Pace of Change and Resource Allocation Continue to Challenge Companies’ Vendor Risk Management, New Survey Confirms

Paul Kooney, Managing Director Security and Privacy, Protiviti
Gary Roboff, Senior Advisor, The Santa Fe Group Shared Assessments Program

Running just to stay in place – this is what it feels like today for many companies trying to match their vendor risk management (VRM) efforts to the fast-changing risk environment and pressing regulatory demands. Incremental improvements in VRM made last year have been all but wiped out by new cyber threats, and the costs of running a vendor risk management program are rising. This is the picture painted by the latest VRM survey by Protiviti and the Shared Assessments Program, a member-driven leader in third-party risk assurance.

A Standard for Vendor Risk Management

This is the fifth year that the Shared Assessments Program and Protiviti have partnered on this research, which is based on the comprehensive Vendor Risk Management Maturity Model (VRMMM) developed by the Shared Assessments Program. The VRMMM is an industry standard framework for evaluating the maturity of vendor risk programs, including cybersecurity, IT, privacy, data security and business resiliency controls. Broken into eight categories, the model explores 211 program elements that should form the basis of a robust, well-run VRM program.

During the past year, Shared Assessments updated the VRMMM with 81 new detailed criteria, probing more extensively into critical practice components such as continuous monitoring, data management and security, privacy, fourth-party risk management, independent program review and others to reflect the expanding threat environment and global regulatory demands. All of these items are covered in this year’s survey.

The survey findings underscore the fact that any organization not advancing its VRM program is likely to fall behind quickly. Vendor risk management program stagnation has the potential to have a significant impact on an organization’s ability to achieve management goals, maintain desired security postures and, very often, fulfil regulatory mandates.

Of the 28 industry sectors polled, the technology and insurance/healthcare payer sectors have achieved the highest levels of program maturity overall; however, no sector reported more than 50% of respondents at a mature level of vendor risk management practice. The technology and insurance sectors also led in fourth-party VRM, confirming that companies in these sectors, on average, most carefully assess the risk postures of their vendors’ full ecosystem, including subcontractor relationships.

Other Key Findings From the Survey

  • Strong correlation exists between engagement at the board level and VRM program maturity: Fully 57% of organizations reporting high levels of board engagement also report fully functional and advanced VRM programs.
  • When assessing board engagement levels by industry, the technology sector leads, followed by manufacturing and healthcare providers.
  • Continuous monitoring, an important aspect to VRM program maturity, lags across all sectors. Only 38% of respondents report that their organizations have mature controls in place to ensure ongoing monitoring of vendor relationships.
  • All sectors cite resource allocation as a substantial challenge. The technology sector ranks slightly higher than others, but a number of survey results suggest that both resource allocation and resource optimization challenges are growing.
  • All sectors report progress in assessing and managing critical vendors, a fundamental element of good third-party risk management. Forty-one percent have fully mature processes in place to identify and manage their most critical vendors, while only 7% of respondents report that they have not yet begun to identify and separately manage critical vendors. 

Join Us

Protiviti will host a free one-hour webcast on May 1 at 11:00 a.m. PDT to discuss the survey findings and share practical ways to improve vendor risk – click here to register. The complete, complementary survey report can be downloaded from the Shared Assessments site and the Protiviti site,

Add comment