Extended Enterprise Risk Management Driving performance through the third-party ecosystem

Similar documents
Extended Enterprise Risk Management Driving performance through the third-party ecosystem

Extended Enterprise Risk Management

Outsourcing Transparency Evolution: Creating Value Across the Third-Party Extended Enterprise

Modernizing compliance: Moving from value protection to value creation

Enterprise compliance Acting on today s risks to avoid tomorrow s crises

Extended Enterprise Risk Management

HCCA Audit & Compliance Committee Conference. February 29-March 1, Drivers of ERM. Enterprise Risk Management in Healthcare.

Creating a Risk Intelligent Enterprise: Risk governance

Creating a Risk Intelligent Enterprise: Risk sensing

Why Is Third Party Risk Management Important?

Turning risk into opportunity Third Party Governance & Risk Management

An intelligent approach to unlocking value in service delivery transformation Focus on risk from the start

Sarbanes-Oxley Act of 2002 Can private businesses benefit from it?

Outsourcing transparency evolution

Outsourcing banking processes: The question is no longer if, but how to effectively manage extended enterprises

Risk Advisory Services Developing your organisation s governance for competitive advantage

Supplier risk compliance obligation or source of competitive advantage? Improve supplier reliability to lift business performance

COMPLIANCE TRUMPS RISK

Going beyond risk and compliance: Legal functions embracing digital

Enterprise Risk Management Discussion American Gas Association Risk Management Committee Meeting

Reimagining the Risk Intelligent Enterprise

CORROSION MANAGEMENT MATURITY MODEL

Insurance Accounting & Systems Association (IASA): NY/NJ Chapter Spring 2014

Operational Risk Management (#DOpsRisk) Solutions suite

Creating a Risk Intelligent Enterprise: Scenario planning and war-gaming

DevSecOps Embedded Security Within the Hyper Agile Speed of DevOps

Deloitte Discovery Advisory Enabling an agile response to discovery, investigatory, and regulatory requests

Enterprise Risk Management in Health Care

Deloitte Leading Practices Solution for Utilities (DLeaPS-U) Empowering innovation at the core

Deloitte. M&A Institute

An Overview of the AWS Cloud Adoption Framework

Building a gross-to-net strategy in a fast changing market How evolved is your approach?

Third Party Risk Management ( TPRM ) Transformation

Shine a light on media accountability

Implementing Analytics in Internal Audit. Jordan Lloyd Senior Manager Ravindra Singh Manager

Fraud Investigation & Dispute Services. Forensic analysis and global experience: the intelligent connection

Driving healthy growth

Software Asset Management Reducing costs, mitigating risk, gaining control. Ninety years in the Middle East

Extended enterprise risk management: New perspectives on a growing imperative The Dbriefs Governance, Risk, & Compliance series

The Future of Regulatory Productivity, powered by RegTech. Banking and Securities

VENDOR RISK MANAGEMENT FCC SERVICES

Boards and internal audit: Working together to strengthen risk management

It s time to revisit your anti-corruption compliance program How to design an effective and defensible compliance program in response to global trends

Building A Holistic and Risk-Based Insider Threat Program

Outsourcing fails when no one connects the pieces

Capability-led Transformation in Banking. A robust approach for today s banking challenges

Mitigating compliance risk Implications for global supply chains

Adding insight to audit Transforming Internal Audit through data analytics

Generating value within the Risk Ecosystem Risk powers performance

RSA ARCHER IT & SECURITY RISK MANAGEMENT

ISACA San Francisco Chapter

Welcome to the postmodern era for public sector ERP

EY Center for Board Matters Boards and internal audit

Emerging & disruptive technology risks

Data Standards in Oil & Gas

The credit card industry: navigating an evolving environment. EY Advisory Services

Deciphering third-party business risk in a period of weak commodity prices

Expert Reference Series of White Papers. Bridging IT Skills Gaps to Transform Your Business

Effective implementation of COSO s new anti-fraud guidance

On the road(map) again. Balancing the emerging regulatory requirements in the Middle East public sector

Agenda. Enterprise Risk Management Defined. The Intersection of Enterprise-wide Risk Management (ERM) and Business Continuity Management (BCM)

Securing Capabilities in the Cloud: Security and Privacy in the Evolution of Cloud Computing

Risk Advisory SERVICES. A holistic approach to implementing effective governance, managing risk and maintaining compliance

Managing reputation risk. Laura Toni, Deloitte Romania November 28, 2014

Modernizing Compliance: Evolving From a Foundational Program to a Value-Creating Strategic Partner

Beyond Compliance. Leveraging Internal Control to Build a Better Business: A Response to Sarbanes-Oxley Sections 302 and 404

Enterprise MRO Services PRESENTED BY:

The Current State of Risk Management Maturity for Belgian Organizations kpmg.com/be

Welcome. Integrating Strategic Risk into Enterprise Risk Management (ERM) 11/9/2015. Agenda. Evolving enterprise risk management (ERM) Strategic risk

11/9/2015. Welcome. Regulators, governments, analysts, and the street are paying much more attention to this particular management capability

Third Party Vendor Management and FDR Compliance

Value-added governance and controls: The need and application of strategic risk Paul Campbell, Katie Pavlovsky and Jeff Suchadoll

Ensuring Organizational & Enterprise Resiliency with Third Parties

Internal audit insights High-impact areas of focus

LI & FUNG LIMITED ANNUAL REPORT 2016

ISO 28002: RESILIENCE IN THE SUPPLY CHAIN: REQUIREMENTS WITH GUIDANCE FOR USE

Making winning workforce decisions

Information governance for the real world

Integrated Business Planning plus Your journey towards digital end-to-end planning

The Role of the Board in Strategy & Risk. NACD National Conference Power Breakfast October 15, 2012

Delivering Real Value Through Strategic Sourcing

ERM 101. Casualty Loss Reserve Seminar, Fall /5/ Practical Enterprise Risk Management (ERM) Agenda ERM 101 2

Social Analytics in Media & Entertainment The three-minute guide

Becoming agile A guide to elevating internal audit s performance and value. Part 1: Understanding agile internal audit

Avoiding Data Loss Prevention (DLP) Pitfalls A Discussion of Lessons Learned. April 2013

HR Metrics and Model for Modern Times

Enhancing deposit profitability Beat the marketplace squeeze by applying advanced analytics to your deposit business

Creating an agile control environment

4/26. Analytics Strategy

Third Party Governance and Risk Management

Financial Strength through Consumerism and Pricing Transparency

Enterprise Risk Management (ERM) - Impact of 2017 COSO ERM Model

Resource Management 2.0 The Next Chapter of Just-in-Time Resourcing

20 Signs That Your Business is Ready for Managed Services. Find out when your business will truly benefit from a technology provider.

The Benefits of First- and Second-Line Monitoring

International Finance Corporation

Certified Identity Governance Expert (CIGE) Overview & Curriculum

MANAGE RISK IN THE LEGAL DEPARTMENT

Your Business Needs Managed Services. Find out when your business will truly benefit from a technology provider.

Embracing Opportunity Demands an Internal Audit Transformation

Transcription:

Extended Enterprise Risk Management Driving performance through the third-party ecosystem

In a globalized business environment, no company is an island. The ecosystem of a typical company comprises an exceedingly large number of third parties. In general, a third party is any individual or entity with which the company does business, including customers, partners, agents, affiliates, vendors, and service providers. Taken together, these third parties who may hail from around the corner or around the globe constitute what we have termed the extended enterprise. Already extensive, the reach of the extended enterprise is poised to expand. Outsourcing, for instance, is expected to continue to grow at rates of 12 26 percent per annum across functions, according to Deloitte Consulting LLP's 2014 Global Outsourcing and Insourcing Survey. Taken together, these third parties who may hail from around the corner or around the globe constitute what we have termed the extended enterprise. As the extended enterprise reaches farther, and accordingly becomes more complex, companies acknowledge the need to manage their exposure to the actions of third parties in a strategic and proactive manner. Many businesses turn to point solutions that facilitate regulatory compliance or address high-profile vulnerabilities such as cyber security, often without consistently tying them to strategy. This fragmented approach, when not guided by an overarching vision, is no longer sufficient to mitigate interconnected thirdparty s throughout the enterprise and to avoid the consequences, which are escalating. But, how can a company go about formulating strategies for managing the extended enterprise and driving performance at the same time? And perhaps even more challenging, how can it justify the investment required to implement those strategies through a coordinated program? In our experience, the answers lie in expanding one s view of extended enterprise management to include value creation as well as value protection. Extended enterprise management can be a proactive lever for driving business performance, although most businesses see it mainly as a reactive means of protecting existing worth. In order for organizations to leverage their management processes to improve performance, it is critical to develop an end-to-end approach for sensing s systematically throughout the extended enterprise so that vulnerabilities can be addressed proactively. This approach is also known as extended enterprise management. Definition of extended enterprise management Extended enterprise management is the practice of anticipating and managing exposures associated with third parties across the organization s full range of operations as well as optimizing the value delivered by the third-party ecosystem. What does third-party look like? While one often thinks of data breaches involving IT providers, the tentacles of third-party extend into the farthest corners of the extended enterprise ecosystem. Consider these scenarios: An outsourced vendor for transaction processing decides to exit the business and provides little notice or transitional support An important distributor does not provide the amount of prime shelf space that had been agreed upon and instead leads with a competitor s product A contracted supplier does not deliver merchandise ontime, thus disappointing customers and damaging the company s brand reputation A customer organizes a boycott of the company s products via social media A critical vendor takes on more new accounts than it can handle, degrading service levels and disrupting processes `A sales agent routinely favors a competitor, causing revenue and market share to decline in an important region Several franchisees do not spend co-op advertising dollars as instructed, resulting in a poor consumer response to holiday promotions. Clearly, the spectrum of third-party is broad. It is challenging to define and catalog the full range of exposure because third-party is not a unto itself; rather, it is a combination of diverse s with various degrees of severity based on the nature of the relationships an organization has with its third parties. 2

Until recently, incidents related to the behavior and security practices of third parties were often inconvenient, but rarely catastrophic and few even considered the possibility that proactive management of third-party s across the extended enterprise could drive performance. Today, three forces are elevating the need for extended enterprise management and the benefits associated with it to new heights: 1) social media accelerates stakeholder reactions to third-party events, rapidly raising brand awareness, or conversely inflicting immediate reputational damage, if an incident goes viral; 2) the stakes are much higher, often affecting profitability for better or worse; and 3) companies are using outsourcing to a greater degree for both core and non-core processes. As a result, third-party incidents today can dramatically impact business performance positively or negatively by affecting cost, service quality, revenue, and brand. Cost: Escalation vs. containment Most companies know that a third-party incident can cost them dearly, but few realize just by how much. In terms of downside losses, there are several ways in which companies can incur unnecessary expenses, expose themselves to fines, or be held responsible for restitution not to mention the opportunity costs associated with not being able to serve existing customers or to pursue new business in the wake of a disruptive event. However, one of the more prominent and more costly s associated with third parties is regulatory non-compliance. This pressure is unlikely to ease anytime soon since regulatory scrutiny and associated penalties are intensifying throughout the world. A network within a network The Extended Enterprise is the concept that an organization does not operate in isolation, because its success is dependent upon a complex network of third-party relationships. Certification bodies Labs Licensing Franchisee Joint ventures Sales agents Distributors Inventory planning R&D Distribution and Sales Loyalty partners Fourth parties Tier 1-N suppliers Brokers/ Agents Shipping Contract manufacturing Infrastructure and application support Hosted vendor solutions Disaster Recovery Logistics Sourcing Legal Technology Licensed vendor solutions Organization Insurance Hardware lease Marketing Human Resources Advertising agency Media ad sales Customers Customer support Facilities Recruiting Payroll processing Warranty processing Office products Benefits providers Waste disposal Cleaning Call center Contractors 3

The US Foreign Corrupt Practices Act (FCPA) provides a poignant example. Enforced by the US Securities and Exchange Commission (SEC), the FCPA generally prohibits the payment of bribes to foreign officials to assist in obtaining or retaining business. It also requires issuers to maintain accurate books and records and have a system of internal controls sufficient to, among other things, provide reasonable assurances that transactions are executed and assets are accessed and accounted for in accordance with management's authorization. i The FCPA can apply to prohibited conduct anywhere in the world and extends to publicly traded companies and their officers, directors, employees, stockholders, and agents. Importantly, agents can include third parties acting on the company s behalf, such as consultants, distributors, joint-venture partners and others. ii The sanctions can be significant: since 2010, nine multinational companies have paid more than $100 million each to settle SEC charges and parallel criminal cases relating to FCPA violations. iii Cyber security is another area of top concern. In addition to bad publicity, the cost of a data breach is escalating, and if a third party is involved, it makes matters worse. According to an annual study conducted by the Ponemon Institute, the average cost paid for each lost or stolen record containing sensitive and confidential information increased more than nine percent from $136 in 2013 to $145 in this year s survey. iv Notably, third-party involvement increases the cost of the data breach by $14.80 per record. v This can be a substantial amount of money, considering the large number of records that are often compromised in an incident. Supply chain disruption, too, is frequently tied to third parties, and it is also becoming more costly. In an annual study conducted by the Business Resiliency Institute in 2014, almost one quarter of respondents (23.6%) reported annual cumulative losses of 1 million or more due to supply chain disruptions. vi Additionally, 13.2 percent of respondents have recorded losses of 1 million or more arising from a single incident, up from 8.6 percent in last year s survey. vii Who was to blame when things went wrong? Outsourcer service failure ranked among the top three causes of disruption, cited by 35.8 percent of respondents. viii Service Quality: Degradation vs. optimization Under pressure from boards and the C-Suite, upperlevel managers today need not only to avoid the aforementioned financial consequences of third-party but also to manage contracts and performance in a manner that optimizes returns for the extended enterprise. Vendor management, however, is all too often neglected in terms of resource allocation. Deloitte Consulting LLP's 2014 Global Outsourcing and Insourcing Survey indicated the market is currently underinvested in the area of vendor management, particularly when it comes to tools, methods and processes. ix It is therefore not surprising that many survey respondents reported dissatisfaction with vendor performance. Nearly half said they are facing issues related to their service providers being reactive rather than proactive (49%), and delivering poor service despite achieving service levels (48%). x In addition to not getting what they ve paid for in terms of service, companies are often unaware of whether or not third parties are complying with their contracts and if they are remitting fees, royalties, etc., as required. As a means of enhancing third-party performance and optimizing revenue capture, more and more companies are discovering they can unlock value and reduce costs from a contract and compliance (CRC) program, which assesses contract terms and audits related transactions. Companies also have a tendency to underutilize or overutilize assets licensed from third parties, where software and IT represent a particularly egregious area of overspending or exposure to major fines. Here, a software asset management (SAM) program can help organizations mitigate the of inadvertently violating the terms of their licensing agreements while helping them avoid being over licensed. By some estimates, an effective SAM program has the potential to reduce company IT costs by up to 30 percent. xi Revenue: Contraction vs. expansion The consumer relationship is fragile. Customers are more prone to take their business elsewhere when they are disappointed or feel betrayed even when the offending action was made by a third party several steps removed from company headquarters. A study conducted by Javelin Strategy & Research found that consumers avoid doing business with organizations after a security breach, with financial and banking institutions, health care providers, and retailers losing up to a third of their customer/patient bases in the wake of an incident. xii The consumer relationship is fragile. Customers are more prone to take their business elsewhere when they are disappointed or feel betrayed even when the offending action was made by a third party several steps removed from company headquarters. 4

While driving away customers is an unpleasant prospect, the revenue implications of a company s third-party management practices can just as well be positive. For instance, proactive efforts to manage the extended enterprise can open doors to revenue opportunities by qualifying a company to do business with other entities. For instance, a leading multinational retailer recently tightened its sourcing standards to include a zero tolerance policy for unauthorized subcontracting. Additionally, the retailer now requires its suppliers to validate that all input materials and components have been obtained from permissible harvests consistent with international treaties and protocols. From the supplier s point of view, tighter sourcing standards such as these could be a blessing or a curse precluding some, while including others. From the buyer s standpoint, welldefined supplier standards, along with governance processes and enabling technologies, can form the backbone of a supply chain compliance optimization program. Such programs not only seek to ensure thirdparty adherence to policies and standards but also to drive revenue by aligning the extended enterprise with the company s broader business objectives such as improving product quality, entering new markets, and satisfying customer demands for sustainable sourcing. While the focus is often on protecting the organization from downside losses, companies that proactively manage their third-party s across the extended enterprise also stand to reap substantial upside benefits in terms of increased productivity. Brand: Diminishment vs. enhancement Last but not least, every type of third-party exposure discussed thus far ties into an overarching : the everpresent threat of brand damage. In today s interconnected world, trust equals value, with business leaders increasingly acknowledging the high financial impact of brand image and reputation. According to a study by the World Economic Forum, on average more than 25 percent of a company s market value is directly attributable to its reputation. xiii Furthermore, Deloitte Touche Tohmatsu Limited s 2014 Global Survey on Reputation Risk found 87 percent of executives rated reputation as more important than other strategic s, and 88 percent said their companies are explicitly focusing on managing reputation. xiv Despite this focus, companies are still concerned about their readiness, saying they are least prepared to manage reputation drivers in areas beyond their direct control, such as third-party ethics and competitive attacks. xv These types of situations, should they come to pass, require effective crisis management and decisive leadership not only to fix the problem but also to take advantage of associated opportunities to improve processes, strengthen vendor relations, and uphold the brand by being transparent and responsive. Extended enterprise management drives value Third-party is causing much unease among executives and board members, and for good reason. A typical Fortune 500 organization may use as many as 10,000 suppliers to meet its business objectives. xvi Small- and mid-sized organizations may use hundreds of suppliers, if not thousands. Executives are increasingly realizing that each and every one of these relationships has the power to affect shareholder value, negatively or positively and often exponentially in relation to the vendor s size and type of service provided. While the focus is often on protecting the organization from downside losses, companies that proactively manage their thirdparty s across the extended enterprise also stand to reap substantial upside benefits in terms of increased productivity, contract and asset optimization, flexibility, and expanded growth opportunities. Put another way: an awareness is dawning that extended enterprise management drives value. The case for a holistic approach The management landscape is often fragmented and decentralized. Accordingly, many organizations approach third-party management on an ad-hoc and selective basis through point solutions, addressing prominent pain points such as cyber and mandatory regulatory compliance as they arise. In our experience, a broad, cross-enterprise view is often missing, with lack of ownership being a common theme. For instance, despite the increasing focus on management, some organizations still do not have a dedicated officer. We ve also observed that many companies have not fully considered how to leverage the three lines of defense for managing and driving performance across the extended enterprise. The first line of defense is the business unit, which owns the third-party relationship and is accountable for managing associated s in alignment with policies and procedures. The second line of defense is a centralized governance program for extended enterprise management, which is responsible for establishing and enforcing policies/processes to ensure that third parties are managed consistently by the business. And, the third line of defense is internal audit, which is charged 5

A holistic approach The Extended Enterprise management operating model presents a holistic approach to managing third-party relationships at various life cycle stages, while considering business objectives and domains across your Extended Enterprise. Growth/ innovation Client experience Business Objectives Improved time to market Risk and compliance management Cost reduction Contractual Financial Compliance/ legal Cyber Credit Intellectual Property Business continuity Operations Risk Domains Strategic Quality Governance and oversight The operating model, committees, and roles and responsibilities for managing the extended enterprise Reputation Geopolitical Policies and standards Management s expectations of standards and processes to be used, to manage the extended enterprise and its related s Management processes Processes to manage s and improve performance across the third-party lifecycle Risk culture Tone at the top, clarity on appetite, appropriate training and awareness to promote positive culture Operating Model Components Tools and technology Use of tools and technology, predictive and analytics that enhance extended enterprise management processes Risk metrics and dashboard Use of internal and external data to measure and visualize s and performance of extended enterprise, tailored towards multiple levels of management Third-party relationship lifecycle Plan, evaluate, and select Contract and on-board Manage and monitor Terminate and off-board Third-party relationships Infrastructure Sell side Buy side 6

with administering a robust audit program aligned to the most critical extended enterprise s and controls as well as performing independent assessments. Beyond underinvesting in the three lines of defense, many companies are additionally prone to focus on their spend, or looking for the low-cost provider, when engaging a third party, as opposed to focusing on the vendor s profile, control environment, and ability to drive performance. In short, many companies are attempting to patch the leaks in managing the extended enterprise as opposed to repairing the whole structure. In addition to the emphasis placed on cost reduction over the last few years, some believe this state of affairs can be attributed to the proliferation of third-party relationships and the escalation of s that accompany them. The environment has changed, and few organizations have been able to keep up. At this point the question becomes: What should an organization do now? In our view, companies increasingly need to move toward a holistic extended enterprise management program that emphasizes value creation as well as value protection. Organizations now have the opportunity to establish a systematic and proactive approach to managing s across the third-party lifecycle, and in so doing, to unlock value and improve business performance. An operating model for implementing and integrating the various components of management across the thirdparty relationship lifecycle forms the foundation of this approach. To facilitate value realization, this model links the -management components to business objectives and domains across the extended enterprise. Four cornerstone capabilities Many companies believe they cannot take an end-to-end approach to managing the extended enterprise because securing executive sponsorship and getting people to take ownership can be an uphill climb. Furthermore, many businesses assume the task is too vast and they do not have the expertise and resources to build, execute, and sustain a comprehensive third-party oversight program. In our experience, these barriers are more perception than reality. It is neither necessary nor possible to do everything at once. It is rather a matter of identifying some practical steps to take toward establishing an extended enterprise management program or evolving an existing one. Most organizations can get a sense of what those steps might be by considering the extent to which they have developed the following cornerstone capabilities: Strategy and governance: Creating an agile and flexible governance model Does your organization link its management practices to value drivers? Does it have a formal strategy and governance model for managing third-party? Does it understand where the breakpoints are in its thirdparty relationships? Does it have a prescribed means of assessing and staying ahead of them? Does your organization proactively seek to bridge the gap between business executives and compliance and professionals? People: Managing relationships, compliance and regulations Does your company have dedicated roles for managing third-party across the extended enterprise? Has your organization aligned and strengthened its three lines of defense? Does executive ownership exist at the enterprise level? Are employees keeping up with emerging regulatory requirements? Are your third parties keeping up? Process: Navigating events that shape the extended enterprise Does your organization react to third-party events or does it actively seek to prevent them? Are management processes standardized across the enterprise and integrated with tools and data? Does your organization regularly consider how evolving technologies, market trends, and disruptive forces present opportunities and challenges to its third-party relationships? Does your organization have appropriate contracts in place with its third parties? Do you know if they are meeting expectations and complying with their contractual commitments? Can you readily assess the appropriateness of future delivery models? Are executives confident in their decisions to outsource or insource, build, or buy? Technology: Using data and analytics to make informed decisions What tools and technologies does your organization leverage to make informed decisions about its third-party relationships? What data does your organization already have access to? Can leaders make real-time decisions? If so, what key performance indicators does your organization monitor and analyze to support those decisions? If you answered no to most of these questions, your company s extended enterprise management program is likely in the earlier stages of development, where the organization may be managing some third-party s on an ad-hoc basis, using a few off-the-shelf tools, and perhaps beginning to implement dedicated roles and processes. More yes answers suggest it is further along the path toward integration and optimization later stages of maturity that are generally characterized by greater use of customized tools, proactive monitoring and decision-making, and the connection of leading practices to value drivers. 7

How does your approach stack up? The Extended Enterprise maturity model below is designed to help you understand where you are today, your ideal future state, the value the future state can bring to your organization. Strategy and Governance People Process Technology No formal governance Risk taking for quick fix benefits Individual effort Little management input Lack of training Few activities defined Fire fighting mode Simple and least expensive tools used, ad-hoc Initial Progress through the levels of maturity increases extended enterprise performance through both (i) controlled s, and (ii) enhanced benefits Minimal effort in reducing Risk taking for short term benefits Responsibilities built into existing roles Increased input from management Defined processes in siloes Functional, reactive problem solving Off-the-shelf tools used for problem solving Limited access to thirdparty data Managed Focus on preventing issues Risk aligns with medium-term enterprise-wide benefits Dedicated roles Invested executives within each silo Some training offered Coordinated processes across the business Monitoring and alerting leveraging dashboards, with some proactive issue resolution Adapted tools used for reporting and monitoring Defined Focus on preventing issues and creating value Intelligent taking, aligned with enterprise strategy Awareness of value of extended enterprise across the organization Enterprise-wide roles Executive ownership at the enterprise level Fully standardized processes, integrated with tools and data Proactive decision making using analytics, improving bottom-line and performance Customized tools, used for tactical decision making Value-additive tools Internal data centralized and easily accessible Integrated State-of-the-art practices, linked to value drivers Extended enterprise embedded in strategic planning and decision making Trained professionals with defined roles throughout the lifecycle Executive champions on both sides, aligning service delivery to strategic objectives Processes aligned with strategy, integrated into third parties Continuous improvement and proactive responsiveness Leveraging predictive and sensing analytics, tools and dashboards Highly-customized decision support tools Integrated external data sources that enhance insights Tools and analytics are key value driver and differentiator Optimized Maturity of extended enterprise program Destination known: Improved business performance Third-party is increasing for many enterprises, as are stakeholder demands for accountability and return on investment (ROI). When existing or impending regulations in certain industries are added into the mix, the potential cost of inaction becomes high. In this environment, complexity and resource constraints are no longer sufficient reasons to avoid taking an integrated approach to third-party management across the extended enterprise neither is fear of the unknown. Wherever your organization stands on the maturity curve, there are some next logical steps that can be taken now to establish an extended enterprise management program or to move your existing -management practices to the next level. While the journey may be different, the destination is the same: improved business performance through controlled s and enhanced benefits. 8

Risk management solutions Deloitte Advisory brings together the full breadth of its capabilities into a comprehensive suite of solutions designed to help you increase the performance of the extended enterprise and help your organization achieve your strategic business objectives. Strategy and program development Solutions to assess, design, and implement strategically aligned extended enterprise program Governance and operating model design Strategic assessment, tiering, and segmentation Crisis management and simulation modeling Regulatory compliance Evaluation and continuous monitoring Solutions to assess third parties and proactively sense and respond to extended enterprise s and opportunities Third-party vetting and screening Risk sensing Third-party assessments Contract compliance assessments and optimization Benchmarking Analytics and visualization Technology enablement Solutions to transform and continuously enhance extended enterprise management by designing, implementing, and deploying technology solutions Intelligence Governance/program management Risk and compliance Knowledge management The solutions range from those that can be integrated across the organization and/or to specific domains and specific third-party relationships. As used in this document, Deloitte Advisory means Deloitte & Touche LLP, which provides audit and enterprise services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. 9

Extended Enterprise management in action From supply chain assessments to compliance audits and leading vendor-management practices, the following case studies illustrate the power of extended enterprise management strategies to drive business performance. Case #1: Supply chain food safety assessment A global Fortune 500 quick-serve restaurant chain sought to better manage supplier s and to improve food safety in emerging countries. The company was particularly challenged to understand and sense food-safety s not typically considered in the supply chain framework. To achieve these objectives, Deloitte assisted the company in defining a macro-environmental framework covering areas such as food safety hazards, third-party exposure, infrastructure and resources vulnerabilities, and local and international regulations. It also conducted brainstorming workshops to identify unknown known s that may be emerging or currently underappreciated. Based on the s identified, a supplier assessment was developed and 15 international site visits were completed. Through these visits, Deloitte identified several improvement opportunities that could be broadly applied in emerging countries around the world. Deloitte also helped the company develop a future state framework for managing food-safety supply chain, giving the company a roadmap for better sensing s and for transitioning from a rigid standards-based approach to a more-proactive model for managing the extended enterprise. Case #2: Software license compliance A global software company suspected that it was losing revenue through customer non-compliance with its licensing arrangements. The company engaged Deloitte to stem this revenue leakage. To do so, Deloitte first analyzed large volumes of data to identify high- third parties. It then performed compliance assessments of end customers, distributors, original equipment manufacturers (OEMs) and other third parties to identify revenue leakage in the extended enterprise. Ultimately, Deloitte assisted the organization in recovering lost revenue and provided guidance on prioritizing ongoing compliance audit activities. Building upon the success of these initiatives, the engagement has branched into similar assessments of other contractual relationships including licensing and royalty arrangements, hardware distribution channels, and working with end customers on software asset management (SAM) initiatives to help them maintain compliance with their contractual agreements and stop revenue leakage at the source. Case #3: Vendor management assessment and performance dashboard development Over the last five years, a large insurance company had reduced its gross expenses by 20 percent, while simultaneously increasing its dependency on third-party expertise. As a result, its extended enterprise expanded to comprise more than 2,400 vendors. However, its vendor management practices, including on-boarding and assessments, had not kept pace with the expansion. The company engaged Deloitte to conduct a holistic review of its vendor management strategy, lifecycle, and organizational structure, with the goal of helping the organization to maintain its bottom-line improvements while appropriately managing future demands, performance, and s associated with third parties. To achieve these objectives, Deloitte conducted a leading-practice assessment of the company s vendor management operating model, including governance, organizational design, operational management, procurement authorization, and technology deployment. The main deliverable was a target-state operating model for vendor management, toward which the company is moving today. Additionally, Deloitte developed business requirements for performance dashboards to monitor key vendors and s, and made recommendations on how the company could better use its third-party management technology. 10

i ii iii iv v vi vii Spotlight on US Foreign Corrupt Practices Act, US Securities and Exchange Commission, https://www.sec.gov/ spotlight/fcpa.shtml, accessed Jan. 20, 2015. Ibid. SEC Enforcement Actions: FCPA Cases, US Securities and Exchange Commission, https://www.sec.gov/spotlight/fcpa/ fcpa-cases.shtml, accessed Jan. 20, 2015. 2014 Cost of Data Breach Study: Global Analysis, benchmark research sponsored by IBM, independently conducted by Ponemon Institute LLC, May 2014, pp. 1-3. Ibid. Supply Chain Resilience 2014: An international survey to consider the origin, causes, and consequences of supply chain disruption, The Business Continuity Institute, p. 4. Ibid. viii Ibid. ix Deloitte Consulting LLP's 2014 Global Outsourcing and Insourcing Survey: 2014 and beyond, pp. 11-12. x xi xii Ibid. Fischer, Matt. Saving Money Through Software Asset Management, Computer Weekly, http://www.computerweekly. com/opinion/saving-money-through-software-asset-management, accessed January 21, 2015. Sales Drop as Corporate Data Breaches Rise According to New Study from Identity Finder: Javelin Research Findings Quantify the Costs of a Data Breach and Effect on Consumer Spending, press release, April 29, 2014, http://www. identityfinder.com/us/press/20140428164358 xiii World Economic Forum, 2012. xiv Deloitte Touche Tohmatsu Limited 2014 Global Survey on Reputation Risk: Reputation@, October 2014, www. deloitte.com/reputationsurvey, pp. 4, 11. xv Ibid. xvi Vendor Management Program Office Five Deadly Sins of Vendor Management, Deloitte 2013 11

Contacts For more information, please contact: Krissy Davis Partner Deloitte Advisory Finance and Operations Deloitte & Touche LLP +1 617 437 2648 kbdavis@deloitte.com Dan Kinsella Partner Deloitte Advisory Extended Enterprise Advisory Services Deloitte & Touche LLP +1 402 997 7851 dkinsella@deloitte.com Deepti Modgekar Senior Manager Deloitte Advisory Extended Enterprise Advisory Services Deloitte & Touche LLP +1 215 246 2528 dmodgekar@deloitte.com For further information, visit our website at www.deloitte.com/us/extendedenterprise This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. In addition, this document contains the results of surveys conducted by Deloitte or its affiliates. The information obtained during the surveys was taken as is and was not validated or confirmed by Deloitte or its affiliates. Deloitte shall not be responsible for any loss sustained by any person who relies on this document. Copyright 2015 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback