8 measures to keep pace with third-party risks

Risk

Companies are working more intensively with third parties, but their risk management strategies may not be keeping pace, according to a Deloitte survey of 975 respondents in 15 countries.

In all, 53% of respondents said that they were more dependent on third parties, but only 20% said they had streamlined their extended enterprise risk management (EERM) systems — and a strong majority said that their extended enterprise was at higher risk now.

Subcontractors represented a particular area of concern, with 57% of respondents saying they lacked adequate visibility of subcontracted work.

Part of the gap may be due to the lengthy rollout times for EERM processes. While respondents previously said that an EERM rollout could take six months to a year, the majority now believe it could take three years or more, Deloitte reported.

For some organisations, it can be a substantial endeavour: Some of the largest companies spend up to $5 million on EERM, employing more than 100 people.

Meanwhile, the focus of those initiatives is changing.

Previous surveys showed an “almost exclusive” concern with managing the downsides of risk, according to Kristian Park, a risk management leader at Deloitte Global Risk Advisory. That most commonly includes regulatory exposure and the possibility that third parties will become implicated in bribery or corruption scandals.

Now, companies are looking for untapped potential in third parties, too. They’re seeing the opportunity to reduce costs and innovate. Partnerships are expanding beyond their traditional focus on the supply chain to include a broader set of support services and technologies — but that can only happen when frameworks for third parties are designed effectively.

The governance of companies is “therefore finally starting to reinvent itself to focus on maximising this opportunity, while also managing compliance requirements and the downside of risk,” the report said. “However, in this new thinking, the explicit linkage of risk and strategy, starting at the board and C-suite level must be an integral part of the organisational strategy-setting process.”

To monitor third-party partnerships, Deloitte suggests these eight performance measures:

Cost reduction. Reducing 5% of total procurement spent through efficiencies in managing third-party suppliers; zero tolerance on duplicate payments to suppliers and third parties; a maximum of 2% overpayment on invoices not matching orders; reduction of insurance premium by 8% compared with the previous year from better movement of goods between third-party locations.

Increase in revenue. A 10% increase in revenue from newer geographies enabled by third-party alliances and partnerships; at least one new product offering in the financial year, contributing to 1% of total revenue due to third-party expertise.

Reduction in number of third-party-related incidents. Zero incidence of third-party-related disruptions that cannot be addressed in 24 hours or with financial implications of more than $1 million; 100% third-party adherence to organisational standards.

Reduction in regulatory exposure. Zero tolerance to regulatory breach; no regulatory fines or penalties.

Addressing internal compliance requirements. Full compliance with standards ensuring the health and safety of employers, customers, and contractors as well as the protection of the environment; zero deviation from internal policies and processes unless covered by specific exemptions.

Better response and increased flexibility to market uncertainty. Twenty-five per cent flexibility in distribution capacity based on third-party arrangements; improvement in customer ratings on increased customer flexibility over previous year.

Unlock access to innovative or disruptive technology. At least one out of ten of new third-party arrangements in the financial year should be focused on delivering new strategic opportunities or provide access to new technology; 10% increase in automation through technology for risk management year on year.

Increase in confidence in the organisational brand. Increase in share price by 5% year on year.

Andrew Kenney is an FM magazine contributing editor based in the US. To comment on this article, or to suggest an idea for another article, contact Sabine Vollmer, an FM senior editor, at Sabine.Vollmer@aicpa-cima.com.