Running Hard to Stay in Place


by Peter Kelley, Owner, Kelley Group Two

The fifth annual extensive study on third party risk, “Running Hard to Stay in Place,” released by Shared Assessments and Protiviti, is broken down by industry sectors and program maturity criteria. This year’s study has some very interesting findings:

  • Awareness of third party risks by an organization’s Board of Directors is a strong indicator of vendor risk management (VRM) program maturity: 57 percent of organizations reporting high levels of board engagement also reported mature and advanced vendor risk management programs.
  • The tech sector leads in board engagement, followed by the manufacturing and healthcare sectors.
  • There were no sectors in which more than 50 percent of respondents reported mature vendor risk management programs. Four in ten organizations had fully mature VRM programs, but almost a third had ad hoc or no program in place.
  • Every sector reports progress over the last year in identifying, assessing and managing their critical third party vendors, with 41 percent reporting mature processes in place. Only 7 percent of respondents have not begun identifying and separately managing critical vendors.
  • Sixty-seven percent more organizations reported serious disruption from a cyber-attack or hacking incident vs. the previous year. The percentage of organizations fixing such issues within one month dropped by 17 percent.
    • Last year, only 28 percent of respondents reported that such fixes took three months to a year.
    • This year, 37 percent of respondents reported that fixing such issues required three months to a year.
  • A majority of organizations (55 percent) are extremely or somewhat likely to move away from high risk relationships.

Survey results show that vendor risk management (VRM) programs in the technology and insurance/healthcare payer sectors have achieved the greatest levels of program maturity overall; however, no sector reported more than 50 percent of respondents at a mature level with regard to managing vendor risk. The technology and insurance sectors also led in fourth-party VRM, confirming that companies in these sectors, on average, most carefully assess the risk postures of their vendors’ full ecosystem, including subcontractor relationships.

“While point-in-time assessments are still extremely valuable, the ever-changing threat landscape requires a rapid capability to understand your vendor ecosystem risks,” said Bob Maley, Chief Security Officer, NormShield CyberSecurity, and member of the Shared Assessments Steering Committee. “The right continuous monitoring capability, tightly integrated into your vendor risk management program, provides valuable information that will allow you to focus on those triggers that indicate there may be trouble ahead.”

The survey polled 554 risk management practitioners and C-suite executives on the detailed criteria in the Shared Assessment Vendor Risk Management Maturity Model (VRMMM), an industry standard framework for evaluating the maturity of vendor risk programs, including cybersecurity, IT, privacy, data security and business resiliency controls. Broken into eight categories, the model explores 211 program elements that should form the basis of a robust, well-run VRM program.

“A company’s reputation established and nurtured for 100 years can suffer severe and lasting damage following just one high-profile cyber attack,” said Scott Laliberte, Managing Director, Global Leader, Security and Privacy Practice, Protiviti. “As a result, it can be difficult for boards to feel fully confident in how they are monitoring cybersecurity risk, both within the organization and especially among vendors.”

The 2019 survey added 81 new practice measures or criteria, in line with the 2019 VRMMM, including those focusing on continuous monitoring, the risk assessment of fourth-party vendor relationships and privacy, thus reflecting the expanding threat landscape and global regulatory compliance demands.

“Keeping pace with regulatory change has become an essential third party risk management skill as even regulations outside of financial services have become more prescriptive: GDPR and the California Consumer Privacy Act (CCPA) are two recent examples,” said Gary Roboff, Senior Advisor, The Shared Assessments Program. “Organizations that anticipate new regulations can eliminate last-minute compliance issues and enjoy more thoughtful business system integration.”

The 2019 “Vendor Risk Management Benchmark Study: Running Hard to Stay in Place” report is available free of charge on the Shared Assessments site and on the Protiviti site, along with an infographic of survey highlights and a podcast. A free one-hour webcast featuring Paul Kooney and Gary Roboff, senior advisor, The Santa Fe Group, Shared Assessments Program, discussing the survey findings and sharing practical ways to improve vendor risk management, will be held on May 1 at 11:00 a.m. PDT.