Many companies need to beef up vendor risk management programs: U.S. study

Companies may be underperforming in their efforts to ensure robust vendor risk management programs and stringent oversight are in place when outsourcing critical services to third parties, suggests a new study out of the United States.

With cyber attacks and data security threats looming at insecure access points, third-party risk programs across industries lack maturity and are putting data at risk, suggests the 2015 Vendor Risk Management Benchmark Study, released Wednesday by consulting firms Protiviti and Shared Assessments.

In its second year, the study cites the need for companies to enhance resources and adopt new strategies to improve risk management programs – something that is necessary to keep pace with the latest risks and challenges, notes a joint statement from Protiviti and Shared Assessments. Information from 468 C-suite executives, and risk management and audit professionals was examined.

“The increasing frequency and magnitude of cyber security breaches, along with recent and forthcoming regulatory actions, make it imperative that vendor risk management programs make a significant leap forward,” argues Rocco Grillo, a managing director and global leader for incident response and forensic investigations at Protiviti. “This change requires fundamental alterations to strategies, processes and organizational culture,” Grillo says in the statement.

“The study clearly indicates, across industries and leadership roles, that much work needs to be done,” adds Gary S. Roboff, senior advisor with Shared Assessments.

“The number and intensity of vendor risks – and cyber security threats, in particular – are increasing,” the report notes. From 2009 to 2014, the number of cyber security incidents increased at an average annual rate of 66%.

Related 
Cyber attacks and data loss key concerns for supply chain relationships

“The time for progress and improvements in vendor risk management capabilities is now, particularly when considering that cyber attacks and other security incidents are very likely to continue increasing,” the report adds.

The study examined information from almost 470 respondents, who rated their organizations using the Vendor Risk Management Maturity Model (VRMMM), a benchmarking tool from the Shared Assessments Program that measures program quality and maturity.

Respondents were asked to rate the maturity level of each component within eight categories of vendor risk management as it applies to their organizations. The rating scale was from 1 to 5: 5 = continuous improvement – benchmarking, moving to best practices; 4 = fully implemented and operational; 3 = fully defined and established; 2 = determine roadmap to achieve goals; 1 = initial visioning; and 0 = do not perform

In all components, ratings either stayed the same or decreased in 2015 compared with 2014. More specifically, the results were as follows:

• program governance – 2.8, down from 2.9;

• policies, standards, procedures – 2.9, unchanged from 2014;

• contracts – 2.9, down from 3.0;

• vendor risk identification and analysis – 2.7, unchanged from 2014;

• skills and expertise – 2.3, unchanged from 2014;

• communication and information sharing – 2.5, down from 2.6;

• tools, measurement and analysis – 2.4, unchanged from 2014; and

• monitoring and review – 2.8, down from 2.9.

Still, Protiviti and Shared Assessments suggest the seemingly stagnating vendor risk management capabilities in organizations do not necessarily mean progress has note been made.

Increased incidents, greater oversight of IT security risk programs in general, and increased regulatory focus on third-party risks “means that organizations are now more aware of their own program’s strengths and weaknesses, particularly at the C-suite and board level,” notes the joint statement. As well, respondents “may be setting a higher bar for what they deem to be mature levels of vendor risk management,” the firms add.

Other survey findings include the following:

• the overall maturity rating for program governance at 2.8 (below the “fully defined and established” maturity level) should serve as a wake-up call that deeper changes are needed that reach into organizational culture and individual behaviour;

• policies, standards and procedures and contract management – fundamental building blocks that can lay the groundwork for a more mature vendor risk management capability – criteria are the most advanced components of current vendor risk management programs; and

• vendor risk management programs within financial services organizations are relatively more mature compared to companies in insurance, healthcare and other industries, which continue to lag financial institutions in fortifying their vendor risk management capabilities, considering the sensitivity of their data.

“Many organizations are not prepared to manage their own incidents and cyber attacks – let alone plan for third-party incidents and attacks,” Grillo notes in the report. “The same due diligence that organizations apply to their own incident response plans must be applied in this critical area of managing sensitive date outsourced to third parties, including demonstrating how they are protecting the data, maintaining a mature incident response plan, testing the plan, and providing strong contractual service level agreements to report compromises back to the organization,” he emphasizes.

“The good news is that there is greater demand for building more robust vendor risk management programs,” Grillo reports. “This issue is more frequently a part of the agenda for Boards of Directors, who are regularly seeking assurance from management that the appropriate steps are being taken to combat vendor risk.”

Roboff would agree. “Organizations are asking for more resources and effective, efficient strategies to manage third-party risks, and this research tells us that the C-suite is aware of the need for continued vendor risk management improvement,” he says.