As rapidly changing risk and regulatory environments continue to challenge vendor risk management capabilities, organizations in all industries are making progress in improving how they manage vendor and third-party risks. Protiviti’s 2017 Vendor Risk Management Benchmark Survey, which looks at the maturity of organizations’ vendor risk management, is based on the comprehensive Vendor Risk Management Maturity Model (VRMMM) developed by the Shared Assessments Program.
The study, now in its fourth year, found that a majority of companies plan to de-risk third-party vendor relationships that pose high risks and that the level of the board’s engagement in information security correlates with vendor risk management maturity:
- Vendor risk management is improving - Overall vendor risk management maturity shows only modest year-over-year improvement, but several individual categories improved markedly compared with last year's results, suggesting that more organizations recognize the importance of vendor risk management at a time when the external risk environment is changing quickly.
- Boards have set their sights on cybersecurity - Board-level engagement with cybersecurity risks improved significantly year over year. However, an "engagement gap" persists: boards remain more engaged with the organization's internal cybersecurity risks than with the cybersecurity risks posed by the organization's vendors. Organizations with less engaged boards also report significantly lower maturity in their third-party risk management practices.
- "De-risking" vendors is on the rise - A majority of organizations expect to exit or change relationships with vendors due to heightened risk levels. Insurance companies, including healthcare payers, appear much more likely to make these de-risking moves in the coming year, with fourth-party risk, cost concerns and a lack of internal expertise to evaluate vendor controls cited as the primary reasons.