Executive summary: 2014 Vendor Risk Management Benchmark Study

For the full report visit: www.protiviti.com/vendor-risk

For most organizations, understanding vendor risk and how to manage it appropriately has thus far been more art than science. This is changing in part with the development of the first comprehensive Vendor Risk Management Maturity Model (VRMMM) by the Shared Assessments Program, a consortium of leading financial institutions, Big Four accounting firms and key service providers dedicated to helping organizations understand and manage vendor risk effectively. The Shared Assessments Program recently partnered with Protiviti, a global consulting firm, to conduct a third-party risk management benchmarking study based on this maturity model. The study revealed some interesting trends:
• Financial services organizations tend to have relatively mature vendor risk management programs compared to other companies
• Organizations in the insurance subset are at a lower level of maturity in their vendor risk management compared to the financial services set
• Notable areas for improvement include program governance, and policies, standards and procedures

Published in: Business, Economy & Finance

Introduction/Executive Summary

As the volume of outsourced products and services has surged in recent years, so, too, have the risks associated with vendors and third-party providers. This is occurring in highly regulated industries such as financial services and healthcare, in media and retail, as seen in recent news, as well as in any organization that is relying on third-party vendors to manage operations and processes. These vendors include not just data management, IT and security providers, but also facilities management (cleaning, HVAC) along with any vendor that may have access to your network, data or facilities.

The list of standards and regulations with third-party risk implications is long: Consumer Financial Protection Bureau (CFPB) regulations, ISO 27001/2, PCI Security Standards Council's data security standards, Office of the Comptroller of the Currency (OCC) Third-Party Risk Guidance, and NIST's Cybersecurity Framework. The urgency to address this risk is further driven home by recent massive and highly publicized security breaches at several large companies, and the resulting public and regulatory scrutiny of the way personal data is managed in a global IT environment.

Despite this, for most organizations, understanding vendor risk and how to manage it appropriately has thus far been more art than science. This is changing in part with the development of the first comprehensive Vendor Risk Management Maturity Model (VRMMM) by the Shared Assessments Program, a consortium of leading financial institutions, Big Four accounting firms and key service providers dedicated to helping organizations understand and manage vendor risk effectively. The VRMMM sets forth best practices for developing a comprehensive third-party risk program and allows a company to evaluate its program's maturity against development goals.

The Shared Assessments Program recently partnered with Protiviti, a global consulting firm, to conduct a third-party risk management benchmarking study based on this maturity model.

Vendor Risk Management – Overall Maturity by Area

Category                                    Maturity Level
Program Governance                          2.9
Policies, Standards, Procedures             2.9
Contracts                                   3.0
Vendor Risk Identification and Analysis     2.7
Skills and Expertise                        2.3
Communication and Information Sharing       2.6
Tools, Measurement and Analysis             2.4
Monitoring and Review                       2.9

"You can have all the security in the world inside your company's four walls, but all it takes is a compromise at one third-party vendor that's connected to you. This creates a bridge directly into your organization."
Rocco Grillo, Protiviti Managing Director and Shared Assessments Program Steering Committee Member

The study revealed some interesting trends:

• Financial services organizations tend to have relatively mature vendor risk management programs compared to other companies – This is not a surprise given the highly regulated nature of the financial services industry.

• Organizations in the insurance subset are at a lower level of maturity in their vendor risk management compared to the financial services set – This finding is a surprise given that the insurance industry also is highly regulated. The results suggest there is substantial room for growth among insurance organizations.

• Notable areas for improvement include program governance, and policies, standards and procedures – While there is no standard, "one size fits all" approach to vendor risk management given the nuanced differences between different industries and organizations, having mature program governance capabilities, as well as established policies, standards and procedures for vendor risk management, are considered fundamental steps. These two areas should serve as the foundation for establishing effective vendor risk management practices in other areas. Yet the survey results show that most organizations are no more advanced in these critical areas than they are in other components of vendor risk management.

"If you're outsourcing to or relying on a third party, you can't just shut the door and say it's someone else's problem. You can outsource the function but you ultimately own the risk. If a third party doesn't have the same controls in place or the level of controls you need from a risk management standpoint, you have a serious risk to address."
Brad Keller, Senior Vice President, Program Director, The Santa Fe Group (which manages the Shared Assessments Program)

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.
www.protiviti.com | www.sharedassessments.org
© 2014 Protiviti Inc. An Equal Opportunity Employer M/F/D/V. PRO-0514-101063
