Most companies lack confidence in managing third-party risks

4 April 2016

More than 90% of companies surveyed feel ill-equipped to manage risk posed by using third-party organisations.

In a survey of 170 global organisations by Deloitte, a large majority said they had faced a disruptive incident involving a third party in the past three years. This could include loss of data by a third party or failure to deliver a service or product on time. Almost all companies said they were not confident in the tools used to manage third-party risk.

Despite this, the majority of organisations believed third parties would play an important role in the year ahead, according to the survey.

Deloitte’s 2016 Third-party Governance and Risk Management Survey aimed to get an idea of where global companies stood on managing risk posed by third parties. It also highlighted the increasing frequency and impact of third-party disruptions, and the need for organisations to invest in better governance and risk management related to third parties.

The survey found that 78.1% of respondents expresses a moderate to high level of confidence in their organisation’s awareness and commitment to managing third-party risk.

However, nearly all survey respondents (94.3%) felt low to moderate levels of confidence in the tools and technology currently used to manage their third-party risk, while 88.6% felt the same about the quality of third-party risk management processes.

Almost nine in 10 (87%) organisations have faced a disruptive incident involving a third party in the past three years. Twenty eight per cent faced major disruption while 11% said they experienced a complete third-party failure.

The survey found that 26.2% of respondents had suffered reputational damage, 23% had been non-compliant with regulatory requirements, and 20.6% had experienced a breach of sensitive customer data, all arising out of third-party actions.

Meanwhile, 73.9% of respondents believed third parties would play a highly important or critical role in the year ahead. This is up from 60.3% a year earlier.

Kristian Park, partner and global head of third-party governance and risk management at Deloitte, said: “With reliance on third parties set to grow, now is the time to address the ‘execution gap’ between risk and readiness. The impact of third-party incidents ranges from reputational damage, regulatory and data breaches, through to actual lost revenue and future business.”

Fines issued directly from third-party failure ranged from £1.3m to £35m, reaching £650m for those firms operating internationally and subject to global regulation, according to Deloitte. Resultant share price falls, could see investors incur significant losses.

The increasing frequency of third-party incidents has motivated organisations to improve their risk management, according to Park. He said that third-party risk management was starting to feature more consistently in board-level discussions, with more than half of survey respondents wanting to have integrated third-party risk management systems in place in the next year.

“Rolling out common and unified standards remains a challenge as businesses are increasingly decentralised,” said Park. “Encouragingly, though, 86% of those surveyed have already started.”

The survey was based on the responses of more than 170 senior management members from organisations that mostly had annual revenues in excess of US$1 billion. Sectors included financial services, energy and resources, manufacturing, public sector, technology, media and telecom, consumer business, healthcare and life sciences, and business, infrastructure and professional services.

Central London and Cheltenham
Salaries: Central London: £38,656 - £43,186/Cheltenham: £35,736 - £40,011
Central London and Cheltenham
Salaries: Central London: £48,305 - £56,163/Cheltenham: £45,341 - £53,023
CIPS Knowledge
Find out more with CIPS Knowledge:
  • best practice insights
  • guidance
  • tools and templates