Press Release: 2016 Shared Assessments-Protiviti Benchmark Study

Press Release: 2016 Shared Assessments-Protiviti Benchmark Study

Dec 20, 2016 | Press Release, Third Party Risk, Third Party Risk Management, Vendor Risk, Vendor Risk Management, Vendor Security

blog 03

Marya Roddis, Vice President of Communications
O: 505-466-6434
C: 575-235-8228


2016 Shared Assessments-Protiviti Benchmark Study

Demonstrating the Increased Maturity of Third Party Risk Management Programs
Santa Fe, NM – December 20, 2016 – The member-driven Shared Assessments Program and Protiviti, Inc., a Shared Assessments member organization, are pleased to announce the release of the 2016 Vendor Risk Management Benchmark Study, the third annual study in this series. This year’s study shows, for the first time, positive trends in third party risk management maturity. Data from the 2014 and 2015 studies showed maturity levels remaining largely unchanged, a surprise given the increase in both also cybersecurity threats and regulatory scrutiny.

Vendor Risk program maturity levels have jumped in all eight risk management categories, with training levels in particular showing notably improved progress. This year’s study also examined the relationship between tone at the top and more than 140 elements of risk management process maturity.

Key Findings include:

  • A clear correlation between boards with high engagement in and understanding of emerging risks and organizations with higher levels of reported process maturity, with a 1.6-point gap (on a 5.0-point scale) between organizations with high and low board engagement.
  • While many boards (39%) have a high level of engagement in and understanding of cyber risks within their own organization, significantly fewer (26%) understand and are engaged in reducing cyber risks in vendors that directly support their organizations. Even at the board of directors’ level third party risk management awareness levels are still lagging.
  • Despite higher maturity levels in all of the eight vendor risk components, the Benchmark Study shows there is still a long way to go until organizations routinely have fully operational third party risk programs with all compliance measures in place.
  • A narrowing of the maturity gap between financial services and all other verticals, most likely a function of increased regulatory pressure in sectors that include insurance and health care.
  • Financial services firms with between $50 and $250 B in assets under management outperformed all other asset management categories and verticals, regardless of industry. Financial services firms of this size may represent an optimum organization size where there are both: (1) adequate resources to bring robust expertise and tools to programs; and (2) a scale that is still easily managed from a risk control perspective.

The 2016 study includes responses from nearly 400 C-Level, VP/Director Level and Manager Level respondents. The study basis in maturity levels is derived from the Shared Assessments Program’s Vendor Risk Management Maturity Model (VRMMM) – a holistic tool for evaluating maturity of third party risk programs including cybersecurity, IT, privacy, data security and business resiliency controls in the following areas:

  • Program Governance
  • Policies, Standards and Procedures
  • Contracts
  • Vendor Risk Identification and Analysis
  • Skills and Expertise
  • Communication and Information Sharing
  • Tools, Measurement and Analysis
  • Monitoring and Review

You can request the full 2016 Vendor Risk Management Benchmark Study here.


Sign up for our Newsletter

Learn about upcoming events, special offers from our partners and more.

Sub Topics