Vendor risk management continues to confound many companies, with compliance officers feeling frustrated that the strategies and processes necessary to keep pace with third-party risks are evolving faster than their companies can manage.

That’s one take-away from a survey of nearly 500 risk, audit, IT, and compliance executives conducted by consulting firms Protiviti and the Santa Fe Group, where respondents gave their vendor risk management programs an overall mediocre score of 2.8 on a 5.0 scale.

The findings indicate that more improvements are needed in how companies manage their third-party risks. Amid a much more stringent regulatory landscape and a spike in cyber-attacks that target third-party vendors, “average isn’t good enough; we need to make strides forward,” says Rocco Grillo, a managing director at Protiviti.

Respondents to the survey were benchmarked against the “Vendor Risk Management Maturity Model,” developed by the Shared Assessment Program, a group of financial institutions, Big 4 accounting firms, and third-party risk management executives in the brokerage, healthcare, insurance, retail, and telecommunications industries.

“These are not results that have been scored by an external party,” says Gary Roboff, senior adviser to both the Shared Assessments Program and the Santa Fe Group. Rather, he says, they reflect the individual judgments of the respondents about their own firms.

The survey showed overall scores for companies (on a 1 to 5 scale) in eight categories of vendor risk management:

Policies, standards, and procedures: 2.9

Contracts: 2.9

Program governance: 2.8

Monitoring and review: 2.8

Vendor risk identification and analysis: 2.7

Communication and information sharing: 2.5

Tools, measurement, and analysis: 2.4

Skills and expertise: 2.3

In other words, nobody feels particularly thrilled with any part of his or her vendor risk management program. In all eight categories, however, the financial services industry—particularly financial institutions in the $10 billion to $20 billion asset range—showed much higher levels of maturity in their vendor risk management programs than other industries. “There is no surprise there,” Grillo says. “Financial services are heavily regulated.”

What was surprising, Grillo says, is how other heavily regulated industries, such as insurance and healthcare, continue to lag far behind. That’s not to say that these industries don’t take vendor risk management seriously, he says, but “we had anticipated the results from those two industries to be a little stronger.”


The continued proliferation of cyber-attacks is helping to drive vendor risk management higher up the agenda for boards of directors. “It’s risen to a level of consciousness that didn’t exist until relatively recently,” Roboff says. “For financial services companies, this is old news,” he says, whereas with other industries, “it’s probably hit the board a little harder.”

At a recent Compliance Week executive roundtable held in New York in March, compliance officers aired similar concerns. During that roundtable, several participants said the threat of data breaches at third parties is so acute that they often use data security as the first test to assess the risks posed by a vendor—if the vendor can’t pass that test, the argument goes, don’t even bother with all the other risks; just drop the vendor.

The same due diligence that companies apply to their own incident response plans should also apply to their third parties, Grillo says. For example, third parties should be able to demonstrate how they protect the company’s data, maintain a mature incident response plan, test that plan, and be contractually obligated to report any breaches back to the company, he says.

“It is important to influence your vendor community to actively participate in Information Sharing and Analysis Centers to continually detect and share information about cyber-threats,” Brenda Ward, director of global information security for Aetna, said in the report. “The more information organizations share, the more resilient all of our IT security programs will be.”

One of the most important measures of proper vendor risk management related to data security is knowing who has your data in the first place. “You may think your data is with one company. In reality, it may be at two or three that you didn’t even know existed,” Roboff says.

Conduct due diligence in a “consistent, transparent, repeatable manner,” Grillo advises. Don’t let one vendor slide under the radar, while being harder on another. “It really needs to come down to the risk—the sensitivity of the data they may have,” he says.

Risk Assessments

The survey also found a lack of maturity in how companies perform vendor risk assessments, showing an overall score of 2.7 across the 18 sub-categories in this area.

For example, respondents gave the highest overall score (a 3.0) in the sub-category of “review[ing] vendor requirements with business, IT, legal, and purchasing departments.” They also gave an average score of 2.8 in the sub-categories of “consistently follow[ing] our process to collect and update vendor information,” as well as “determin[ing] vendor assessments to be performed based on risk, tiering, and resources available.”


The Protiviti and Santa Fe Group report shows that companies have the highest level of vendor risk management program maturity in the category “policies, standards, and procedures.” Broken down below are the components of that category and their respective overall scores:

We have established standards for vendor selection and due diligence (3.1);

We have identified key positions involved in the contract management process (3.1);

We have created a vendor selection process (3.1);

We have identified key stakeholders involved in each contract process (3.0);

We have created a process for managing contracts (3.0);

We have defined a vendor risk management policy (3.0);

We research and review all applicable regulatory updates and/or industry standards to ensure the overall program is meeting guidelines applicable to our organization (3.0);

We have obtained senior management approval of policy and risk tiers (3.0);

We have defined a vendor risk classification structure (2.9);

We have identified existing company policies that may affect the contracting process (2.8);

We have defined vendor risk tier assignments (2.8);

We have defined risk categories for each classification in our vendor classification structure (2.7); and

We have established criteria and a process for vendor exit strategies (2.6).
Source: Protiviti and The Santa Fe Group.

On the other hand, respondents gave an overall score of 2.5 in the subcategory of establishing a “vendor remediation plan or an exit strategy that’s validated by management and the vendor” and a 2.4 in the sub-category of consolidating vendor assessments.

“Managing vendor inventory and evaluating internal compliance with vendor onboarding assessment and off-boarding are two areas that require significant attention,” the report stated. Compliance officers at the Compliance Week executive roundtable similarly acknowledged the difficulty of overcoming these hurdles. One participant, for example, said his company is overcoming this challenge through automation, by housing contracts for the company’s vendors in a global database.

One way to rank vendors by the level of risk each poses is to look at the type of activities they perform for the company, Roboff says. If those activities are critical to the company, you need to make sure the vendor is performing exactly the same “security hygiene” processes and procedures that the company performs internally, he says.

Companies also should have a framework in place to establish how they’ll share results with their board and management. “How you communicate, what you communicate, and how often you communicate—those are critically important points,” Roboff says.

“Too many responding organizations appear not to have such a framework in place or are unhappy with their existing approaches,” the report stated. Another way that companies can better assess vendor risks is to collaborate with senior management and the procurement department (assuming your company has one), the report advised.

One emerging practice at some companies is to establish a committee specifically devoted to spelling out effective vendor governance. At GE Capital, for example, the company’s compliance department helped define the scope of third-party risk for GE, and then established committees within each business unit to evaluate vendor risk and decide whether to onboard certain vendors, Luke Brussel, chief anti-corruption officer at GE Capital, said at the Compliance Week roundtable.

Despite some shortcomings in vendor risk management programs, the survey did show some overall positive developments: Companies are not only taking vendor risk management more seriously, Grillo says, they are also more aware of the risks and the controls necessary to address those risks.

They’re critiquing themselves with “a lot more rigor,” he says, “and making sure that if controls aren’t up to par, that they’re not giving themselves a pass.”