Four years into a regulatory push to improve vendor risk management, organizations across industries are getting smarter about who they work with and how they are working with them. The rate of improvement, however, may not be fast enough to keep up with the accelerating challenges of the external risk and regulatory environment, according to the 2017 Vendor Risk Management Benchmark Study from Protiviti and the Shared Assessments Program.
Maturity levels in the eight different vendor risk management categories (program governance; policies, standards and procedures; contracts; vendor risk identification and analysis; skills and expertise; communication and information sharing; tools, measurement and analysis; and monitoring and review) either held steady or increased modestly compared to last year’s survey. Board engagement with cybersecurity risks also increased in a meaningful way, although much of that engagement focused on internal, rather than third-party risks. (See infographic.)
Organizations are continuing to evolve on how they structure their oversight of third-party risk in their governance frameworks. There’s been a push, in the past six months to a year, to centralize third-party risk management and set an expectation that the first line of defense — the managers and operating personnel who ultimately sign the contracts and own the risks — establish appropriate risk management policies and have procedures in place to mitigate those risks.
The question is, does the first line understand what they’re signing up for when they sign some of these vendor agreements? Unfortunately the answer, often, is no. This leads to a stronger reliance on second-line personnel to understand, manage and oversee risks posed by specific vendor agreements. That’s not a sustainable vendor risk management model, and could be one of several reasons why so many organizations in our survey this year talk about “de-risking.” More than half of the survey respondents said they were somewhat likely or extremely likely to exit vendor relationships if they are perceived as too risky. In the insurance industry, including healthcare payers, 71 percent were so inclined. That’s a big number.
To a large degree, this heightened concern over third-party governance is about maintaining a company’s reputation, making sure that the company understands who it is working with, and the risks posed by those relationships. But the increased concern is also from the compliance side, as companies across industries prepare to comply with the EU’s General Data Protection Regulation (GDPR), and in the financial sector where pressure to partner with less-regulated fintech providers to take advantage of their customer-focused services has led to a growing concern about the quality of governance, privacy and data management at these third-party providers.
In the financial services industry, regulators have begun to pinpoint specific issues with organizations on how they are either not addressing vendor risk, or not addressing it up to the standards of examiners. The regulatory push is for institutions to ensure that individual vendors are going through a consistent, risk-based process across the third-party lifecycle — from planning to risk assessment and due diligence of the contract, to ongoing monitoring and, ultimately, termination of the relationship. Linkages between those steps are critical so that lessons learned out of, say, due diligence, actually have a bearing on contracts and shape the terms and conditions included to address these regulatory concerns.
De-risking, alone, is neither good nor bad. The associated benefit lies in an organization’s reasons for de-risking and how that company chooses to de-risk. One reason to bring a third-party service in-house is to obtain greater control over the customer experience, for example. A company may choose to bring customer call centers and collections back in-house for that reason.
On the other hand, eliminating vendor relationships in lieu of better governance doesn’t actually address the underlying risks and may expose organizations to even greater vulnerabilities down the road.
From an operational and compliance perspective, the three biggest challenges organizations face in risk-assessing their vendors are:
- Skill sets and competency. A significant number of the personnel in charge of vendor relationships don’t come from a risk background but are being asked to be in a risk management position, which leads to gaps and inconsistencies. This is one of the reasons a lot of organizations now want to manage vendors centrally.
- Competing priorities. Businesses often need to sign vendors quickly to capitalize on a fleeting business opportunity. Deals have been lost due to delays caused by risk management. Managing these conflicting priorities is critical.
- Vendor knowledge. The more data organizations collect on their vendors, the greater the need to understand, manage and make good decisions based on that data. There are tools, and even third-party vendor analysts, to make this process easier; however proper oversight is required.
I would recommend that companies that want to raise their vendor risk management maturity consider making these challenges their priorities to address, to help improve their program governance overall.
This is the fourth year that the Shared Assessments Program and Protiviti have partnered on this research, which is based on the comprehensive Vendor Risk Management Maturity Model (VRMMM) developed by the Shared Assessments Program. You can read the entire report here.