Increasing pressures in the risk and regulatory environments continue to pose severe challenges to vendor risk management (VRM) programs, often offsetting incremental program improvements, according to the latest Vendor Risk Management Benchmark Study from the Shared Assessments Program and Protiviti.
Overall, we’ve found that the relative maturity level of VRM programs has not changed over the past 12 months despite increased regulatory scrutiny; growing cyber threats at a global, national and state level; and a riskier business environment. At the same time, our findings also point to a number of effective and cost-efficient approaches to get off this treadmill and achieve more substantial VRM progress.
The results of the study indicate that:
- There is a strong correlation between high levels of board engagement with VRM issues and VRM capabilities that are firing on all cylinders to reach and sustain superior levels of program maturity.
- To varying degrees across all industries, VRM programs are barely able to keep up with the fast pace of change in the external environment.
- Four in 10 organizations have fully mature VRM programs, but just under a third have only ad hoc or no significant VRM processes.
- More organizations are moving away from, or “de-risking,” their high-risk vendor relationships.
- Resource constraints in the face of higher risk management costs represent one of the largest VRM challenges for organizations.