Firms Must Improve Third-Party Vendor Management

The vendor risk management programs that organizations have in place are not only not improving, but could actually be stagnating, according to a new study from Protiviti, a global consulting firm, in partnership with the Shared Assessments Program, a collaborative consortium of financial institutions, Big Four accounting firms and third-party risk management leaders.

The “Vendor Risk Management Benchmark Study,” which is based on the Vendor Risk Management Maturity Model developed by the Shared Assessments Program, tabulated the responses of more than 460 executives and managers from a variety of industries. In an online survey conducted in the fourth quarter of 2014 and the first quarter of 2015, these managers and executives were asked to rank their organization’s maturity level in a number of areas related to third-party risk management, including program governance, contracts, and monitoring and review.

The study, in its second year, showed that the overall ratings either stayed the same or dropped slightly in eight different categories, the same ones used in 2014.

Ratings were given on a scale of 1 (lowest) to 5 (highest), but no category received an overall benchmark higher than 2.9. The highest rating, 2.9, was shared by the contracts category and the policies, standards and procedures category.

Rocco Grillo, a managing director with Protiviti and the firm’s global leader for incident response and forensic investigations, says the results could be interpreted as either a glass-half-empty or a glass-half-full situation.

“It may just mean that companies have a better understanding of [third-party risk management] and are taking a harder look at the controls in place,” he says. “To that end, there is optimism that companies are taking a stronger look at how they’re approaching this and with more rigor as to what a mature program should look like.”

Financial Services Industry Ranks at the Top

The data was broken down by industry, which showed the financial industry having somewhat more mature management in place compared with other industries, including health care. “We were surprised to see that [health care] hadn’t fared as well as what we anticipated,” Grillo acknowledges.

“Financial services has been the leader in terms of more mature programs and so forth, but a lot of this stems from being heavily regulated,” he says, adding that the financial services industry is regulated through agencies such as the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC).

Also contributing to the higher maturity ratings in the financial industry is better access to resources, including both staffing and funding, particularly as compared to health care.

The lowest ranking in the study was in the skills and expertise category, which had a 2.3 rating, the same as in 2014. Grillo says that this is an important area since policies, standards and procedures can be ineffective without the right people to carry them out.

“You have to have someone to execute, to be knowledgeable, and to go out and enforce [regulations] on the providers that are providing services to your companies,” he says. “Just because you have a program in place doesn’t mean you have a mature program. Just because you have someone doing vendor-risk management doesn’t mean you have a repeatable process.”

Grillo points out that the same due diligence that is applied in-house needs to be applied to third-party vendors. If not, a compromise that occurs through a third-party vendor becomes much harder to manage than one that occurs in-house.

“You can have all the security in the world within your organization, but the minute you outsource to a third party, they become a drawbridge into your organization,” he warns.