2019 Protiviti and Shared Assessments Survey Findings

Vendor Risk Management Study Confirms Companies Challenged by Pace of Change and Resource Allocation

SANTA FE, NM and MENLO PARK, CA – April 9, 2019 – Global consulting firm Protiviti and the Shared Assessments programme, the member-driven leader in third-party risk assurance, have released findings of their 2019 “Vendor Risk Management Benchmark Study: Running Harder to Stay In Place,” the fifth such extensive study of organisational risk posture assessed by industry sector and programme criteria.

“The threat landscape is evolving daily, and new risk vectors – from nation state bad actors, data thefts and high-impact cyberattacks to business model viability and regulatory non-compliance – are making comprehensive vendor risk management programmes all the more crucial to organisational stability and continuity,” said Paul Kooney, a managing director in Protiviti’s security and privacy practice. “This year’s benchmark study analyses more than 200 detailed criteria of a comprehensive vendor risk management programme. Our survey findings underscore the fact that all risk management programmes are running harder just to stay in place, and those that aren’t rapidly advancing are falling behind. This has major potential impact on management goals, security postures and, very often, on regulatory mandates.”

Survey results show that vendor risk management (VRM) programmes in the technology and insurance/healthcare payer sectors have achieved the greatest levels of programme maturity overall; however, no sector reported more than 50 percent of respondents at a mature level with regard to managing vendor risk. The technology and insurance sectors also led in fourth-party VRM, confirming companies in these sectors, on average, most carefully assess the risk postures of their vendors’ full ecosystem, including subcontractor relationships.

Among other key survey findings:

  • Strong correlation exists between engagement at the board of directors level and VRM programme maturity: 57 percent of organisations reporting high levels of board engagement also report fully functional and advanced VRM programmes.
  • Assessing board engagement levels by industry, the tech sector leads, followed by manufacturing and healthcare providers.
  • The tech and insurance sectors lead in fourth-party programme maturity, assessing their vendors’ vendors and full ecosystem for risk management practices.
  • Continuous Monitoring, an important aspect to VRM programme maturity, lags across all sectors. Only 38 percent of respondents report that their organisations have controls in place to ensure ongoing monitoring of vendor relationships.
  • All sectors cite resource allocation as a substantial challenge. The technology sector ranks slightly higher in overall maturity, but no sector is at an optimal level.
  • All sectors report strong progress in assessing and managing critical vendors. Forty-one percent have fully mature processes in place to identify and manage their most critical vendors, while only 7 percent of respondents report that they have not yet begun to identify and separately manage critical vendors.

The survey polled 554 risk management practitioners and C-suite executives on the detailed criteria in the Shared Assessment Vendor Risk Management Maturity Model (VRMMM), an industry standard framework for evaluating the maturity of vendor risk programmes, including cybersecurity, IT, privacy, data security and business resiliency controls. Broken into eight categories, the model explores 211 programme elements that should form the basis of a robust, well-run VRM programme.

The 2019 survey added 81 new practice measures or criteria, in line with the 2019 VRMMM, including those focusing on continuous monitoring, the risk assessment of fourth-party vendor relationships and privacy, thus reflecting the expanding threat landscape and global regulatory compliance demands.

“This comprehensive study codifies what recent news events have shown: the threat landscape is morphing almost daily, with nation state threats, advanced cyberattacks, new forms of activism, potential liability shifts and other factors bringing new importance to vendor risk management practices and programmes,” said Shared Assessments Chairman and President Catherine A. Allen. “This benchmark study and the member-driven Shared Assessments programme’s vendor risk management tools, best practices, certifications and shared knowledge form the intelligence ecosystem for vendor risk management that’s relied upon by leading consulting organisations and risk management practitioners around the world.”

Resources Available

The 2019 “Vendor Risk Management Benchmark Study: Running Harder to Stay in Place” report is available complimentary on the Shared Assessments site and on the Protiviti site, along with an infographic of survey highlights and a podcast. A free one-hour webcast featuring Paul Kooney and Gary Roboff, senior advisor, The Santa Fe Group, Shared Assessments programme, discussing the survey findings and sharing practical ways to improve vendor risk, will be held on May 1 at 11:00 a.m. PDT. Please click here to register.

About the Shared Assessments Programme

As the only organisation that has uniquely positioned and developed standardised resources to bring efficiencies to the market for more than a decade, the Shared Assessments Programme has become the trusted source in third party risk assurance. Shared Assessments offers opportunities for members to address global risk management challenges through committees, awareness groups, interest groups and special projects. Join the dialog with peer companies and learn how you can optimise your compliance programmes while building a better understanding of what it takes to create a more risk sensitive environment in your organisation.

About The Santa Fe Group

The Santa Fe Group’s risk management experts work collaboratively with organisations worldwide to identify valuable trends, risks, and vulnerabilities, and to advise, educate, and empower organisations in the areas of cybersecurity, third party risk, emerging technologies, and programme management. The Santa Fe Group is the managing agent of the membership-based Shared Assessments Programme, which helps many of the world’s leading organisations manage and protect against third party IT security risks.

About Protiviti Inc

Protiviti is a global consulting firm with comprehensive expertise, tailored approaches and unique partnerships. We have more than 80 offices in over 20 countries and help leading companies face the future with confidence. Protiviti offers solutions in the areas of Finance, Technology, Governance, Risk and Internal Audit.

Protiviti has been named one of the “100 Best Companies to Work For®” by Fortune magazine in each of the last three years. Our clients include more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those planning an initial public offering, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
