Board involvement is a key indicator of vendor risk management maturity
- Published: Wednesday, 10 April 2019 08:01
Protiviti and the Shared Assessments Program have released findings of their 2019 ‘Vendor Risk Management Benchmark Study: Running Harder to Stay In Place’ report, an extensive study of organizational risk posture assessed by industry sector and program criteria.
"The threat landscape is evolving daily, and new risk vectors – from nation state bad actors, data thefts and high-impact cyber attacks to business model viability and regulatory non-compliance – are making comprehensive vendor risk management programs all the more crucial to organizational stability and continuity," said Paul Kooney, a managing director in Protiviti's security and privacy practice. "This year's benchmark study analyzes more than 200 detailed criteria of a comprehensive vendor risk management program. Our survey findings underscore the fact that all risk management programs are running harder just to stay in place, and those that aren't rapidly advancing are falling behind. This has major potential impact on management goals, security postures and, very often, on regulatory mandates."
Survey results show that vendor risk management (VRM) programs in the technology and insurance/healthcare payer sectors have achieved the greatest levels of program maturity overall; however, no sector reported more than 50 percent of respondents at a mature level with regard to managing vendor risk. The technology and insurance sectors also led in fourth-party VRM, confirming companies in these sectors, on average, most carefully assess the risk postures of their vendors' full ecosystem, including subcontractor relationships.
Other key survey findings included:
- A strong correlation exists between engagement at the board of directors level and VRM program maturity: 57 percent of organizations reporting high levels of board engagement also report fully functional and advanced VRM programs.
- Assessing board engagement levels by industry, the tech sector leads, followed by manufacturing and healthcare providers.
- The tech and insurance sectors lead in fourth-party program maturity, assessing their vendors' vendors and full ecosystem for risk management practices.
- Continuous monitoring, an important aspect to VRM program maturity, lags across all sectors. Only 38 percent of respondents report that their organizations have controls in place to ensure ongoing monitoring of vendor relationships.
- All sectors cite resource allocation as a substantial challenge. The technology sector ranks slightly higher in overall maturity, but no sector is at an optimal level.
- All sectors report strong progress in assessing and managing critical vendors. 41 percent have fully mature processes in place to identify and manage their most critical vendors, while only 7 percent of respondents report that they have not yet begun to identify and separately manage critical vendors.
The survey polled 554 risk management practitioners and C-suite executives on the detailed criteria in the Shared Assessment Vendor Risk Management Maturity Model (VRMMM), an industry standard framework for evaluating the maturity of vendor risk programs, including cyber security, IT, privacy, data security and business resiliency controls.