The results of the latest Vendor Risk Management Benchmark Study indicate that organizations in all industries are increasing their focus on managing vendor and third-party risks. In addition, levels of maturity in different vendor risk management components have noticeably improved.
This is a significant change over prior years. In 2015, respondents rated their overall maturity across the eight vendor risk management categories to be virtually identical to those reported in 2014. In financial services, the improvement seen this year could be motivated in part by significantly increasing regulatory scrutiny, especially in areas related to cybersecurity. This is the third year that the Shared Assessments Program and Protiviti have partnered on this research, which is based on the comprehensive Vendor Risk Management Maturity Model (VRMMM) developed by the Shared Assessments Program.
Our key findings this year:
- Vendor risk management is garnering more attention and maturity levels are on the rise. Compared to last year’s survey, this year’s results show significant improvement in vendor risk management capabilities, suggesting this has become more of a “front burner” issue for organizations. As a result, the maturity gap between financial services and organizations in other verticals is shrinking.
- Many boards have a high level of engagement regarding cybersecurity risks to the business, but less so for vendors. There is a noticeable difference in the “high” engagement levels among board members with regard to cybersecurity risks to the business compared with those risks to the organization’s vendors.
- Board engagement in cybersecurity risk is a key differentiator. For organizations in which boards have high engagement levels in cybersecurity risks, vendor risk management maturity levels are noticeably higher.
- Metrics matter more. Maturity levels have jumped significantly in a number of vendor risk components that relate to vendor assessments and performance metrics, including calculating and distributing vendor assessment metrics and implementing metrics and reporting for compliance with required training and awareness of vendor risk policies.
- Despite higher maturity levels in most vendor risk components, there remain numerous areas for improvement. While more areas are reported to be at or near the “fully defined and established” level, few are close to the “fully implemented and operational” or “continuous improvement – benchmarking, moving to best practices” levels.