Risk management in the real world

Dec 03, 2018
When monitoring third-party risks, it is important that entities focus on value creation as well as value protection.

Outsourcing is increasingly a key strategic decision for many businesses, allowing them to focus on core corporate activities. However, when things go wrong in third-party relationships, companies may be exposed to significant reputational, regulatory, strategic and financial risks. Two notable recent examples of high-profile third-party failures illustrate the point:

  • The Central Bank of Ireland imposed fines on financial institutions in relation to the governance and control of outsourced services delivered by third parties; and
  • In 2018, a restaurant chain in the UK was forced to close more than 560 of its 900 outlets as “operational issues” at a new distribution partner left deliveries “incomplete or delayed”. This is estimated to have cost the restaurant chain in question £1 million per day in lost sales.

In 2016, the Central Bank of Ireland warned that poor management of third-party relationships was putting banks at risk, citing “very serious failings” in relation to the governance of these arrangements and branding some cases as “astonishing”. Specific criticism related to poor management of outsourced arrangements, lack of oversight, and a lack of engagement and challenge from boards.

Extended enterprises

The operational environment of many companies has expanded to include third-party service providers. Taken together, these third parties constitute what we term “the extended enterprise.” We continue to see companies struggle to identify, measure, report and monitor third-party risks within their extended enterprise. This has led to companies being exposed to a variety of risks and failing to maximise the upside of third-party relationships.

The challenge for businesses is to formulate an extended enterprise risk management strategy that proactively manages the risks associated with the extended enterprise while also driving performance. In our experience, the answers to this challenge lie in expanding one’s view of third-party risk management to incorporate value creation as well as value protection.

For companies to leverage their risk management processes to improve performance, it is critical that they develop an end-to-end approach for sensing risks systematically throughout the extended enterprise so that vulnerabilities can be addressed proactively. We term this approach ‘extended enterprise risk management’ (EERM).

Extended enterprise risk management

EERM is the practice of anticipating and managing exposures associated with third parties across the full range of operations, as well as optimising the value delivered by third-party relationships. The risk management landscape is often fragmented and decentralised. Many companies have not agreed and documented their risk appetite. They may approach third-party risk management on an ad hoc basis, addressing prominent areas such as cyber risk and regulatory compliance as they arise.

Crucially, many companies do not have a broad pan-company view of all current third-party engagements and the associated risks. A common theme that emerges here is a lack of ownership of risks across the company. For example, despite the increasing focus on risk management, some companies still do not have a dedicated risk officer. Additionally, many companies are not appropriately utilising the three lines of defence to manage risk and drive performance across the extended enterprise.

The first line of defence is the business unit, which owns the third-party relationship and is accountable for managing associated risks in alignment with policies and procedures. The second line of defence is a centralised governance programme for extended enterprise risk management, which is responsible for establishing and enforcing policies/processes to ensure that third parties are managed consistently by the business. The third line of defence is internal audit, which is charged with administering a robust audit programme aligned to the most critical extended enterprise risks and controls as well as performing independent assessments.

In addition to underinvesting in the three lines of defence, many companies focus excessively on quantitative metrics – contract income and expenditure, for example – when engaging a third party. When assessing third parties, companies should always include appropriate qualitative metrics – vendor quality, technical capabilities, vendor risk profile, control environment, and ability to drive performance, for example.

By not having a defined EERM framework in place, many companies are concentrating on firefighting rather than maximising the benefits that can arise from well-managed third-party relationships.

Driving value

Companies increasingly need to move toward a holistic approach to EERM that emphasises value creation as well as value protection. This typically involves establishing a systematic and proactive approach to managing risks across the third-party lifecycle and, in so doing, unlocking value and improving business performance.

An operating model for implementing and integrating the various components of risk management across the third-party relationship lifecycle forms the foundation of this approach. To be fully effective, such models must be aligned to the company’s overarching risk appetite and risk management framework. The model should link the individual components of risk management to agreed and documented business objectives and the company’s risk registers.

Four cornerstone capabilities

Many companies believe they cannot take an end-to-end approach to managing the extended enterprise because securing executive sponsorship and getting people to take ownership can be an uphill battle. Additionally, many businesses think that the task is too vast and they do not have the expertise and resources to build, execute and sustain a comprehensive third-party oversight programme.

In our experience, these barriers are more perception than reality. It is neither necessary nor possible to do everything at once. Companies should consider some practical steps to take toward establishing an EERM programme or evolving an existing one. Many companies can get a sense of what those steps might be by considering the extent to which they have developed the following cornerstone capabilities.

Strategy and governance

This involves the creation of an agile and flexible governance model:

  • Is there a defined and documented strategy and governance model for managing third-party risk?
  • Is there a defined policy to assess third-party requirements prior to entering into relationships?
  • Are the links between third-party risk management activities and the company’s value drivers agreed and documented?
  • Have you identified, agreed and documented critical key performance indicators (KPIs) for all third-party relationships?
  • Have you agreed and documented how third-party KPIs will be reported and monitored?
  • Are there defined processes in place to identify new and emerging third-party risks?

People

This involves managing relationships, compliance and regulations:

  • Is senior management sufficiently invested in EERM?
  • Are the employees charged with responsibility for third-party risk management receiving sufficient and appropriate training?
  • Is there sufficient investment in the three lines of defence to deliver effective monitoring of third-party risks?
  • Are there defined and documented roles for managing third-party risk across the extended enterprise?

Process

This involves navigating events that shape the extended enterprise:

  • Are there appropriate contracts in place with all third parties?
  • Do monitoring processes allow for the reliable assessment of third-party performance?
  • Does the company react to third-party events or actively seek to prevent them?
  • Are risk management processes standardised across the company and integrated with tools and data?
  • Is sufficient consideration given to how evolving technologies, market trends and disruptive forces present opportunities and challenges to third-party relationships?

Technology

This involves using data and analytics to make informed decisions:

  • What tools and technologies are employed to make informed decisions about third-party performance?
  • What transactional data are you entitled to access?
  • Do the company’s IT systems support KPI monitoring, reporting and performance assessment?

Factors to consider in assessing your third-party risks

The complexity of the extended enterprise and resource constraints are no longer sufficient reasons to avoid taking an integrated approach to third-party risk management. Wherever your company stands at present in relation to EERM, some practical steps can be taken now to establish an EERM programme or to move your existing risk management model to the next level. The following factors should be considered.

Strategy and programme

This involves the development of EERM solutions to assess, design and implement a strategically aligned extended enterprise programme. These may include:

  • Conducting an enterprise-wide strategic third-party risk assessment; and
  • Developing the governance and operating model for EERM including KPIs, reporting and monitoring mechanisms.

Evaluation and continuous monitoring

This involves the selection and application of a suite of solutions to measure third parties and proactively sense and respond to extended enterprise risks and opportunities. These may include:

  • The selection of quantitative and qualitative metrics/KPIs;
  • Third-party risk assessment processes; and
  • Contract compliance mechanisms.

Technology enablement

This involves the selection and application of technology solutions to transform and continuously enhance EERM. These may include:

  • Systems design and deployment;
  • Data analytics; and
  • Reporting protocols.

Conclusion

Effective EERM programmes allow companies to align third-party risk management to strategic objectives and deliver enhanced returns on investment by emphasising value creation as well as value protection.

Crucially, there is no ‘one size fits all’ EERM model or programme. Each company faces unique challenges and therefore, EERM programmes tend to be bespoke by nature. Time spent on EERM programme design is rewarded in the longer term.

Finally, successful EERM programmes are continuously re-assessed to ensure that the model being applied remains appropriate at all times.

Jimmy Crowley is a Senior Manager in Risk Advisory at Deloitte Ireland.
