Study finds improving vendor risk-management programs

Increased regulatory scrutiny and cyber-security concerns are leading many companies to become more sophisticated in their approach to managing external vendor risk, according to new research by Protiviti and the Shared Assessments Program.

There was little difference between the results of the previous 2014 and 2015 surveys, but this year companies in all the industries covered have made strides toward having comprehensive vendor risk management programs – with financial services firms leading the way.

For example, two-thirds of all respondents (65%) now have an incident response plan for cyber-security events at vendors, while 75% of financial services organizations have such a plan. Meanwhile, the majority of organizations (61%) surveyed have tested their plans for vendor and other third-party cyber-security events.

Although this year’s results demonstrate a positive trend in vendor risk management, the research also finds that more work is needed for organizations to have fully mature programs.


TONE AT THE TOP
Respondents were asked to rate the maturity of their organization’s vendor risk approach in eight areas. These included contracts; project governance; vendor risk identification and analysis; and tools, measurement and analysis.

The reports states that companies with high levels of board engagement in vendor cyber-security on average score significantly higher across these components.

‘This study documents in detail what many have believed to be true – that for organizations in which boards have high engagement in and knowledge of critical cyber-security risk issues, vendor risk management maturity levels are noticeably higher,’ says Cathy Allen, CEO of The Santa Fe Group.

Although board-level engagement in cyber-security can produce more sophisticated vendor risk management programs, the survey warns that there is room for further improvement. While 39% of boards have a high-level understanding of the cyber-risks within their own company, just 26% are engaged in reducing cyber-risks in vendors that support their organizations.

Cal Slemp, managing director, security program and strategy services, at Protiviti, says: ‘We speak with many client board members who are highly engaged in their organizations' cyber-security risks, which is helping create a strong tone at the top to drive improvements in cyber-security and privacy capabilities.

‘The key now is to build strong board engagement specifically in vendor risk management because it poses just as significant a risk to companies as their own cyber-security practices.’

The report comes shortly after the release of a Deloitte study in the UK, which called for board directors and senior management to take a more proactive approach to vendor and third-party risk management.