Corporate treasurers and finance managers, as well as CEOs, board members, and other stewards of the business, generally pride themselves on recognizing and leveraging new forms of value in the organization. The good news for these executives is that many of them are sitting on a lode of untapped value, which they may be able to harness using extended enterprise risk management (EERM).

That's because many organizations have extensive opportunities to tap the potential of third-party assets that exist beyond the traditionally recognized boundaries of the organization. What does it mean to extend the enterprise, and what's the nature of the value and risk that comes with these third-party assets?

Simply put, executives extend the enterprise every time they use a cloud service, outsource a business process, or otherwise spread operations beyond the traditional four walls of the company. Whenever this happens, benefits and risks are derived from those interactions with third parties. The benefits may be new or enhanced services; cloud resources, in particular, are vital for the range and scalability of services they can bring. The risk comes from needing to trust that these third parties—and their subcontractors—are making no mistakes in handling data, ensuring privacy, or doing anything else that would harm the business.

Why Extend?

Extending the enterprise can add depth of expertise and service, open new markets, fuel innovation, and improve the organization's reputation. Unfortunately, as a recent Deloitte Dbrief poll and a Deloitte UK global survey on EERM both make clear, these opportunities are sometimes obscured by the challenges of understanding the potential value available within the supply chain and getting past the management team's risk aversion.

Nevertheless, companies are increasingly relying on third-party assets and services to manage and protect systems at the heart of their operations—think core infrastructure, connectivity for life-saving medical devices, customer relationship management, or financial systems and data. And the more mission-critical the assistance an organization gets from third parties and their contractors, the more risk is injected into the heart of company operations.

Judging by the prevalence of cloud services and other popular means of extending the enterprise, the opportunities for value creation using third parties in the organizational ecosystem are too big to ignore. However, taking advantage of these opportunities requires effective risk management. As external service providers play an increasingly important role in corporate operations, boards are paying close attention. When board members ask management about third-party risks and every executive has a different answer, rather than a cohesive line-of-sight into those risks across the organization, the value of a program to identify, track, assess, and mitigate extended-enterprise risks becomes clear.

A well-structured EERM program helps a company optimize the value it can achieve from its third-party relationships, while keeping the risks in check.

EERM Can Be a Powerful Business Driver

What exactly does an EERM program look like? Every company is unique, so there's no one-size-fits-all formula. But essentially, an EERM program involves an organization establishing an integrated process for setting strategy and making decisions around third-party risk. Continuous improvement and investment are typically part of the conversation, as is embracing highly customized and data-driven decision support technologies to improve management's understanding of, and ability to mitigate, risk.

There are also cultural elements: An EERM program needs executive champions to act as internal ambassadors for its value and ongoing investment. Part of these culture shifts involves broad understanding of one fact: The way risk is managed can translate into value for the organization, in the form of standardizing or simplifying processes and avoiding duplication of risk management efforts within business unit silos. As an example, the company might consolidate the security audit process for a third-party vendor that happens to work with many parts of the enterprise, instead of having different departments perform multiple audits on the same vendor over and over again.

Many organizations first look at EERM as a compliance initiative. However, as ongoing shifts in technologies and business models mean companies are increasingly relying on third-party assets for core corporate functions, managers and boards are realizing the need for better visibility into those assets. Applying a streamlined yet customizable EERM process—to manage the risks inherent in reliance on third parties without applying the brakes on business growth—can help a company not only meet regulatory requirements, but also drive competitive advantage and enhance the organization's reputation.

A business's bottom line and its overall reputation are enhanced when it skillfully leverages risk to grow the business. For example, a health insurance company may enlist the services of hundreds of thousands of brokers to sell various insurance products. An effective EERM program can help leadership identify the linkage between the relative risk a particular broker presents to the organization (by understanding the risks associated with a given broker's behavior) and the value of that broker's performance. In another example, a well-tuned EERM program can help retailers track and assess the many merchandisers they rely on to build out inventory. As retailers gain greater merchandiser awareness, thanks to an EERM program that flags instances of fraud and even price collusion, their management teams are poised to optimize their product mix by rooting out overpayment and products showcased for reasons other than merit.

So, as companies extend the physical and virtual boundaries of the organization with third-party, or even fourth- and fifth-party assets, EERM is best understood as a powerful business driver—rather than just a means of meeting regulatory requirements. In fact, in some ways, an EERM program can be a self-funded initiative. For example, standardizing security audits for a vendor that deals with many parts of the company will generate cost savings by enabling the company to avoid duplication of effort and other inefficiencies.

Research Suggests Work Still To Be Done

The Deloitte Dbrief poll surveyed nearly 2,400 professionals across a range of industries, while the Deloitte UK EERM global survey was a more in-depth survey of 975 senior leaders from top organizations in 15 countries.

Across both studies, it's striking how low on the EERM maturity curve many organizations are. In the global survey, more than half of respondents reported an increase in dependence on third parties in the past year. And 7 out of 10 believe that business and macroeconomic uncertainties have increased the risks inherent in managing their extended enterprise. However, only one in five said their organization has integrated or optimized its EERM mechanisms.

In the Dbrief poll, a mere 3.9 percent of respondents defined their EERM efforts as “optimized.” This suggests that a very small proportion of organizations have matured EERM to the point of having integrated strategy and decision-making, continuous improvement and investment, executive champions, and highly customized decision-support tools that draw on external data.

Respondents' self-assessments of their EERM maturity reflect the complexity of the task at hand and the challenges companies need to overcome along the way. Nevertheless, Deloitte UK's EERM global survey shows that more and more executives are beginning to understand the business case for EERM optimization. Nearly half (48 percent) of respondents said their investments in EERM are driven by overall cost-reduction objectives, which they feel they can achieve either through increased efficiency from using third parties or by preventing overpayments.

This is not to say that executives aren't still concerned about compliance. Although cost control was the goal of EERM spending for 48 percent of survey respondents, reduction of regulatory exposure (43 percent), addressing internal compliance requirements (41 percent), and reducing the number of third-party–related incidents (34 percent) were also strong business-case drivers.

Executives should consider re-imagining EERM as a path to both value creation and compliance. In our experience, this blended approach occurs when organizations learn to apply risk management only where it's needed and nowhere that it's not, and when they strategically leverage risk for efficiency gains.

Barriers to Progress

More than one-third of respondents to the Deloitte Dbrief survey consider their current organization's processes for measuring and monitoring risks in the extended enterprise to be “ad hoc” or “reactive.” Among the top barriers to progress, respondents cited management challenges—including leadership's view of EERM as primarily compliance-driven and a lack of EERM awareness beyond the mid-management level, with little board or senior management visibility.

Meanwhile, Deloitte UK's EERM global survey shows there are no easy fixes. Some 53 percent of respondents predicted the journey to achieve the desired state of EERM maturity will last at least two to three years. That's a reality check compared with earlier surveys in which these same executives indicated the journey could be completed in less than a year.

These findings suggest that maturity of EERM is lagging at a time when third parties are moving closer than ever to the core of many businesses. The results add new urgency to the need for EERM programs to take a more prominent position on C-suite and boardroom radars. EERM is a tool that can help senior leaders position supply chain risk in the larger context of the organization's financial health and long-term business strategy.

Deloitte UK's EERM global survey does reflect an emerging shift toward more centralized oversight and management for EERM, to enable increased risk awareness and consistency companywide. In some organizations, EERM decision-makers take a “federated” approach to risk management processes—blending a top-down, centralized process with a silo-structured, decentralized process. Returning again to the example of security audits, while organizations may standardize much of the process that applies companywide (perhaps the third party's certifications or how it safeguards data generally), departments in the organization can still customize certain elements of the audit that may be business-unit specific—for example, queries from a pharmaceutical division around how the third party handles health records.

The flexibility of such an approach to EERM enables the aggregation of information at a corporate level, not only to gain a cross-risk view of third-party relationships, but also to address issues around concentration risk.

Less Risk, More Value

Respondents to the global survey are working on increasing the maturity of their organization's EERM initiative. To move their company in this direction, they are articulating the business case for EERM, implementing centralized ownership and control of EERM initiatives, and ensuring appropriate visibility into subcontractor performance and rigor in monitoring.

The truth is, we're talking not just about third-party risk, but about fourth- or fifth-party risk as well. Unfortunately, compliance and regulatory standards don't typically differentiate. Large companies need to own whatever risk affects their enterprise, especially in light of recent regulations like the EU's General Data Protection Regulation (GDPR), which includes requirements to manage risk from subcontractors as well.

The Dbrief poll found that a majority of respondents believe their organization will keep investing in EERM programs over the next 12 months. Within that majority, 24 percent believe their organization is most likely to invest in exploring and adopting technology to support their existing extended ERM programs.

As both of these recent surveys show, many organizations are gearing up to address risk drivers as they strategize to activate value-creation opportunities in their supply chain. Many companies are beginning to use EERM to exploit the upside of risk. This affirms the idea that risk management can, and likely will, be a vital performance lever going forward.

Of course, ongoing effort is required to realize the advantages from this changing perception of risk management. Organizations need to place ownership and accountability for EERM in the C-suite. Doing so should help the company improve engagement and understanding of EERM by key stakeholders, including the leaders most able to drive the effort.

Dan Kinsella is a partner in the Risk and Financial Advisory practice at Deloitte & Touche LLP, serving as the extended-enterprise and third-party assurance leader. He combines business and technology experience to help clients create and optimize their extended enterprise through cost and revenue recovery services. He specializes in creating efficient exchange of risk information synergies in the marketplace. Kinsella leads Advisory Service Delivery Transformation, helping clients' efforts in shared services and outsourcing environment improvements.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.