An increasing number of companies across nearly all industries expect to exit or change relationships with third-party vendors due to heightened risk levels.
That was one key finding to come from the fourth annual “Vendor Risk Management Benchmark Study” conducted by consulting firms Protiviti and the Santa Fe Group. In this year’s benchmark report, 53 percent of 539 compliance, risk, audit, and IT executives surveyed said that their companies plan to “de-risk” (by either exiting or changing) the third-party vendor relationships that pose the highest risk.
The primary reason respondents offered was that it has “become imperative from a risk and regulatory standpoint to also assess our vendors’ subcontractors.” Put another way, it’s becoming increasingly difficult for companies to get their arms around fourth parties—their vendors’ vendors. “Often, we find that companies don’t even know that their vendor has outsourced part of the work that it’s doing on its behalf,” Gary Roboff, a senior adviser to the Santa Fe Group, said in a podcast discussing the results.
Other primary reasons cited for exiting or changing third-party vendor relationships included cost concerns associated with assessing vendors (29 percent), and a lack of internal support and skills for the sophisticated forensic control testing required of vendors (24 percent).
A wave of new cyber-security-related regulations—such as the EU’s General Data Protection Regulation, China’s complex Cyber Security Law, and the New York Department of Financial Services Cybersecurity Requirements—is creating additional pressure from a regulatory and compliance standpoint.
“Even though companies have made strides in their vendor risk management practices as evident in this year’s survey results, many organizations may not have access to enough vendor risk management expertise to mitigate their risks,” said Cal Slemp, a managing director with Protiviti, leading its security and privacy solutions consulting business globally.
Respondents to the survey were benchmarked against the “Vendor Risk Management Maturity Model,” developed by the Shared Assessments Program, a group made up of financial institutions, Big 4 accounting firms, and third-party risk management executives in the brokerage, healthcare, insurance, retail, and telecommunications industries.
“When it comes to pressing issues—ranging from cyber-security to regulatory compliance and much more—one of the major concerns for organizations today is vendor risk,” said Kevin Donahue, a senior director with Protiviti. “They can manage these risks very well within their own organizations, but may have a lot of trouble figuring out how to manage them with their vendors.”
Respondents to the benchmark report were asked to rate their company’s maturity level (on a 0 to 5 scale) under each of the following eight categories of vendor risk management, and under roughly 130 controls within these categories:
Policies, standards, and procedures;
Monitoring and review;
Vendor risk identification and analysis;
Communication and information sharing;
Tools, measurement, and analysis; and
Skills and expertise.
One positive finding to come from the report: Five out of the eight vendor risk management categories showed improvements in average maturity on a year-over-year basis. “The first few years, in 2014 and 2015, we didn’t see a lot of progress,” says Roboff. “We began to see more forward movement in 2016, and that movement continued in 2017.”
Two categories, in particular—vendor risk identification and analysis, and skills and expertise—demonstrated the greatest gains in maturity level overall. Concerning vendor risk identification and analysis, for example, the three subcategories to show the biggest year-over-year improvements were supporting information-gathering in vendor reviews; executing a formal vendor assessment process; and formally documenting assessment roles and responsibilities.
The sub-category with the lowest maturity level in this category was “having a process in place to determine if a vendor utilizes sub-contractors whenever a vendor contract does not include vendor outsourcing requirements.” This finding “represents a clear call to action, given the critical need to understand and monitor fourth-party (the vendor’s vendors’) risk,” the report stated.
With an overall maturity score of 2.6, the “skills and expertise” category continued to show the lowest level of vendor risk maturity, and yet its maturity level has improved more than any other category over the past two years, the report stated.
In this specific category, four components show the largest year-over-year improvements in the entire benchmark report:
Annually measuring employee understanding of vendor risk management accountabilities and reporting results to management;
Providing training for assigned vendor risk management resources to maintain appropriate certifications;
Routinely measuring or benchmarking the organization’s vendor risk management budget with management reporting to demonstrate return on investment; and
Implementing metrics and reporting for compliance with required training and awareness of vendor risk policies.
But more improvements are needed, particularly given that three vendor risk components in this category received the lowest maturity level scores in the entire survey, the report noted. These components were routinely measuring or benchmarking the organization’s vendor risk management budget with management reporting to demonstrate return on investment; annually measuring employee understanding of vendor risk management accountabilities and reporting results to management; and integrating vendor risk management functions and tools sufficiently into business lines so that overall costs and the budgets for dedicated risk management are reduced.
Another finding from the Protiviti report is that recent cyber-attacks—such as Equifax and WannaCry—appear to have heightened board-level engagement around cyber-security risks. Board engagement concerning vendors’ cyber-security risk continues to lag, however, as compared to board engagement concerning cyber-security risks within a company.
“Boards remain more engaged in their own companies’ internal cyber-security risks than the cybersecurity risks of the organizations’ vendors, which can have negative repercussions if even one of those vendors has a severe data breach,” Slemp said.
Taking the findings of this benchmark report into consideration, a company “should undertake an arms-length evaluation of its third-party risk management program’s effectiveness,” Roboff said. The slow pace of program maturity “suggests that organizations can benefit from expert advice about how to prioritize program improvements,” he said. “The right kind of advice can help people prioritize the improvements they want to make to their program, so that they can arrive at a performance level that is best for that organization.”