DTERSResearchDeloitte 201506 (Deloitte) TheFlipSide-FromZerotoThirty



The flip side

From zero to thirty: Instituting your extended enterprise risk management (EERM) program

For many organizations, the global third-party ecosystem (known as the extended enterprise) has grown larger and more complex. It’s also become an important source of strategic advantage. But managing this extended enterprise has become increasingly challenging.

One solution: Extended enterprise risk management (EERM), which can help organizations better anticipate and manage exposures associated with third parties across the full range of operations.

Disruptive events have led to business continuity issues, reputational damage, and regulatory enforcement actions and penalties. Third-party risk (as well as fourth- or fifth-party risk deeper in the extended enterprise ecosystem) may have been considered isolated risks to specific areas of the business. But in some “headline” stories involving damaged corporate reputations, the culprit often wasn’t the organization itself but a third-party provider.

Learning to recognize, anticipate, and manage extended enterprise risk can help dramatically reduce exposure. It can also lead to business improvements that can drive value creation.

How can you “go from zero to thirty”—accelerating from zero to a safe “cruising speed”—within your EERM program? And how can EERM help your organization improve financial performance, reduce regulator and stakeholder scrutiny, enhance brand and reputation, and optimize margins and cost control? Continue to read the flip side to find out.

As used in this document, “Deloitte Advisory” means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services, and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

About the flip side

Risk isn’t just about mitigation. That’s why this series looks at the other side of risk—the positive side, where potential, untapped value resides. Learn how viewing risk through a different lens can help you spot value-creating opportunities.


Many factors motivate companies to implement or accelerate an EERM program. But they boil down to profitability, exposure, and cost. There’s a real need to focus on EERM now because of the rapid increase in the number of connections beyond the walls of your organization—and beyond the walls of your business partners. Historically, third parties were relegated to less critical functions or considered risks outside your control. Today, the role of third parties in core functions that sit close to strategy and value creation is on the rise. Adding to this complexity is an ever-growing global organizational footprint for many enterprises that have branches or representatives on multiple continents.

Why should you get to a safe cruising speed—now more than ever before—and as soon as possible?

Improved financial performance: Joint ventures, business partnerships, franchise agreements, and other third-party relationships are investments—and should be managed to maximize a return. How the relationship is defined, executed, and governed is directly linked to the profitability and financial performance of the relationship. EERM involves assessment of enterprise and operational risks—before and during the relationship—with respect to the structure, objectives, and operating priorities (including expected outcomes and results) of the relationship.

Reduced regulator and stakeholder scrutiny: Problems in partner organizations, even in the outer reaches of your ecosystem, can cascade rapidly, causing late deliveries, product recalls, or negative consumer reactions. Increasing levels of scrutiny and legal obligations—in regulated and other industries—are more likely to lead to fines or other enforcement actions. Financial services firms are an obvious target for regulators, but they’re not alone.

What’s the upside of strengthening EERM?

Third parties, themselves, are subject to the same trends. That means your enterprise may be dependent on widely dispersed fourth or even fifth parties. Risk is no longer a concern solely with respect to the third parties you’re directly doing business with. It’s also a concern with respect to your third parties’ suppliers and partners. That translates into a startling level of global complexity that’s beyond the scope of much risk management thinking.

From zero to thirty: Instituting your EERM program. The flip side.

Source: Deloitte Global third-party risk survey, 2016.


When authorities look at any kind of disruption, they pay attention to operational models and governance structures, including the ability to have visibility and strong governance over third parties. In financial services, regulators have defined expectations for the role of the board of directors, senior management, and internal audit. The board will want to know how you employ third parties, who they can hold accountable for third-party relationships at an enterprise level, and what kind of risk defenses you have in place.

Better reputation and brand management: Accelerated news cycles, the rise of social media, and an increasing allegiance to brands with strong ethical and sustainability values. These trends have amplified the scope and speed at which brands can become subject to negative ramifications. Even if the cause may originate elsewhere, it’s the enterprise that suffers. Often with lasting impact on brand reputation.

Improved margins and better cost control: Aside from simply reducing risk exposure, EERM can provide opportunities to rethink practices as well as drive value and competitive advantage. For example, supplier rationalization and consolidation can result in better pricing, enhanced reliability, improvements in meeting service level agreements (SLAs), and other synergies. Or in the instance of a business partnership, how you assess and govern strategic, reputational, and geopolitical risks can reduce exposure to unforeseen operating challenges. It can also allow you to proactively manage market and product strategy to mitigate financial losses.

In other words, don’t simply look at managing risk as a means to protect value but also a means to create value. Consider the upside and the opportunity to enable innovation and facilitate expansion into new markets. Or even gain access to skills and capabilities not available inside your organization.

The “zero to thirty” concept is about enhancing your EERM. But also recognizing that it’s easy to get overwhelmed when first considering the complexity of the extended enterprise, risk and cost consequences, and strategic opportunities. We believe the focus should be on starting deliberately and thoughtfully and then building from there.

Who are you really doing business with? If you don’t know, find out. Those relationships and risks can provide you with a clearer line of sight into your extended enterprise ecosystem. And the starting point to develop a more mature EERM approach.

How can you get from zero to thirty?



Consider these three steps to begin:

1. Look at your ecosystem and the big picture: Understand what current practices work well and how they can be leveraged for a future state. Then determine which area of the business might be ripe for a pilot program to show quick wins and stakeholder buy-in.

2. Assign accountability: Charge an executive with developing a governance structure and program that links extended enterprise risk management to business objectives. Managing risk and driving performance requires accountability at a high level in the organization. It also requires a holistic and proactive view of the extended enterprise and your approach to risk.

3. Understand your risk posture: Define what your risk appetite is and map that against the risk third parties are bringing to your organization. Improved management can be as simple as rationalizing relationships, getting transparency into the third parties involved in your extended enterprise, and then reducing that number as needed.


Krissy Davis
Partner | Deloitte Advisory
Extended Enterprise Risk
Deloitte & Touche LLP
+1 617 437 [email protected]

Chris Thackray
Specialist Leader | Deloitte Advisory
Extended Enterprise Risk Management
Deloitte & Touche LLP
+1 585 364 [email protected]

Let's talk

If you’re interested in learning more, please contact us.

Copyright © 2016 Deloitte Development LLC. All rights reserved.

This publication contains general information only and Deloitte Advisory is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.