I want to share with you a just-released report on the results of a study on vendor risk management practices in which Protiviti partnered with the Shared Assessments Program – a consortium of leading financial institutions, Big Four accounting firms and key service providers dedicated to helping organizations understand and manage vendor risk effectively. Our report reveals some particularly interesting findings regarding how well organizations are managing their vendor risk. Bottom line: There is significant room for improvement in many organizations.
As the volume of outsourced and offshored products and services has surged in recent years, so, too, have the risks associated with vendors and third-party providers. Data breaches at vendors handling a company’s data and information are costly; they can even carry a higher cost than in-house breaches.
Importantly, the number of incidents is rising – in highly regulated industries such as financial services and healthcare; in media and retail, as seen in recent news; as well as in any organization in any industry that is relying on third-party vendors to manage operations and processes. These at-risk vendors include not just data management, IT and security providers, but also facilities management along with any vendor that may have access to your network, data or facilities.
Thus, vendor risk management is a big deal, raising the bar on the importance of a company knowing who its third parties are, how each of them interacts with the company’s customers, what activities each performs on behalf of the company, and what company data they access and process. Unfortunately, for most organizations, understanding vendor risk and how to manage it appropriately has thus far been more art than science. This is changing in part with the development of the first comprehensive Vendor Risk Management Maturity Model by the Shared Assessments Program.
The Shared Assessments Program recently partnered with Protiviti to conduct a third-party risk management benchmarking study based on this maturity model. Our study reveals some interesting trends:
- Financial services organizations tend to have relatively mature vendor risk management programs compared to other companies and industries.
- Organizations in the insurance subset are at a lower level of maturity in their vendor risk management compared to the overall financial services set.
- Notable areas for improvement include program governance as well as policies, standards and procedures.
To learn more, please visit www.protiviti.com/vendor-risk. And as always, I invite you to share your comments and feedback here.