Podcast: 2017 Vendor Risk Management


Protiviti has released the results of the 2017 Vendor Risk Management Benchmark study. View the full results and more at protiviti.com/vendor-risk.

Protiviti Podcast Transcript

Kevin
When it comes to pressing issues for organizations ranging from cybersecurity to regulatory compliance and much more, one of the major concerns for organizations today is vendor risk. They can manage these issues very well within their own organizations, but they may have a lot of trouble figuring out how to manage them with their vendors.
 
This is Kevin Donahue, senior director with Protiviti, welcoming you to a new installment of Powerful Insights. Today, we’re going to be talking quite a bit about vendor risk — specifically, some of the key findings from the 2017 Vendor Risk Management Benchmark Study from the Shared Assessments Program and Protiviti. I’m joined today by Gary Roboff and Paul Kooney, who are going to be talking about some of the key findings from this survey. Gary is a senior adviser with the Santa Fe Group and the Shared Assessments Program, while Paul is a director with Protiviti’s Technology Consulting practice with a special focus on the security and privacy segment.
 
Gary, it’s great to speak with you today.
Gary
Great to be here.
Kevin
Paul, great to speak with you as well. Let me toss you the first question. Can you give our audience first a brief rundown of the study and how we conduct it and how it was put together?
Paul

Thanks, Kevin. This is the fourth annual vendor benchmark study that we’ve performed in coordination with Shared Assessments. The Vendor Risk Management Maturity Model, which was created over five years ago by a special-interest group within Shared Assessments, helps develop a framework for organizations to benchmark themselves against for vendor risk management. At that point in time, there was no other tool out there to help facilitate this, and we leveraged experience from multiple Shared Assessments members in order to develop this framework. The framework leverages a capability maturity model rating from 0 to 5 to help organizations benchmark themselves on that level of maturity we have developed, specifically around vendor risk management. It has eight high-level categories, with approximately 130 controls within those categories. The survey was executed within the last month, and we had over 540 respondents to the survey itself.

Kevin
Thanks, Paul. I should say that this study, which we’ve conducted together over the past few years, has continued to generate great interest. Let me chime in now that our audience can find our report on the results at Sharedassessments.org and Protiviti.com/vendor-risk. Gary, let me have you start walking us through some of the results and, specifically, our first key finding, which is that we see vendor risk management improving, especially as we go back a few years in our study.
Gary

Yes, that’s exactly right, Kevin. The first few years, 2014, 2015, we didn’t see a lot of progress. We began to see more forward movement in 2016, and that movement continued in 2017. The way that I would describe the progress, it’s really been incremental on our five-point scale. This year, we only had two categories that were not at least at the 3 level, which indicates that performance is moderately good and getting better. I think that that really represents real progress. If you look under the covers, you’ll see that there are some individual categories of firms that have really done well. Of particular interest, I think, is the insurance and healthcare payer segment, where we’ve seen very, very positive improvement.

One other thing to mention, this year, as in the past, is that we’ve seen that the responses to the survey vary as a function of who’s answering the question, so we’ve been able to sort our responses by the level of management, whether it’s C-level or vice president, director or manager level. What’s been interesting to me, in particular, is that it’s the C-level personnel that tend to be hardest on themselves. On average this year, C-level respondents rated their programs at about a 2.8, whereas a manager in the same firm might have rated it higher.

Kevin
Thanks, Gary. And you’re right — we undoubtedly have some very interesting deltas in the results. We looked at some of the different responding groups. Paul, let me ask you to cover some of the key findings we have around cybersecurity and specifically as it ties to board engagement and the level of vendor risk management maturity.
Paul

This year, we continued to ask additional questions in our survey around board of directors’ engagement with both cybersecurity risk internally and cybersecurity risk with vendors. As we see on a year-over-year basis, board-level engagement with cybersecurity risk improves significantly. However, there continues to be what we call an engagement gap, in that boards remain more engaged with organizations’ internal cybersecurity risks than with cybersecurity risks with an organization’s vendors. Organizations with less engaged boards report significantly lower levels of third-party risk management practice maturity, and that is reflected in this year’s survey.

Kevin
Thanks, Paul. Back to you, Gary, and I want to have you talk a little bit about one of the more interesting findings we have this year that touches on a new area, which is the so-called de-risking of vendors. What did we learn in this space?
Gary
Thanks, Kevin. That’s absolutely right. It was a very interesting response to an important question. We asked companies and organizations generally whether they were likely to move or exit third-party relationships that they thought had the highest levels of risk. To my surprise, we actually had 53 percent say that they were either extremely likely or somewhat likely to do that. It’s much higher than I thought.
 
If we then look at some of the individual component responses from the survey data, we see some of the reasons why that was the case. One of the things that really stands out as a headline to me is the impact of the inability of people to really get their arms around fourth parties — that is, our vendors’ vendors. It’s become an imperative from a regulatory perspective to sort of get your arms around when your vendor has outsourced some of the work that it was doing for you. That creates additional risks, and often, we find that companies don’t even know that their vendor has outsourced part of the work that it’s doing on your behalf, so that was a major reason why people wanted to de-risk. About 48 percent actually said that was a factor.
 
A couple of other factors were the high cost associated with really doing a good job of assessing vendors. Almost a third said that that was an issue. Then, another issue was simply not having the internal support and skills necessary to do the kind of sophisticated forensic-control testing that’s really required to properly assess vendors.
Kevin
In our time left, I want to cover one more question with each of you; again, we have not even scratched the surfaces of the wealth of data we have available in this report. I wanted to ask about a call to action in this space. Gary, I’ll have you respond to this first. As an organization looks at some of these results and looks at or considers its own vendor risk management standing or capabilities, what would you say is a call to action for them to get started in figuring out what to do?
Gary
I think the most important thing, Kevin, is for a firm to undertake an arm’s-length evaluation of its third-party risk management program’s effectiveness. I say that because since 2014, over the past three years, we’ve seen a relatively modest incremental improvement. And as the pace of practice maturity is as low as it is, it really suggests that organizations can benefit from expert advice about how to prioritize program improvements. We see that new risks are evolving all the time.
 
IoT is a good example of where the hurdle that we have to face in order to do a good job is not a static hurdle. It gets steeper every year, and therefore, the need to really ask, “How far away from whatever level of performance I want to achieve am I?” That’s a very important question. The right kind of advice could help people prioritize the improvements that they wanted to make to their program so they can arrive at a performance level that’s best for that organization.
Kevin
Paul, from your perspective as a consultant, are you seeing an appetite for such assessments in the market?
Paul
We are. We have performed a number of them for many of our clients, some older clients and some newer ones, where we went in to assess the organization leveraging the Vendor Risk Management Maturity Model and our benchmark data. That allowed the organization to understand where they lie on the maturity scale against their peers, potentially understand where they have gaps within the organization that they need to focus their budget and efforts on, and ask the board and executive management for further support in order to make those improvements within their programs.
Kevin
There is undoubtedly a high level of interest in the market among the C-suite and boards when it comes to vendor risk, and I’m sure we’ll be hearing more about that and their interest in this type of information in weeks and months to come. To Gary and Paul, I want to thank you very much for joining me today to discuss some of the key findings from our study. I want to remind our audience that they can download a free copy of the 2017 Vendor Risk Management Benchmark Study from the Shared Assessments Program and Protiviti at Sharedassessments.org or Protiviti.com/vendor-risk.