EERM Survey: Businesses Unprepared to Manage Third-Party Risk During COVID-19

Brian Shaw
Third-Party Risk Management and Compliance, Coupa Software

Brian Shaw oversees Coupa’s Third-Party Risk Management and Compliance practice, ensuring customer success, focusing on results and striving for excellence through value as a service. He was formerly Director, Financial Services Sales for Opus Global (Hiperos and Alacra), which Coupa acquired in 2018.


Over the past few years, a rise in regulatory activity related to third-party and supplier risk management was already making it difficult to manage enterprise risk, driving many companies to increase their focus on compliance with new regulations. Then COVID-19 appeared this year, testing every organization’s approach to third-party risk management.

The findings from Deloitte’s 2020 Extended Enterprise Risk Management (EERM) Third-Party Risk Management (TPRM) Global Survey highlight that while organizations were faced with challenges to manage third-party risk before COVID-19, the pandemic has demonstrated the huge strategic impact of third-party failures and how quickly some risks from unexpected events can strike.

Most organizations were unprepared for a large-scale disruption
Deloitte’s new research indicates that most organizations were unprepared to manage third-party risks in the event of a large-scale disruption like the COVID-19 pandemic. The Deloitte survey shows that in 2018 and 2019, organizations focused on data privacy, information security, and cyber risk. Many organizations neglected business resilience and continuity. Year after year, many firms had self-identified gaps in their risk management that are now creating challenges, such as sourcing critical parts from reliable suppliers, as these organizations respond to this global event.

This year’s survey shows that nearly 50% of organizations are not allocating material EERM budgets to address third-party continuity. This widespread lack of the extended enterprise intelligence and planning necessary to effectively respond to high-impact events – combined with the growing strategic dependence on critical third parties – has left many companies challenged and looking for new solutions.


The piecemeal approach to risk management is risky business
According to Deloitte’s report, most organizations have made piecemeal investments in EERM for many years. By 2019, respondents had realized this approach had weakened their ability to do basic or core tasks well, such as understanding the nature and criticality of third-party relationships (50%) and understanding related contractual terms (43%).

The piecemeal approach to risk management has also adversely impacted organizations’ ability to ensure that the monitoring of supplier risk management is proportionate to the risks involved – which is vital in a time of crisis. Organizations need one system that is monitoring risk and that alerts them to risk using both internal and external data. For example, visibility into contracts is vital to mitigate risk. By connecting visibility into contracts with data that is integrated with your P2P processes and systems, it becomes easier to manage and control contract terms and make timely adjustments as needed to reduce risk.

Those companies struggling with third-party risk management are working to figure out how to overcome the challenges of today’s unique environment. The first key is understanding that risk cannot be managed piecemeal. Finance and procurement leaders must collaborate to strategically deploy new integrated solutions that drive a streamlined approach to third-party risk management.


Survey respondents are largely dissatisfied with their EERM technology 
According to the Deloitte survey, organizations are struggling to understand and keep pace with the evolving technology landscape and are particularly concerned with EERM systems that do not seamlessly integrate with each other. Only 28% of respondents in 2020 are satisfied with their EERM technology solutions. Thirty-nine percent want to explore a different technology solution. 

This technology challenge is fueled by a backdrop of rapidly evolving solutions. The greatest worry about technology is that systems do not seamlessly integrate with each other, with 61% of organizations complaining about this issue – yet only 15% of organizations integrate or optimize their approach to managing risk with third parties.

Data is the first key to effective third-party risk management
Data is key to overcoming these challenges: Do you know what risks are hidden in your supply chain and third-party relationships? Do you have visibility into them? Which of your third parties have your data, your customer data, access to your network, or touch your customers? What about your suppliers’ suppliers? Today, any company without comprehensive data on its suppliers is at risk.

Deloitte’s research emphasizes the importance of using data to manage critical third-party relationships. More responsive organizations understand what data is already available internally regarding third parties to identify areas of potential risk and to head off a supply chain disruption, for example when a supplier has sole supply, low inventory levels, and so on. In addition, they use external data sources and information from the third party to fill in the gaps in internal information, including relevant attributes such as supplier delivery locations, financial health, and customer reviews.

Leaders are concerned about the cost of getting third-party risk management wrong
Reflecting the trend of a growing dependence on critical third-party relationships, organizations are increasingly concerned about the rising cost of getting third-party risk management wrong. The solution is to leverage a fully integrated modern cloud-based platform that can manage all your procurement, spend, and third-party relationships with shared data and applications.

There is also an urgent need for the boardroom and top executives to obtain actionable intelligence to manage the extended enterprise on a real-time basis. In addition, the pandemic has increased the desire for better visualization of data and online alerts to enable action and make top-level reporting more succinct and smarter.

Accelerated by the need for a rapid response and recovery to the global pandemic, Deloitte expects continued investment in tech-enabled transformation initiatives in pursuit of increased efficiency and effectiveness. The desire for seamless integration across technology platforms used for EERM prompts the major ERP, P2P, and risk management platform vendors to upgrade the functionality of their solutions.

Risk management should not be an isolated function
The survey finds that the evolution of EERM into a wider discipline is the next logical step to establish holistic mechanisms that manage all types of risks across all categories of third parties – and that this evolution will be enabled by emerging technologies and more developed third-party risk management frameworks.

To ensure third-party risk management is not managed ineffectively in a silo, responsive organizations have developed new executive dashboards for C-level and Board-level leadership to support dialogue and communication on third-party risks, impact, and response. This also requires access to organized, integrated, cross-functional data, including external sources of data.

With the right data, visibility, and control mechanisms in place – an integrated holistic third-party risk management framework – a company gains real-time knowledge of what is happening on the ground and can take rapid corrective action. For a deep dive on the subject, see Coupa's eBook: Insights For Effective Third-party Risk Management.

Read more about emerging trends related to critical third parties in the full Deloitte EERM report, and get best practices for improving your TPRM in our blog post, 3 Key Elements to Effective Third-Party Risk Management.

