2019 Vendor Risk Management Survey
New Research: The Shared Assessments Program and Protiviti Examine the Maturity of Vendor Risk Management
This is the fifth year that the Shared Assessments Program and Protiviti have partnered in researching the maturity of Vendor Risk Management (VRM) programs. The research, which looks at organizations’ maturity of vendor risk management, provides helpful benchmarks to evaluate third party risk management programs against a comprehensive set of best practices.
Our research shows that increasing pressures in the risk and regulatory environments continue to pose severe challenges to third VRM programs. In addition, Despite increased regulatory scrutiny at a global, national and state level, growing cyber threats and a riskier business environment, the overall maturity level of VRM programs has neither increased or decreased over the past 12 months. At the same time, our findings also point to a number of effective and cost-efficient approaches to get off this treadmill and achieve more substantial VRM progress.
Our key 2019 report findings include:
- The overall maturity of vendor risk management programs is virtually unchanged in the face of an increasingly challenging external risk and regulatory environment.
- Cyberattack disruptions are increasing, and it is taking organizations longer to fix the underlying issues.
- More organizations are moving away from high-risk third-party relationships.
- High levels of board engagement correlate with best-in-class VRM maturity.
"A company's reputation established and nurtured for 100 years can suffer severe and lasting damage following just one high-profile cyber attack. As a result, it can be difficult for boards to feel fully confident in how they are monitoring cybersecurity risk, both within the organization and especially among vendors."
- Scott Laliberte, Managing Director - Security and Privacy Practice Global Leader, Protiviti
Listen to our on-demand webinar where we discuss the survey results and provide insights into what organizations are doing to protect themselves from third party vendor risk.
- There is a strong correlation between high levels of board engagement with VRM issues and vendor risk management capabilities that are firing on all cylinders to reach and sustain superior levels of program maturity.
- To varying degrees across all industries, VRM programs are barely able to keep up with the fast pace of change in the external environment.
- About 40% of survey respondents have fully mature VRM programs, but just under a third have only ad hoc or no significant third-party risk management processes.
- Resource constraints in the face of higher risk management costs represent one of the largest VRM challenges for organizations.