
Third-party governance and risk management
The threats are real
Global survey 2016
Contents

Foreword 1

Executive summary 2

Key findings 5
The third-party ecosystem 7
Managing third-party risk 17
Third-party governance 25
Technology and delivery models 31

About the authors 35

Third-party governance and risk management contacts 36


Foreword
Welcome to our 2016 global survey on Third-party Governance and Risk Management (TPGRM). In this survey, the second in a series of publications on this topic, we provide the results from over 170 organizations on the key issues and trends impacting their approaches to managing and mitigating third-party risk.

The results show that TPGRM is starting to rapidly mature in many organizations, not just to enable enterprise-wide visibility of the risks that third parties present, but, more importantly, to be able to exploit the full spectrum of opportunity that the extended enterprise can create for them.

This report reflects the survey responses of over 170 senior members of management from a variety of organizations across all industries. The respondents were typically responsible for governance and risk management around third parties, including Chief Finance Officers, Heads of Procurement/Vendor Management, Chief Risk Officers, Heads of Internal Audit and those leading the Compliance and Information Technology (IT) Risk functions in organizations. The respondents represented eight major industry segments covering:

• Financial Services (FS)
• Energy & Resources (E&R)
• Manufacturing (MF)
• Public Sector (PS)
• Technology, Media, and Telecom (TMT)
• Consumer Business (CB)
• Healthcare & Life Sciences (HLS)
• Business, Infrastructure, and Professional Services (BIPS)

The majority of these organizations had annual revenues in excess of US$1 billion. Additional insight was also obtained from subsidiaries of group organizations with some degree of decentralization around third-party management and others with lower annual revenues.

We hope this report will enable you to enhance your understanding of organizational positioning in relation to your peer group across a number of key issues that span the management of third parties and related risks in a rapidly-changing context, e.g. increasing decentralization and autonomy of operating units in organizations, disruptive technology and globalization. The peer group perspective should also assist you in strategic decision-making around evolving issues such as emerging delivery models and technology infrastructure for third-party risk management. This, in turn, is intended to help you not merely manage third-party risk, but also highlight the opportunity that third parties create for your organization.

Third-party governance and risk management The threats are real 1


Executive summary
TPGRM is emerging as a board level focus area for many organizations in 2016. The survey results show how investment by organizations in TPGRM has increased year on year and that organizations are now in the process of either implementing or refining the existing implementation of TPGRM processes and frameworks.

At the same time the survey reveals significant gaps in the tools, technology, and underlying processes that must be addressed to ensure that the emerging organizational commitment to managing third-party risk achieves the intended objectives.

Deloitte believes that the increasing frequency of third-party incidents, negatively impacting organizational reputation, earnings, and shareholder value, is currently the single-most compelling driver for organizations to invest in TPGRM.

Third-party ecosystem
The emerging strategic perspective, together with the severity of consequences of third-party-related incidents, is compelling organizations to swiftly “catch-up” in upgrading the maturity of their third-party governance and risk management processes – to create, as well as to protect, organizational value.

The results of the survey demonstrate how a renewed set of drivers, which are directly aligned to long-term value-creation (such as business agility, access to specialized skills and knowledge, innovation, process-improvement, and other sources of sustainable competitive advantage), are now motivating organizations to rapidly enhance the management of risks within their global third-party ecosystems. The desire to achieve short-term cost-savings remains an important consideration, but is diminished in relative importance.

44.9% of respondents feel that flexibility and scalability will be the top emerging driver for third-party engagement.

55.1% of respondents aspire to have integrated third-party risk management systems in a year or more, with 16.5% aspiring to be “best in class”.

Managing third-party risk
As incidents relating to third parties continue to rise, organizations are becoming more and more concerned about any disruption to customer-service this can create or any regulation this may breach, given the growing severity of the related punitive action by regulators and customers. At the same time, increasing decentralization of operating units in organizations is starting to create challenges to a unified and consistent approach to TPGRM, driving organizations to mandate consistent third-party management standards across their operating units and aspiring to increase their monitoring and assurance activities over third parties.

94.3% of respondents have faced a disruptive incident with third parties in the last 2-3 years, of which 28% faced major disruption and 11% experienced a complete third-party failure.

Third-party governance
It is encouraging to see third-party risk starting to feature consistently on the Board agenda in the more forward-looking organizations, supported by increasing organizational awareness and commitment to this issue. However, the survey reveals a wide “execution gap” resulting from the inability of supporting tools, technology, and processes, to achieve intended results, despite the organizational commitment and high-level governance framework.

Mind the execution gap
87% of respondents have only low to moderate levels of confidence in the tools and technology used to manage third-party risk and 88.6% have a similar level of confidence in the quality of the underlying risk management processes, despite significantly higher levels of confidence in organizational commitment and governance frameworks – creating the execution gap.



Delivery models
As the demands of TPGRM keep increasing, the majority of organizations are investing in centralized in-house functions to support the management of third-party risk, with a smaller proportion of organizations moving to external service provider-based models. A significant minority remain undecided on their future course of action.

To insource or outsource TPGRM?
58.4% of respondents are increasingly moving to a centralized in-house function to support third-party management, with only 8% moving to external provider-based models, while as many as 33.6% are unsure about their future direction.

Reputation on the line
As businesses take the concept of the extended enterprise to new levels, the survey confirms how third parties are exposing businesses to new risks such as the threat of high-profile customer-service disruption and other major business failures. Where these risks have been realized, this has compromised organizational reputation, broken down business continuity, and even attracted substantial penalties and regulatory enforcement action.

The threats are real
26.2% of respondents have suffered reputational damage, 23% of respondents have been non-compliant with regulatory requirements, and 20.6% have experienced breach of sensitive customer data – all arising out of third-party actions.

86.0% of respondents now mandate consistent third-party standards across their operating units to manage these threats.

Key findings

The third-party ecosystem
1. As dependence on third parties becomes increasingly critical, organizations are being compelled to rapidly “catch-up” in enhancing the maturity of their TPGRM processes.
2. The drivers for third-party engagement are progressively shifting from a focus on cost to a focus on value, reflecting organizational recognition of the strategic opportunity that third parties can create for them.

Managing third-party risk
3. Third-party risk incidents are on the increase with customer-service disruption and regulatory breach being considered the top risks.
4. Increased monitoring and assurance activity over third parties is believed to significantly reduce third-party risk.
5. Organizational commitment to third-party risk management is not supported by confidence in the related technology and processes.

Third-party governance
6. Third-party risk is starting to feature consistently on Board agendas with CEO/Board-level responsibility in the more progressive organizations or those operating in highly regulated environments.
7. Visits to third-party locations are considered the most effective method to gain assurance over third-party management.
8. Most organizations are mandating consistent third-party governance standards amidst increasing decentralization of operating units.

Technology and delivery models
9. Existing technology platforms for managing third parties are considered inadequate.
10. Organizations are in the process of deciding between centralized in-house models and external service provider-based models for third-party monitoring.

The third-party ecosystem
1. As dependence on third parties becomes increasingly critical, organizations are being compelled to rapidly “catch-up” in enhancing the maturity of their TPGRM processes.

The survey demonstrates how organizations continue to rapidly enhance their dependence on global third-party ecosystems (extended enterprise) to garner the benefits of collaboration. Of respondents, 73.9% believe that third parties will play a highly important (44.8%) or critical (29.1%) role in the year ahead, up from 60.3% a year ago.

Survey respondents believe that this increasing dependence on third parties arises from four key drivers:

• Organizations have now gone far beyond the traditional focus on leveraging third parties in their direct supply chain (suppliers and vendors), with an increasing proportion of third parties in sales, distribution, and support services, in addition to alliance and joint venture partners. The increasing use of new technologies (such as the cloud and cloud-based applications) that facilitate collaboration and enable businesses to enhance their virtual boundaries, will further accelerate this trend;

• Secondly, the nature of the tasks being executed through third parties is becoming more critical than ever before, thus increasing the severity of consequences on disruption or failure. In the words of one respondent, “Third parties are increasingly carrying out activities traditionally carried out by direct employees, in particular interacting with customers”;

• Thirdly, respondents believe that the pursuit of lower-costs will continue to drive businesses to “continue to identify and work with high-quality but lower-cost vendors and other third parties in emerging markets”;

• Finally, the dependence on individual third parties will further increase as organizations choose to work with a smaller number of global strategic partners in an environment where consolidation activity is ongoing within the third-party marketplace.

Against this backdrop, a year ago only 9.5% of respondents had integrated or optimized their TPGRM systems. The survey confirms that organizations are now being compelled to rapidly “catch-up” in taking a holistic and proactive approach to third-party risk; 71.6% of respondents expect to be able to integrate and optimize their third-party risk management system, including 16.5% of respondents aspiring to be “best-in-class” in a year or more.

73.9% of respondents believe that third parties will play a highly important or critical role in the year ahead, up from 60.3% a year ago.



Deloitte point of view
Organizational focus on third-party risk has traditionally been reactive and dependent upon who is driving the activity. This has typically been procurement teams focused on suppliers and vendors, or brand and intellectual property (IP) protection functions focused on distribution channels and non-authorized manufacturers. Such a decentralized approach to risk has led to micro-focus on risk areas that interest certain parts of a business or certain functions (for example, operational performance from a supply chain perspective or information security from a corporate security angle).

Organizations are only now starting to depart from this siloed approach and take a Board and leadership-led holistic, proactive approach to risk as a source of organizational value. This covers all categories of third parties and all areas of risk, considering operational risk factors (e.g. performance, quality standards, delivery times, KPI/SLA measurement) with reputational/financial risk factors (e.g. labour practices, an understanding of financial health, appropriate charging mechanisms and adherence to these), and legal/regulatory risks (e.g. compliance with bribery regulations, awareness of global industry standards as they apply to third parties, Environment and Health & Safety compliance).

Deloitte recommends that organizations look at all risks (as highlighted above) across the third-party ecosystem in a consistent manner and do so in such a way that does not overburden third parties. In particular, adaptive risk management questionnaires should be used so that third parties are not overwhelmed with questions and requests for evidence.

In addition, Deloitte specialists, who have significant experience of working with organizations undergoing similar transformations, consider respondent aspirations to be optimistic in their estimation of the time and effort required to achieve this organizational transformation. Given the diverse range of stakeholders, processes, and technology impacted by this transformation, respondent organizations which believe that they would be able to substantially complete their transformational journey in the next year, may actually take much longer to do so as such programs typically span a 2-3 year timeframe.

Figure: Increasing dependence on third-party ecosystem. Stacked bars of % of respondents at Past (a year or more earlier), Present and Future (a year or more ahead), split by dependence level Minor, Low, Moderate, High and Critical. Dependence is based on critical factors, including number of third-parties, criticality, proportion of businesses involved, etc.

Figure: Increasing maturity of TPGRM systems. Stacked bars of % of respondents at Past (a year or more earlier), Present and Future (a year or more ahead), split by maturity level Initial, Managed, Defined, Integrated and Optimized.

Maturity level definition:
Respondents rated the maturity of their organization’s approach to third-party risk management based on the following elements:
• Structure of third-party management organization;
• Clarity of related roles and responsibilities;
• Stakeholder awareness and commitment to third-party risk management;
• Skills, bandwidth, and competence in management of third-parties; and
• Process and supporting technology for third-party risk management.

Rates:
Initial: None or very few of the elements addressed.
Managed: Some of the elements addressed with limited effort.
Defined: Consideration given to addressing all the elements with room for improvement.
Integrated: Most of the elements addressed and evolved.
Optimized: “Best in class” organization – all of the elements addressed and evolved.

Treading the Aspirational Path to Excellence (by industry segment):
The survey reveals that organizations across the eight major industry segments are adopting varying stances in the extent of dependence on third parties, along a continuum ranging from lower to a higher level of dependence. On a second dimension, they are at varying levels of maturity in their risk and governance approach to third parties.

Based on the above two criteria – the extent of dependence on third parties, and the maturity of governance processes – these organizations, grouped by industry segment, can be mapped to a two-by-two grid (in the figure below) as set out in our TPGRM whitepaper in 2015. This grid can be used by organizations to understand their current positioning as a first step to developing plans for reinventing themselves as the Role Models (upper-right-hand quadrant) who, as explained below, are able to maximize the opportunities through the third-party ecosystem, while managing the related risks.

Figure: The path to excellence (two-by-two grid; the page carries this figure in French, translated here). Vertical axis: maturity of TPGRM systems, from Minimal (evolution needed) to Maximal. Horizontal axis: dependence on third parties, from Low to High. Quadrants:
• Unfulfilled (top-left): untapped potential, or a missed opportunity to use third parties.
• Role model (top-right): concerted and controlled use of third parties (top-down, well-established processes).
• Unaware (bottom-left): insufficient awareness of the use of third parties, or risk aversion.
• Uncontrolled (bottom-right): unconcerted or uncontrolled use of third-party entities.

Dependence on third-party ecosystem (by industry segment)

          BIPS      Consumer Business  E&R       FS        HLS       Manufacturing  TMT       Public Sector
Past      Moderate  High               Critical  High      Moderate  Moderate       Moderate  Critical
Present   Moderate  High               Critical  Critical  Moderate  Moderate       High      Critical
Future    Moderate  High               Critical  Critical  Critical  Critical       High      Critical

Level of maturity in TPGRM systems (by industry segment)

          BIPS      Consumer Business  E&R         FS          HLS       Manufacturing  TMT         Public Sector
Past      Managed   Managed            Managed     Managed     Managed   Managed        Managed     Managed
Present   Defined   Managed            Defined     Integrated  Managed   Integrated     Defined     Defined
Future    Defined   Integrated         Integrated  Optimized   Defined   Optimized      Integrated  Optimized



The Role Models: The “best-in-class” organizations are clearly those that are able to leverage their third-party ecosystem more extensively with a
higher planned dependence on them. They are also the organizations that are in a more mature stage of implementation of the related governance
and risk management mechanisms, implemented top-down from the Board and C-suite. These organizations would therefore be the best
positioned to maximize the opportunities arising from the use of third parties as a valuable organizational asset. It is likely that these organizations
will involve third parties in higher value processes, considering and managing a greater level of risks in a dynamic, agile, and innovative way in their
pursuit of business value.

Figure: Treading the aspirational path to excellence. Three panels (Past, Present, Future), each plotting the level of maturity in TPGRM systems (Initial, Managed, Defined, Integrated, Optimized) against the extent of dependence on the third-party ecosystem (Minor, Low, Moderate, High, Critical), divided into the quadrants Unaware, Uncontrolled, Unfulfilled and Role model, with one marker per industry segment: Financial Services, Energy & Resources, Manufacturing, Public Sector, Technology, Media & Telecom, Consumer Business, Healthcare & Life Sciences, and Business, Infrastructure & Professional Services.

At the opposite extreme are the organizations that continue to have limited use of the third-party ecosystem and that have not implemented or
matured in their implementation of governance mechanisms and practices. Such organizations are likely to face the greatest potential challenges to
erosion of organizational value. Accordingly, they can be classed as the Unaware; those that are likely to experience erosion in their profitability and
organizational value, which may eventually threaten survival. For such organizations it is likely that any limited use of third parties would be focused on
lower-value generating and less-risky activities. They may still face several threats and hazards in these limited pursuits of organizational value.

Organizations that have a higher dependence on third parties in their aspiration for higher organizational value, without the requisite evolution in governance mechanisms to give them the required control, are likely to be unable to manage the various threats they face as they engage with their third-party ecosystem and can be considered Uncontrolled.

Finally, organizations that will continually remain Unfulfilled are those that have limited leverage of third parties despite maturing in governance mechanisms and practices. They are likely to be perpetually facing significant opportunity loss, leading eventually to threats of value erosion and survival challenges.

This aspirational path to excellence across the key industry segments, as revealed by the survey, is set out on page 10.

As can be seen, organizations across all the industry segments are treading this aspirational path of excellence, some quicker than others, with those in the Business and Professional Services (BIPS) segment transitioning the slowest. This is a reflection of the nature of their businesses around service delivery, rather than product delivery. Accordingly, they do not have a “product-based” supply or distribution chain and therefore tend to involve third parties at a significantly lower level than other product-based industries.



The third-party ecosystem (cont.)
2. The drivers for third-party engagement are progressively shifting from a focus on cost to a focus on value, reflecting organizational recognition of the strategic opportunity that third parties can create for them.

The survey reconfirms how new and emerging strategic drivers for third-party engagement such as strategic agility, competitive advantage, innovation, and performance improvement, are being focused upon to enhance organizational value.

Traditional drivers
As previously stated, the pursuit of cost savings continues to remain one of the key factors driving the increasing dependence on third parties. At the same time, the survey reveals that increasing use of third parties is not about cost reduction alone. The survey reveals that cost saving/cost reduction is rapidly losing its dominance as the most significant traditional driver for third-party engagement. Only 42.3% of respondents consider this to be a key future driver, down from 57.1% a year ago.

Other traditional drivers such as the need to reduce operational risk through the involvement of third parties (12.2% of respondents a year ago) or improve overall quality parameters (6.4% of respondents a year ago) are also declining or remaining unchanged in relative importance, as reflected by 12.8% and 3.8% of respondents, respectively, considering the above as key future drivers.

Emerging drivers
Emerging drivers for engaging third parties that reflect an increasing focus on organizational value-enhancement are increasingly becoming more significant. The survey reveals that organizational agility, characterized by the need for flexibility and scalability, is emerging as the most powerful value-driver for future third-party engagement (44.9% of respondents, up from 34.6% a year ago). Similarly, the opportunity to bring in product or service innovation by leveraging specialized knowledge or skills from third parties is also rapidly enhancing its dominance as a key future driver (26.9% of respondents, up from 10.3% a year ago).

With regard to services provided by the third-party ecosystem, as many as 20.5% of respondents are expecting to improve their performance from the implementation of best practices related to specific processes operated by third parties, representing a significant increase from 9.0% a year ago. In addition, 21.8% of respondents expect third parties to be a source of competitive advantage (up from 10.3% a year ago).

Figure: Changing drivers for third-party engagement (% of respondents at Past (a year or more earlier), Present and Future (a year or more ahead)). Traditional drivers panel: cost savings/cost reduction; manage operational risks; improve on overall quality parameters. Emerging drivers panel: flexibility and scalability; implement best practices related to specific processes operated by third-parties; product or service innovation by leveraging specialized third-party knowledge; enhance competitive advantage.

Deloitte point of view
The increasing recognition of the strategic opportunity that third parties can create for organizations resonates with Deloitte’s experience that effectively governed third-party relationships can be a significant source of organizational value. This can arise, for example, from product or service innovation, expansion to new markets, and access to skills and capabilities not available internally, including the capability to operate with greater agility. In addition, some organizations are now able to effectively benefit from third parties as their knowledge partners, or even as trusted advisors, to catalyze organizational innovation, provide strategic insights and feature on organizational advisory boards.

Deloitte believes those organizations that have a good handle on their third-party business partners can not only avoid the punitive costs and reputational damage, but stand to gain competitive advantage over their peers, outperforming them by an additional 4-5% ROE (which, in the case of Fortune 500 or FT500 companies, can mean additional EBITA in the range of US$25-500 million). Academic researchers concur with this view. When stakeholders can appreciate improvements in governance, controls, and risk management that upgrade their long-term expectations, equity values will rise.



Survey results by industry segment
The increasing importance of emerging drivers over traditional drivers for third-party engagement persists as a general trend across most of the industry segments. This trend is probably the most dominant in the Consumer Business segment, where the 57.1% of respondents focused on cost savings a year or more earlier falls rapidly to 28.6% a year or more ahead. On the other hand, organizations in the Business, Infrastructure, and Professional Services (BIPS) segment aspire to continue to increase their focus on cost savings (22.2% of respondents a year or more ago to 33.3% a year or more ahead).

Figures: Changing drivers for third-party engagement (% of respondents) for BIPS and Consumer Business. Each segment has a traditional drivers panel (cost savings/cost reduction; manage operational risks; improve on overall quality parameters) and an emerging drivers panel (flexibility and scalability; implement best practices related to specific processes operated by third-parties; product or service innovation by leveraging specialized third-party knowledge; enhance competitive advantage), plotted at Past (a year or more earlier), Present and Future (a year or more ahead).

Survey results by industry segment (cont.)
Figures: Changing drivers for third-party engagement (% of respondents) for Energy & Resources, Financial Services and Health & Life Sciences, each with the same traditional drivers and emerging drivers panels and the same Past, Present and Future time points as the preceding segment charts.



Survey results by industry segment (cont.)
Figures: Changing drivers for third-party engagement (% of respondents) for Manufacturing, Public Sector and TMT, each with the same traditional drivers and emerging drivers panels and the same Past, Present and Future time points as the preceding segment charts.

Managing third-party risk

3. Third-party risk incidents are on the increase with customer-service disruption and regulatory breach being considered the top risks.

87% of respondents have faced a disruptive incident associated with third parties in the last 2-3 years, of which 28% faced major disruption and 11% complete third-party failure – reducing their confidence in the related governance and risk management processes.

As businesses take the concept of the extended enterprise to new levels, the survey confirms how third parties are exposing businesses to new risks such as the threat of high-profile customer-service disruption and other major business failures. Where these risks have been realized, this has compromised organizational reputation, broken down business continuity, and even attracted substantial penalties and regulatory enforcement action.

Respondents consider disruption in client service due to third-party action as the most critical risk, closely followed by the breach of regulation or law by third parties being attributed to their organization. Reputational damage, supply-chain breakdown, and financial fraud/exposure caused by third-party action also feature on the list of critical risks. In addition, respondents are anxious about any failure in financial viability of a third party that can impact their ability to deliver.

The threats arising from the actions of third parties are real. Of respondents, 87% have faced a disruptive incident associated with third parties in the last 2-3 years, out of which 28% faced major disruption and 11% experienced a complete third-party failure – reducing their confidence in the related governance and risk management processes.

As well, 26.2% of respondents have suffered reputational damage arising from third-party action in the last 2-3 years, while 23.0% have ended up being non-compliant with regulatory requirements, with 8.7% of these respondents facing a fine or financial penalty as a result of this non-compliance. Another 23.0% of respondents have experienced financial or transaction-reporting errors, 20.6% have dealt with a situation where sensitive customer data has been breached through third parties, and 10.3% have actually lost revenue.


Top areas of third-party engagement risk, ranked in order of criticality

Risk areas                                                          Rank
Disruption in customer-service due to third parties                 1
Breach of regulation or law through third-party action              2
Reputational damage arising from third-party behaviour              3
Breakdown in supply chain due to failure of third parties           4
Financial fraud or exposure created by third-party behaviour        5
Failure of financial viability of third-party impacting delivery    6

Impact of third-party incidents actually faced by respondents (% of respondents)
• Reputational damage: 26.2%
• Financial or transaction reporting errors: 23.0%
• Non-compliance with regulatory requirements: 23.0%
• Breach of sensitive customer data: 20.6%
• Lost business: 10.3%

Deloitte point of view

The severity of consequences of negative actions by third parties on organizational reputation, earnings, and shareholder value is currently the single most compelling driver for organizations to invest in either implementing or refining TPGRM processes and frameworks.

Deloitte believes that the financial services sector will continue to dominate industry-specific regulation around the world, impacting the use of third parties, which is expected to get more rigorous. Similar regulation, however, is also expected to grow in other industry sectors such as life sciences and healthcare, chemicals, food and retail, etc., together with global regulation such as the US Foreign Corrupt Practices Act (FCPA) impacting all industries, irrespective of where the related organizations are headquartered.

Deloitte estimates that the failure by large multinational businesses to appropriately identify and manage third parties can lead to fines and direct compensation costs or other revenue losses in the range of US$2–50 million, while action under global legislation such as the US FCPA can be far higher, touching US$0.5–1 billion. This point of view resonates with academic research which has established that punishment by regulators causes losses to shareholders that are, on average, 10 times the size of the fine itself and negatively impacts share prices by an average of 2.55% in the three days after the announcement, where direct harm to customers and investors is involved. This of course is in addition to the significant reputational damage that an organization will incur.
Survey results by industry segment

The survey reveals that concern around the breakdown in their service supply chain features higher amongst organizations engaged in Business, Infrastructure, and Professional Services (BIPS) as well as those in Healthcare and Life Sciences (HLS), compared to respondents from other industry segments, given the nature of their business. Similarly, concern around fraud by third parties ranks higher than others for Consumer Business, Technology, Media, and Telecom (TMT) and Manufacturing industries, while Public Sector undertakings appear to be most perturbed about failure in financial viability of their third parties.

In terms of the related impact of third-party incidents, organizations in the BIPS segment (33.3% of respondents) as well as in Healthcare and Life Sciences (33.3% of respondents) appear to have faced revenue losses arising from third-party-related failures but with significantly lower experience of financial or transaction errors. Additionally, BIPS organizations have faced a comparatively lower impact of regulation and loss of customer data.

[Figure: Impact of third-party incidents actually faced by respondents – nature of third-party incident (% of respondents) by industry segment (BIPS, Consumer business, E&R, FS, HLS, Manufacturing, Public sector, TMT): reputational damage; financial or transaction reporting errors; non-compliance with regulatory requirements; breach of sensitive customer data; lost business.]

Top third-party-related risks ranked in order of criticality

Risk areas                                                          BIPS  Consumer business  E&R  FS  HLS  Manufacturing  Public sector  TMT
Disruption in customer-service due to third parties                   4          3            1    1    4        3              2          6
Breach of regulation or law through third-party action                4          6            3    2    3        3              3          5
Reputational damage arising from third-party behaviour                1          4            4    4    1        2              4          3
Breakdown in supply chain due to failure of third parties             1          2            5    3    1        6              5          4
Financial fraud or exposure created by third-party behaviour          6          1            2    5    6        1              6          1
Failure of financial viability of third-party impacting delivery      3          5            6    6    5        5              1          2


Managing third-party risk (cont.)

4. Increased monitoring and assurance activity over third parties is believed to significantly reduce third-party risk.

59.7% of respondents are enhancing their monitoring activities and 57.1% are increasing their assurance activities over third parties as their key initiative to reduce third-party risk.

Organizations are undertaking a number of key initiatives to address the risks that the increased use of third parties creates for them. Enhanced monitoring of third parties appears to be the top initiative in this regard, being taken up by 59.7% of respondents. Of respondents, 57% are stepping up their assurance activities over third parties as their key initiative to reduce third-party risk.

Respondents recognize that stakeholders across various levels and functional areas (for instance, business owners, supply chain teams, and compliance groups) have a role to play in these monitoring and assurance activities. Each of these players brings a unique set of perspectives and skills to risk management, which can be an invaluable asset to the business. In keeping with the principle of the “Three Lines of Defence”, they perceive the need to be able to orchestrate their activities to ensure that there is complete clarity on respective roles and responsibilities. This ensures that limited risk management resources are deployed effectively across the organization to address the most significant areas of concern.

Enhancing the rigour of disciplined contracting and “business case articulation and due diligence” for third parties are some of the other key risk reduction initiatives, being taken up by 44.5% and 38.7% of respondents, respectively.

Risk reduction initiatives taken up by respondents (% of respondents)
• Enhanced monitoring of third parties: 59.7%
• Enhancing assurance activities over third parties: 57.1%
• More disciplined contracting (e.g. centralized templates approach): 44.5%
• Enhanced business case and due diligence for involving third parties in a specific area: 38.7%
• Enhancing visibility and transparency: 36.1%
Survey results by industry segment

The survey results indicate that the prioritization of initiatives to reduce third-party risk varies by industry segment. The following industries have prioritized other initiatives over enhanced assurance and monitoring of third parties:

• Energy & Resources (E&R): Enhancing visibility and transparency (80.0% of respondents)
• Healthcare & Life Sciences (HLS): Enhancing visibility and transparency (66.7% of respondents)
• Manufacturing: Enhancing business case and due diligence (85.7% of respondents) followed by more disciplined contracting (71.4% of respondents)
• Public Sector (PS): More disciplined contracting (75.0% of respondents)
• Technology, Media, and Telecom (TMT): More disciplined contracting (46.7% of respondents)

[Figure: Key initiatives associated with third parties – key initiative (% of respondents) by industry segment (BIPS, Consumer business, E&R, FS, HLS, Manufacturing, Public sector, TMT): enhanced monitoring of third parties; enhancing assurance activities over third parties; more disciplined contracting (e.g. centralized templates approach); enhanced business case and due diligence for involving third parties in a specific area; enhancing visibility and transparency.]

Deloitte point of view

Deloitte experience indicates that organizations have been benefiting from assurance and monitoring activities by being able to identify and remediate significant unseen risks such as non-compliance with anti-bribery legislation, lack of appropriate physical and IT security, and overcharging compared to contractual rates (in the range of 3-10% of total spend). Only now are organizations expanding their third-party monitoring and assurance activities to cover all risks and all third-party types, having previously focused on a particular type of risk or a subsection of third parties.

The organizational clamour for increasing monitoring and assurance-related activities around third parties demonstrates growing organizational realization that the implementation of controls to manage third-party risks is not a one-time activity. Given the dynamism in the external environment as well as within their extended enterprise, organizations must continually ensure that changing conditions have not made these controls out-of-date. In addition, more and more organizations are starting to appreciate the need to continually evaluate the effectiveness of these controls to reconfirm that they are working effectively, using various monitoring mechanisms.

In particular, the lack of organizational confidence in the tools and technology used for third-party management, resulting in an absence of reliable data in this area (described in another section of this report), reinforces the need for “other organizational assurance mechanisms” to obtain comfort on third-party management.


Managing third-party risk (cont.)

5. Organizational commitment to third-party risk management is not supported by confidence in the related technology and processes.

Organizational confidence appears to be the highest in the awareness and commitment to managing third-party risk, with 78.1% of respondents expressing a moderate to high level of confidence in this domain of third-party risk management. However, organizational confidence is the lowest in the areas of tools and technology, monitoring mechanisms and the quality of processes to support third-party risk management, with the vast majority of respondents expressing moderate to low levels of confidence in these domains.

Survey respondents have indicated varying levels of organizational confidence in the different domains of TPGRM. Organizational confidence appears to be the highest in the level of awareness of various stakeholders in third-party risk management processes and their commitment to managing third-party risk. Of respondents, 78.1% have expressed a moderate to high level of confidence in this domain.

Closely related to stakeholder awareness is the clarity with which the ownership of related risk management activities is known to those tasked with the performance and oversight of the framework. As many as 77.9% of respondents have expressed a moderate to high level of confidence. This high level of confidence also extends to the organization of third-party risk management as well as the skills, competence, and training of the relevant individuals.

However, higher levels of confidence are not mirrored in the related tools, technology, and processes. For instance, organizational confidence is the lowest in the areas of tools and technology, monitoring mechanisms, and the quality of processes to support third-party risk management, with as many as 94.3%, 93.5%, and 88.6% of respondents, respectively, expressing moderate to low levels of confidence in these domains.

Domains of third-party risk management where confidence is moderate to high (% of respondents)
• Awareness and commitment to managing third-party risk: 78.1%
• Clarity of roles and responsibilities: 77.9%
• Skills, competence and training: 73.9%
• Organization of third-party risk management: 73.2%

Domains of third-party risk management where confidence is moderate to low (% of respondents)
• Tools and technology used for risk management: 94.3%
• Management and monitoring mechanisms: 93.5%
• Quality of third-party risk management processes: 88.6%
• Disciplined escalation framework: 78.9%
Survey results by industry segment

Analysis of the survey results indicates that there is divergence amongst respondents across industry segments in the TPGRM domains where the survey has revealed an overall higher level of confidence. For instance, only 50% of respondents from Public Sector (PS) have moderate to high levels of confidence in the manner in which third-party risk management is organized, the clarity of roles and responsibilities, together with related skills, competence and training. This is significantly lower than the other industry segments, implying that Public Sector organizations may require stronger levels of accountability amongst their senior officials responsible for third-party risk management. Further, respondents within the Business, Infrastructure, and Professional Services (BIPS) industry segment as well as Consumer Business have indicated lower levels of confidence in awareness and commitment around third-party risk management, with only 44.4% and 57.1% of respondents having moderate to high confidence levels, respectively.

[Figure: Domains of TPGRM where confidence is moderate to high (% of respondents) by industry segment (BIPS, Consumer business, E&R, FS, HLS, Manufacturing, Public sector, TMT): awareness and commitment to managing third-party risk; clarity of roles and responsibilities; skills, competence and training; organization of third-party risk management.]

[Figure: Domains of TPGRM where confidence is moderate to low (% of respondents) by industry segment (BIPS, Consumer business, E&R, FS, HLS, Manufacturing, Public sector, TMT): tools and technology used for risk management; management and monitoring mechanisms; quality of third-party risk management processes; disciplined escalation framework.]

Deloitte point of view

Deloitte perceives an emerging “execution gap” in TPGRM. This gap is the result of organizational commitment not being supported by the ability of the related tools, technology, and processes to achieve intended results.

In spite of the overall strategy and governance framework having been put in place in a larger number of respondent organizations, there is more to do in strengthening third-party risk management tools and technology, together with the underlying processes and monitoring mechanisms.

Addressing this execution gap would go a long way in reducing the potential for failure, while augmenting organizational capability to maximize the opportunities from their third-party ecosystem.


Third-party governance

6. Third-party risk is starting to feature consistently on Board agendas, with CEO/Board-level responsibility in the more progressive organizations or those operating in highly regulated environments.

Third-party risk features consistently on Board agendas, with varying levels of urgency, at 39% of respondent organizations, and with critical urgency at a further 16.1%. Ultimate accountability for third-party risk management resides in the CEO or Member(s) of the Board in 46.6% of respondent organizations.

With the increasing strategic importance of third parties, the survey demonstrates how TPGRM is rapidly becoming a Board and top leadership-level issue. Having been viewed for decades as an operational-level issue rather than a Board or top leadership issue, third-party risk is now being rethought, and this presents a transformational opportunity for the more progressive organizations leveraging their extended ecosystem.

The survey reveals that the ultimate accountability for third-party risk management resides in the CEO or Member(s) of the Board in 46.6% of respondents. This is in addition to other members of the C-suite such as the Chief Procurement Officer (CPO), the Chief Risk Officer (CRO), and the Chief Finance Officer (CFO) being ultimately responsible for third-party risk in a further 16.9%, 9.3%, and 5.1% of respondents, respectively.

Third-party risk features consistently on the Board agenda in 39% of respondents with varying levels of urgency, but with critical urgency in a further 16.1% of respondent organizations, representing the more progressive organizations and those that operate in highly regulated environments.

However, third-party risk is still discussed reactively in 25.4% of respondents, only in response to third-party incidents, while a further 18.6% of organizations engage in this Boardroom discussion only intermittently, with a low level of importance. This indicates that this transformational thinking is still to make a substantial impact on a number of organizations where regulatory pressures are lower, or in those organizations that are yet to experience the negative consequences of a major third-party-related risk incident.

Third-party risk on the Board agenda (% of respondents)
• Features consistently as a critical item on the Board agenda: 16.1%
• Periodically on the agenda with varying urgency: 39%
• Reactively in the agenda in response to incidents: 25.4%
• Intermittently on Board agenda with low importance: 18.6%
• Not on the Board agenda: 0.8%

Level of ultimate accountability for third-party risk management (% of respondents)
• Member(s) of the Board or Chief Executive Officer (CEO): 46.6% combined
• Chief Procurement Officer (CPO): 16.9%
• Head of Risk or Chief Risk Officer: 9.3%
• Chief Finance Officer (CFO): 5.1%
• Remaining respondents: Head of Compliance, Head of Internal Audit, Head of Vendor/Alliance Management, Individual Vendor or Alliance Manager, or not clear/dependent on type of third party


Deloitte point of view

The survey results echo the growing organizational acceptance of the need for enhanced accountability for third-party risk management at their Board and the C-suite level to ensure the explicit linkage of risk and strategy in maximizing the opportunities from their third-party ecosystem. Following the financial crisis, key regulators/governance bodies now agree on the Board’s central role in approving and monitoring strategy, in keeping with their fiduciary duties to shareholders. The Board therefore needs to understand the risks and ensure appropriate risk management, which would further enable them to strike a better balance between risk oversight, growth, performance, and strategy.

Deloitte further believes that Board and C-suite ownership and oversight of TPGRM is critical to be able to exploit the opportunities and manage the risks from third parties efficiently and effectively. This also facilitates multiple stakeholder buy-in at the functional level.

Survey results by industry segment

The survey results indicate divergence in the Manufacturing and in the Business, Infrastructure, and Professional Services (BIPS) industry segments, where a significantly large proportion of respondents do not have third-party risk management featuring in their Board agenda at all or only intermittently (Manufacturing: 42.9% of respondents in total; BIPS: 44.4%). On the other hand, the Healthcare and Life Sciences (HLS) industry segment appears to have third-party risk featuring most consistently as a critical item on the Board agenda, with 66.7% of respondents in this category.

[Figure: Third-party risk on the Board agenda (% of respondents) by industry segment (BIPS, Consumer business, E&R, FS, HLS, Manufacturing, Public sector, TMT): not on the Board agenda; intermittently on Board agenda with low importance; reactively in the agenda in response to incidents; periodically on the agenda with varying urgency; features consistently as a critical item on the Board agenda.]
Third-party governance (cont.)

7. Visits to third-party locations are considered the most effective method to gain assurance over third-party management.

69.5% of respondents periodically visit third-party locations based on risk assessment as the most effective way of gaining assurance over third parties. However, internal controls testing drives the approach to such assurance in the vast majority of cases (80.5%), with the other 19.5% driving their approach through detailed transaction testing.

The survey reveals that respondents obtain assurance over third-party management activities through a combination of methods, some of which are more popular or effective compared to others.

Visiting third-party locations periodically based on risk assessments appears to be the most popular method for gaining assurance over third-party management activities, with 69.5% of respondents making such on-site visits. In-house internal audit reviews represent the second most popular and effective method of gaining third-party assurance, practised by 62.7% of respondent organizations. In addition, controls self-assessments by third parties, remote assessments with direct access to third-party systems/data, and desktop audits represent the other key assurance methods, although they are not considered as effective as on-site reviews or in-house internal audit procedures.

Use of contractors or outsourced internal audit providers to perform third-party audits is also rapidly gaining popularity as an effective method for obtaining assurance over third-party management.

Some respondents have expressed their dependence on external audits and service provider audits under SSAE16/ISAE3402 standards. However, most of these audits cover the risk of material financial statement misstatements only and may not address the wider set of strategic, operational, reputational, legal, and regulatory risks that a best-in-class framework should holistically and proactively address. They may also not cover the specific obligations contained in an organization’s contracts with its third parties.

Most effective methods of gaining assurance over third-party management (% of respondents)
• Visiting third-party locations periodically based on risk assessment: 69.5%
• In-house internal audit: 62.7%
• Control self-assessments by third parties: 39.8%
• Remote assessments with direct access to third-party systems and data: 22.9%
• Desktop audits: 22.0%

What drives the approach to on-site third-party reviews? (% of respondents)
• Internal control testing: 80.5%
• Detailed transaction testing for all risks: 19.5%


Survey results by industry segment

There is a fair degree of consistency in the methods of gaining assurance on third-party activity across the industry segments, all of which rely heavily on risk-based visits to third-party locations as well as on internal audit procedures, as indicated below:

[Figure: Dominant methods of gaining assurance over third-party management – method of gaining assurance (% of respondents) by industry segment (BIPS, Consumer business, E&R, FS, HLS, Manufacturing, Public sector, TMT): visiting third-party locations periodically based on risk assessment; in-house internal audit; control self-assessments by third parties; remote assessments with direct access to third-party systems and data; desktop audits.]

During these periodic risk-based on-site reviews, the proportion of respondents relying on internal controls testing, rather than detailed transaction testing across all risks, is the highest in Business, Infrastructure, and Professional Services (BIPS), Healthcare & Life Sciences (HLS), and Public Sector (PS), where the level of detailed transaction testing appears to be insignificant, with the sole focus being on internal controls. On the other hand, Energy & Resources (E&R) organizations seem to be doing the most detailed transaction testing, with 57.1% of respondents adopting this approach.

[Figure: What drives the approach to on-site third-party reviews? (% of respondents) by industry segment (BIPS, Consumer business, E&R, FS, HLS, Manufacturing, Public sector, TMT): internal control testing versus detailed transaction testing for all risks.]

Deloitte point of view

Deloitte experience in the area of TPGRM indicates that the growing complexity of third-party risks requires a holistic and deep understanding across a diverse group of organizational stakeholders, as well as disparate groups of third parties in the extended enterprise. This results in the utilization of a combination of methods for gaining assurance over third-party management, striking a balance between efficiency and effectiveness. Visits to third-party locations are identified by respondents as being the most effective method of gaining assurance, further recognizing the relational impact that this creates.

However, it is interesting to note that internal controls testing drives the approach to on-site third-party reviews in more than 80% of cases, with detailed transaction testing for all risks driving the approach in less than 20% of cases. There is clearly room for improvement here to adopt a review approach based on increasing the extent of detailed transaction testing supported by available data, which would significantly improve the quality of assurance obtained. Deloitte specialists believe that reversing the mix, with 20% of controls testing and 80% of transaction testing, should be the benchmark that organizations should strive to attain in this area. This would provide evidence-based assurance around the operating effectiveness of a control as opposed to relying on an assessment of its design.
Third-party governance (cont.)

8. Most organizations are mandating consistent third-party governance standards amidst increasing decentralization of operating units.

75.5% of respondents today have a partial through to a high degree of decentralization, reflecting a potential challenge to a holistic and unified approach to third-party risk management. However, 86% mandate common third-party standards to ensure a consistent approach across business units.

A decentralized organization is one where the decision-making authority is not vested in a central group or individual but is dispersed across business units and divisions to achieve divisional flexibility with which to react to local environmental and operational contingencies.

The survey confirms that global organizations are increasingly being managed through degrees of decentralization across their various operating units and entities. Of these respondents, 75.5% today have a partial through to a high degree of decentralization, reflecting a potential challenge to a holistic and unified approach to third-party risk management.

As many as 86% of respondents mandate common third-party standards to ensure a consistent approach to third-party risk management across decentralized and often diverse business units.

The survey also reveals that the general trend is to have a combined approach to formulating these standards, representing a mix of existing industry-specific standards (e.g. HIPAA standards for safeguarding personally identifiable or private information for patient data handled or managed by third-party service providers) or generally accepted functional standards (e.g. the ISO 22301 standard for business continuity in relation to business processes operated by third parties), supplemented by organization-specific standards, particularly in those areas where no such generally accepted standards exist.

Respondents have also indicated that the domains covered by these third-party standards are continually expanding and extending to areas such as code of conduct and ethics, regulatory compliance, minimum wage requirements, information security and privacy, etc.

Increasing degree of decentralization in respondent organizations (% of respondents)
• Highly centralized and More centralized than decentralized: 24.5% combined (7% and 17.5%)
• Partly decentralized, More decentralized than centralized, and Highly decentralized: 75.5% combined (41.2%, 27.3% and 7%)

Mandating third-party standards (% of respondents)
• Organizations that mandate standards for third parties: 86%
• Organizations that DO NOT mandate standards: 14%
Third-party governance and risk management The threats are real 29


Survey results by industry segment

The degree of decentralization appears to be the highest in the following industries. A high proportion of respondents in these industries consider their organization to be more decentralized than centralized or to be highly decentralized:

• Healthcare and Life Sciences (HLS) (66.7% of respondents)
• Public Sector (62.5% of respondents)
• Business Infrastructure and Professional Services (BIPS) (55.6% of respondents)
• Manufacturing (42.9% of respondents)

We do, however, see consistency across all industry sectors in the way that organizations mandate third-party standards to be applied across all business units and divisions.

[Chart: Increasing degree of decentralization in respondent organizations (%), by industry (BIPS, Consumer business, E&R, FS, HLS, Manufacturing, Public sector, TMT); categories: Highly centralized; More centralized than decentralized; Partly decentralized; More decentralized than centralized; Highly decentralized]

[Chart: Mandating third-party standards (%), by industry; series: Organizations that mandate standards for third parties; Organizations that DO NOT mandate standards]

Deloitte point of view

Third-party governance and risk management is clearly evolving as a crucial organization-wide matter that cannot be left to the discretion of a divergent group of operational-level personnel in the multiple divisions of an institution that operates with a moderate to high level of decentralization. The survey results portray an organizational response to maintain a holistic and unified approach to TPGRM through a consistent framework, reinforced through the mandating of common third-party standards across a widening set of domains.
Technology and delivery models

9. Existing technology platforms for managing third parties are considered inadequate.

Organizational confidence in tools and technology is the lowest across all the domains of third-party risk management, with 56.1% of respondents rating their confidence level as low and another 38.2% of respondents rating their level of confidence as moderate.

The survey provides further insight that there is no clear dominance of a particular type of technology or tool that respondents use for third-party risk management. While 29.8% of respondents utilize their ERP platform for third-party risk management, the remaining 70.2% represent a range of solutions, including bespoke solutions, generic and third-party specific risk management software, and a combination of multiple systems, together with manual processes and spreadsheets. In many cases, respondents are challenged by the absence of organizational integration of the multitude of tools and technologies that may be used to manage different aspects of third-party risk, or even different types of third parties, across various parts of a large global organization operating with a partial or high degree of decentralization.

Respondents are united in their desire for an integrated set of tools that would address as many of the dimensions of third-party risk management as possible.

[Chart: Technology platforms used for third-party management. ERP platform (e.g. SAP, Oracle module) 29.8%; Generic risk software package (not specific to third-party management): an "off the shelf" solution tailored to the organization (e.g. Archer, Open Pages) 20.2%; Third-party management software package: an "off the shelf" solution tailored to the organization (e.g. Hiperos) 14.9%; Bespoke software: a software package specifically coded for third-party risk management at your organization 14.9%; Multiple platforms, typically a combination of bespoke, packaged, and manual/unknown 20.2%]

[Chart: Desired functionality of third-party software. Enabling the performance of risk assessments 61.1%; Facilitating and recording due diligence activities 45.1%; Blocking payments unless the third party has been appropriately approved for use 22.1%; Recording key performance indicators (KPIs) and other performance data 67.3%; Facilitating documentation and escalation of issues 33.6%; Producing top management reports and dashboards 36.3%; Evaluating concentration risk, scheduling third-party reviews and other features 5.3%]
Survey results by industry segment

The results of the survey indicate a range of tool and technology solutions in use across all the industry segments, although generic risk management software platforms do not appear to be popular in Consumer Business, Energy & Resources, Healthcare & Life Sciences, Manufacturing and the Public Sector as tools to help manage third-party risk.

[Chart: Technology platforms used for third-party management (%), by industry (BIPS, Consumer business, E&R, FS, HLS, Manufacturing, Public sector, TMT); categories: ERP platform (e.g. SAP, Oracle module); Generic risk software package (not specific to third-party management): an "off-the-shelf" solution tailored to the organization (e.g. Archer, Open Pages); Third-party management software package: an "off-the-shelf" solution tailored to the organization (e.g. Hiperos); Bespoke software: a software package specifically coded for third-party risk management at your organization; Multiple platforms, typically a combination of bespoke, packaged, and manual/unknown]

[Chart: Key software functionality (%), by industry; categories: Enabling the performance of risk assessments; Facilitating and recording due diligence activities; Blocking payments unless the third party has been appropriately approved for use; Recording key performance indicators (KPIs) and other performance data; Facilitating documentation and escalation of issues; Producing top management reports and dashboards; Evaluating concentration risk, scheduling third-party reviews, and other features]

Deloitte point of view

There is no doubt that the lower level of organizational confidence in the tools and technology for TPGRM creates a burning issue to be addressed with urgency. The inadequacy of tools and technology reduces the availability of reliable and timely data, adversely impacting organizational ability to make appropriate risk-informed decisions, as well as to implement optimized processes tailored to the type of product or service being outsourced. Deloitte experience indicates that appropriate tools and technology can significantly reduce the effort spent on pre-contract, post-contract, and ongoing tracking/monitoring activities, thus making time available for risk management personnel to complete their third-party risk management activities effectively.
10. Organizations are in the process of deciding between centralized in-house models and external service provider-based models for third-party monitoring.

Establishing a centralized in-house function for third-party management seems to be the approach that the majority of respondents are adopting, with 58.4% of respondents in this category. It is expected that this centralized function would cover most of the key activities related to third-party management, including ongoing risk assessments (80.3%); third-party monitoring activities (80.3%) and co-ordination (56.1%); tracking remediation activities (57.6%); and tracking ongoing monitoring requirements (50.0%). It would also be responsible for various administrative activities, such as filing of contracts and amendments (48.5%) and archiving evidence related to third-party management (33.3%), and would assist in the implementation of third-party contract termination plans (25.8%).

There is a perception among some respondents that in-house models can adapt better to the needs of larger global organizations, particularly where diverse operating groups are involved, with varying degrees of decentralization.

It should also be noted that as many as 33.6% of respondents are not yet clear on the future organizational choice of an in-house vs. an external service provider model.

[Chart: Organizations considering in-house vs. external service provider-based third-party risk management models. Increasingly moving to a centralized in-house function to support third-party management 58.4%; Increasingly moving to an external service provider model for third-party management 8%; Neither of these/Not sure 33.6%]

[Chart: Expected functions of centralized in-house risk management team. Ongoing regular risk assessments 80.3%; Third-party monitoring activities 80.3%; Risk management coordination activities 56.1%; Tracking remediation activities 57.6%; Tracking ongoing monitoring requirements 50.0%; Archiving evidence related to third-party risk management 33.3%; Filing of contracts and amendments 48.5%; Assisting in implementing third-party termination plans 25.8%]
Survey results by industry segment

The preference for moving to a centralized in-house function for third-party risk management rather than to an external service provider appears to be consistently higher across all industry segments, as revealed by the following data. However, a very large proportion of respondents in the Consumer Business, Manufacturing, Technology, Media and Telecom (TMT) and Public Sector industries – 50%, 42.9%, 40% and 37.5% respectively – remain undecided.

[Chart: Organizations considering in-house vs. external service provider-based third-party risk management models (%), by industry (BIPS, Consumer business, E&R, FS, HLS, Manufacturing, Public sector, TMT); series: Increasingly moving to a centralized in-house function to support third-party management; Increasingly moving to an external service provider model for third-party management; Neither of these/Not sure]

[Chart: Expected functions of centralized in-house risk management team (%), by industry; categories: Ongoing regular risk assessments; Third-party monitoring activities; Risk management coordination activities; Tracking remediation activities; Tracking ongoing monitoring requirements; Archiving evidence related to third-party risk management; Filing of contracts and amendments; Assisting in implementing termination plans]

Deloitte point of view

The choice between a centralized in-house model for TPGRM and an external service provider-based model is a vital decision that can have far-reaching strategic consequences, which need to be carefully considered and not undertaken recklessly. Deloitte believes that organizations moving to a centralized in-house function in this regard are primarily driven by the need to retain organizational control over this critical activity. This is enhanced by a better organizational understanding, as well as the ability to manage a diverse group of stakeholders, that an external provider may be unable to match.

Deloitte experience further indicates that lack of understanding of their third-party ecosystem, together with inadequate knowledge of the marketplace of external providers, may be resulting in a significant proportion of organizations remaining undecided in this matter, although many of them are already working with contract staff to assist them in the related tasks.
About the authors
Kristian Park, DTTL, EMEA Leader, Contract Risk & Compliance
Kristian co-leads Deloitte's Global Third-Party Governance and Risk Management team as well as the Contract Risk & Compliance team in the Europe, Middle East and Africa region, helping clients with third-party risk, supply chain risk and contract risk. He has worked across all industry sectors, from Life Sciences, Financial Services, Energy, Sports and Technology to Media and Consumer Business. As a UK-based partner, Kristian focuses on third-party governance and risk management, working with clients to develop governance frameworks to identify and manage all types of third-party risks, looking at both process and technology solutions; performing inspections of third-party business partners on behalf of a client; and assessing third-party compliance with contractual terms and conditions. In addition, Kristian is responsible for Deloitte's UK Software Asset Management and Software Licensing teams and assists clients in managing their software licensing obligations, driving efficiencies and savings.

Sanjoy Sen is a Doctoral Research Scholar at Aston Business School, UK, specializing
in strategic governance related to third-party risk, having earlier worked as a partner
at Deloitte and another global professional services firm. He has over 26 years of
experience in risk and governance in the UK, Gibraltar and various countries in the
Middle East and in India. This includes assisting clients in strengthening their corporate
governance mechanisms, establishing enterprise-wide risk management frameworks
to support governance mechanisms, and reviewing/addressing specific business and
technology risks.



Contacts

Tim Scott, Partner, Enterprise Risk Services
Baskaran Rajamani, Partner, Enterprise Risk Services
Poonam Singh, Partner, Enterprise Risk Services
Anne-Heloise Bedard, Senior Manager, Enterprise Risk Services

Deloitte, one of Canada’s leading professional services firms, provides audit, tax, consulting, and financial advisory services. Deloitte LLP, an Ontario limited
liability partnership, is the Canadian member firm of Deloitte Touche Tohmatsu Limited.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of
which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche
Tohmatsu Limited and its member firms.

© Deloitte LLP and affiliated entities. 16-3973
