

24 April 2018 | ITSM

Third-Party Governance and Risk Management Survey
New report shows how Third-party Risk Management has continued to benefit from greater executive awareness and allowed organisations to tackle the topic with a renewed focus and investment...

57% of global organisations feel they do not have appropriate visibility of subcontractors engaged by their third parties (referred to as fourth/fifth parties), according to a new survey from Deloitte. A further 21% are unsure of oversight practices, and fewer still (2%) routinely review the risk subcontractors pose to their organisation.

“With GDPR coming into force across Europe next month, organisations will already be looking with renewed focus at their third party structures. For some, there is still a way to go to implement adequate subcontractor management. Compliance with GDPR not only covers organisations themselves, but also the contractors and subcontractors they engage. Under the regulation, subcontractors representing fourth and fifth parties must be appropriately monitored. Whilst the specific responsibilities will depend on whether they’re considered a data ‘controller’ or ‘processor’, such responsibilities typically include demonstrating robust data security safeguards, and reporting data breaches within 72 hours. In the run up to May 25th, we’d expect to see more organisations make additional investments to adequately manage multiple layers of outsourcers. There is no one-size-fits-all, and the appropriateness of contractor monitoring for GDPR is defined by the nature of dependency from the perspective of data. The frequency and rigour of monitoring is expected to intensify, the greater the reliance in terms of confidential data,” said Kristian Park, extended enterprise risk management (EERM) partner, Deloitte.

Regular monitoring of subcontractors remains low, with just 2% of those surveyed engaging in this periodically, and 10% solely reviewing subcontractors identified as critical to continuity of business.

Park added: “This means that 88% of organisations are either dependent on their third parties to conduct subcontractor risk reviews, or have an unstructured, ad-hoc approach to fourth and fifth party oversight. This figure could also indicate that some organisations are simply unaware of their policy or, more alarmingly, do not have one.

“At the same time, the survey reveals that some organisations are already making additional investments into EERM initiatives. These organisations recognise the business case and see the opportunity to enable growth, innovation and business performance from their contractors and sub-contractors in a risk-intelligent way.”

Reliance on third parties continues to grow this year with over half (53%) of respondents reporting ‘some’ or ‘significant’ increase in dependency. Changing regulation and heightened levels of regulatory scrutiny were considered the two greatest contributory factors to increasing the risk inherent in this.

Despite critical levels of third party dependency, only 20% of organisations have streamlined their EERM systems and processes. 53% of this year’s respondents now believe that their journey to achieve EERM maturity is two to three years or more.

“This is a significantly longer journey than anticipated in earlier surveys, when respondents reported that this could be achieved in six months to a year,” said Park. “This reflects a more realistic time-frame, and we’d expect organisations to be closely aligning plans to address the expected regulatory outlook over this period.”

For additional information, or to view the “2018 Extended Enterprise Risk Management Survey”, click on the link https://bit.ly/2JrPBrR

About the survey

This is the third global survey on Extended Enterprise Risk Management. This year’s survey had 975 responses from organisations across 15 countries across the Americas, EMEA, and APAC. Survey respondents include CFOs, heads of procurement/vendor management, CROs, heads of internal audit, and compliance and IT risk function leads.

Deloitte