2014 Vendor Risk Management Benchmark Study Executive Summary

Upload: protiviti

Post on 22-Jan-2015


DESCRIPTION

For the full report visit: www.protiviti.com/vendor-risk

For most organizations, understanding vendor risk and how to manage it appropriately has thus far been more art than science. This is changing in part with the development of the first comprehensive Vendor Risk Management Maturity Model (VRMMM) by the Shared Assessments Program, a consortium of leading financial institutions, Big Four accounting firms and key service providers dedicated to helping organizations understand and manage vendor risk effectively. The Shared Assessments Program recently partnered with Protiviti, a global consulting firm, to conduct a third-party risk management benchmarking study based on this maturity model. The study revealed some interesting trends:

• Financial services organizations tend to have relatively mature vendor risk management programs compared to other companies
• Organizations in the insurance subset are at a lower level of maturity in their vendor risk management compared to the financial services set
• Notable areas for improvement include program governance, and policies, standards and procedures

TRANSCRIPT

  • 2014 Vendor Risk Management Benchmark Study

    Executive Summary

  • 2014 Vendor Risk Management Benchmark Study

    Introduction/Executive Summary

    As the volume of outsourced products and services has surged in recent years, so, too, have the risks associated with vendors and third-party providers. This is occurring in highly regulated industries such as financial services and healthcare, in media and retail (as seen in recent news), and in any organization that relies on third-party vendors to manage operations and processes. These vendors include not just data management, IT and security providers, but also facilities management (cleaning, HVAC) along with any vendor that may have access to your network, data or facilities.

    The list of standards and regulations with third-party risk implications is long: Consumer Financial Protection Bureau (CFPB) regulations, ISO 27001/2, the PCI Security Standards Council's data security standards, Office of the Comptroller of the Currency (OCC) Third-Party Risk Guidance, and NIST's Cybersecurity Framework. The urgency to address this risk is further driven home by recent massive and highly publicized security breaches at several large companies, and the resulting public and regulatory scrutiny of the way personal data is managed in a global IT environment.

    Despite this, for most organizations, understanding vendor risk and how to manage it appropriately has thus far been more art than science. This is changing in part with the development of the first comprehensive Vendor Risk Management Maturity Model (VRMMM) by the Shared Assessments Program, a consortium of leading financial institutions, Big Four accounting firms and key service providers dedicated to helping organizations understand and manage vendor risk effectively. The VRMMM sets forth best practices for developing a comprehensive third-party risk program and allows a company to evaluate its program's maturity against development goals.

    The Shared Assessments Program recently partnered with Protiviti, a global consulting firm, to conduct a third-party risk management benchmarking study based on this maturity model.

    Vendor Risk Management Overall Maturity by Area

    Category                                    Maturity Level
    Program Governance                          2.9
    Policies, Standards, Procedures             2.9
    Contracts                                   3.0
    Vendor Risk Identification and Analysis     2.7
    Skills and Expertise                        2.3
    Communication and Information Sharing       2.6
    Tools, Measurement and Analysis             2.4
    Monitoring and Review                       2.9

    "You can have all the security in the world inside your company's four walls, but all it takes is a compromise at one third-party vendor that's connected to you. This creates a bridge directly into your organization."

    Rocco Grillo, Protiviti Managing Director and Shared Assessments Program Steering Committee Member

  • 2014 Vendor Risk Management Benchmark Study

    The study revealed some interesting trends:

    • Financial services organizations tend to have relatively mature vendor risk management programs compared to other companies. This is not a surprise given the highly regulated nature of the financial services industry.

    • Organizations in the insurance subset are at a lower level of maturity in their vendor risk management compared to the financial services set. This finding is a surprise given that the insurance industry also is highly regulated. The results suggest there is substantial room for growth among insurance organizations.

    • Notable areas for improvement include program governance, and policies, standards and procedures. While there is no standard, one-size-fits-all approach to vendor risk management, given the nuanced differences between industries and organizations, mature program governance capabilities, as well as established policies, standards and procedures for vendor risk management, are considered fundamental steps. These two areas should serve as the foundation for establishing effective vendor risk management practices in other areas. Yet the survey results show that most organizations are no more advanced in these critical areas than they are in other components of vendor risk management.

    "If you're outsourcing to or relying on a third party, you can't just shut the door and say it's someone else's problem. You can outsource the function but you ultimately own the risk. If a third party doesn't have the same controls in place or the level of controls you need from a risk management standpoint, you have a serious risk to address."

    Brad Keller, Senior Vice President & Program Director, The Santa Fe Group (which manages the Shared Assessments Program)

  • Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

    www.protiviti.com © 2014 Protiviti Inc. An Equal Opportunity Employer M/F/D/V.

    www.sharedassessments.org

    PRO-0514-101063