The Clock is Ticking …It’s Time to Focus on Maturing Vendor Risk Management Programs

Sep 19, 2018 | Data & Cybersecurity, Data Breach, Public Policy, Regulations, Third Party Risk Management, Tools & Templates, Vendor Risk Management Maturity Model (VRMMM)


Tick Tock. It’s that time of year again. Summer’s heat waves are retreating, school is in session, and budget planning is well underway for 2019 and beyond. Each year organizations typically take focused time during Q3/Q4 to evaluate their strategic plans; monitor the evolving risk environment; assess cyber-security threats; and identify programs to be enhanced in the coming fiscal year. Lines of business are focused on business cases for new products/services, while risk teams are working to mature governance to address new compliance obligations with limited resources.

✔ Which regulatory landscape changes are shifting expectations?
✔ Which third party risk focus areas are “hot topics”?
✔ Where does third party risk fit among those competing priorities?
✔ How can self-assessment tools be used for peer benchmarking?

And this season the 5th annual Third Party Risk Management Benchmark Survey, based on the expanded 2019 Shared Assessments Vendor Risk Management Maturity Model, is here to help put an early spotlight on additional areas of practice maturity emerging in response to a number of market changes.

Market Changes

  • New Regulations: Expectations for third party oversight and vendor management have been raised. GDPR is now enforceable, extending obligations to data processors and vendors. The OCC’s supplemental examination procedures for its “Third-Party Relationships: Risk Management Guidance” are raising expectations for risk management, due diligence and governance. Covered entities impacted by NY DFS 500 are facing the clock as the March 2019 deadline approaches. At the same time, certifying or providing assurance on the effectiveness of a third party risk program remains difficult to measure and quantify.
  • High-Profile Data Breaches: Recent events have placed a spotlight on the risk of cyber security breaches with vendors and subcontractors, expanding the need to have greater rigor in third party risk management and ongoing risk assessments.
  • Updated Standards: NIST standards are expanding to include risk management and privacy. External audit standards for SOC reports have been updated by the AICPA. The updated Trust Services Criteria will now contain 9 Vendor Risk Management common controls for 2019 engagements.

It’s all about taking “Trust, but Verify” to the next level with enhanced controls, validation, testing, and governance. While each new regulation or standard is focused on a particular jurisdiction or market vertical, the themes for third party risk management have more similarities than differences.

Hot Topics for Vendor Risk Management:
✔ Subcontractors/Nth Party Management
✔ Continuous Monitoring Program Activities
✔ Vendor Inventories
✔ Vendor Contract Modernization
✔ Risk Posture/Methodologies/Approvals

Adapting a vendor risk management program that is impacted by both internal and external drivers can feel daunting without a roadmap to help mature or expand the program components. Organizations of all sizes may need to develop business cases to obtain resources, whether people or investments, to expand third party governance programs.

Vendor Risk Management Maturity Model
The Shared Assessments Program Vendor Risk Management Maturity Model (VRMMM) was developed by its members to provide a roadmap for structuring, operating, and measuring each component of an organization’s Vendor Risk Management Program. Combining best practices, thought leadership, and hands-on vendor risk management, the Program Tool provides a framework for each element of an effective vendor risk management program. The VRMMM self-assessment enables an organization to evaluate the maturity of its current third party risk program based on a ranking of core program attributes:

VRMMM Framework

    • 1.0 Program Governance
    • 2.0 Policies, Standards & Procedures
    • 3.0 Contract Development, Adherence & Management
    • 4.0 Vendor Risk Assessment Process
    • 5.0 Skills & Expertise
    • 6.0 Communications & Information Sharing
    • 7.0 Tools, Measurements & Analysis
    • 8.0 Monitoring & Review

VRMMM-based self-assessments enable a critical focus on third party risk management process maturity, a key input to help prioritize resource allocations in any organization’s annual vendor risk management structuring, enhancement or expansion plans.

The 2019 version of the VRMMM has been expanded to incorporate recent regulatory changes and key topics such as vendor inventories, fourth party management, continuous monitoring, risk posture, and contract modernization. The current Benchmark Survey, open from September 20th until October 16th, can give you a significant head start on that self-assessment.

The Power of the 2018 Benchmarking Survey
This year’s Benchmark Study is the first to be based on NEXT year’s Vendor Risk Management Maturity Model (VRMMM), not the current 2018 iteration. The study will release in early 2019 – shortly after the 2019 VRMMM Program Tool becomes available – allowing risk managers to immediately gauge their own practice maturity against industry peers by using survey results compared to the newly expanded 2019 Vendor Risk Management Maturity Model (VRMMM).

The survey results will provide critical data for practitioners to understand where their own program may lag, and to prioritize where additional resources might be utilized most effectively.
Catherine Allen, CEO of The Santa Fe Group and Shared Assessments program stated, “The Vendor Risk Management Benchmark Study is a remarkably powerful tool that risk managers routinely use to understand the relative strengths and weaknesses of their programs. This year’s survey update drills down into continuous monitoring, privacy, data management, and a broad range of additional practices to make the insights even more valuable to third party risk professionals.”

Paul Kooney, a Managing Director in the Security and Privacy practice at global consulting firm Protiviti, notes, “Protiviti is excited to team with the Shared Assessments Program to provide one of the most comprehensive benchmark reports providing insights about the overall state of third party risk management practice maturity. Data from this year’s study will be considerably more useful, not just because of the survey’s significantly expanded scope, but because it will provide a current perspective on almost eighty new criteria added to the 2019 VRMMM.”

As always, it’s very important that your organization take the time to thoughtfully complete the Benchmark Survey. Your participation benefits the third party risk management community as a whole by enabling an accurate and updated understanding of the true state of vendor risk management practice maturity. Please join your peers and complete the 2018 questionnaire, open from September 20th through October 16th.

Sabine Zimmer

Sabine is Vice President of Marketing and Sales for Shared Assessments. Sabine enjoys collaborating across teams to build a stronger risk management community. When she's not at work, she is outdoors in the Southwest with her family.
