The latest enterprise risk management news from around the world

Board involvement is a key indicator of vendor risk management maturity

Protiviti and the Shared Assessments Program have released findings of their 2019 ‘Vendor Risk Management Benchmark Study: Running Harder to Stay In Place’ report, an extensive study of organizational risk posture assessed by industry sector and program criteria.

"The threat landscape is evolving daily, and new risk vectors – from nation state bad actors, data thefts and high-impact cyber attacks to business model viability and regulatory non-compliance – are making comprehensive vendor risk management programs all the more crucial to organizational stability and continuity," said Paul Kooney, a managing director in Protiviti's security and privacy practice. "This year's benchmark study analyzes more than 200 detailed criteria of a comprehensive vendor risk management program. Our survey findings underscore the fact that all risk management programs are running harder just to stay in place, and those that aren't rapidly advancing are falling behind. This has major potential impact on management goals, security postures and, very often, on regulatory mandates."

Survey results show that vendor risk management (VRM) programs in the technology and insurance/healthcare payer sectors have achieved the greatest levels of program maturity overall; however, no sector reported more than 50 percent of respondents at a mature level with regard to managing vendor risk. The technology and insurance sectors also led in fourth-party VRM, confirming companies in these sectors, on average, most carefully assess the risk postures of their vendors' full ecosystem, including subcontractor relationships.

Other key survey findings included:

  • A strong correlation exists between engagement at the board of directors level and VRM program maturity: 57 percent of organizations reporting high levels of board engagement also report fully functional and advanced VRM programs.
  • Assessing board engagement levels by industry, the tech sector leads, followed by manufacturing and healthcare providers.
  • The tech and insurance sectors lead in fourth-party program maturity, assessing their vendors' vendors and full ecosystem for risk management practices.
  • Continuous monitoring, an important aspect to VRM program maturity, lags across all sectors. Only 38 percent of respondents report that their organizations have controls in place to ensure ongoing monitoring of vendor relationships.
  • All sectors cite resource allocation as a substantial challenge. The technology sector ranks slightly higher in overall maturity, but no sector is at an optimal level.
  • All sectors report strong progress in assessing and managing critical vendors. 41 percent have fully mature processes in place to identify and manage their most critical vendors, while only 7 percent of respondents report that they have not yet begun to identify and separately manage critical vendors.

The survey polled 554 risk management practitioners and C-suite executives on the detailed criteria in the Shared Assessment Vendor Risk Management Maturity Model (VRMMM), an industry standard framework for evaluating the maturity of vendor risk programs, including cyber security, IT, privacy, data security and business resiliency controls.

More details.



Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

A website you can trust

The entire Continuity Central website is scanned daily by Sucuri to ensure that no malware exists within the site. This means that you can browse with complete confidence.

Business continuity?

Business continuity can be defined as 'the processes, procedures, decisions and activities to ensure that an organization can continue to function through an operational interruption'. Read more about the basics of business continuity here.

Get the latest news and information sent to you by email

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.