The Maturity of Vendor Risk Management
By Rocco Grillo
The results of Protiviti’s 2015 “Vendor Risk Management Benchmark Study,” conducted in partnership with the Shared Assessments Program, can be viewed as cause for optimism—or concern, depending on one’s view of the world.
From a “glass is half empty” perspective, it appears that third-party risk management programs may be stagnating. This year’s survey respondents rated their overall maturity in most of our vendor risk management categories to be virtually identical to levels reported in our 2014 results for the same areas.
For those who favor the “glass is half full” point of view, these changes may reflect increased knowledge among survey respondents who have gained a greater understanding of vendor risk over the past year. This could be due to a number of high-profile data breaches involving vendors as well as the release of new regulatory guidance over the past two years, including the NIST Cybersecurity Framework. In addition, while organizations are striving to make improvements, they also are more accurately assessing the maturity and capabilities of their vendor risk management programs. The prevailing mindset for this view is that organizations have a better understanding of the nature of vendor risks and what is required to avoid and mitigate these threats and, thus, are rating their vendor risk management capabilities accordingly.
Furthermore, there is greater momentum for building stronger vendor risk management programs, as these issues are increasingly becoming a part of the agenda for boards of directors, especially as it relates to loss or exposure of sensitive data through cyberattacks and other compromises. Boards are seeking assurances from management that vendor risk is being assessed, managed and monitored appropriately.
Regardless of one’s perspective, the 2015 survey findings are crystal clear on a crucial point: There is still a lot of vendor risk management work to be done.
The increasing frequency and disconcerting magnitude of cyberattacks (one of the most troubling vendor risks) over the past 12 months, along with a spate of recent and forthcoming regulatory actions, require vendor risk management programs to take a significant leap forward. This change, as a number of regulatory bodies insist, involves fundamental alterations to strategies, processes, organizational cultures and individual mindsets. Iterative improvements—something many organizations may view to be adequate steps—may no longer be sufficient. On this count, our most notable findings are instructive because they point to the types and magnitude of changes that are needed:
There is one final noteworthy insight that also affects how third-party risk is viewed and managed. The number and intensity of vendor risks—and cybersecurity threats, in particular—are increasing. From 2009 to 2014, the number of cybersecurity incidents increased at an average annual rate of 66% (according to PwC research). In other words, whether you perceive the glass to be half-empty or half-full, the glass is growing at an accelerated rate.
Even the more optimistic assessments of the current state of vendor risk management indicate that significant improvements may be needed. The time for progress and improvements in vendor risk management capabilities is now, particularly when considering that cyberattacks and other security incidents are very likely to continue increasing.
Rocco Grillo is a managing director with Protiviti and leader of the firm’s incident response and forensics practice. Gary Roboff is a senior advisor to the Santa Fe Group and Shared Assessments Program. For more information, visit www.sharedassessments.org and www.protiviti.com.