Now Available: 2019 Vendor Risk Management Report

“My dear, here we must run as fast as we can, just to stay in place. And if you wish to go anywhere you must run twice as fast as that.”

-Lewis Carroll, Alice in Wonderland


As they assess today’s complex risk and regulatory environments, third party risk management (TPRM) practitioners may feel as if they’ve tumbled through the looking glass. Given the constantly changing and sometimes strange world of third party risk, most organizations must work diligently just to sustain the current performance and sophistication of their TPRM programs.

That’s one of a number of key insights from the 2019 Vendor Risk Management Benchmark Study, which is based on survey research and analyses jointly conducted by Protiviti and The Shared Assessment Program. The report’s findings indicate that:

  • The correlation between high levels of board engagement and programs with fully mature TPRM practices is very high. That relationship has been demonstrated using a second set of metrics in this year’s report;
  • Most vendor risk management programs in all industries face difficulties keeping up with the pace of change in the external environment; and
  • Resource constraints in the face of higher risk management costs represent a pervasive challenge.

This marks the fifth year that the Shared Assessments Program and Protiviti have collaborated on this research, which is based on the Shared Assessment Program’s proprietary Vendor Risk Management Maturity Model (VRMMM). For 2019 the program updated the VRMMM with numerous enhancements, including the addition of 81 new detailed criteria. These additions made it possible for us to develop benchmarking capabilities in eleven new focus areas, including aspects of continuous monitoring, fourth party risk management, resource availability and optimization, privacy, virtual assessments, geolocation risks and more.


In addition to the three findings I mentioned above, our 2019 report also reveals that:

  • Cyberattack disruptions are increasing, and it is taking organizations longer to fix the issues that led to a successful strike. Approximately 67 percent more respondents to this year’s survey reported that their organizations experienced a significant disruption from a cyberattack or hacking incident, compared to respondents who reported similar disruptions in our previous survey. What’s more, the percentage of organizations that fixed the issues that led to a successful cyberattack within one month declined by 17 percent from last year’s findings to this year’s results. Last year, only 28 percent of respondents reported that these fixes took from three months to one year to complete; this year, 37 percent of respondents reported that fixing the issues that led to a significant cyberattack required three months to one year.
  • More organizations are likely to move away from high-risk third-party relationships. Fifty-five percent of respondents report that their organizations are extremely likely or somewhat likely to move or exit risky vendor relationships, a 2 percent increase compared to last year’s survey. This tendency is likely driven by increasing TPRM resource constraints including the inability of some outsourcers to effectively utilize continuous monitoring capabilities to better gauge and control fourth party related risks in their programs.


The report, which is available at no cost, is packed with information and insights related to all areas of vendor risk management. Reading through the results will help TPRM leaders and their teams get a firmer grasp of how their program compares to others in the same industry. Together with the Vendor Risk Management Maturity Model, on which the benchmark survey is based, the Benchmark Study is the perfect tool to determine and steer TPRM programs toward a custom maturity level that’s appropriate for every organization irrespective of the industry in which it operates.