Vendor risk management programs are running harder just to stay in place

Increasing pressures in the risk and regulatory environments continue to pose severe challenges to third-party vendor risk management (VRM) programs, a recent survey by Protiviti and the Shared Assessments Program has shown.

But despite increased regulatory scrutiny at a global, national and state level, growing cyber threats and a riskier business environment, the overall maturity level of VRM programs has neither increased or decreased over the past 12 months.

Survey findings

The survey polled 554 risk management practitioners and C-suite executives on the detailed criteria in the Shared Assessment Vendor Risk Management Maturity Model (VRMMM), an industry standard framework for evaluating the maturity of vendor risk programs, including cybersecurity, IT, privacy, data security and business resiliency controls.

Broken into eight categories, the model explores 211 program elements that should form the basis of a robust, well-run VRM program.

Survey results show that vendor risk management (VRM) programs in the technology and insurance/healthcare payer sectors have achieved the greatest levels of program maturity overall; however, no sector reported more than 50 percent of respondents at a mature level with regard to managing vendor risk.

VRM programs challenges

The technology and insurance sectors also led in fourth-party VRM, confirming companies in these sectors, on average, most carefully assess the risk postures of their vendors’ full ecosystem, including subcontractor relationships.

Among other key survey findings:

  • Strong correlation exists between engagement at the board of directors level and VRM program maturity: 57 percent of organizations reporting high levels of board engagement also report fully functional and advanced VRM programs.
  • Assessing board engagement levels by industry, the tech sector leads, followed by manufacturing and healthcare providers.
  • The tech and insurance sectors lead in fourth-party program maturity, assessing their vendors’ vendors and full ecosystem for risk management practices.
  • Continuous Monitoring, an important aspect to VRM program maturity, lags across all sectors. Only 38 percent of respondents report that their organizations have controls in place to ensure ongoing monitoring of vendor relationships.
  • All sectors cite resource allocation as a substantial challenge. The technology sector ranks slightly higher in overall maturity, but no sector is at an optimal level.
  • All sectors report strong progress in assessing and managing critical vendors. Forty-one percent have fully mature processes in place to identify and manage their most critical vendors, while only 7 percent of respondents report that they have not yet begun to identify and separately manage critical vendors.
  • Resource constraints in the face of higher risk management costs represent one of the largest VRM challenges for organizations.
  • More organizations are moving away from high-risk vendor relationships.

VRM programs challenges

“The threat landscape is evolving daily, and new risk vectors – from nation state bad actors, data thefts and high-impact cyberattacks to business model viability and regulatory non-compliance – are making comprehensive vendor risk management programs all the more crucial to organizational stability and continuity,” said Paul Kooney, a managing director in Protiviti’s security and privacy practice.

“This year’s benchmark study analyzes more than 200 detailed criteria of a comprehensive vendor risk management program. Our survey findings underscore the fact that all risk management programs are running harder just to stay in place, and those that aren’t rapidly advancing are falling behind. This has major potential impact on management goals, security postures and, very often, on regulatory mandates.”