Survey Finds Improvements In Organisations’ Vendor Risk Management Programs, But Still ‘A Long Way To Go,’ According To New Study From Protiviti And Shared Assessments


Findings suggest increased regulatory scrutiny is contributing to program growth and maturity

London, U.K.: Companies may have reached a positive turning point when it comes to managing their vendor risks, according to the annual Vendor Risk Management Benchmark Study, released today by the Shared Assessments Program, a collaborative consortium, and Protiviti, a global consulting firm. The study found that organisations across all industries, and in particular financial services, are increasing their focus on managing vendor and third-party risks. The maturity levels associated with different vendor risk management program areas have improved noticeably, yet awareness levels and compliance measures aren’t where they need to be.

To download a complimentary copy of the study, please visit www.protiviti.com/vendor-risk or www.sharedassessments.org/benchmarking2016.

In its third year, the Vendor Risk Management Benchmark Study examined information from nearly 400 C-suite executives, risk management and audit professionals, who rated their public and private organisations using the Shared Assessments Program’s Vendor Risk Management Maturity Model (VRMMM) – a holistic benchmarking tool for evaluating the quality and maturity of third-party risk programs including cybersecurity, IT, privacy, data security and business resiliency controls. The surveyed organisations represent a mix of industries with the largest contingent in financial services.

Key survey findings for 2016 include:

  • A clear correlation between boards with high engagement in and understanding of cybersecurity risks and organisations with higher levels of reported process maturity, with a 1.6-point gap (on a 5.0-point scale) between organisations with high and low board engagement.
  • While many boards (39%) have a high level of engagement in and understanding of cyber risks within their own organisation, significantly fewer (26%) understand and are engaged in reducing cyber risks in vendors that directly support their organisations. Even at the board of directors’ level, third-party risk management awareness levels are still lagging.
  • Despite higher maturity levels in all eight vendor risk components, the Benchmark Study shows there is still a long way to go until organisations routinely have fully operational third-party risk programs with all recommended compliance measures in place.
  • A narrowing of the maturity gap between financial services and all other verticals, most likely a function of increased regulatory pressure in sectors that include insurance and health care.

“This study documents in detail what many have believed to be true – that for organisations in which boards have high engagement in and knowledge of critical cybersecurity risk issues, vendor risk management maturity levels are noticeably higher,” said Cathy Allen, CEO, The Santa Fe Group.

The positive momentum portrayed in the 2016 survey is a significant change from the findings of prior years. In 2015, respondents rated their overall maturity across the eight vendor risk management categories to be virtually identical to those reported in 2014. In financial services, the improvement seen in 2016 could be motivated, in part, by significantly increasing regulatory scrutiny, especially in areas related to cybersecurity.

In particular, one key event that may have influenced and increased focus is the June 2015 publishing of the Cyber Security Assessment Tool (CAT) by the Federal Financial Institutions Examination Council (FFIEC). Regulators are also more actively referring to FFIEC’s Information Technology Examination Handbook to closely examine the cybersecurity and third-party risk management proficiencies of financial institutions.

“We speak with many client board members who are highly engaged in their organisations’ cybersecurity risks, which is helping create a strong tone at the top to drive improvements in cybersecurity and privacy capabilities,” said Cal Slemp, managing director, security program and strategy services, Protiviti. “The key now is to build strong board engagement specifically in vendor risk management because it poses just as significant a risk to companies as their own cybersecurity practices.”

Cyber Security Incident Response Findings

This year’s updates to the report include a new section on organisations’ cybersecurity and incident response capabilities. The addition reflects the increasing regulatory focus on boards’ risk management responsibilities. Key findings from this section include:

  • Sixty-five percent of all organisations have an incident response plan for events at vendors or third parties.
  • Financial services organisations are more likely to have an incident response plan in place – 75 percent currently have established plans.
  • Sixty-one percent of organisations test their plans for vendor or third-party events.

“This year’s survey shows improvement in incident reporting and focus on policy and standards related to communications. That said, on balance, the ‘Communications and Information Sharing’ category of the survey lags others at a time when internal two-way communications (top down and bottom up) and external information sharing are more important than ever,” said Shared Assessments member Linnea Solem, Chief Privacy Officer, vice president, risk and compliance, Deluxe Corporation.

Resources Available to Learn More

A complimentary copy of the 2016 Vendor Risk Management Benchmark Study and an infographic of survey highlights are available at www.protiviti.com/vendor-risk.

The VRMMM is a holistic tool for evaluating the maturity of third-party risk programs, including cybersecurity, IT, privacy, data security and business resiliency controls. The focus of the VRMMM is to provide third-party risk managers with a tool they can use to evaluate their program against a comprehensive set of best practices. To learn more and obtain a free copy, visit https://sharedassessments.org/products/2017-vendor-risk-management-maturity-model-vrmmm/.

About Shared Assessments Program
The Shared Assessments Program is the trusted source for third-party risk management, with resources, including tools and best practices, to effectively manage the critical elements of the third-party risk management lifecycle. Members represent a collaborative, global, peer community of information security, privacy, and third-party risk management leaders in industries including financial services, insurance, brokerage, healthcare, retail, and telecommunications. The Certified Third Party Risk Professional (CTPRP) certification program, membership, and use of the Shared Assessments Program Tools ensure organisations stay current with the threat and risk environment, including regulations, industry standards, and guidelines. Shared Assessments provides organisations and their service providers the rigorous controls needed for cybersecurity, IT, data security, privacy, and business continuity. The Shared Assessments Program is managed by The Santa Fe Group, a strategic consulting company based in Santa Fe, New Mexico.
About Protiviti
Protiviti is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.