The Shared Assessments Program and Protiviti, Inc., a Shared Assessments member organization, have completed the 2016 Vendor Risk Management Benchmark Study, the third annual study in this series. This year’s study shows, for the first time, that companies appear to have reached a positive turning point with regard to managing third party risks. Data from the 2014 and 2015 studies showed program Maturity Levels remaining largely unchanged, a surprise given the increase in both cybersecurity threats and regulatory scrutiny. This year, maturity levels have jumped in all eight vendor risk management categories, with training levels in particular showing notably improved progress. This year’s study also examined the relationship between tone at the top and more than 140 components of risk management process maturity.
The 2016 study includes responses from nearly 400 C-Level, VP/Director Level and Manager Level respondents. The study’s maturity levels are derived from the Shared Assessments Program’s Vendor Risk Management Maturity Model (VRMMM), a holistic tool for evaluating the maturity of third party risk programs, including cybersecurity, IT, privacy, data security and business resiliency controls, in the following areas: Program Governance; Policies, Standards and Procedures; Contracts; Vendor Risk Identification and Analysis; Skills and Expertise; Communication and Information Sharing; Tools, Measurement and Analysis; and Monitoring and Review.
“This year’s survey shows improvement in incident reporting and focus on policy and standards related to communications. That said, on balance, the Communications and Information Sharing category lags others at a time when two-way internal communications (top-down and bottom-up) and external information sharing are more important than ever,” noted Linnea Solem, Chief Privacy Officer, Vice President Risk and Compliance, Deluxe Corporation – a Shared Assessments Member organization.
The study will soon be available. Here are a few of the Key Findings:
- Third party risk management is gaining more attention and program maturity levels are rising, showing significant improvements in vendor risk management capabilities that demonstrate a shrinking gap between financial services, which has shown higher levels in prior years, and organizations in other verticals.
- This year’s study shows, for the first time, positive trends in third party risk management maturity. Data from the 2014 and 2015 studies showed maturity levels remaining largely unchanged, a surprise given the increase in both cybersecurity threats and regulatory scrutiny.
- Boards are showing a higher level of engagement with cybersecurity risks in their own organizations (39%), but fall far lower in risk management engagement for third parties (26%).
The study showed a clear correlation between boards with high engagement in and understanding of emerging risks and organizations with higher levels of reported process maturity, with a 1.6-point gap (on a 5.0-point scale) between organizations with high and low board engagement.
- Vendor risk program maturity levels have jumped in all eight risk management categories, with training levels in particular showing notably improved progress. Maturity levels have jumped on a number of components that relate to vendor assessments and performance metrics.
- Despite higher maturity levels in all of the eight vendor risk components, the Benchmark Study shows there is still a long way to go for organizations to routinely have fully operational third party risk programs with all compliance measures in place.
The narrowing of the maturity gap between financial services and all other verticals is most likely a function of increased regulatory pressure in sectors that include insurance and health care. Interestingly, financial services firms with between $50B and $250B in assets under management outperformed all other asset management categories and verticals, regardless of industry. Financial services firms of this size may represent an optimum organization size where there are both: (1) adequate resources to bring robust expertise and tools to programs; and (2) a scale that is still easily managed from a risk control perspective.
Regulators have increasingly stressed the role of the board in establishing, funding and evaluating vendor risk program effectiveness, with good reason. Board engagement is a key differentiator for program maturity. Cathy Allen, CEO of The Santa Fe Group, the managing company for the Shared Assessments Program, stated that “Risk managers at all levels, including the C-Suite and Board of Directors, understand that the maturity of our risk management programs has a profound effect on our organizations. This study documents in detail what many have believed to be true – that for organizations in which boards have high engagement in and knowledge of critical issues, vendor risk management and maturity levels are noticeably higher.”
For more than four decades, Gary Roboff, Senior Advisor, The Santa Fe Group, has contributed his outstanding talents to financial services planning and management, including 25 years at JP Morgan Chase, where he retired as Senior Vice President of Electronic Commerce. Gary has worked extensively in electronic payments, payments fraud, third party risk management, privacy and information utilization, as well as business frameworks and standards for electronic commerce applications.