The 2016 Vendor Risk Management Benchmark Study Released
Despite clear progress in program maturity reported in this year’s Vendor Risk Management Benchmark Study, none of the eight risk management categories approached a level of 4.0 on a 5.0-point scale, a level at which programs are fully implemented and all compliance measures are in place. Four categories scored 3.0 or higher and none exceeded 3.1. Organizations at a level of 3.0 have vendor management components that are fully defined, approved and established, but not all processes are fully operational. The study used the categories from the Shared Assessments Vendor Risk Management Maturity Model (VRMMM), a holistic tool for evaluating the maturity of third party risk programs, including cybersecurity, IT, privacy, data security and business resiliency controls. The eight vendor risk categories are: Program Governance; Policies, Standards and Procedures; Contracts; Vendor Risk Identification and Analysis; Skills and Expertise; Communication and Information Sharing; Tools, Measurement and Analysis; and Monitoring and Review.
In terms of tone at the top, this study demonstrated that while many boards (39%) have a high level of engagement in and understanding of cyber risks within their own organization, significantly fewer (26%) understand and are engaged in reducing cyber risks in vendors that directly support their organizations.
The 2017 Shared Assessments Vendor Risk Management Maturity Model (VRMMM)
The VRMMM is a holistic tool for evaluating maturity of third party risk programs including cybersecurity, IT, privacy, data security and business resiliency controls. The focus of the VRMMM is to provide third party risk managers with a tool they can use to evaluate their program against a comprehensive set of best practices.
The 2017 VRMMM is free to both members and non-members.
Thank You to Shared Assessments Member Protiviti
Special thanks to Protiviti for their support of this research and their leadership and dedication to developing best practices for managing third party risk.