Marya Roddis, Vice President of Communications
Vendor Risk program maturity levels have jumped in all eight risk management categories, with training levels in particular showing notably improved progress. This year’s study also examined the relationship between tone at the top and more than 140 elements of risk management process maturity.
Key Findings include:
- A clear correlation between boards with high engagement in and understanding of emerging risks and organizations with higher levels of reported process maturity, with a 1.6-point gap (on a 5.0-point scale) between organizations with high and low board engagement.
- While many boards (39%) have a high level of engagement in and understanding of cyber risks within their own organization, significantly fewer (26%) understand and are engaged in reducing cyber risks in vendors that directly support their organizations. Even at the board of directors’ level third party risk management awareness levels are still lagging.
- Despite higher maturity levels in all of the eight vendor risk components, the Benchmark Study shows there is still a long way to go until organizations routinely have fully operational third party risk programs with all compliance measures in place.
- A narrowing of the maturity gap between financial services and all other verticals, most likely a function of increased regulatory pressure in sectors that include insurance and health care.
- Financial services firms with between $50 and $250 B in assets under management outperformed all other asset management categories and verticals, regardless of industry. Financial services firms of this size may represent an optimum organization size where there are both: (1) adequate resources to bring robust expertise and tools to programs; and (2) a scale that is still easily managed from a risk control perspective.
The 2016 study includes responses from nearly 400 C-Level, VP/Director Level and Manager Level respondents. The study basis in maturity levels is derived from the Shared Assessments Program’s Vendor Risk Management Maturity Model (VRMMM) – a holistic tool for evaluating maturity of third party risk programs including cybersecurity, IT, privacy, data security and business resiliency controls in the following areas:
- Program Governance
- Policies, Standards and Procedures
- Vendor Risk Identification and Analysis
- Skills and Expertise
- Communication and Information Sharing
- Tools, Measurement and Analysis
- Monitoring and Review
You can request the full 2016 Vendor Risk Management Benchmark Study here.