Building an EERM Toolkit

Dan Kinsella


April 1, 2019


More enterprises are waking up to the importance of extended enterprise risk management (EERM)—the process of identifying and managing risks that come to the organization through third parties, vendors and other external sources. As the use of cloud services and other third parties continues to grow, EERM program maturity is becoming increasingly important to mitigate risks, safeguard compliance and drive business value and efficiency in the process. A Deloitte poll revealed that the majority of respondents (70%) indicated a moderate to high level of dependency on external entities that might include third, fourth or fifth parties, with nearly half (47%) of respondents saying that their organizations had experienced some sort of risk incident involving the use of external entities in the last three years.

While it is no surprise that the C-suite and board are seeing more clearly the importance of developing a mature EERM program, the path to program maturity can still be challenging. In 2018, a Deloitte Touche Tohmatsu Limited global survey on EERM revealed that only one in five responding executives say their organization has an integrated or optimized EERM program. While integrated and optimized EERM mechanisms can improve the overall maturity of these programs, the apparent maturity lag suggests that, even if enterprise leaders are sold on the why, they may feel stuck on the how.

One way to address this problem is through the use of EERM tools—technology-driven systems, applications, controls, programs and methodologies that can help enterprises achieve program maturity. By using these tools, organizations are shifting the focus from claw-back recovery efforts to ongoing, pre-invoice validation to prevent problems from occurring in the first place. Organizations that effectively utilize EERM tools stand to gain the biggest ROI from greater efficiency, better compliance and fewer risks from reputation damage, regulatory missteps, consumer backlash and cyberattacks.

Putting EERM Into Practice

As third-party ecosystems grow, more effectively managing the associated risks can help organizations gain competitive advantage. A recent Deloitte white paper estimates those organizations that have a good handle on their third-party business partners can outperform their peers by an additional 4% to 5% in terms of growth to their bottom line.

An EERM tool is essentially a practical lens that focuses on a specific workflow or particular piece of your enterprise operations. These tools can assess the nature and severity of risks, gauge the “materiality” of threats for prioritizing remediation, and provide decision support for both tactical judgments and larger strategic business decisions that affect the whole company.

For example, cognitive technologies can cut down on labor-intensive and repetitive tasks that can lead to error and inefficiency. In the past, the process of writing and revising third-party contracts has been largely manual. That can be trouble if regulatory changes—such as the EU’s General Data Protection Regulation (GDPR)—force you to renegotiate many contracts en masse. Cognitive technologies such as natural language processing can help organizations automatically perform textual analyses of their third-party contracts to pick up on language that could signal areas of risk related to GDPR and flag them for closer review.
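The contract-review idea above, reduced to its simplest working form as an added example (not code from the article or from Deloitte): a pattern-based scanner stands in for the natural language processing the article mentions. It flags clauses that touch personal-data handling for closer review and lists processor obligations under GDPR Art. 28(3) that the contract never mentions. The sample clauses are constructed, and the pattern lists and obligation checklist are simplified assumptions for illustration, not a legal standard.

```python
"""Flag GDPR-relevant language in third-party contract clauses and list
processor obligations that the contract never addresses.

Added example, not code from the article or from Deloitte. The clauses are
constructed, and the pattern lists and obligation checklist are simplified
assumptions for illustration, not a legal standard.
"""
import re

# Each flag fires only when every pattern in its list appears in the clause
# (lower-cased), so word order does not matter (constructed patterns).
RISK_PATTERNS = {
    "personal_data": [r"\bpersonal (?:data|information)\b"],
    "sub_processor": [r"\bsub-?(?:processor|contractor)s?\b"],
    "intl_transfer": [r"\btransfer", r"\b(?:outside|third countr)"],
    "breach_notice": [r"\bnotif", r"\b(?:breach|security incident)\b"],
    "retention": [r"\b(?:retain|retention|delet|return)"],
}

# Topics a processor contract is expected to cover under GDPR Art. 28(3),
# mapped to words that show the topic is at least mentioned. This is a
# presence check only: it cannot judge whether the clause is adequate,
# which is why flagged clauses still go to a human reviewer.
REQUIRED_TOPICS = {
    "documented instructions": r"\bdocumented instructions\b",
    "confidentiality": r"\bconfidential",
    "security measures": r"\bsecurity measures\b",
    "sub-processor terms": r"\bsub-?(?:processor|contractor)",
    "breach notification": r"\bnotif",
    "deletion or return": r"\b(?:delet|return)",
    "audit rights": r"\baudit",
}

# Constructed sample contract: (clause number, clause text).
SAMPLE_CONTRACT = [
    (1, "Supplier shall provide hosting services as described in Schedule A."),
    (2, "Supplier may engage subcontractors to deliver the services without "
        "prior notice to Customer."),
    (3, "Supplier will process Personal Data only on documented instructions "
        "from Customer."),
    (4, "All Personal Data may be transferred to and stored at data centres "
        "outside the European Economic Area."),
    (5, "Supplier shall notify Customer of any security incident within 72 "
        "hours of becoming aware of it."),
    (6, "Fees are payable within 30 days of invoice."),
]


def scan_clause(clause_id, text):
    """Return the risk flags whose patterns all match this clause."""
    lowered = text.lower()
    flags = [name for name, pats in RISK_PATTERNS.items()
             if all(re.search(p, lowered) for p in pats)]
    return {"clause": clause_id, "flags": flags}


def missing_topics(contract):
    """Return required topics that no clause in the contract mentions."""
    full_text = " ".join(text.lower() for _, text in contract)
    return [topic for topic, pat in REQUIRED_TOPICS.items()
            if not re.search(pat, full_text)]


def review_report(contract):
    """Clauses needing human review plus topics the contract never covers."""
    flagged = [r for r in (scan_clause(i, t) for i, t in contract)
               if r["flags"]]
    return {"flagged": flagged, "missing": missing_topics(contract)}


if __name__ == "__main__":
    report = review_report(SAMPLE_CONTRACT)
    for entry in report["flagged"]:
        print(f"clause {entry['clause']}: review for {', '.join(entry['flags'])}")
    print("topics not addressed:", "; ".join(report["missing"]))
```

On the sample, clauses 2 through 5 are queued for review, and the gap report shows that confidentiality, security measures, deletion or return, and audit rights are never addressed. Clause 2 illustrates why the two checks are kept separate: the sub-processor topic counts as "mentioned", yet the clause still needs a reviewer to notice that it allows subcontracting without notice.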

Related EERM tools include workflow improvements to consolidate the security audit process for a third-party vendor that works with more than one part of the enterprise, eliminating the need for different departments to do their own security audit on the same vendor. And in government settings, the Federal Risk and Authorization Management Program (FedRAMP) process for assessing the security of cloud services can be simplified with templates that inherit data from FedRAMP-approved cloud service providers to get rid of redundant compliance validation on applicants that rely on such services. The cloud can also play an important role in enabling third-party risk management service providers to efficiently deliver services such as vendor background checks, vendor risk monitoring, payment solutions, and the like—at a much lower cost than building and maintaining proprietary solutions.

Many organizations are already using robotic process automation (RPA) for processing invoices and conducting compliance checks; some are beginning to redeploy it to more sophisticated risk analysis. For example, critical data about external-party relationships can reside in multiple procurement systems as well as in emails, spreadsheets and text documents. Where manually consolidating this data would be prohibitively labor-intensive, RPA tools can extract, highlight and reconcile the information across multiple systems with relatively little human intervention, improving EERM efficiency and scalability.

EERM tools continue to evolve with technology. Organizations are increasingly using blockchain, for example, to create distributed digital ledgers for a “single version of the truth” to safeguard transaction records and improve clarity about risk exposures. And sensing tools can automate the due diligence of examining third parties for cyberthreats, dark web exposure, negative news coverage, financial weakness and other risk factors.

The ROI of EERM Tools

These examples underscore how EERM tools are more than just good ideas for risk reduction—they are also good ideas for ROI and value creation. Especially among board members and others in stewardship roles in the organization, the default view of risk is typically a defensive one to guard against regulatory missteps. But the ROI side of the equation is clearer as EERM tools now give organizations the ability to apply risk management precisely where it is needed. Mature cost and revenue recovery efforts can help an organization save 1% to 5% on spending, with reviews of single third parties yielding millions of dollars to the actual bottom line.

Deloitte poll respondents indicated that their organizations are likely to invest in a number of emerging technologies and tools during the next 12 months, including cloud computing, robotic process automation, data visualization, cognitive technologies, and blockchain and internet of things applications. Such tools invariably pave the way to fewer silos in the organization—a good thing for the larger EERM mission and the overall health of the company. The reason is that compliance, procurement and other EERM-related issues are common challenges that happen to be expressed in different business contexts across the enterprise. Once there is a software or workflow improvement that can help address everyone’s problem, it is easier for that tool’s benefits to be understood—and adopted—organization-wide for a more holistic approach to governance.

As technology improves and organizations become more aware of potential economies of scale, more collaborative platforms and third-party risk services are likely to emerge. Another approach may be to offer “shared utilities” where the risk service provider conducts standard assessments that are shared across a group of organizations.

Reducing silos around EERM also improves risk-awareness and consistency. With the help of these tools, organizations can move toward a more centralized EERM approach to aggregate insights at an organization-wide level. Some organizations are adopting a middle ground between a siloed and a fully centralized model. In this “federated” model, EERM guidelines and oversight are centralized, while process execution remains distributed. Such an approach enables organizations to not only have a cross-risk view of third-party relationships and understand concentration of risk, but still customize execution of third-party risk management to be better positioned to address unique areas of the value chain.

Regardless of the formula used, organizations are getting better at leveraging EERM tools and their adoption is likely to increase as third parties take on more mission-critical, core functions in the organization. Robust EERM programs can be costly, but their net value has been proven time and time again in terms of security, risk aversion, process improvement and hard dollar savings.

Dan Kinsella is a partner in the Risk and Financial Advisory practice at Deloitte & Touche LLP.