2017 Vendor Risk Management Survey

Download

The Shared Assessments Program and Protiviti Examine the Maturity of Vendor Risk Management

As rapidly changing risk and regulatory environments continue to challenge vendor risk management capabilities, the results of the survey show that:

Organizations in all industries are making progress in improving how they manage vendor and third party risks
The level of the board’s engagement in information security correlates with vendor risk management maturity
A majority of companies plan to de-risk third party vendor relationships that pose high risks

The research, which looks at organizations’ maturity of vendor risk management, is based on the comprehensive Vendor Risk Management Maturity Model (VRMMM) developed by the Shared Assessments Program.

The study, now in its fourth year, also found that 71 percent of insurance companies, including healthcare payers, said they will change their high-risk relationships over the next 12 months, with nearly half of all respondents (48 percent) saying it has become imperative from a risk and regulatory standpoint to assess vendors’ contractors.

Protiviti hosted a webinar on November 30, 2017 to discuss the results of the survey and offer insights into what organizations can do to raise their vendor risk management maturity levels.

Access Webinar Recording

Key Findings:

Vendor risk management is improving - This year's overall vendor risk management maturity levels show modest improvement, but compared to last year's survey results, several categories improved more significantly, suggesting that more organizations recognize the importance of vendor risk management during a time when the external risk environment is changing quickly.
Boards have set their sights on cybersecurity - Board-level engagement with cybersecurity risks improved significantly on a year-over-year basis. However, there continues to be an "engagement gap" in that boards remain more engaged with the organization's internal cybersecurity risks than cybersecurity risks to the organization's vendors. And organizations with less engaged boards report significantly lower levels of third party risk management practice maturity.
"De-risking" vendors is on the rise - A majority of organizations expect to exit or change relationships with vendors due to heightened risk levels. Insurance companies, including healthcare payers, appear much more likely to make these de-risking moves in the coming year, with fourth party risk, cost concerns and a lack of internal expertise to evaluate vendor controls cited as the primary reasons.