Press Release: Many Companies’ Vendor Risk Management Programs Still Need Improvement, According to New Study from Protiviti and Shared Assessments

Editor Contacts:

For Protiviti:
Kathy Keller
(650) 234-6252

For Shared Assessments Program:
Sarah Perry, The Santa Fe Group, 602-441-1769, or
Lisa MacKenzie, MacKenzie Marketing Group
(503) 705-3508, or
Kelly Stremel,



‘2015 Vendor Risk Management Benchmark Study’ shows third-party risk programs across industries lack maturity, putting data at risk; resources and new strategies are recommended

SANTA FE, N.M. and MENLO PARK, Calif. – July 8, 2015 – With cyber-attacks and data security threats looming at insecure access points, the increased scrutiny of regulators and the focused attention of boards of directors, the outsourcing of critical services to third parties requires a robust vendor risk management program and stringent oversight – now more than ever. Yet the results of a new study suggest that many companies may be underperforming in these areas. Organizations must make improvements to their risk management programs in order to keep pace with the latest risks and challenges, according to the 2015 Vendor Risk Management Benchmark Study, released today by the Shared Assessments Program and Protiviti, a global consulting firm. To download a complimentary copy of the study, please visit or

In its second year, the Vendor Risk Management Benchmark Study examined information from more than 450 C-suite executives, risk management and audit professionals, who rated their organizations using the Vendor Risk Management Maturity Model (VRMMM), a benchmarking tool from the Shared Assessments Program that measures the quality and maturity of existing vendor risk management programs.

Survey respondents were presented with eight categories of vendor risk management. For each component within the eight categories, respondents were asked to rate its maturity level as it applies to their organization on a maturity scale of 1 (lowest) to 5 (highest):

[Image: maturity ratings for the eight vendor risk management categories, 2014 vs. 2015]

Initially, vendor risk management capabilities in organizations appear to be stagnating. Scores in half of the categories did not change from year to year, and the slight declines (-0.1) in the four other categories are not significant variations.

However, these flat results do not necessarily mean that no progress has been made with regard to third-party vendor risk management. During the one-year period in between the 2014 and 2015 surveys, there was an epidemic of cybersecurity breaches, the February 2014 release of the NIST Cybersecurity Framework, and more oversight of IT security risk programs in general by both boards of directors and regulators. This increased regulatory focus on third-party risks means that organizations are now more aware of their own program’s strengths and weaknesses, particularly at the C-suite and board level. With greater clarity about what is required to minimize and mitigate cybersecurity risks, many respondents likely rated their capabilities lower even in the face of process improvements in their firms, and may also be setting a higher bar for what they deem to be mature levels of vendor risk management.

“The increasing frequency and magnitude of cybersecurity breaches, along with recent and forthcoming regulatory actions, make it imperative that vendor risk management programs make a significant leap forward. This change requires fundamental alterations to strategies, processes and organizational culture,” said Rocco Grillo, a managing director with Protiviti and the firm’s global leader for incident response and forensic investigations. “The good news is that there is greater demand for building more robust vendor risk management programs. This issue is more frequently a part of the agenda for boards of directors, who are regularly seeking assurance from management that the appropriate steps are being taken to combat vendor risk.”

Other Key Findings from the Survey

  • Vendor risk management programs require more substantive advances. The overall maturity rating for program governance in this year’s survey (2.7 on a 5-point scale, below the “fully defined and established” maturity level) should serve as a wake-up call that deeper changes are needed that reach into organizational culture and individual behavior, especially for financial institutions that are striving to satisfy the U.S. “Getting to Strong” regulatory mantra.
  • Vendor risk management programs within financial services organizations are relatively more mature compared to companies in insurance, healthcare and other industries. The 2015 survey results indicate that financial services firms continue to rank ahead of other industries with regard to their vendor risk management programs, most notably in Program Governance, Vendor Risk Identification and Analysis, and Communication and Information Sharing. Financial services organizations score on average more than a point higher in these categories. Perhaps most notable is the finding that the insurance and healthcare industries continue to lag behind financial institutions in fortifying their vendor risk management capabilities, considering the sensitivity of their data.
  • Policies, standards and procedures and contract management and criteria represent the most advanced components of current vendor risk management programs. These areas are ranked highest in terms of overall maturity among the eight program areas assessed in the survey. These two program characteristics are fundamental building blocks that can lay the groundwork for a more mature vendor risk management capability.

“The study clearly indicates, across industries and leadership roles, that much work needs to be done,” said Gary S. Roboff, senior advisor with Shared Assessments. “Organizations are asking for more resources and effective, efficient strategies to manage third party risks, and this research tells us that the C-suite is aware of the need for continued vendor risk management improvement.”

Resources Available to Learn More
Protiviti will host a complimentary webinar on July 28, 2015 at 11:00 a.m. PDT, led by Grillo and Roboff and joined by a Fortune 500 financial services company guest speaker, to discuss the results of the survey and offer insights into what organizations can do to raise their vendor risk management maturity levels. Additionally, Grillo and Roboff have recorded a podcast about the survey findings and their implications for businesses.

To access a complimentary copy of the 2015 Vendor Risk Management Benchmark Study, please visit: or The sites also host an infographic, a short video of the survey’s highlights and a benchmarking tool to compare the user’s results to the survey respondents’ results.

About the Shared Assessments Program
The Shared Assessments Program is the trusted source for third party risk management with resources, including tools and best practices, to effectively manage the critical elements of the vendor risk management lifecycle. Members represent a collaborative, global, peer community of information security, privacy, and third party risk management leaders in industries including financial services, insurance, brokerage, healthcare, retail, and telecommunications. The Certified Third Party Risk Professional (CTPRP) certification program, membership, and use of the Shared Assessments Program Tools, ensure organizations stay current with the threat and risk environment, including regulations, industry standards, and guidelines. Shared Assessments provides organizations and their service providers the rigorous controls needed for IT, data security, privacy, and business continuity. The Shared Assessments Program is managed by The Santa Fe Group (, a strategic consulting company based in Santa Fe, New Mexico. On the web at

About Protiviti
Protiviti ( is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.

Named to the 2015 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.


Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Editor’s note: infographic of survey highlights available in PDF or JPEG formats. Photos available upon request.