The document discusses extended enterprise risk management (XERM). It defines XERM as an end-to-end approach to systematically identify risks across a company's extended enterprise in order to proactively address vulnerabilities. It identifies four key capabilities for XERM - strategy and governance, people, process, and technology. It also provides a framework for assessing the maturity of a company's extended enterprise risk management program.
2. 2
Agenda
Understanding XERM
Need for XERM
Holistic Approach for XERM
Four cornerstone capabilities
Maturity of Extended Enterprise Program
EXTENDED ENTERPRISE RISK MANAGEMENT
3. EXTENDED ENTERPRISE RISK MANAGEMENT 3
The Extended Enterprise
● Globalized business environment - no company is an island.
● Ecosystem of company comprises an exceedingly large number of third parties - including customers,
partners, agents, affiliates, vendors, and service providers.
● “THE EXTENDED ENTERPRISE.”
● The reach of the extended enterprise is poised to expand.
Private bank sourcing customer through DSA provided with asset serviced through service providers. Data
entry in one system by separate team of outsourced manpower and funding by BANK by entry in another
system. Documents scanning and storage by different operators at third party location.
4. EXTENDED ENTERPRISE RISK MANAGEMENT 4
Fragmented Approach – Existing Mechanism
● Exposure to the actions of third parties to be managed in a strategic and proactive manner.
● Most companies cover key items i.e. regulatory compliance or cyber security
● No conscious and consistent link to strategy.
● Fragmented approach - when not guided by an all-encompassing vision – is no longer sufficient to mitigate
interconnected third-party risks at enterprise level
● Consequences of non – managing exist - which are escalating.
5. EXTENDED ENTERPRISE RISK MANAGEMENT 5
Some Examples
● An outsourced vendor for transaction processing decides to exit the business and provides little notice or
transitional support
● An important distributor does not provide the amount of prime shelf space that had been agreed upon
and instead leads with a competitor’s product
● A contracted supplier does not deliver merchandise on-time, thus disappointing customers and damaging
the company’s brand reputation
● A customer organizes a boycott of the company’s products via social media
● A critical vendor takes more new accounts than it can handle, degrading service levels / disrupting process
● A sales agent routinely favors a competitor, causing revenue and market share to decline in an important
region
● Several franchisees do not spend co-op advertising dollars as instructed, resulting in a poor consumer
response to holiday promotions
6. EXTENDED ENTERPRISE RISK MANAGEMENT 6
Challenges
● Formulating strategies for managing the extended enterprise and driving performance at the same time?
● Justify the investment required to implement those strategies through a coordinated program?
… what should the company do…
7. EXTENDED ENTERPRISE RISK MANAGEMENT 7
Extended Enterprise Risk Management
● Answers lie in expanding one’s view of Extended Enterprise Risk Management (XERM)
<<<VALUE CREATION AS WELL AS VALUE PROTECTION>>>
● XERM - An end-to-end approach for sensing risks systematically throughout the extended enterprise so
that vulnerabilities can be addressed proactively.
● XERM –
● A proactive lever for driving business performance
● A reactive means of protecting existing worth (some believe so).
8. EXTENDED ENTERPRISE RISK MANAGEMENT 8
What is XERM
● XERM is
● the practice of anticipating and managing
● exposures associated with third parties
● across the organization’s full range of operations
● optimizing the value delivered by the third-party ecosystem.
9. EXTENDED ENTERPRISE RISK MANAGEMENT 9
Elevating XERM
● Three forces elevating the need for XERM are:
● social media accelerates stakeholder reactions to third-party events, rapidly raising brand awareness,
or conversely inflicting immediate reputational damage, if an incident goes viral;
● the stakes are much higher, often affecting profitability for better or worse; and
● companies are using outsourcing to a greater degree for both core and non-core processes.
● Third- party incidents can dramatically impact business performance—positively or negatively—by
affecting:
● cost
● service quality
● revenue
● brand
10. EXTENDED ENTERPRISE RISK MANAGEMENT 10
Cost: Escalation vs. containment
● A third-party incident can cost them dearly. By how much – not sure?
● Downside losses: several ways of incurring unnecessary expenses - fines, restitution, opportunity costs of
business loss (existing customers / new), new business in the wake of a disruptive event.
● Regulatory non-compliance: Pressure is unlikely to ease anytime soon since regulatory scrutiny and
associated penalties are intensifying throughout the world.
● Customers can take their business elsewhere if they feel disappointed or betrayed even for offending
action of a third party.
● Cyber security is another area of top concern.
● Bad publicity,
● Cost of a data breach is escalating, and if a third party is involved, it makes matters worse.
● Supply chain disruption – mostly tied to third parties
11. EXTENDED ENTERPRISE RISK MANAGEMENT 11
Service quality: Degradation vs. optimization
● Pressure from boards and the C-Suite for managing contracts and performance to optimize returns for the
extended enterprise.
● Vendor management is often neglected in terms of resource allocation.
● Market is currently underinvested in the area of vendor management - tools, methods and processes.
● Reported dissatisfaction with vendor performance.
● Service providers are:
● Being reactive rather than proactive and
● Delivering poor service despite achieving service levels
● Customer Angle
● Companies face challenge in collecting contracted fees, royalties, etc..
● Customers also have a tendency to underutilize or overutilize licensed assets like software license.
12. EXTENDED ENTERPRISE RISK MANAGEMENT 12
Revenue: Contraction vs. expansion
● Dissatisfied customers can take their business elsewhere.
● Consumers avoid doing business with organizations after a security breach.
● Driving away customers is an unpleasant prospect.
13. EXTENDED ENTERPRISE RISK MANAGEMENT 13
Brand: Diminishment vs. enhancement
● Every type of third-party exposure is an all-embracing risk: threat of brand damage.
● In interconnected world, trust equals value.
● On average more than 25% wealth of a company’s market value is directly attributable to its reputation.
● Companies are concerned about their readiness
● Least prepared to manage reputation risk drivers in areas beyond their direct control - such as third-party
ethics and competitive attacks.
14. EXTENDED ENTERPRISE RISK MANAGEMENT 14
Leveraging Three Lines of Defense
● Companies are not aware how to leverage the “three lines of defense” for managing risk and driving
performance:
● First line of defense: The business unit, which owns the third-party relationship and is accountable for
managing associated risks in alignment with policies and procedures.
● Second line of defense: Centralized governance program for XERM, for establishing and enforcing
policies / processes to ensure that third parties are managed consistently by the business.
● Third line of defense: Internal audit, for the most critical extended enterprise risks and controls as well
as performing independent assessments.
15. EXTENDED ENTERPRISE RISK MANAGEMENT 15
Business Objective
Business
Objective
Growth /
innovation
Client
experience
Cost
reduction
Improved
time to
market
Risk and
compliance
management
17. EXTENDED ENTERPRISE RISK MANAGEMENT 17
Operating Model
Operating Model
Components
Governance and
oversight: The
operating model,
committees, and
roles and
responsibilities for
managing the
extended enterprise
Policies and
standards:
Management’s
expectations of
standards and
processes to be used,
to manage the
extended enterprise
and its related risks
Risk culture: Tone at
the top, clarity on
risk appetite,
appropriate training
and awareness to
promote positive risk
cultureTools and
technology: Use of
tools and technology,
predictive and risk
analytics that
enhance extended
enterprise risk
management
processes
Management
processes: Processes
to manage risks and
improve
performance across
the third-party
lifecycle
Risk metrics and
dashboard: Use of
internal and external
data to measure and
visualize risks and
performance of
extended enterprise,
tailored towards
multiple levels of
management
18. EXTENDED ENTERPRISE RISK MANAGEMENT 18
Third Part Relationship Cycle
Third-party
relationship
lifecycle
Plan,
evaluate
and select
Contract
and on-
board
Manage
and
monitor
Terminate
and off-
board
19. EXTENDED ENTERPRISE RISK MANAGEMENT 19
Four cornerstone capabilities
● Companies often believe they cannot take an end-to-end approach to manage XERM as:
● securing executive sponsorship and getting people to take ownership can be an uphill climb.
● the task is too vast and they do not have the expertise and resources to build, execute and sustain a
comprehensive third-party oversight program.
● These barriers are more perception than reality.
● It is neither necessary nor possible to do everything at once.
● It is rather a matter of identifying some practical steps to take toward establishing an XERM program or
evolving an existing one.
Most organizations can get a sense of what those steps might be by considering the extent to which they have
developed four cornerstone capabilities – as explained:
20. EXTENDED ENTERPRISE RISK MANAGEMENT 20
Strategy and governance: Creating an agile and flexible governance model
● Does your organization link its risk management practices to value drivers?
● Does it have a formal strategy and governance model for managing third- party risk?
● Does it understand where the breakpoints are in its third-party relationships?
● Does it have a prescribed means of assessing and staying ahead of them?
● Does your organization proactively seek to bridge the gap between business executives and compliance
and risk professionals?
21. EXTENDED ENTERPRISE RISK MANAGEMENT 21
People: Managing relationships, compliance and regulations
● Does your company have dedicated roles for managing third-party risk across the extended enterprise?
● Has your organization aligned and strengthened its three lines of defense?
● Does executive ownership exist at the enterprise level?
● Are employees keeping up with emerging regulatory requirements?
● Are your third parties keeping up?
22. EXTENDED ENTERPRISE RISK MANAGEMENT 22
Process: Navigating events that shape the extended enterprise
● Does your organization react to third-party events or does it actively seek to prevent them?
● Are risk management processes standardized across the enterprise and integrated with tools and data?
● Does your organization regularly consider how evolving technologies, market trends, and disruptive forces
present opportunities and challenges to its third-party relationships?
● Does your organization have appropriate contracts in place with its third parties?
● Do you know if they are meeting expectations and complying with their contractual commitments?
● Can you readily assess the appropriateness of future delivery models?
● Are executives confident in their decisions to outsource or insource, build, or buy?
23. EXTENDED ENTERPRISE RISK MANAGEMENT 23
Technology: Using data and analytics to make informed decisions
● What tools and technologies does your organization leverage to make informed decisions about its third-
party relationships?
● What data does your organization already have access to?
● Can leaders make real-time decisions?
● If so, what key performance indicators does your organization monitor and analyze to support those
decisions?
24. EXTENDED ENTERPRISE RISK MANAGEMENT 24
Conclusion
● If answer is “no” to most of these questions:
● The company’s XERM program is in the earlier stages of development.
● Organization may be managing some third-party risks on an ad-hoc basis, using a few off-the-shelf
tools, and perhaps beginning to implement dedicated roles and processes.
● More “yes” answers means:
● It is further along the path toward integration and optimization —later stages of maturity
● Generally characterized by greater use of customized tools, proactive monitoring and decision-making,
and the connection of leading practices to value drivers.
25. EXTENDED ENTERPRISE RISK MANAGEMENT 25
Maturity of extended enterprise program
Capabilities Initial Managed Defined Integrated Optimized
Strategy and
governance
Risk taking for
quick fix benefits
No formal
governance
Minimal effort in
reducing risk
Risk taking for short
term benefits
Focus on preventing
issues
Riskaligns with
medium-term
enterprise - wide
benefits
Focuson preventing issues
and creating value
Intelligent risk taking, aligned
with enterprise strategy
State-of-the-art practices, linked
to value drivers
Extended enterprise embedded in
strategic planning and decision
making
People
Individual effort
Little
management
input
Lack of training
Responsibilities
built into existing
roles
Increased input
from management
Dedicated roles
Invested executives
within each silo
Some trainingoffered
Awareness of value of
extended enterprise across
the organization
Enterprise-wide roles
Executive ownership at the
enterprise level
Trained professionals with
defined roles throughout the
lifecycle
Executive champions on both
sides, aligning service delivery to
strategic objectives
Process
Few activities
defined
Fire - fighting
mode
Defined processes
in siloes
Functional, reactive
problem solving
Coordinated processes
across the business
Monitoring and alerting
leveraging dashboards,
with some proactive
issue resolution
Fully standardized processes,
integrated with tools and data
Proactive decision - making
using analytics, improving
bottom-line and performance
Processes aligned with strategy,
integrated into third parties
Continuous improvement and
proactive responsiveness
Leveraging predictive and sensing
analytics, tools and dashboards
Technology
Simple and least
expensive tools
used, ad-hoc
Off-the-shelf tools
used for problem
solving
Limited access to
third-party data
Adapted tools used for
reporting and
monitoring
Customized tools, used for
tactical decision making
Value-additive tools
Internal data centralized and
easily accessible
Highly - customized decision
support tools
Integrated external data sources
that enhance insights
Tools and analytics are key value
driver and differentiator
26. 26
Looking for commencing a journey towards operational excellence…
EXTENDED ENTERPRISE RISK MANAGEMENT