Santa Fe Group’s Gary Roboff and Protiviti’s Paul Kooney discuss today’s increasingly fraught risk environment. Among the findings from a recent study: There’s a growing need for robust third-party risk management and greater board engagement.
Increasing risk and regulatory pressure pose severe challenges to vendor risk management programs and largely offset gains in program effectiveness and efficiency, according to the just-released 2019 Vendor Risk Management Benchmark Study. From The Shared Assessments Program and Protiviti, this fifth-year Benchmarking Study is based on the Shared Assessments Vendor Risk Management Maturity Model (VRMMM), the industry standard reference in determining third-party risk management (TPRM) practice maturity.
The 2019 VRMMM recognizes eight broad categories of performance and incorporates 211 detailed practice criteria, an increase of 81 criteria over the prior edition of the VRMMM. These additional criteria enable exploration of a range of important focus areas, including continuous monitoring, cybersecurity, fourth-party risk management, privacy, resource allocation and optimization and more. The 2019 study by Shared Assessments and Protiviti was conducted during the third quarter of 2018 and is aligned with the updated 2019 VRMMM.
Only four in 10 participating organizations in the 2019 study suggested their vendor risk management programs operate at an acceptable level of maturity. Furthermore, almost one-third have either no TPRM programs or field programs with only ad hoc practices. Maturity scores in the eight VRMMM practice categories were stagnant this year.
Among the highlights of this year’s study:
- The relationship between board engagement and third-party risk management practice maturity was confirmed using a second approach to data analysis. There is no doubt about the importance of tone of leadership, risk culture and management focus on risk issues.
- TPRM costs are increasing, and many organizations lack the skills required to effectively utilize the resources they have.
- More organizations are moving away from high-risk vendors, but the reasons are changing. Difficulty managing fourth-party relationships is still the most important factor (down 7 percent from last year), likely because continuous monitoring techniques have made tracking fourth parties easier. Expense-related concerns were more important, with all four cost-related measures showing increases over the last 12 months.
Board Engagement and Practice Maturity
The 2019 Vendor Risk Management Benchmark Study examined the relationship between board engagement and practice maturity in two ways:
First, the study examined the average maturity of each of the eight VRMMM categories (Governance, Contracts, etc.) and sorted responses by board engagement (see Table 1). This year, 32 percent of organizations indicated that their board was highly engaged and understood cybersecurity issues related to third parties (up from 29 percent last year). This measure represents a “best case” scenario, based on the premise that if a board is not engaged with cybersecurity concerns at third parties, it is unlikely that those boards are focusing on other aspects of third-party risk.
As in past surveys, maturity scores for programs reporting high levels of board engagement are the highest in the survey. This year, overall maturity measured 3.5, where 4.0 is considered fully mature. By contrast, organizations where boards were minimally engaged reported average maturity scores of 2.3, only reporting ad hoc TPRM practices.
Table 1: VRMMM Category Practice Maturity Scores and Board Engagement
In a new analysis, the study also calculated the maturity level of TPRM programs within groups, sorted by the degree of board engagement (Table 2). Of organizations with highly engaged boards, 57 percent reported their programs were either fully functional or advanced, while only 22 percent reported having only ad hoc or no TPRM processes in place. On the other hand, 51 percent of organizations with low levels of board engagement reported either no third-party risk management processes or, at best, ad hoc practices, and only 25 percent reported fully functional or advanced programs. Board engagement clearly facilitates the efforts of practitioners.
Table 2: A Macro Perspective on Vendor Risk Management Program Maturity
Increasing Cost Pressures
Again this year, the study explored whether organizations plan to move away from higher-risk vendors (de-risking) during the next 24 months. The percentage of organizations reporting they were either very likely or somewhat likely to do so increased from 53 percent to 55 percent. More than ever, higher vendor risk management costs are a major factor driving the increase in de-risking:
- The percentage of organizations reporting that they did not have the right technologies in place to assess vendor risk properly rose from 15 percent to 24 percent.
- The percentage of organizations saying that the cost of vendor assessments is too high rose from 29 percent to 33 percent.
- The percentage of organizations saying they lacked the internal support and/or skills for the required sophisticated forensic control testing of their vendors rose from 24 percent to 27 percent.
To examine the adequacy of resources available to outsourcers for the purposes of third-party risk management, the 2019 study used seven detailed criteria from the Vendor Risk Management Maturity Model. Additionally, to understand the ability of those outsourcers to optimize their existing resources, five criteria were applied. Robust tone at the top and the strong risk management culture that goes with it typically impacts risk-related resource management over time. For example, when grading their resource adequacy on a scale of 0 to 5, organizations with high levels of board engagement in and understanding of cyber risks related to vendors scored 3.5, while firms with low engagement scored 2.3.
The same pattern emerged when examining resource optimization relationships (see Table 3). From several perspectives, it is clear that board engagement is a strong predictor of third-party risk management practice maturity.
Organizations where the C-suite and board are engaged in and understand the full range of third-party-related risks are likely to have strong working relationships among board risk committees, C-suite executives and risk management professionals. Despite positive progress, the latest Vendor Risk Management Benchmark Study suggests that fewer than one-third of organizations today have boards performing at that high level of understanding and engagement.
Table 3: Two Important Resource Optimization Measures
Communicating Effectively with the Board and C-Suite
Organizations are regularly challenged with better engaging the C-suite and board to improve awareness of third-party risks. This year’s survey reinforces how successful communication accomplishes key high-level goals:
- Organizations emphasize the importance of third-party risk awareness by showing how third-party risks influence the ability of organizations to achieve their most important strategic goals; and
- They communicate by using language and metrics that are effective in reinforcing that importance based on the specific characteristics of their organization.
No matter how sophisticated an organization’s metrics, without an ability to tie those indicators to the achievement of specific organizational goals, suboptimal results remain likely.
Where adequate funding is lacking, or where a program is stalled entirely or merely has elements that need improvement, a two-stage attack can be effective.
First, enroll independent expertise to help benchmark the organization’s risk management performance. Within the organization, internal auditors are a good place to start. If a program is not part of an existing enterprise risk management structure, getting closer to enterprise risk people and processes is useful.
Second, make the case to executive management and the board by communicating why closing third-party risk management performance gaps is so important to achieving corporate goals.
Benchmark statistics are essential and can be useful as part of strong communication with the board and C-suite. But metrics alone are not enough. By directly linking third-party risk metrics to specific organizational priorities (and by repeatedly reinforcing those linkages), risk professionals can make the importance of strong vendor risk management programs self-evident.