RUNNING HARD TO STAY IN PLACE
A company’s reputation established and nurtured for 100 years can suffer severe and lasting damage following just one high-profile cyber attack. As a result, it can be difficult for boards to feel fully confident in how they are monitoring cybersecurity risk, both within the organisation and especially among vendors.
— Scott Laliberte, Managing Director, Global Leader, Security and Privacy Practice, Protiviti.
Increasing pressures in the risk and regulatory environments continue to pose severe challenges to vendor risk management (VRM) programs, often offsetting incremental program improvements over the past 12 months, according to this latest Vendor Risk Management Benchmark Study from the Shared Assessments Program and Protiviti.
THE RESULTS OF OUR STUDY INDICATE THAT:
- There is a strong correlation between a high level of board engagement with VRM issues and VRM capabilities that are firing on all cylinders to reach and sustain superior levels of program maturity.
- To varying degrees across all industries, vendor risk management programs are barely able to keep up with the fast pace of change in the external environment.
- Four in 10 organisations have fully mature VRM programs, but just under a third have only ad hoc or no significant VRM processes.
- Resource constraints in the face of higher risk management costs represent one of the largest VRM challenges for organisations.
This marks the fifth year that the Shared Assessments Program and Protiviti have partnered on this research, which is based on the comprehensive Vendor Risk Management Maturity Model (VRMMM) developed by the Shared Assessments Program. During the past year, Shared Assessments updated the VRMMM with 81 new detailed criteria probing more extensively into critical practice components such as continuous monitoring, data management and security, privacy, fourth party risk management, independent program review, and others. All of these items are covered in this year’s survey.
Shared Assessments is the trusted source in third party risk assurance and is a collaborative consortium of leading industry professionals from financial institutions, assessment firms, technology and GRC solution providers, insurance companies, brokerages, healthcare organisations, retail firms, academia, and telecommunications companies — dedicated to assisting organisations by helping them to understand, manage and monitor vendor risk effectively and efficiently.