Third Party Governance and Risk Management


1 Third Party Governance and Risk Management 23 October 2017

2 Agenda: today's discussion topics
1. Third Party Ecosystem
2. Insights from the Deloitte Global Third Party Risk Management Survey
3. Third party risk management frameworks
4. Evolution of third party audits: from third party audits to real time assurance

3 Introductions: Deloitte facilitator Mark Bethell, Director, Extended Enterprise Risk Management

4 1. Third Party Ecosystem: the Extended Enterprise

5 Third Party Ecosystem: the Extended Enterprise (diagram slide)

6 Third Party Ecosystem: the role of internal audit (diagram slide)

7 2. Insights from the Deloitte Global Third Party Risk Management survey

8 Organizational progress in TPGRM since last year appears modest, although increasing awareness of risks is expected to prime 2017 and 2018 as years of accelerated maturity.
Survey responses were collected during a period of heightened uncertainty (the Brexit vote in the UK and the presidential election in the US).
The report is based on 536 responses, a significant increase from 170 last year.
It covers 11 countries across the Americas, Europe Middle East and Africa (EMEA) and Asia/Pacific, across all key industry segments.
Respondents typically include those responsible for TPGRM: Chief Finance Officers, Heads of Procurement/Vendor Management, Chief Risk Officers, Heads of Internal Audit, and Compliance and Information Technology (IT) Risk Heads.

9 Despite increasing executive awareness of risks and some associated improvements in TPGRM, five key areas exist where further effort is required by most organizations.

10 Dependency and vulnerability: despite high dependency on third parties, organizations are not fully equipped to manage the risks in a holistic and coordinated manner, including those arising from external uncertainties.
53.3 percent of respondent organizations have a high or critical level of dependence on third parties.
40.5 percent of respondents reported some increase in dependence on third parties in the last year, with a further 4.5 percent experiencing a significant increase.
However, only 20.1 percent have integrated or optimized their EERM mechanisms, with others aspiring to do so within the next 1-3 years.

11 Dependency and vulnerability: despite high dependency on third parties, organizations are not fully equipped to manage the risks in a holistic and coordinated manner, including those arising from external uncertainties.
Just 11.6 percent of respondents are fully prepared to deal with the increased uncertainty in the external environment; a significant majority of 72.3 percent are only somewhat prepared.
74.1 percent of respondents have faced at least one third-party related incident in the last three years. As many as one in five respondents have faced a complete third-party failure or an incident with major consequences in the last three years.
percent of respondents have faced noncompliance with regulatory requirements (compared to 23.0 percent in 2016), and percent have suffered reputation damage.

12 Relationship management: understanding of third parties is increasing, but comprehensive, data-driven risk management and the capability to predict emerging risks are still developing.
55.4 percent of respondents have a reasonable to excellent understanding of their third parties; the other 44.6 percent have only a low or some level of understanding.
46.6 percent do not have any organisation initiatives to enhance the maturity of contractual data in order to improve their understanding of their third parties.
53.8 percent consider their level of knowledge of third party contract terms and related data to be limited, including respondents who recognize this is inadequate.
Just 13.6 percent of respondents have forward-looking vigilance capabilities, well integrated into their processes for managing the extended enterprise, to identify imminent risks and performance issues of third parties; 78.9 percent are at various stages of developing such capabilities.

13 Governance and risk management processes: despite executive sponsorship, there is still a long way to go to get processes and technology working effectively.
Ultimate responsibility for third-party risk management rests with the Board, CEO, CFO, CPO or other members of the C-suite in 74.6 percent of responses.
Third-party risk features consistently or periodically on the Board agenda in 53.2 percent of respondent organizations.
The proportion of respondents sceptical about TPGRM technology in their organizations is 90.6 percent.
A similar lack of confidence relating to the quality of TPGRM processes is up only marginally, from 82.5 percent to 86.4 percent, indicating a slight improvement and increased focus in this area.

14 Technology platforms: an integrated TPGRM technology platform that addresses the needs of every organization has not emerged.
Using features of an existing ERP system is still the most popular technology platform for TPGRM, as reported by 43.9 percent of respondents.
19.9 percent of respondents are using TPGRM-relevant modules of broader GRC solutions, while 17 percent are using specific TPGRM solutions.
Only 9.1 percent of respondents supplement this with bespoke solutions to meet their integration needs.
At least one in two survey respondents now combine more than one technology platform to address TPGRM requirements.

15 Emerging delivery models: new delivery models are emerging to bring consistency and sought-after skills, enable collaboration, and address decentralization challenges in the wider organization.
As many as 62.4 percent of respondents are equally or more decentralised than they are centralised.
Over 59 percent of respondents are moving to increasingly centralised in-house functions to support TPGRM.
percent of respondents are moving to an external service provider based managed service model for third party management, which also reflects an emerging trend.
percent of respondents are already utilising information hubs (community models) on third party risk available as market utilities, or intend to do so in the near future. However, 51.3 percent of respondents are unaware of this emerging trend.

16 3. Third party risk management frameworks

17 Third Party Risk Management Frameworks: core components (diagram labels: Delivery, Scoping, Focus on Third Party Risk Management)

18 4. Evolution of third party audits: from third party audits to real time assurance

19 Evolution of third party risk reviews: from reactive to proactive. Over the past 15 years, third party risk reviews have evolved from a heavily manual process to a technology-enabled solution with a focus on strategic impact rather than compliance aspects. Further, leading practice is focused on a proactive approach that limits cash leakage before it occurs, compared with the more traditional reactive approach.

20 Supplier assurance framework: a tiered approach (diagram axes: Annual spend; Operational risk/complexity)
Under the leading model, a tiered approach organizes suppliers into risk thresholds based on a combination of annualized spend and operational risk factors, so that assurance activities become risk-based, focused, and optimized. Suppliers deemed the highest risk should be subject to continuous monitoring.
Real-Time Assurance: review of expenditures on an ongoing basis to prevent cost leakage before it occurs and to enhance decision making through the use of advanced data analytics.
Standardized Testing: traditional supplier reviews performed on a defined frequency established by the organization, leveraging advanced data analytics and standardized testing to attain maximum coverage over spend and expedite the review process.
Ad Hoc Reviews: horizontal reviews across multiple contracts, completed in order to gain coverage over specific clauses (e.g. early payment discounts, volume discounts, most favoured pricing).
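The tiered model on this slide places each supplier on a grid of annualized spend against operational risk and attaches an assurance activity to each tier. The following Python is an added illustration of that mechanic, not Deloitte's own tooling: the supplier master data is constructed, and the spend and risk thresholds, the four tier names and the risk score scale are assumptions. It also reports what share of total spend each tier (and therefore each assurance activity) covers, which is the figure a program owner uses to argue the tiering is risk-based rather than arbitrary.

```python
"""Tiered supplier assurance: assign suppliers to tiers from annualized spend and
an operational-risk score, map tiers to the assurance activity, and measure the
share of spend each activity covers. Added example with constructed data; the
thresholds, tier names and scores are assumptions, not figures from the deck."""

# Assumed thresholds; a real program calibrates these to its own spend profile.
SPEND_HIGH, SPEND_MEDIUM = 1_000_000.0, 100_000.0
RISK_HIGH, RISK_MEDIUM = 0.7, 0.4          # operational risk score, 0 = negligible, 1 = severe

# Assurance activity per tier, following the three activities on the slide.
ACTIVITY = {
    "tier1": "continuous monitoring (real-time assurance)",
    "tier2": "standardized testing on a defined frequency",
    "tier3": "ad hoc horizontal review of specific clauses",
    "tier4": "no routine review",
}

# Constructed supplier master data: name -> (annual spend, operational risk score).
SUPPLIERS = {
    "Site services Ltd":   (2_500_000.0, 0.8),
    "Contract labour Co":  (1_200_000.0, 0.3),
    "Niche software Inc":  (   60_000.0, 0.9),
    "Office supplies plc": (  150_000.0, 0.2),
    "Courier LLC":         (   20_000.0, 0.1),
}


def tier_for(spend, risk):
    """Place one supplier on the spend x risk grid and return its tier name."""
    if spend < 0 or not 0.0 <= risk <= 1.0:
        raise ValueError("spend must be >= 0 and risk within [0, 1]")
    spend_level = 2 if spend >= SPEND_HIGH else 1 if spend >= SPEND_MEDIUM else 0
    risk_level = 2 if risk >= RISK_HIGH else 1 if risk >= RISK_MEDIUM else 0
    if spend_level == 2 and risk_level == 2:
        return "tier1"                      # high spend and high risk: monitor continuously
    if spend_level == 2 or risk_level == 2:
        return "tier2"                      # one dimension high: standardized testing
    if spend_level == 1 or risk_level == 1:
        return "tier3"                      # mid-range on either axis: ad hoc reviews
    return "tier4"


def assign_tiers(suppliers=SUPPLIERS):
    """Group supplier names by tier, highest spend first within each tier."""
    plan = {tier: [] for tier in ACTIVITY}
    for name, (spend, risk) in sorted(suppliers.items(), key=lambda kv: -kv[1][0]):
        plan[tier_for(spend, risk)].append(name)
    return plan


def spend_coverage(suppliers=SUPPLIERS):
    """Fraction of total annual spend that falls under each tier's assurance activity."""
    total = sum(spend for spend, _ in suppliers.values())
    covered = {tier: 0.0 for tier in ACTIVITY}
    for spend, risk in suppliers.values():
        covered[tier_for(spend, risk)] += spend
    return {tier: (amount / total if total else 0.0) for tier, amount in covered.items()}


def review_order(suppliers=SUPPLIERS):
    """Order in which to schedule reviews when capacity is limited: tier first, then spend."""
    plan = assign_tiers(suppliers)
    return [name for tier in ACTIVITY for name in plan[tier]]


if __name__ == "__main__":
    plan, coverage = assign_tiers(), spend_coverage()
    for tier, activity in ACTIVITY.items():
        print(f"{tier} ({activity}): {coverage[tier]:.1%} of spend -> {plan[tier]}")
    print("review order:", review_order())
```

With the constructed data, the single tier-1 supplier already accounts for roughly 64 percent of spend, which is the effect the slide is after: continuous monitoring concentrates on the relationships where a failure or a billing error costs the most.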

21 Standardized testing

22 Extended Enterprise Risk Management: standardized testing
Standardized testing enables businesses to mitigate risk, minimize costs, and increase operational efficiency by leveraging the power of data analytics to review 100% of available data. This refined process helps minimize operational disruption, and typically yields recoveries and cost savings in the range of 3-5% of total spend reviewed.
The Challenges
Uncertainty over supplier spend and ambiguous contract clauses.
Extrapolated findings are difficult to recover from suppliers.
High volume of transactions reviewed via non-standardized attest processes, resulting in lengthy reviews and payment cycles.
Lack of a robust central repository to maintain contracts, and the templates that do exist are not leveraged as intended.
Lack of standardized rate tables.
Inconsistent understanding of contract terms between businesses and their suppliers.
The Benefits
Increase transparency and establish an audit culture amongst operators.
Enable businesses to drill down in areas where they have experienced supplier issues in recent years.
Review 100% of spend in scope and minimize the need for extrapolation of findings.
Enable faster review and payment of invoices, enabling businesses to take advantage of early payment discounts.
Support creation of a supplier database to enable benchmarking comparisons across the supplier base (e.g. rates, productivity).
Ability to scale up and expand coverage across the supplier base with minimal incremental effort.
Reviews are self-funding, and realized cash recoveries can be reinvested in the program to fund remediation activities and additional reviews.

23 Real-Time Assurance as part of a leading framework

24 Real-Time Assurance (RTA): what is it?
Real-Time Assurance is a leading-edge, end-to-end, technology-based approach that allows for efficient and effective review of expenditures on an ongoing basis to prevent cost leakage and enhance decision making through the use of advanced data analytics. Leveraging an RTA approach will dramatically improve many of the contract set-up and invoice review challenges that face organizations throughout the procure-to-pay lifecycle.
Data is collected on a weekly basis and reconciled against known, site-level data (e.g. swipe card records). Using data analytics, any unsupported charges are immediately identifiable and can be sent back to the supplier for validation. The supplier can only invoice for validated charges, meaning overpayments are prevented.
The process is tailored to achieve Key Performance Indicators that are crucial to the business, such as early pay discounts achieved and overpayments prevented.
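The reconciliation step described on this slide (weekly invoice data checked against site-level swipe-card records and contract rates, with only supported charges approved) is the control that stops an overpayment before it is made. The Python below is an added example of that check, not Deloitte's RTA platform: the invoice lines, swipe-card hours and contract rate table are constructed, and the data layout, the hours tolerance and the rule of approving only the supported portion of a line are assumptions. It separates the per-line test from the batch reconciliation so that the exceptions and the overpayment-prevented figure (one of the KPIs the slide names) come out of one pass over the data.

```python
"""Real-time assurance reconciliation: compare one week's invoice lines from a
supplier against site-level swipe-card records and a contract rate table, so
that only supported charges are approved for payment. Added example with
constructed data; the layout, tolerance and approval rule are assumptions."""
from datetime import date

# Constructed contract rate table: role -> agreed hourly rate.
CONTRACT_RATES = {"engineer": 85.0, "technician": 55.0}

# Assumed tolerance for rounding differences between timekeeping systems, in hours.
HOURS_TOLERANCE = 0.25

# Constructed site-level swipe-card data: (worker_id, day) -> hours recorded on site.
SWIPE_HOURS = {
    ("W001", date(2017, 10, 16)): 8.0,
    ("W001", date(2017, 10, 17)): 8.0,
    ("W002", date(2017, 10, 16)): 6.0,
}

# Constructed weekly invoice lines from a supplier (comments mark the seeded defects).
INVOICE_LINES = [
    {"line": 1, "worker_id": "W001", "day": date(2017, 10, 16), "role": "engineer",   "hours": 8.0,  "rate": 85.0},
    {"line": 2, "worker_id": "W001", "day": date(2017, 10, 17), "role": "engineer",   "hours": 10.0, "rate": 85.0},  # more hours than on site
    {"line": 3, "worker_id": "W002", "day": date(2017, 10, 16), "role": "technician", "hours": 6.0,  "rate": 70.0},  # rate above contract
    {"line": 4, "worker_id": "W003", "day": date(2017, 10, 16), "role": "technician", "hours": 8.0,  "rate": 55.0},  # no site record at all
]


def check_line(line, swipe_hours=SWIPE_HOURS, rates=CONTRACT_RATES, tol=HOURS_TOLERANCE):
    """Validate one invoice line. Returns (approved_amount, exceptions).

    Hours are supported only up to what the site record shows, and the rate is
    capped at the contract rate; anything beyond that is queried back to the supplier."""
    exceptions = []
    on_site = swipe_hours.get((line["worker_id"], line["day"]))
    if on_site is None:
        exceptions.append("no site record for this worker on this day")
        supported_hours = 0.0
    elif line["hours"] > on_site + tol:
        exceptions.append(f"billed {line['hours']}h but site record shows {on_site}h")
        supported_hours = on_site
    else:
        supported_hours = line["hours"]

    contract_rate = rates.get(line["role"])
    if contract_rate is None:
        exceptions.append(f"role {line['role']!r} not in contract rate table")
        approved_rate = 0.0
    elif line["rate"] > contract_rate:
        exceptions.append(f"rate {line['rate']} exceeds contract rate {contract_rate}")
        approved_rate = contract_rate
    else:
        approved_rate = line["rate"]
    return round(supported_hours * approved_rate, 2), exceptions


def reconcile(lines=INVOICE_LINES):
    """Reconcile a batch of invoice lines; returns totals and per-line exceptions."""
    billed = approved = 0.0
    exceptions = {}
    for line in lines:
        amount, line_exceptions = check_line(line)
        billed += line["hours"] * line["rate"]
        approved += amount
        if line_exceptions:
            exceptions[line["line"]] = line_exceptions
    return {
        "billed": round(billed, 2),
        "approved": round(approved, 2),
        "overpayment_prevented": round(billed - approved, 2),  # KPI named on the slide
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    result = reconcile()
    print(f"billed {result['billed']:.2f}, approved {result['approved']:.2f}, "
          f"overpayment prevented {result['overpayment_prevented']:.2f}")
    for line_no, reasons in sorted(result["exceptions"].items()):
        print(f"line {line_no}: {'; '.join(reasons)}")
```

On the constructed batch the supplier bills 2390.00, the reconciliation approves 1690.00 and flags lines 2, 3 and 4 for validation, so 700.00 never leaves the organization. Running this weekly, before payment, is what turns the traditional recover-after-the-fact review into the preventive control the slide describes; the approved and prevented totals feed the KPIs directly.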

25 Real-Time Assurance (RTA): the benefits
SMARTER: RTA supports the creation of a global supplier database that can be used to inform decision making (e.g. strategic sourcing, benchmarking), while also facilitating the ability to scale up and expand coverage across the supplier base with minimal incremental effort.
BETTER: RTA prevents leakages before they occur, minimizing operational disruption for suppliers and preserving commercial relationships by eliminating the need for costly settlement negotiations. Further, automated assurance reduces the reliance and administrative burden on local FTEs, enabling employees to focus on higher value activities.
FASTER: real-time exception reporting and analytics enhance the control environment, while also enabling faster invoice payment cycles and realization of early payment discounts.
Results of a typical assurance program
Resource and data limitations result in only two-thirds of in-scope spend actually being reviewed.
Traditional assurance programs only identify cash leakages of 3-5% of contract spend.
Only 50% of findings identified are actually recovered following settlement negotiations.
Assurance activities cost millions of dollars globally, with limited ability to increase coverage.
Reviews are operationally disruptive and can deteriorate commercial relationships with suppliers.
Accretive value to be realized through RTA
Increase spend coverage up to 5x and enhance program scalability.
Realize the full value of leakage prevention of 5-10%.
Real-time exception reporting prevents cash leakages before they occur, resulting in % collection of billing errors.
Enable a significant reduction in the cost of attest (~30-50%) due to process automation, saving millions of dollars.
Data analytics expedite review periods, minimizing operational disruption and enabling realization of early payment discounts.
Through RTA, organizations can realize a return up to 5x greater than traditional assurance models.

26 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited ("DTTL"), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of DTTL and its member firms. Deloitte LLP is the United Kingdom member firm of DTTL.
This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.
Deloitte LLP. All rights reserved. Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) Fax: +44 (0)