The Protiviti View  | Insights From Our Experts on Trends, Risks and Opportunities

The Protiviti View

Insights From Our Experts on Trends, Risks and Opportunities
Search

POST

2 mins to read

Pace of Change and Resource Allocation Continue to Challenge Companies’ Vendor Risk Management, New Survey Confirms

Demystifying digital transformation in finance - Explore the key to success in digital finance transformation
Larger Font
2 minutes to read

Running just to stay in place – this is what it feels like today for many companies trying to match their vendor risk management (VRM) efforts to the fast-changing risk environment and pressing regulatory demands. Incremental improvements in VRM made last year have been all but wiped out by new cyber threats, and the costs of running a vendor risk management program are rising. This is the picture painted by the latest VRM survey by Protiviti and the Shared Assessments Program, a member-driven leader in third-party risk assurance.

A Standard for Vendor Risk Management

This is the fifth year that the Shared Assessments Program and Protiviti have partnered on this research, which is based on the comprehensive Vendor Risk Management Maturity Model (VRMMM) developed by the Shared Assessments Program. The VRMMM is an industry standard framework for evaluating the maturity of vendor risk programs, including cybersecurity, IT, privacy, data security and business resiliency controls. Broken into eight categories, the model explores 211 program elements that should form the basis of a robust, well-run VRM program.

During the past year, Shared Assessments updated the VRMMM with 81 new detailed criteria, probing more extensively into critical practice components such as continuous monitoring, data management and security, privacy, fourth-party risk management, independent program review and others to reflect the expanding threat environment and global regulatory demands. All of these items are covered in this year’s survey.

The survey findings underscore the fact that any organization not advancing its VRM program is likely to fall behind quickly. Vendor risk management program stagnation has the potential to have a significant impact on an organization’s ability to achieve management goals, maintain desired security postures and, very often, fulfil regulatory mandates.

Of the 28 industry sectors polled, the technology and insurance/healthcare payer sectors have achieved the highest levels of program maturity overall; however, no sector reported more than 50% of respondents at a mature level of vendor risk management practice. The technology and insurance sectors also led in fourth-party VRM, confirming that companies in these sectors, on average, most carefully assess the risk postures of their vendors’ full ecosystem, including subcontractor relationships.

Other Key Findings From the Survey

  • Strong correlation exists between engagement at the board level and VRM program maturity: Fully 57% of organizations reporting high levels of board engagement also report fully functional and advanced VRM programs.
  • When assessing board engagement levels by industry, the technology sector leads, followed by manufacturing and healthcare providers.
  • Continuous monitoring, an important aspect to VRM program maturity, lags across all sectors. Only 38% of respondents report that their organizations have mature controls in place to ensure ongoing monitoring of vendor relationships.
  • All sectors cite resource allocation as a substantial challenge. The technology sector ranks slightly higher than others, but a number of survey results suggest that both resource allocation and resource optimization challenges are growing.
  • All sectors report progress in assessing and managing critical vendors, a fundamental element of good third-party risk management. Forty-one percent have fully mature processes in place to identify and manage their most critical vendors, while only 7% of respondents report that they have not yet begun to identify and separately manage critical vendors. 

Watch

Protiviti hosted a free one-hour webcast on May 1 at 11:00 a.m. PDT to discuss the survey findings and share practical ways to improve vendor risk – click here to watch on-demand.

Read additional posts on The Protiviti View related to VRM.

Was this post helpful to you?

Thanks for your feedback!

Subscribe to The Protiviti View Blog

To face the future confidently, you need to be equipped with valuable insights that align with your interests and business goals.

In this Article

Find a similar post by topics

Authors

Paul Kooney

By Paul Kooney

Verified Expert at Protiviti

EXPERTISE

Gary Roboff

By Gary Roboff

Verified Expert at Protiviti

EXPERTISE

No noise.
Just insights.

Subscribe now

Related posts

Article

What is it about

While the return-to-office decision is often framed in a straightforward manner — we believe collaboration, productivity and innovation flourish more...

Article

What is it about

What you need to know: Aging systems, data silos, regulatory pressures and talent gaps complicate enterprise transformation for public utilities....

Article

What is it about

The top priority for healthcare internal auditors this year is cybersecurity, according to a survey by Protiviti and the Association...

Search