Vendor risk management is improving: benchmarking study

Companies may have reached a positive turning point when it comes to managing their vendor risks, according to the annual Vendor Risk Management Benchmark Study, published by the Shared Assessments Program and Protiviti. The study found that organizations across all industries, and, in particular, financial services, are increasing their focus on managing vendor and third-party risks. The maturity levels associated with different vendor risk management program areas have improved noticeably.

In its third year, the Vendor Risk Management Benchmark Study examined information from nearly 400 C-suite executives, risk management and audit professionals, who rated their public and private organizations using the Shared Assessments Program's Vendor Risk Management Maturity Model (VRMMM) – a holistic benchmarking tool for evaluating the quality and maturity of third-party risk programs including cybersecurity, IT, privacy, data security and business resiliency controls. The surveyed organizations represent a mix of industries, with the largest contingent in financial services.

Key survey findings for 2016 include:

  • A clear correlation between boards with high engagement in and understanding of cybersecurity risks and organizations with higher levels of reported process maturity, with a 1.6-point gap (on a 5.0-point scale) between organizations with high and low board engagement.
  • While many boards (39 percent) have a high level of engagement in and understanding of cyber risks within their own organization, significantly fewer (26 percent) understand and are engaged in reducing cyber risks in vendors that directly support their organizations. Even at the board of directors' level, third-party risk management awareness levels are still lagging.
  • Despite higher maturity levels in all of the eight vendor risk components, the Benchmark Study shows there is still a long way to go until organizations routinely have fully operational third-party risk programs with all recommended compliance measures in place.
  • A narrowing of the maturity gap between financial services and all other verticals can be seen, which is probably a result of increased regulatory pressure in sectors that include insurance and health care.
Download a copy of the study (PDF).
