As the volume of outsourced products and services has surged in recent years, so have the risks associated with vendors and third-party providers. This is occurring in highly regulated industries such as financial services and healthcare, in media and retail, and in any organization that relies on third-party vendors to manage operations and processes. These vendors include not just data management, IT and security providers, but also facilities management (cleaning, HVAC) and any other vendor that may have access to your network, data or facilities.
The list of standards and regulations with third-party risk implications is long: Consumer Financial Protection Bureau (CFPB) regulations, ISO 27001/2, PCI Security Standards Council’s data security standards, Office of the Comptroller of the Currency (OCC) Third-Party Risk Guidance, and NIST’s Cybersecurity Framework. The urgency to address this risk is further driven home by recent massive and highly publicized security breaches at several large companies, and the resulting public and regulatory scrutiny of the way personal data is managed in a global IT environment.
For most organizations, understanding vendor risk and how to manage it appropriately has thus far been more art than science. This is changing in part with the development of the first comprehensive Vendor Risk Management Maturity Model (VRMMM) by the Shared Assessments Program, a consortium of leading financial institutions, Big Four accounting firms and key service providers dedicated to helping organizations understand and manage vendor risk effectively.
The Shared Assessments Program recently partnered with Protiviti to conduct a third-party risk management benchmarking study based on this maturity model. The study revealed some interesting trends that we will detail in this report: financial services organizations tend to have relatively mature vendor risk management programs compared to other companies; organizations in the insurance subset are at a lower level of maturity in their vendor risk management compared to the financial services set; and notable areas for improvement include program governance, and policies, standards and procedures.