Vendor Risk Management Study Confirms Companies Challenged by Pace of Change and Resource Allocation
SANTA FE, NM and MENLO PARK, CA – April 9, 2019 – Global consulting firm Protiviti and the Shared Assessments Program, the member-driven leader in third-party risk assurance, have released findings of their 2019 “Vendor Risk Management Benchmark Study: Running Harder to Stay In Place,” the fifth such extensive study of organizational risk posture assessed by industry sector and program criteria.
“The threat landscape is evolving daily, and new risk vectors – from nation state bad actors, data thefts and high-impact cyberattacks to business model viability and regulatory non-compliance – are making comprehensive vendor risk management programs all the more crucial to organizational stability and continuity,” said Paul Kooney, a managing director in Protiviti’s security and privacy practice. “This year’s benchmark study analyzes more than 200 detailed criteria of a comprehensive vendor risk management program. Our survey findings underscore the fact that all risk management programs are running harder just to stay in place, and those that aren’t rapidly advancing are falling behind. This has major potential impact on management goals, security postures and, very often, on regulatory mandates.”
Survey results show that vendor risk management (VRM) programs in the technology and insurance/healthcare payer sectors have achieved the greatest levels of program maturity overall; however, no sector reported more than 50 percent of respondents at a mature level with regard to managing vendor risk. The technology and insurance sectors also led in fourth-party VRM, confirming companies in these sectors, on average, most carefully assess the risk postures of their vendors’ full ecosystem, including subcontractor relationships.
Among other key survey findings:
- Strong correlation exists between engagement at the board of directors level and VRM program maturity: 57 percent of organizations reporting high levels of board engagement also report fully functional and advanced VRM programs.
- Assessing board engagement levels by industry, the tech sector leads, followed by manufacturing and healthcare providers.
- The tech and insurance sectors lead in fourth-party program maturity, assessing their vendors’ vendors and full ecosystem for risk management practices.
- Continuous Monitoring, an important aspect to VRM program maturity, lags across all sectors. Only 38 percent of respondents report that their organizations have controls in place to ensure ongoing monitoring of vendor relationships.
- All sectors cite resource allocation as a substantial challenge. The technology sector ranks slightly higher in overall maturity, but no sector is at an optimal level.
- All sectors report strong progress in assessing and managing critical vendors. Forty-one percent have fully mature processes in place to identify and manage their most critical vendors, while only 7 percent of respondents report that they have not yet begun to identify and separately manage critical vendors.
The survey polled 554 risk management practitioners and C-suite executives on the detailed criteria in the Shared Assessment Vendor Risk Management Maturity Model (VRMMM), an industry standard framework for evaluating the maturity of vendor risk programs, including cybersecurity, IT, privacy, data security and business resiliency controls. Broken into eight categories, the model explores 211 program elements that should form the basis of a robust, well-run VRM program.
The 2019 survey added 81 new practice measures or criteria, in line with the 2019 VRMMM, including those focusing on continuous monitoring, the risk assessment of fourth-party vendor relationships and privacy, thus reflecting the expanding threat landscape and global regulatory compliance demands.
“This comprehensive study codifies what recent news events have shown: the threat landscape is morphing almost daily, with nation state threats, advanced cyberattacks, new forms of activism, potential liability shifts and other factors bringing new importance to vendor risk management practices and programs,” said Shared Assessments Chairman and President Catherine A. Allen. “This benchmark study and the member-driven Shared Assessments Program’s vendor risk management tools, best practices, certifications and shared knowledge form the intelligence ecosystem for vendor risk management that’s relied upon by leading consulting organizations and risk management practitioners around the world.”
The 2019 “Vendor Risk Management Benchmark Study: Running Harder to Stay in Place” report is available complimentary on the Shared Assessments site and on the Protiviti site, along with an infographic of survey highlights and a podcast. A free one-hour webcast featuring Paul Kooney and Gary Roboff, senior advisor, The Santa Fe Group, Shared Assessments Program, discussing the survey findings and sharing practical ways to improve vendor risk, will be held on May 1 at 11:00 a.m. PDT. Please click here to register.
About the Shared Assessments Program
As the only organization that has uniquely positioned and developed standardized resources to bring efficiencies to the market for more than a decade, the Shared Assessments Program has become the trusted source in third party risk assurance. Shared Assessments offers opportunities for members to address global risk management challenges through committees, awareness groups, interest groups and special projects. Join the dialog with peer companies and learn how you can optimize your compliance programs while building a better understanding of what it takes to create a more risk sensitive environment in your organization.
About The Santa Fe Group
The Santa Fe Group’s risk management experts work collaboratively with organizations worldwide to identify valuable trends, risks, and vulnerabilities, and to advise, educate, and empower organizations in the areas of cybersecurity, third party risk, emerging technologies, and program management. The Santa Fe Group is the managing agent of the membership-based Shared Assessments Program, which helps many of the world’s leading organizations manage and protect against third party IT security risks.