Your organization’s ecosystem is probably bigger than you think, and a big ecosystem presents bigger risks. Dan Kinsella is the Extended Enterprise Risk Management Leader at Deloitte Risk and Financial Advisory, and today we’re talking about managing these risks across the extended enterprise.

The “Extended Enterprise”

When we think about our organization, we have to think beyond our four walls: the extended enterprise is everything that we’re connected to in our environment.

As businesses, we are leveraging more third parties than we ever have. Our objective is to make our organizations better, cheaper, and faster at driving bottom line improvement, and we can do that by leveraging these third parties in a more consistent and cohesive fashion.

Types of extended risks

Foreign corrupt practices, laws, and regulations around the ability to conduct business globally is one of the top risks that global organizations focus on, and next on the list would be cyber or information technology risks.

There are usually a baker’s dozen of risks that organizations are focused on, and Dan mentions a few more examples. But the idea is to identify the risks that are most important to you, and create some measure to efficiently understand those risks and how they might impact your organization.

Tech to invest in

Technology is going to be a primary way that organizations really manage and monitor these risks. Robotics can automate different monitoring activities. You can use a robotics tool to identify red, yellow, and green risk areas and generate a report that an individual could look through and evaluate. Blockchain can help us much more efficiently exchange risk and control information without manually sending documents back and forth individually between organizations.

Other key risks in cyber

Over a third of cyber breaches are caused by third parties. It’s not even your organization that’s the problem. It’s a problem caused by your extended enterprise.  

Third parties must be vigilant about what’s happening in their technology environment on a real-time basis. The quicker they identify something is going wrong, the less the impact will be, and they need to be resilient enough to recover when something negative happens.

Questions to ask: Do your third parties access your networks? And do those third parties have access to critical data?

How a board of directors should get involved

It really begins with the board asking management: “Who are our third parties?”

Many times, it isn’t easy to answer right away. Once management crunches the numbers, you may be surprised: a health and life science company that Dan worked with publicly disclosed on a panel that they have over a million third party relationships.

Follow it up with, “What risks do those third parties present to us?” Go by the 80-20 rule and focus on the third parties that have the largest potential impact.

If we provide some cohesion, we can truly drive value, understand risks better, and have an ecosystem that performs like a symphony to drive better results.


Dan Kinsella

Resetting the Front Line of Defense

Enterprise Risk Management