Shared Assessments-Protiviti benchmark is flat; board-level engagement correlates with program maturity
Friday, May 10, 2019
By Ted Knutson
For all their attention to, and observable improvements in, vendor risk management, companies are struggling to address mounting cost, regulatory and governance challenges, according to the 2019 Vendor Risk Management Benchmark Study by the Shared Assessments Program and Protiviti.
“To varying degrees across all industries, [VRM] programs are barely able to keep up with the fast pace of change in the external environment,” says the report, which expresses the situation plainly in its title: “Running Hard to Stay in Place.”
An evaluation based on the Shared Assessments-developed Vendor Risk Management Maturity Model places the overall level of program maturity at about 3.0 on a scale of 0 (non-existent) to 5 (continuous improvement). That was virtually unchanged from last year “despite increased regulatory scrutiny; growing cyber threats at a global, national and state level; and a riskier business environment.”
Averaged across all survey criteria, outperforming sectors included insurance/healthcare payer at 3.34, technology at 3.28 and financial services at 3.09. However, in no sector were more than 50% of respondents at a level considered mature.
The survey encompassed 554 risk practitioner and C-suite respondents in a wide range of industries.
When Boards Lead
The analysis found a strong correlation between effective board-of-directors engagement and high maturity ratings. Conversely, “lower board engagement is often a characteristic of underperforming” VRM programs.
The proportion of “highly engaged” boards has climbed in the last three readings from 26% to 29% to the current 32%, the report said. It added that “a lack of board engagement does not necessarily doom a program. Organizations without VRM-engaged boards can build highly mature vendor risk management programs; doing so just takes more work.”
“Four in 10 organizations have fully mature VRM programs,” the study observed, “but just under a third have only ad hoc or no significant VRM processes.”
It described as “staggering” that 20% of organizations with a low level of board engagement and understanding also indicate that their VRM programs are non-existent.
Cyber and IoT Exposure
Rising cybersecurity risks were reflected in the finding that there was a 67% increase in respondents reporting significant disruptions from cyber attack or hacking incidents.
“Untrained general (non-IT) staff represents the greatest cybersecurity danger organizational leaders identify, higher than unsophisticated hackers, cyber criminals and social engineers,” the report said.
Compounding the need for board involvement is the Internet of Things (IoT). The third annual Ponemon Institute study on third-party IoT risk found significant increases in data breaches due to unsecured Internet-connected devices and a lack of centralized risk-management accountability and board engagement.
“This study proves it's no longer a matter of if but when, and board members of organizations need to pay close attention to the issue of risk when it comes to securing a new generation of IoT devices that have found their way into your network, workplace and supply chain,” Catherine Allen, founder and CEO of the Santa Fe Group, managing agent of the Shared Assessments program, said when releasing the Ponemon results on May 7. “The study shows that there's a gap between proactive and reactive risk management. The time to address this issue is now and not later.”
The VRM benchmark survey indicated that many are taking steps to de-risk: 55% said they are extremely or somewhat likely to move or exit risky vendor relationships this year, two points higher than a year ago. “This inclination likely represents an improved ability to identify risky vendor relationships as well as a resource constraint in terms of lacking the expertise, technology and funding needed to mitigate these risks in lieu of exiting the relationship altogether,” the report said.
“The threat landscape is evolving daily, and new risk vectors - from nation-state bad actors, data thefts and high-impact cyber attacks to business model viability and regulatory non-compliance - are making comprehensive vendor risk management programs all the more crucial to organizational stability and continuity,” Paul Kooney, a managing director in Protiviti's security and privacy practice, said when the VRM report was unveiled on April 9.
“This year's benchmark study analyzes more than 200 detailed criteria of a comprehensive vendor risk management program,” he added. “Our survey findings underscore the fact that all risk management programs are running harder just to stay in place, and those that aren't rapidly advancing are falling behind. This has major potential impact on management goals, security postures and, very often, on regulatory mandates.”
The results reinforce the fact that “the threat landscape is morphing almost daily, with nation-state threats, advanced cyber attacks, new forms of activism, potential liability shifts and other factors bringing new importance to vendor risk management practices and programs,” said Santa Fe Group's Catherine Allen, who is Shared Assessments chairman and president. “This benchmark study and the member-driven Shared Assessments Program's vendor risk management tools, best practices, certifications and shared knowledge form the intelligence ecosystem for vendor risk management that's relied upon by leading consulting organizations and risk management practitioners around the world.”