Fintech Perspective: Balancing Speed to Market With Sound Risk Management



Christopher Monk, Managing Director
Business Performance Improvement


Tyrone Canaday, Managing Director
Technology Consulting


As financial institutions develop innovative technology, in-house or by partnering with fintech companies, they need to carefully consider regulatory requirements for both third-party risk management and information security. Protiviti hosted a Fintech Innovation webinar on April 5, which addressed the need for banks and other financial institutions to balance sound third-party risk management with the desire for ensuring speed-to-market for new products and services in a bid to remain competitive in today’s marketplace. The attendees primarily consisted of traditional financial services companies (81 percent) – mainly banking organizations and some insurers. Fintech companies represented seven percent of the audience.

We want to highlight some of the results of the polling questions submitted during the webinar because they give insight into the current state of fintech innovation and the areas banking firms are most concerned about as they work to achieve a balance between innovation and sound risk management.

The collaboration is not without challenges. Of those saying they are facing challenges with their third-party risk management programs (a large majority), one-third consider coordinating activities and workflow between different groups in the organization responsible for managing parts of third-party risk, such as the business (the first line of defense), the vendor management office, procurement and the compliance and information security functions, to be the most difficult. Seventeen percent of respondents highlighted the difficulty in gaining coverage of all of the organization’s third parties across all of the lines of business in the enterprise. Other issues include understanding and keeping up to date with all of the evolving regulations, and managing the workload by enhancing the efficiency and scalability of the third-party risk management process.

Most significantly, almost half (44 percent) of all respondents indicated that their organization does not track the risks associated with fintech companies and other vendors effectively.

Addressing the challenges

For institutions that are just beginning their innovation journey, a good starting point is to ensure they understand what their current capabilities are, including those for actively managing third-party risks as well as data security and privacy risks. From there, firms can then begin to consider pushing forward with developing innovative products using a structured research and development (R&D) lifecycle. By layering the two efforts together, firms can ensure third-party considerations are addressed throughout the process, and the level of risk management rigor and scrutiny is increased as they progress through the R&D gates.

During our webinar, Protiviti experts guided attendees through the many ways in which fintech companies are disrupting the marketplace and offered a new third-party risk management framework that can help manage the risks inherent with partnering with smaller, startup firms and launching new technology products and services. You can access the free recorded version here, and we recommend a full listen.

For even more detail on how traditional financial institutions can balance the need for speed-to-market for new products with the need for information security and risk management compliance as best practices, refer to our newly published white paper: Enabling Speed of Innovation Through Effective Third-Party Risk Management.

Paul Kooney of Protiviti’s Security and Privacy practice contributed to this content.

2016 Vendor Risk Management Benchmark Study Results Released

Protiviti and the Shared Assessments Program recently released the results of our jointly conducted 2016 Vendor Risk Management Benchmark Study.

This is the third year that Shared Assessments and Protiviti have partnered on this research, which is based on the comprehensive Vendor Risk Management Maturity Model (VRMMM) developed by the Shared Assessments Program. At right, you’ll find our infographic, and below is our podcast featuring Gary Roboff, senior advisor to Santa Fe Group and Shared Assessments Program, and Cal Slemp, managing director for Protiviti and leader of the firm’s Security Program and Strategy Services practice, discussing the key findings.

Learn more and find our full report at and

More Resources Are Required to Master Third-Party Risks

By Rocco Grillo
Managing Director, IT Risk

As corporate boards, auditors and regulators increase their scrutiny of vulnerabilities associated with third parties, vendor risk management (VRM) – and particularly the danger of lost or compromised data through third-party service providers – remains cause for concern at most organizations. This is what Protiviti’s most recent VRM benchmarking survey revealed. The survey, conducted in partnership with the Shared Assessments Program, collected feedback from directors and senior management at more than 450 organizations across a broad spectrum of industries. The overarching conclusion: a lack of perceived improvement, year over year.

In 2014, Protiviti began working with the Shared Assessments Program, a consortium of financial institutions, Big Four accounting firms and third-party risk management leaders in insurance, brokerage, healthcare, retail and telecommunications, to gauge internal perception of third-party risk management, using Shared Assessments’ proprietary VRM maturity model. The model is a COSO-like framework with 126 detailed components grouped into eight high-level criteria, and is designed to assess an organization’s ability to recognize and remediate third-party vendor risks on a scale of 0 to 5, with 5 being a fully evolved state of continuous improvement.

In our 2015 survey report, we grouped responses according to the respondent’s level of responsibility: chief executive, vice president and manager. For 2015, average responses by category ranged from 2.4 at the C-level to 2.8 for managers. In 2014, the range was 2.3 to 2.8. The average response for vice presidents fell in the middle of this range. Clearly, not a lot of change here.

There are many ways these results could be interpreted. Personally, I’d like to believe the flat results are due to progress, offset by increased expectation. In other words: Vendor risk management practices are improving, but not enough to affect perception in the face of increasing scrutiny and rising expectations. I prefer this “glass half full” approach; you may think differently. In either case, the points below, drawn from the survey, hold true:

  • VRM programs require more substantive advances – Regulatory agencies, most notably the U.S. Office of the Comptroller of the Currency, have asserted that “average” risk management no longer suffices. Organizations must enact the mind shifts, organizational culture and behavioral changes required to meet and exceed rising expectations.
  • Cybersecurity threats are a prominent challenge – High-profile data breaches, often involving millions of customer records and personally identifiable information, are being reported with greater frequency. Strengthening cybersecurity is a top priority, and third-party data security is critical to this effort.
  • Financial services organizations are leading the way – The financial services industry was the first to establish a Coordinating Council for Critical Infrastructure Protection in response to federal pressure in 1998. VRM practices in this sector remain significantly ahead of those in other data-vulnerable industries, including healthcare and insurance.
  • The number and intensity of vendor risks, and cybersecurity threats in particular, is increasing – From 2009 to 2014, the number of cybersecurity incidents increased at an average annual rate of 66 percent.

Regardless of how you interpret the results of our 2015 survey, the message is clear: VRM remediation efforts to date have, at best, kept pace with increasing threats and scrutiny. Organizations need to accelerate their efforts and increase the quantity and quality of resources devoted to this critical governance issue.

I recommend taking a look at the study and related video and podcast here. A VRM self-assessment tool is also available at the link.