’t have such visibility, and a further 21 percent said they’re not sure whether anyone in their organization has such visibility. Less than one in five said they periodically review the concentration risk associated with their fourth and fifth parties quarterly or semiannually.
This is no time to be flying blind to subcontractor risk; keep in mind that the regulatory bar keeps rising. Recent regulations embedded in the U.K.’s Modern Slavery Act and the EU’s General Data Protection Regulation legislation — for instance — include requirements to manage layers of fourth- and fifth-party risk.
MG: It sounds like there’s been a lot of evolution for EERM in just the past few years. What does the future hold for organizations and how they approach EERM?
DK: We are optimistic that the momentum will continue and organizations that have invested in EERM should start to see dividends. EERM will likely become less theoretical and more use-case driven. If a track record of EERM investments and how it has both mitigated the threats of “bad things happening” and acted as a driver of innovation and positive cost-reduction across the entire organization is established, there could be considerable momentum toward continued EERM program maturity.
If evidence of efficiencies and cost savings for organizations that stayed the course and committed to EERM continues to be realized, the benefits of cultivating the extended enterprise through use of third, fourth and fifth parties have the potential to outpace the associated risks.
Dan Kinsella is a Deloitte Risk and Financial Advisory partner serving as the extended-enterprise and third-party assurance leader in Deloitte & Touche LLP. He combines business and technology experience to help clients create and optimize their extended enterprise through cost and revenue recovery services. He specializes in creating efficient exchange of risk information synergies in the marketplace. Dan leads Advisory Service Delivery Transformation, helping clients’ efforts in shared services and outsourcing environment improvements.