Uneasy with your company’s third-party risk? Looking for some validation that your organization is normal? No worries — a fresh survey from Deloitte confirms that plenty of other organizations have only a precarious grip on their third parties, too.
The report, released Tuesday and based on data from a Deloitte webcast held in October, found that 70 percent of respondents indicated a moderate to high level of dependency on “external entities” that might include third, fourth or fifth parties. Also, nearly half (47 percent) said their organizations had experienced some sort of risk incident involving use of external entities in the last three years.
Topping the worry list was cybersecurity; 38 percent of respondents said they expect it to be their biggest concern in the coming year. Another 20 percent cited legal or regulatory risks, and 11 percent cited operational risks. See the nifty pie chart below.
More interesting, and reassuring, was that 52 percent of respondents said their board was somehow in charge of overseeing risk in the extended enterprise — which is where oversight should be, given the pervasive and severe risk that third parties can pose.
Then again, 19 percent of respondents answered “Didn’t know/Not applicable,” which is troubling. I wish we could get more analysis into what those people were thinking. (Not applicable, really? Who has no exposure to third parties?)
My question: while the board should indeed oversee risk governance in the extended enterprise, I’m not quite sure which part of the board should have that responsibility.
First, the audit committee has enough work as things are, monitoring financial reporting and internal controls. So assigning oversight of “extended enterprise risk management” (EERM, Deloitte calls it, because we don’t have enough acronyms in this line of work already) to a board’s risk committee makes more sense, but (a) plenty of boards still don’t have one; and (b) extended enterprise risk is growing specifically thanks to technology — cloud computing, social media, and the like.
That is, technology now creates enough potential for disruption that tech might deserve a board committee of its own: a technology risk committee, for example. To intertwine technology risks and extended enterprise risks is tricky business, and a board wouldn’t want one of them to eclipse its attention to the other. At the least, a risk committee overseeing EERM would need a clear charter specifying how it approaches technology and all the disruption it can now bring.
As for cybersecurity risks specifically, Deloitte recommends that compliance or audit executives ask four fundamental questions about third parties before they creep into your extended enterprise:
- Do they take a secure-by-design approach?
- Do they use a secure system development life cycle?
- Are their developers trained in the security aspects that you want achieved?
- Do they conduct error testing?
These stats from Deloitte also remind me of the Ponemon Institute’s recent survey of third parties and security risks, which painted a downright alarming picture of weak oversight. Some of those stats from Ponemon:
- Only 29 percent of respondents say a third party would contact them about a data breach;
- Only 37 percent of respondents say they have sufficient resources to manage third-party relationships;
- Only 35 percent of respondents rate their third-party risk management program as highly effective;
- 57 percent of respondents do not know if their organizations’ vendor safeguards are sufficient to prevent a breach;
- Only 34 percent of respondents say they have a comprehensive inventory of all their third parties.
One other telling detail from Ponemon, which reflects some of the board points raised above: Among organizations that are “high performers” at third-party risk management, 53 percent discuss the issue regularly with the board of directors. Among the others, the figure is 25 percent.
What we don’t know from the Ponemon Report is which committee of the board fields third-party risk at those high-performing organizations. We have a better sense of it from Deloitte.
What we also don’t have, alas, is a clear, universal set of standards for managing third-party risks in your extended enterprise. That’s still something every compliance officer needs to figure out for themselves.