Corporate Compliance Insights

With Rising Regulatory Pressures, Risk Programs are Running Hard to Stay in Place

Findings from the 2019 Vendor Risk Management Benchmark Study

by Gary Roboff and Paul Kooney
May 22, 2019
in Featured, Risk

Santa Fe Group’s Gary Roboff and Protiviti’s Paul Kooney discuss today’s increasingly fraught risk environment. Among the findings from a recent study: There’s a growing need for robust third-party risk management and greater board engagement.

Increasing risk and regulatory pressure pose severe challenges to vendor risk management programs and largely offset gains in program effectiveness and efficiency, according to the just-released 2019 Vendor Risk Management Benchmark Study. From The Shared Assessments Program and Protiviti, this fifth-year Benchmarking Study is based on the Shared Assessments Vendor Risk Management Maturity Model (VRMMM), the industry standard reference in determining third-party risk management (TPRM) practice maturity.

The 2019 VRMMM recognizes eight broad categories of performance and incorporates 211 detailed practice criteria, an increase of 81 criteria over the prior edition of the VRMMM. These additional criteria enable exploration of a range of important focus areas, including continuous monitoring, cybersecurity, fourth-party risk management, privacy, resource allocation and optimization and more. The 2019 study by Shared Assessments and Protiviti was conducted during the third quarter of 2018 and is aligned with the updated 2019 VRMMM.

Only four in 10 participating organizations in the 2019 study suggested their vendor risk management programs operate at an acceptable level of maturity. Furthermore, almost one-third have either no TPRM programs or field programs with only ad hoc practices. Maturity scores in the eight VRMMM practice categories were stagnant this year.

Among the highlights of this year’s study:

  • The relationship between board engagement and third-party risk management practice maturity was confirmed using a second approach to data analysis. There is no doubt about the importance of tone of leadership, risk culture and management focus on risk issues.
  • TPRM costs are increasing, and many organizations lack the skills required to effectively utilize the resources they have.
  • More organizations are moving away from high-risk vendors, but the reasons are changing. Difficulty managing fourth-party relationships is still the most important factor (down 7 percent from last year), likely because continuous monitoring techniques have made tracking fourth parties easier. Expense-related concerns were more important, with all four cost-related measures showing increases over the last 12 months.

Board Engagement and Practice Maturity

The 2019 Vendor Risk Management Benchmark Study examined the relationship between board engagement and practice maturity in two ways:

First, the study examined the average maturity of each of the eight VRMMM categories (Governance, Contracts, etc.) and sorted responses by board engagement (see Table 1). This year, 32 percent of organizations indicated that their board was highly engaged and understood cybersecurity issues related to third parties (up from 29 percent last year). This measure represents a “best case” scenario, based on the premise that if a board is not engaged with cybersecurity concerns at third parties, it is unlikely that those boards are focusing on other aspects of third-party risk.

As in past surveys, maturity scores for programs reporting high levels of board engagement are the highest in the survey. This year, overall maturity measured 3.5, where 4.0 is considered fully mature. By contrast, organizations whose boards were minimally engaged reported an average maturity score of 2.3, a level corresponding to only ad hoc TPRM practices.

Table 1: VRMMM Category Practice Maturity Scores and Board Engagement

In a new analysis, the study also calculated the maturity level of TPRM programs within groups, sorted by the degree of board engagement (Table 2). Of organizations with highly engaged boards, 57 percent reported their programs were either fully functional or advanced, while only 22 percent reported having only ad hoc or no TPRM processes in place. On the other hand, 51 percent of organizations with low levels of board engagement reported either no third-party risk management processes or, at best, ad hoc practices, and only 25 percent reported fully functional or advanced programs. Board engagement clearly facilitates the efforts of practitioners.

Table 2: A Macro Perspective on Vendor Risk Management Program Maturity

Increasing Cost Pressures

Again this year, the study explored whether organizations plan to move away from higher-risk vendors (de-risking) during the next 24 months. The percentage of organizations reporting they were either very likely or somewhat likely to do so increased from 53 percent to 55 percent. More than ever, higher vendor risk management costs are a major factor driving the increase in de-risking:

  • The percentage of organizations reporting that they did not have the right technologies in place to assess vendor risk properly rose from 15 percent to 24 percent.
  • The percentage of organizations saying that the cost of vendor assessments is too high rose from 29 percent to 33 percent.
  • The percentage of organizations saying they lacked the internal support and/or skills for the required sophisticated forensic control testing of their vendors rose from 24 percent to 27 percent.

To examine the adequacy of resources available to outsourcers for the purposes of third-party risk management, the 2019 study used seven detailed criteria from the Vendor Risk Management Maturity Model. Additionally, to understand the ability of those outsourcers to optimize their existing resources, five criteria were applied. Robust tone at the top and the strong risk management culture that goes with it typically impacts risk-related resource management over time. For example, when grading their resource adequacy on a scale of 0 to 5, organizations with high levels of board engagement in and understanding of cyber risks related to vendors scored 3.5, while firms with low engagement scored 2.3.

The same pattern emerged when examining resource optimization relationships (see Table 3). From several perspectives, it is clear that board engagement is a strong predictor of third-party risk management practice maturity.

Organizations where the C-suite and board are engaged in and understand the full range of third-party-related risks are likely to have strong working relationships among board risk committees, C-suite executives and risk management professionals. Despite positive progress, the latest Vendor Risk Management Benchmark Study suggests that fewer than one-third of organizations today have boards performing at that high level of understanding and engagement.

Table 3: Two Important Resource Optimization Measures

Communicating Effectively with the Board and C-Suite

Organizations are regularly challenged with better engaging the C-suite and board to improve awareness of third-party risks. This year’s survey reinforces how successful communication accomplishes key high-level goals:

  • Organizations emphasize the importance of third-party risk awareness by showing how third-party risks influence the ability of organizations to achieve their most important strategic goals; and
  • They communicate by using language and metrics that are effective in reinforcing that importance based on the specific characteristics of their organization.

No matter how sophisticated an organization’s metrics, without an ability to tie those indicators to the achievement of specific organizational goals, suboptimal results remain likely.

Recommendations

Where adequate funding is lacking, or where a program is stalled entirely or merely has elements that need improvement, a two-stage attack can be effective.

First, enroll independent expertise to help benchmark the organization’s risk management performance. Within the organization, internal auditors are a good place to start. If a program is not part of an existing enterprise risk management structure, getting closer to enterprise risk people and processes is useful.

Second, make the case to executive management and the board by communicating why closing third-party risk management performance gaps is so important to achieving corporate goals.

Benchmark statistics are essential and can be useful as part of strong communication with the board and C-suite. But metrics alone are not enough. By directly linking third-party risk metrics to specific organizational priorities (and by repeatedly reinforcing those linkages), risk professionals can make the importance of strong vendor risk management programs self-evident.


Tags: Board of Directors, Third Party Risk Management
Gary Roboff and Paul Kooney

Gary Roboff is a Senior Advisor to The Santa Fe Group, which manages the Shared Assessments Program, the trusted, collaborative source for third-party risk management. He focuses on payments, risk management, mobile financial services and information management. Gary has four decades of experience in financial services planning and management, including 25 years at JPMorgan Chase, where he retired as Senior Vice President of Electronic Commerce. Gary has worked extensively in electronic payments, payments fraud, third-party risk management, privacy and information utilization, as well as business frameworks and standards for electronic commerce applications.
Paul Kooney is a Managing Director in Protiviti’s Information Security practice. In his over 20 years in the information technology and information security fields, Paul has managed and delivered security services for organizations in the financial, health care, manufacturing, retail, entertainment, energy, transportation and other industries to assess information security needs and implement solutions.
