The Deloitte research shows that companies estimate a third-party failure would cost them between US$0.5 billion and US$1 billion, or more. These figures show a marked increase since 2015, when large multinational businesses estimated the cost of a third-party failure at between US$2 million and US$50 million.
Deloitte’s Extended Enterprise Risk Management (EERM) survey was undertaken between November 2019 and January 2020, before the outbreak of COVID-19 was declared a global pandemic. The global survey collates the results of more than 1,145 respondents across all major industry segments, from 20 countries around the world. As of January 2020, 17 percent of organizations had faced a high-impact third-party risk incident in the past three years (up from 11 percent of organizations in 2019). High-impact third-party risk incidents are those with a severe impact on customer service, financial position, regulatory compliance and/or reputation.
Looking at the ways in which they could be financially affected, 30 percent of organizations surveyed thought their share price could fall by 10 percent or more if a third-party incident were not adequately managed.
Investment in responsible business
For the first time in five years, a desire to be a responsible business that effectively manages social and environmental issues throughout its supply chain was one of the key reasons companies invested in third-party risk management. Almost half (43 percent) cited it as a reason for investment. Despite this, a large proportion were still not allocating budget to the associated areas: 74 percent of respondents had not allocated funds to managing climate risk, 57 percent had not done so for environmental risk, and 54 percent had not done so for modern slavery and labor.
Over half (59 percent) of respondents thought they were under-investing in EERM, though this fell from 70 percent last year. Budget for managing third-party risk was skewed towards certain areas, including information security, cyber risk, data privacy, and health and safety. This is largely in line with the largest proportion of third-party incidents, which were related to cyber risk, bribery and corruption, and information security.