Survey Finds Improvements in Organizations’ Vendor Risk Management Programs, But Still ‘A Long Way to Go,’ According to New Study from Protiviti and Shared Assessments

Press Release

Findings suggest increased regulatory scrutiny is contributing to program growth and maturity

SANTA FE, N.M. and MENLO PARK, CA, December 20, 2016 – Companies may have reached a positive turning point when it comes to managing their vendor risks, according to the annual Vendor Risk Management Benchmark Study, released today by the Shared Assessments Program, a collaborative consortium, and Protiviti, a global consulting firm. The study found that organizations across all industries, and in particular financial services, are increasing their focus on managing vendor and third-party risks. The maturity levels associated with different vendor risk management program areas have improved noticeably, yet awareness levels and compliance measures aren’t where they need to be.

To download a complimentary copy of the study, please visit or

In its third year, the Vendor Risk Management Benchmark Study examined information from nearly 400 C-suite executives, risk management and audit professionals, who rated their public and private organizations using the Shared Assessments Program’s Vendor Risk Management Maturity Model (VRMMM) – a holistic benchmarking tool for evaluating the quality and maturity of third-party risk programs including cybersecurity, IT, privacy, data security and business resiliency controls. The surveyed organizations represent a mix of industries with the largest contingent in financial services.

Key survey findings for 2016 include:

  • A clear correlation between boards with high engagement in and understanding of cybersecurity risks and organizations with higher levels of reported process maturity, with a 1.6-point gap (on a 5.0-point scale) between organizations with high and low board engagement.
  • While many boards (39%) have a high level of engagement in and understanding of cyber risks within their own organization, significantly fewer (26%) understand and are engaged in reducing cyber risks in vendors that directly support their organizations. Even at the board of directors’ level, third-party risk management awareness levels are still lagging.
  • Despite higher maturity levels in all of the eight vendor risk components, the Benchmark Study shows there is still a long way to go until organizations routinely have fully operational third-party risk programs with all recommended compliance measures in place.
  • A narrowing of the maturity gap between financial services and all other verticals, most likely a function of increased regulatory pressure in sectors that include insurance and health care.

“This study documents in detail what many have believed to be true – that for organizations in which boards have high engagement in and knowledge of critical cybersecurity risk issues, vendor risk management maturity levels are noticeably higher,” said Cathy Allen, CEO, The Santa Fe Group.

The positive momentum portrayed in the 2016 survey is a significant change from the findings of prior years. In 2015, respondents rated their overall maturity across the eight vendor risk management categories to be virtually identical to those reported in 2014. In financial services, the improvement seen in 2016 could be motivated, in part, by significantly increasing regulatory scrutiny, especially in areas related to cybersecurity.

In particular, one key event that may have influenced and increased focus is the June 2015 publishing of the Cyber Security Assessment Tool (CAT) by the Federal Financial Institutions Examination Council (FFIEC). Regulators are also more actively referring to FFIEC’s Information Technology Examination Handbook to closely examine the cybersecurity and third-party risk management proficiencies of financial institutions.

“We speak with many client board members who are highly engaged in their organizations’ cybersecurity risks, which is helping create a strong tone at the top to drive improvements in cybersecurity and privacy capabilities,” said Cal Slemp, managing director, security program and strategy services, Protiviti. “The key now is to build strong board engagement specifically in vendor risk management because it poses just as significant a risk to companies as their own cybersecurity practices.”

Cyber Security Incident Response Findings

This year’s updates to the report include a new section on organizations’ cybersecurity and incident response capabilities. The addition reflects the increasing regulatory focus on boards’ risk management responsibilities. Key findings from this section include:

  • Sixty-five percent of all organizations have an incident response plan for events at vendors or third parties.
  • Financial services organizations are more likely to have an incident response plan in place – 75 percent currently have established plans.
  • Sixty-one percent of organizations test their plans for vendor or third-party events.

“This year’s survey shows improvement in incident reporting and focus on policy and standards related to communications. That said, on balance, the ‘Communications and Information Sharing’ category of the survey lags others at a time when internal two-way communications (top down and bottom up) and external information sharing are more important than ever,” said Shared Assessments member Linnea Solem, Chief Privacy Officer, vice president, risk and compliance, Deluxe Corporation.

Resources Available to Learn More

A complimentary copy of the 2016 Vendor Risk Management Benchmark Study and an infographic of survey highlights are available at

The VRMMM is a holistic tool for evaluating maturity of third-party risk programs including cybersecurity, IT, privacy, data security and business resiliency controls.

The focus of the VRMMM is to provide third-party risk managers with a tool they can use to evaluate their program against a comprehensive set of best practices. Click here: to learn more and obtain a free copy.

About the Shared Assessments Program

The Shared Assessments Program is the trusted source for third party risk management with resources, including tools and best practices, to effectively manage the critical elements of the third-party risk management lifecycle. Members represent a collaborative, global, peer community of information security, privacy, and third-party risk management leaders in industries including financial services, insurance, brokerage, healthcare, retail, and telecommunications. The Certified Third Party Risk Professional (CTPRP) certification program, membership, and use of the Shared Assessments Program Tools, ensure organizations stay current with the threat and risk environment, including regulations, industry standards, and guidelines. Shared Assessments provides organizations and their service providers the rigorous controls needed for cybersecurity, IT, data security, privacy, and business continuity. The Shared Assessments Program is managed by The Santa Fe Group, a strategic consulting company based in Santa Fe, New Mexico. On the web at

About Protiviti Inc.

Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach, and unparalleled collaboration to help leaders confidently face the future. Protiviti and its independent and locally owned Member Firms provide clients with consulting and managed solutions in finance, technology, operations, data, analytics, governance, risk and internal audit through its network of more than 85 offices in over 25 countries.

Named to the 2021 Fortune 100 Best Companies to Work For® list, Protiviti has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Kathy Keller