Protiviti has released the results of the 2017 Vendor Risk Management Benchmark study. View the full results and more at protiviti.com/vendor-risk.
Thanks, Kevin. This is the fourth annual vendor benchmark study that we’ve performed in coordination with Shared Assessments. The Vendor Risk Management Maturity Model, which was created over five years ago by a special-interest group within Shared Assessments, helps develop a framework for organizations to benchmark themselves against for vendor risk management. At that point in time, there was no other tool out there to help facilitate this, and we leveraged experience from multiple Shared Assessments members in order to develop this framework. The framework leverages a capability maturity model rating from 0 to 5 to help organizations benchmark themselves on that level of maturity we have developed, specifically around vendor risk management. It has eight high-level categories, with approximately 130 controls within those categories. The survey was executed within the last month, and we had over 540 respondents to the survey itself.
Yes, that’s exactly right, Kevin. The first few years, 2014, 2015, we didn’t see a lot of progress. We began to see more forward movement in 2016, and that movement continued in 2017. The way that I would describe the progress, it’s really been incremental on our five-point scale. This year, we only had two categories that were not at least at the 3 level, which indicates that performance is moderately good and getting better. I think that that really represents real progress. If you look under the covers, you’ll see that there are some individual categories of firms that have really done well. Of particular interest, I think, is the insurance and healthcare payer segment, where we’ve seen very, very positive improvement.
One other thing to mention, this year, as in the past, is that we’ve seen that the responses to the survey vary as a function of who’s answering the question, so we’ve been able to sort our responses by the level of management, whether it’s C-level or vice president, director or manager level. What’s been interesting to me, in particular, is that it’s the C-level personnel that tend to be hardest on themselves. On average this year, C-level respondents rated their programs at about a 2.8, whereas a manager in the same firm might have rated it higher.
This year, we continued to ask additional questions in our survey around board of directors’ engagement with both cybersecurity risk internally and those with vendors. As we see on a year-over-year basis, board-level engagement with cybersecurity risk improves significantly. However, there continues to be what we call an engagement gap, in that boards remain more engaged with organizations’ internal cybersecurity risks than with cybersecurity risks with an organization’s vendors. An organization with less engaged boards reports significantly lower levels of third-party risk management practice maturity, and that is representative in this year’s survey.