Extended enterprise risk management...The Extended Enterprise Lack of compliance – Third party...

Extended Enterprise Risk ManagementDriving performance through the extended enterprise

October 2015

2 Extended enterprise risk management—Driving value through the extended enterprise Copyright © 2015 Deloitte Development LLC. All rights reserved.

A network within a networkThe Extended Enterprise

Illustrative example of the extended enterprise

The Extended Enterprise is the concept that an organization does not operate in isolation, because its success is dependent upon a complex network of third-party relationships.

Presenter

Presentation Notes

Business operations have changed dramatically in recent years. Organizations are increasingly relying on third parties—individuals or entities that have a business relationship with an organization—to advance their business objectives, reduce costs and perform critical functions. In an ideal world, this allows organizations and their teams to focus on their core mission. Companies use third parties for a variety of reasons: access specialized talent not available in house, reduce time to market, lower service delivery costs, improve customer experiences, etc. These third parties can take many forms — traditional vendors, business partners, service providers etc. They form a complex and extended network of relationships, and there are often “fourth parties”, making the web more complex An organization does not operate in isolation, because it relies on third party relationships for its success – this is the Extended Enterprise Using third parties is set to increase In the Deloitte 2014 outsourcing survey, 89% of respondents said they expect an increase Yet, 69% said they were challenged to get the most out of their vendors Key points: Our clients are clearly struggling with this Responsibility for third parties is often in siloes at the dark blue node level; there’s often little consistency How can we help our clients get the most out of these relationships?


Key risks in the networkThe Extended Enterprise

Lack of compliance – Third party acts corruptly to gain business advantage for organization resulting in hefty fines or is not in compliance to Environment, Conflict Minerals, Health and Safety, Labor Rights etc. regulations

Loss of reputation – Risk to the reputation of the organization from the use of third party relationships due to a myriad of reasons including misuse of intellectual property; poor product quality; lack of compliance to human rights and environmental regulations, etc.

Data risk – Loss, misuse or mishandling of critical data of the organization or its customers by a third party relationship can result in financial loss; hefty fines and decrease in shareholder value

Product recall – Poor product quality, safety issues or faulty packaging by third parties can lead to product recalls resulting in recall costs, lawsuits from consumers, increased costs from settlements, and lost revenue from missed sales opportunities

Supply chain disruption – Key third party business disruption due to bankruptcy, geo political issues, macro risks etc. can result in supply chain disruption

Poor Performance– Lack of sustained performance from third party relationships resulting in costly mistakes, over allocation of capital to oversee relationship and defeating the purpose of outsourcing strategy

Extended Enterprise• Sell side• Buy side• InfrastructureFinancial impact– Financial loss from under-reporting of revenue from licensees,

royalty partners, distributors, franchisees etc. and over-payments for services from third party relationships

1

2

3

4

5

6

7


Broad spectrum of third party riskThe Extended Enterprise

An outsourced vendor for transaction processing decides to exit the business and provides little notice or transitional support

A contracted supplier does not deliver merchandise on-time, thus disappointing customers and damaging the company’s brand reputation

A critical vendor takes on more new accounts than it can handle, degrading service levels and disrupting processes

An important distributor does not provide the amount of prime shelf space that had been agreed upon and instead leads with a competitor’s product

Extended Enterprise -Example scenarios

where business objectives / reputation

may be impacted

Several franchisees do not spend advertising dollars as instructed, resulting in a poor consumer response to holiday promotions.

1

2

3

4

5


Opposing objectives of entity and associated third partiesThe Extended Enterprise

• Cost – Business entity wants to obtain the services at the least cost VS third party objective may be to maximize profitability through high price to cost ratio.

• Service levels/Quality – Business entity aims at aggressive service level definitions, inclusive of adequate compensation in case of failure VS Third party aims at minimal service level definitions, with least possible give back.

• Service termination – Business entity would prefer an agreement with ease of contractual termination VS Third party would aim at a lengthy, and relatively difficult process of service relationship termination.

Key criteria to be monitored • Reliability

• Availability

• Operational Readiness

• Security


Driving performance and controlling riskThe Extended Enterprise

The Extended Enterprise is integral to the cost expended and revenue generated by your organization, putting it in the position to fuel or inhibit a variety of business benefits.

The Extended Enterprise is central to key cost and revenue drivers in your business

Manage these vital relationships effectively to drive performance

• Facilities management • Technology• Human resources • Legal • Customer support

Your Organization

Buy

sid

e

Sourcing Assorted Vendors

Sell

side

Partnerships Distribution and Sales Channels

infr

astr

uctu

re

Leverage key benefits• Product or service innovation• Expand and gain entry to new markets• Access to talent• Access to advanced technologies• Continue focusing on core business processesBe aware of the risks (illustrative risks)• Financial: Revenue leakage and increased costs • Business continuity: Service interruption• Reputation: Reduced brand perception • Operational: Decreased control over operational processes/service

levels • Strategic: Misalignment to organization’s strategic objectives• Cyber: Poor data security due to reliance on third party safeguards• Compliance: Business interruption and hefty fines due to lack of

regulatory compliance by third party

Drive performance• Increase revenue• Minimize costs• Enhance value derived from third-party relationships

End Customers

Presenter

Presentation Notes

The extended enterprise can be bucketed as follows: Relationships that drive revenue - sell side relationships Relationships that drive cost - infrastructure and buy side relationships for the organization We’ve already talked about the multitude of benefits, which can be derived across all types of relationships That said, they also bring risk: revenue leakage, theft of trade secrets, increased chance of service interruption, brand reputation concerns, poor data security, lack of compliance to regulations, etc. A couple of examples: In 2011, Apple ended up suing its long time key supplier of chips, Samsung for patent and trademark infringement. The case was built on the similarity of design between iPhone 4 and the Galaxy S via access to design documents as supplier of chips. 3 years later, a jury ruled that Samsung had to pay $119 M to Apple for trademark infringement. At AT&T in April 2014, the accounts of an unknown number of AT&T customers were compromised. Sensitive personal information including social security numbers, birth dates, and private account details were accessed. AT&T reported that “Employees of one of our service providers violated our strict privacy and security guidelines by accessing your account without authorization.” The employees in question were trying to make requests from the customer’s accounts to receive codes to ‘unlock’ AT&T phones so that they could be sold in a secondary mobile market. Key points: We typically seek to control risk, and stop bad things happening- all our competitors are also focused on this This is great, but effectively managing the extended enterprise also drives performance and enables the benefits to be realized- this is our differentiated point of view in the marketplace We are creating value and driving performance through effective risk management in the extended enterprise Increase revenue: Identify and recover under-reported sell side revenue and increase working capital Minimize costs: Rationalize cost side third parties to gain pricing advantage, perform due diligence and enter into right relationships to reduce costly supply interruptions, limit regulatory issues and associated penalties Enhance value of the third party: Reduce operational issues, gain efficiency by automating processes, improve service levels, better respond to fluctuation in market demand, use analytics and sensing to seize new opportunities, control brand perception, better leverage intellectual property,


Management challengesThe Extended Enterprise

There are several challenges with managing the Extended Enterprise. The findings from Deloitte's 2014 outsourcing & insourcing survey, which had representation from twenty two industry sectors is telling:

* Deloitte's 2014 global outsourcing and insourcing survey

How would you rate your extended enterprise management capabilities?

Percentage of respondents who rate themselves above average

Presenter

Presentation Notes

Our 2014 Outsourcing and insourcing survey is very telling. Extended enterprise management was recognized as a critical factor for successful outsourcing, yet organizations continue to be challenged by staffing shortfalls, poor tooling and immature service integration. The bar for extended enterprise risk management capabilities will likely keep rising as companies seek to leverage multi-third party or multi-functional strategies [Highlight a few points above]


Management challengesThe Extended Enterprise

Management challenges could be both internal and external. Some of the key challenges and questions we are hearing in the marketplace regarding the Extended Enterprise include:

• Where are the breakpoints in our third party relationships? How do we assess and stay ahead of them?

• How do we bridge the gap between those in the business and our compliance and risk staff?

• How can we turn this program into one that evaluates value and does so on a recurring basis?

• What tools and technologies should we leverage to make informed decisions about our third party relationships?

• What data do we already have access to? What should we be monitoring and analyzing to make real time decisions?

• How do we determine whether to outsource or insource, build or buy? What delivery models should we take advantage of?

• How will evolving technologies, market trends, or disruptive forces present opportunities and challenges to our third party relationships?

• How do we keep up with the emerging regulatory requirements? Are our third parties keeping up?

• How do we ensure that appropriate contracts are in place with third parties, that they are meeting expectations, and complying with contractual commitments?

Driving performance

Creating an agile and flexible

governance model

Using data and analytics to

make informed decisions

Managing relationships,

compliance, and regulation

Navigating events that shape the extended enterprise

Presenter

Presentation Notes

As noted, the goal is to continually drive performance, control risk, and realize the anticipated benefits It’s easier said than done, and we’re hearing a number of common themes and challenges. [Highlight a few points above] [Bring in a personal client story if possible] [Open it up to the audience to see what their clients are struggling with?] Key points: These trends / challenges also represent opportunity and we can drive even more performance / value For example, there’s a vast whitespace with respect to data and analytics and how our clients leverage that information (particularly related to proactively managing risks associated with 3rd party relationships) Additional challenges 1. Having executive support to view the extended enterprise through a single lens governance model as opposed to individual business unit decisions 2. Build vs buy acumen using a value lens 3. Effectiveness measure and analytics 4. How to turn this into a program that evaluates value on a recurring basis


A holistic approachThe Extended Enterprise

The Extended Enterprise management operating model presents a holistic approach to managing third-party relationships at various life cycle stages, while considering business objectives and risk domains across your Extended Enterprise.

Third-party relationship

lifecycle

Third-party relationships

Plan, evaluate and select Contract and on-board Manage and monitor Terminate and off-board

Business objectives Growth/innovation Cost reduction Improved time

to marketClient experience Risk and compliancemanagement

Risk domains

Reputation risk

Contractual risk Financial risk

Business continuityrisk

Operating model

components

Governance and oversight

The operating model, committees, and

roles and responsibilities for

managing the extended enterprise

Policies and standards

Policies and standards to govern

expectations and manage the third

party lifecycle, processes and related risks

Management processes

Processes to manage risks and

improve performance across the third-party lifecycle

Tools and technology

Use of tools and technology,

predictive and risk analytics that

enhance extended enterprise risk management

processes

Risk metrics anddashboard

Use of internal and external data to

measure and visualize risks and performance

of extended enterprise, tailored towards multiple

levels of management

Risk cultureTone at the top,

clarity on risk appetite, appropriate

training and awareness to

promote positive risk culture

Sell side

Infrastructure

Buy side

Policies and standards

Management’s expectations of standards and

processes to be used, to manage the extended enterprise and its related risks

Financial risk

Operations risk

Credit risk Compliance / Legal risk

Geopolitical risk

Cyber risk

Strategic risk

Intellectual Property risk

Quality risk

Presenter

Presentation Notes

The risks in the extended enterprise could prevent a company from meeting it’s business objectives For example, increased financial risk might impact a cost reduction objective These risks manifest themselves in various parts of the lifecycle For example if your contracts are poorly structured they can impact you in every phase of the relationship Clearly, they can also exist in various types of third party – Buy / Sell / Infrastructure Key points: Organizations need to focus on each of the Operating model components in order to achieve business objectives, mitigating risks throughout the lifecycle with various types of third parties By working with clients to implement these operating model components, we can establish a systematic, proactive and structured approach to managing the extended enterprise


Three lines of defenseThe Extended Enterprise

Organization

First line of defense: Business unit

• Owns the third party relationship and is accountable for managing the risk in alignment with policies and procedures

Second line of defense: Centralized extended enterprise risk management governance program that

• Establishes and enforces policies/processes to ensure that third parties are managed consistently by the business

• Supports the business through provision of tools and templates to enable standard practices and reporting

• Performs independent monitoring, and evaluation of performance and compliance

• Oversees the program broadly across the enterprise to ensure that it is in line with strategy and the appropriate extended enterprise risks are being managed at an enterprise and geographic level

Third line of defense: Internal Audit

Robust internal audit program aligned to the most critical extended enterprise risks and controls and performs independent assessments

A well-structured risk management approach incorporating the three lines of defense helps the organization achieve efficiency and enables the right level of management involvement based on the Extended Enterprise’s risk and performance impact to the organization.

Board: Is aware of the sourcing strategy and risk the strategy brings, and confirms that the risk is sufficiently managed


Role of Internal AuditThe Extended Enterprise

• Internal Audit has a special role, since the primary customer of Internal Audit team is the “entity charged with oversight of management activities”, there is organizational Independence. The IA also being close to the day to day business can aid in drafting a Robust, Objective and Independent Audit program addressing the risks arising from Extended Enterprise.

• Corporate governance (as it drives policies, processes and structures used by organization to direct activities, achieve organizational objectives and stakeholder interest protection) is a key aspect in addressing / mitigating/controlling risks arising from the extended enterprise. Internal Audit is one of the 4 pillars of Corporate governance , the other 3 being “Board of Directors”, “Management” and “External Auditors”.

• Chief Audit Executive (CAE) as part of the Senior management, may participate in reporting on any significant risks the organization faces to the Audit Committee, or ensure management reporting is effective for that purpose – inclusive of any risks / potential issues pertaining to third parties.

• Participating & contributing in conversations such as – a) Does the entity have a complete inventory of all existing relationships and agreements ? b) has risk assessment been performed for each relationship ? c) ownership and accountability of compliance for existing relationships ? d) Entity controls to ensure reporting related to / from third parties is accurate ? e) do existing SLAs address the key risks associated with relationships ?


Step - 5Risk Measurement, Monitoring and control – Document mgmt.’s processes in place for ongoing monitoring of third party. Mgmt. should establish ongoing expectations and limitations, compare program performance to expectations and ensure all parties to the arrangement are fulfilling their responsibilities.

Step - 2Third Party Management – Interview key mgmt. personnel to identify high-risk third party relationships.

Step – 3Risk assessment and planning - For the key third party relationships identified in step #2, assess mgmt.’s level of planning & risk assessment

Step – 4Vendor due Diligence – For key third party relationship identified in step #2, assess mgmt.’s level of due diligence. Did mgmt. perform an investigation of third party vendor prior to entering into the relationship

Step - 1Establish an audit program to evaluate third party relationships. Defining the objective and scope of the audit.

Role of Internal Audit – Repeatable audit program


Business Expectations – What needs of the business is the third party expected to fill ?

Importance of the relationship – how critical is the relationship of the third party to the business entity?

Staff expertise – are there individuals within the business entity who can perform the services, in case the risk of working with the third party proves greater than the business would like ? Is staff trained to monitor the third party service delivery ?

Cost Benefit Relationship – Does the potential benefits from the relation outweigh the risks or associated costs ?

Exit Strategy – If the relationship goes poorly, can the business entity withdraw from the relation, with minimal impact ?


Risk Assessment and Planning


Background Checks – References, prior performance, licensing and certification, Key individuals, legal proceedings, business model ?

Cash Flow – can management clearly establish how cash flows (both incoming and outgoing) between third party, the business entity and any stakeholders / members of business ?

Financial and Operational control review – SSAE16’s, independent audit results and/or regulatory reports.

Contractual Provisions and Legal Review.

Accounting considerations – Have potential accounting complexities been adequately considered by qualified personnel, such as a CPA ?


Vendor Due Diligence


Evaluate the service provider’s financial condition periodically, periodically review audit/security reports and evaluate the adequacy of the service provider’s systems and controls –security, availability, integrity, confidentiality

Monitor changes in key service provider project personnel allocated to the institution. Determine adequacy of training provided to its employees.

Regularly review reports documenting the service provider’s performance. Determine if the reports are complete and accurate. Evaluate the provider’s ability to support & enhance the institution’s strategic objectives.

Periodically meet with the contract parties to discuss performance / operational issues. Review invoices to assure adequate charges for services rendered. Review service provider performance against SLA

Maintain records regarding contract compliance, revision and dispute resolution. Periodically review the service provider’s contingency plan, to ensure mission critical services can be restored within an acceptable timeframe.


Risk Measurement, Monitoring & Control


Program automationThe Extended Enterprise

Managing the extended enterprise risk with a robust, secure and integrated technology platform provides the appropriate level of upstream and downstream visibility and accountability that is critical to better performance and risk management.

Higher Quality Information

Process Optimization

Intelligent Risk Management

Reduced Costs

Integrating the right information gives management visibility into quality data and allows them to make better risk informed decisions, in a timely fashion

With structured process flows, redundant/ non-value add activities are eliminated, activities are streamlined to reduce lag time and inconsistency, responsibilities are correctly allocated

Processes can be tailored to address risks inherent to the product/ service being outsourced with consistent application for same type of relationships for intelligent risk management

Proactive decision making, visibility into performance and compliance of extended enterprise and optimized processes result in cost reduction, providing return on investments in technology

Effective Capital AllocationIdentifying areas where there are redundancies or inefficiencies allows financial and human capital to be allocated more effectively

Presenter

Presentation Notes

A strong solution should provide (i) simple integration, (ii) ease of use, (iii) enable accountability and consistent practices while being adaptable, (iv) have strong reporting capabilities to allow for visibility and quick decision making and (v) have global reach.


• Focus on preventing issues• Risk aligns with medium -

term enterprise-wide benefits

• Dedicated roles• Invested executives within

each silo• Some training offered

• Coordinated processes across the business

• Monitoring and alerting leveraging dashboards, with some proactive issue resolution

• Adapted tools used for reporting and monitoring

The Extended Enterprise maturity model below is designed to help you understand where you are today, your ideal future state, the value the future state can bring to your organization.

Process

Technology

How does your approach stack up?The Extended Enterprise

People

Strategy and Governance

InitialManaged

DefinedIntegrated

Optimized

Maturity of extended enterprise program

• No formal governance• Risk taking for quick fix

benefits

• Individual effort • Little management

input• Lack of training

• Few activities defined• Fire fighting mode

• Simple and least expensive tools used ad-hoc

• Minimal effort in reducing risk

• Risk taking for short term benefits

• Responsibilities built into existing roles

• Increased input from management

• Defined processes in siloes

• Functional, reactive problem solving

• Off the shelf tools used for problem solving

• Limited access to third-party data

• Focus on preventing issues and creating value

• Intelligent risk taking, aligned with enterprise strategy

• Awareness of value of extended enterprise across the organization

• Enterprise wide roles• Executive ownership at the

enterprise level

• Fully standardized processes, integrated with tools and data

• Proactive decision making using analytics, improving bottom-line and performance

• Customized tools, used for tactical decision making

• Value additive tools• Internal data centralized

and easily accessible

• State of the art practices, linked to value drivers

• Extended enterprise embedded in strategic planning and decision making

• Trained professionals with defined roles throughout the lifecycle

• Executive champions on both sides, aligning service delivery to strategic objectives

• Processes aligned with strategy, integrated into third parties

• Continuous improvement and proactive responsiveness

• Leveraging predictive and sensing analytics, tools and dashboards

• Highly -customized decision support tools

• Integrated external data sources that enhance insights

• Tools and analytics are key value driver and differentiator

Optimized

Presenter

Presentation Notes

Although extended enterprise programs will differ for each organization, there is a common goal: to consistently and effectively manage each third-party’s performance and risk This requires enterprise-wide accountability, including support from the business, as well as procurement, legal, risk management, information technology, compliance, and other functions. As a starting point, we can measure a client’s maturity with respect to their governance, people, processes, and supporting technology Key points: Many of our clients are operating in the “managed” block; key themes include: Responsibility for managing the EE in siloes, with no overarching oversight Processes that differ across parts of the business (e.g., licensees managed very differently to distributors) No real consideration of whether the use of given third party adds value or contributes to corporate strategy Basic level tools that are used tactically Conversely, we can help them: Develop a consistent and overarching approach Help not just to fight fires, but predict issues and opportunities Work with technology that enables third parties to operate more effectively


Risk management solutionsThe Extended Enterprise

Deloitte brings together the full breadth of its capabilities into a comprehensive suite of solutions designed to increase the performance of the extended enterprise and help your organization achieve your strategic business objectives.

The solutions range from those that can be integrated across the organization and/or to specific risk domains and specific third party relationships.

• Intelligence• Visualization and analytics• Governance/ program management• Risk and compliance• Knowledge management

Technology enablement

Solutions to transform and continuously enhance extended enterprise risk management by designing, implementing and

deploying technology solutions

• Third party due diligence• Third party assessments• Risk sensing• Third party assurance

Evaluation and continuous monitoring

Solutions to assess third parties and proactively sense and respond to

extended enterprise risks and opportunities

• Governance and operating model design

• Strategic risk assessment, tiering, and segmentation

• Crisis management and simulation modeling

• Regulatory compliance

Strategy and program development

Solutions to assess, design and implement strategically aligned extended enterprise program

Presenter

Presentation Notes

Many organizations believe they cannot take an end-to-end approach to improve the maturity of their EE program because the task is too vast and they do not have the expertise and resources We have a host of capabilities that can help our clients move their EE risk management program towards a higher level of maturity We have organized these capabilities into three main categories: Strategy and Program development: Putting program level approaches in place Evaluation and Continuous monitoring: Asess third parties and proactively sense and respond to risks/ opportunities Technology enablement: Transform and continuously enhance EERM We can help, either with specific issues/ relationships/ risk domains (applying solutions above in isolation) or an end to end basis (combining elements above) Although clients may continue to buy point solutions to address a specific problem, it behooves us to have an understanding of our comprehensive capabilities (within and outside of F&O that are relevant to the extended enterprise), so we can change the aperture of our dialog with our clients and differentiate ourselves in the marketplace.

Copyright © 2015 Deloitte Development LLC. All rights reserved.36 USC 220506Member of Deloitte Touche Tohmatsu Limited

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

http://www.deloitte.com/us/about

Extended enterprise risk management...The Extended Enterprise Lack of compliance – Third party...

Documents

Transcript of Extended enterprise risk management...The Extended Enterprise Lack of compliance – Third party...