As the volume of outsourced products and services has surged in recent years, so, too, have the risks associated with vendors and third party providers. This is occurring in highly regulated industries such as financial services and healthcare; in media and retail, as seen in recent news; and in any organization that relies on third party vendors to manage operations and processes. These vendors include not just data management, IT and security providers, but also facilities management (cleaning, HVAC) and any other vendor that may have access to your network, data or facilities.
The list of standards and regulations with third party risk implications is long: Consumer Financial Protection Bureau (CFPB) regulations, ISO 27001/2, PCI Security Standards Council’s data security standards, Office of the Comptroller of the Currency (OCC) Third Party Risk Guidance, and NIST’s Cybersecurity Framework. The urgency to address this risk is further driven home by recent massive and highly publicized security breaches at several large companies, and the resulting public and regulatory scrutiny of the way personal data is managed in a global IT environment.
“You can have all the security in the world inside your company’s four walls, but all it takes is a compromise at one third party vendor that’s connected to you. This creates a bridge directly into your organization.” – Rocco Grillo, Protiviti Managing Director and Shared Assessments Program Steering Committee member
Despite this environment, for most organizations, understanding vendor risk and how to manage it appropriately has thus far been more art than science. This is changing in part with the development of the first comprehensive Vendor Risk Management Maturity Model (VRMMM) by the Shared Assessments Program. The VRMMM sets forth best practices for developing a comprehensive third party risk program and allows a company to evaluate its program’s maturity against development goals.
The Shared Assessments Program recently partnered with Protiviti, a global consulting firm, to conduct a third party risk management benchmarking study based on this maturity model. Nearly 450 respondents, including C-suite executives, as well as IT, internal audit and IT audit vice presidents and directors, participated in our study.
“If you’re outsourcing to or relying on a third party, you can’t just shut the door and say it’s someone else’s problem. You can outsource the function but you ultimately own the risk. If a third party doesn’t have the same controls in place or the level of controls you need from a risk management standpoint, you have a serious risk to address.” – Brad Keller, Senior Vice President & Program Director, The Santa Fe Group (which manages the Shared Assessments Program)
The results of our survey revealed some interesting trends:
- Financial services organizations tend to have relatively mature vendor risk management programs compared to other companies – This is not a surprise given the highly regulated nature of the financial services industry.
- Organizations in the insurance subset are at a lower level of maturity in their vendor risk management compared to the financial services set – This finding is a surprise given that the insurance industry is also highly regulated. The results suggest there is substantial room for growth among insurance organizations.
- Notable areas for improvement include program governance, and policies, standards and procedures – While there is no standard, “one-size-fits-all” approach to vendor risk management given the nuanced differences between industries and organizations, having mature program governance capabilities, along with established policies, standards and procedures for vendor risk management, is considered a fundamental step. These two areas should serve as the foundation for establishing effective vendor risk management practices in other areas. Yet the survey results show that most organizations are no more advanced in these critical areas than they are in other components of vendor risk management.
Brad Keller is Senior Vice President & Program Director with the Santa Fe Group (which manages the Shared Assessments Program) and Rocco Grillo is a Managing Director with Protiviti, a global consulting firm, and is a Shared Assessments Program Steering Committee member. This article is adapted from the 2014 Vendor Risk Management Benchmark Study, a survey from Shared Assessments and Protiviti to assess the current state of vendor risk management in organizations, as measured against the Shared Assessments Vendor Risk Management Maturity Model. For more information, visit www.sharedassessments.org or www.protiviti.com/vendor-risk.