2017 Vendor Risk Management Benchmark Study
The Shared Assessments Program and Protiviti Examine the Maturity of Vendor Risk Management
protiviti.com · sharedassessments.org
Table of Contents
• Executive Summary
• Methodology
• Board Engagement, Cybersecurity, Incident Response and De-Risking
• Program Governance
• Policies, Standards and Procedures
• Contracts
• Vendor Risk Identification and Analysis
• Skills and Expertise
• Communication and Information Sharing
• Tools, Measurement and Analysis
• Monitoring and Review
• Demographics
Executive Summary
As rapidly changing risk and regulatory environments continue to challenge vendor risk
management capabilities, the results of the latest Vendor Risk Management Benchmark Study
show that:
• Organizations in all industries are making incremental progress in improving how they manage vendor and third party risks.
• Governing boards are increasing their level of engagement with cybersecurity risks, an important trend because board engagement continues to correlate highly with self-reported third party risk management practice maturity.
• A majority of companies plan to de-risk (via exiting or changing) third party vendor relationships that pose the highest risks.
This is the fourth year that the Shared Assessments Program and Protiviti have partnered
on this research, which is based on the comprehensive Vendor Risk Management Maturity Model (VRMMM) developed by the Shared Assessments Program. Shared Assessments
is the trusted source in third party risk management and is a collaborative consortium of
leading industry professionals from financial institutions, assessment firms, technology and
GRC solution providers, insurance companies, brokerages, healthcare organizations, retail
firms, academia, and telecommunications companies — dedicated to assisting organizations
by helping them to understand, manage and monitor vendor risk effectively and efficiently.
On the surface, the maturity levels this year in the eight
different vendor risk management categories contained
in the VRMMM either held steady or increased modestly
compared to last year’s survey results. However, a closer
look reveals a more nuanced picture. Five out of eight
categories improved in average maturity on a year-over-year
basis. Numerous vendor risk activities within two
categories — Vendor Risk Identification and Analysis,
and Skills and Expertise — posted major improvements.
The board’s engagement with cybersecurity risks also
increased in a meaningful way, although the board’s
engagement with vendors’ cybersecurity risks continues
to lag behind board awareness of cybersecurity risks
inside the organization.
Many other elements of vendor risk management still
require improvement. This is the case partly because
the challenges associated with a volatile external risk
and regulatory environment may be outpacing the rate
of vendor risk management improvements occurring
inside organizations.
Massive and costly cyberattacks — including WannaCry,
Petya and the Equifax hack, among others — have
struck in the past 12 months, forcing organizations,
and healthcare providers in particular, to rethink
key components of their vendor risk management
approaches. New cybersecurity-related regulations,
such as the European Union’s General Data Protection
Regulation (GDPR), China’s complex Cybersecurity Law
(CSL) and the stringent New York State Department of
Financial Services (NYDFS) Cybersecurity Regulation,
also have appeared or taken effect in the past year.
Despite the significant strides organizations have
made in training and educating employees on vendor
risk management, which are evident in this year’s
survey results, many organizations may not have
access to enough vendor risk management expertise.
Our Key Findings
1. Vendor risk management is improving — This year’s overall vendor risk management maturity levels show modest improvement, but compared to last year’s survey results, several categories improved more significantly, suggesting that more organizations recognize the importance of vendor risk management during a time when the external risk environment is changing quickly.
2. Boards have set their sights on cybersecurity — Board-level engagement with cybersecurity risks improved significantly on a year-over-year basis. However, there continues to be an “engagement gap” in that boards remain more engaged with the organization’s internal cybersecurity risks than cybersecurity risks to the organization’s vendors. And organizations with less engaged boards report significantly lower levels of third party risk management practice maturity.
3. “De-risking” vendors is on the rise — A majority of organizations expect to exit or change relationships with vendors due to heightened risk levels. Insurance companies, including healthcare payers, appear much more likely to make these de-risking moves in the coming year, with fourth party risk, cost concerns and a lack of internal expertise to evaluate vendor controls cited as the primary reasons.
Vendor Risk Management Maturity Levels, Fully Defined
5 = Continuous improvement: The organization is striving toward operational excellence, understands what are currently best-in-class performance levels and regularly implements program changes to achieve them.
4 = Fully implemented and operational: The vendor risk management activity is fully operational and all compliance measures are in place.
3 = Fully determined and established: The organization has fully defined, approved and established the vendor risk management activity, but it is not yet fully operational. Metrics and enforcement are not yet fully in place.
2 = Determining roadmap to achieve success: There is a management-approved plan to structure the activity as part of an effort to achieve full program implementation, but the vendor risk management activity is performed on an ad hoc basis.
1 = Initial visioning: The organization is considering how to best structure this activity as part of an effort to achieve full implementation. Vendor risk management activity is performed on an ad hoc basis.
0 = Non-existent: The vendor risk management activity is not performed within the organization.
Vendor Risk Management — Overall Maturity by Area
Category                                  2017 Index  2016 Index  2015 Index
Program Governance                        3.0         3.0         2.8
Policies, Standards and Procedures        3.1         3.1         2.9
Contracts                                 3.1         3.1         2.9
Vendor Risk Identification and Analysis   3.1         2.9         2.7
Skills and Expertise                      2.9         2.7         2.3
Communication and Information Sharing     3.0         2.9         2.5
Tools, Measurement and Analysis           2.9         2.8         2.4
Monitoring and Review                     3.1         3.0         2.8
Assessing Results by Respondent Role
To identify notable trends in the data, we also tabulated
our 2017, 2016 and 2015 survey results by respondent
role. Over the past three years, there is an overall trend
showing that the higher the level of respondent in the
organization, the lower the assessed score is for a vendor
risk component or category. C-level maturity scores, on
average, are unchanged from last year’s survey.
Vendor Risk Management Category (columns: C-Level 2017 2016 2015; VP/Director Level 2017 2016 2015; Manager Level 2017 2016 2015)
Program Governance 2.8 2.8 2.9 3.0 3.2 2.8 3.1 3.1 3.2
Policies, Standards and Procedures 2.8 2.8 2.8 3.1 3.2 2.8 3.2 3.2 3.0
Contracts 2.8 3.0 2.7 3.1 3.3 2.8 3.2 3.2 3.0
Vendor Risk Identification and Analysis 2.8 2.8 2.4 3.1 3.0 2.7 3.2 3.0 2.8
Skills and Expertise 2.6 2.5 1.9 3.0 2.8 2.1 2.9 2.7 2.5
Communication and Information Sharing 2.7 2.7 2.2 3.0 3.0 2.3 3.1 3.0 2.7
Tools, Measurement and Analysis 2.7 2.7 2.0 2.9 2.9 2.3 3.0 2.9 2.6
Monitoring and Review 2.9 3.0 2.6 3.1 3.1 2.7 3.2 3.1 2.9
Average 2.8 2.8 2.4 3.0 3.1 2.6 3.1 3.0 2.8
Management level (average score)  2017  2016  2015
C-Level                            2.8   2.8   2.4
VP/Director                        3.0   3.1   2.6
Manager                            3.1   3.0   2.8
Assessing Results by Industry
Viewing four-year trends in the results by industry
group, there have been notable improvements in third
party risk management, most notably in the Insurance
and Healthcare Payer segment. (Note: Detailed results
for these industry groupings are provided in each vendor
risk category section in our report.)
[Figure: 2014 and 2017 – Percentage Change in Vendor Risk Management Maturity by Industry. Y-axis: percentage change in maturity level (0% to 60%); x-axis: the eight VRMMM categories (Program Governance; Policies, Standards and Procedures; Contracts; Vendor Risk Identification and Analysis; Skills and Expertise; Communication and Information Sharing; Tools, Measurement and Analysis; Monitoring and Review). Series: Financial Services; Insurance/Healthcare Payer; Healthcare Provider; All other industries.]
2014 and 2017 Category Averages – Financial Services (maturity level)
Category                                  2014   2017
Program Governance                        3.30   3.34
Policies, Standards and Procedures        3.40   3.50
Contracts                                 3.20   3.34
Vendor Risk Identification and Analysis   3.20   3.33
Skills and Expertise                      2.60   3.07
Communication and Information Sharing     2.90   3.24
Tools, Measurement and Analysis           2.80   3.15
Monitoring and Review                     3.10   3.25
2014 and 2017 Category Averages – Insurance/Healthcare Payer (maturity level)
Category                                  2014   2017
Program Governance                        2.80   3.27
Policies, Standards and Procedures        3.00   3.29
Contracts                                 2.90   3.44
Vendor Risk Identification and Analysis   2.60   3.28
Skills and Expertise                      2.00   3.06
Communication and Information Sharing     2.30   3.12
Tools, Measurement and Analysis           2.00   2.97
Monitoring and Review                     3.10   3.35
2014 and 2017 Category Averages – Healthcare Provider (maturity level)
Category                                  2014   2017
Program Governance                        2.70   2.85
Policies, Standards and Procedures        2.70   2.87
Contracts                                 2.70   3.04
Vendor Risk Identification and Analysis   2.30   2.94
Skills and Expertise                      2.20   2.54
Communication and Information Sharing     2.20   2.76
Tools, Measurement and Analysis           2.20   2.70
Monitoring and Review                     2.50   3.04

2014 and 2017 Category Averages – All Other Industries (maturity level)
Category                                  2014   2017
Program Governance                        2.80   2.83
Policies, Standards and Procedures        2.80   2.91
Contracts                                 2.90   2.96
Vendor Risk Identification and Analysis   2.50   2.91
Skills and Expertise                      2.10   2.75
Communication and Information Sharing     2.40   2.94
Tools, Measurement and Analysis           2.20   2.80
Monitoring and Review                     2.80   3.04
Methodology
The Vendor Risk Management Benchmark Study was
conducted online by the Shared Assessments Program
and Protiviti in the second and third quarters of 2017,
with 539 executives and managers participating in
the study. Using governance as the foundational
element, the survey was designed to comprehensively
review the components of a robust third party risk
management program.
Respondents were presented with different components
of vendor risk under eight vendor risk management
categories:
• Program Governance
• Policies, Standards and Procedures
• Contracts
• Vendor Risk Identification and Analysis
• Skills and Expertise
• Communication and Information Sharing
• Tools, Measurement and Analysis
• Monitoring and Review
For each component, respondents were asked to rate
the maturity level as that component applies to their
organization, based on the following scale:
5 = Continuous improvement
4 = Fully implemented and operational
3 = Fully determined and established
2 = Determining roadmap to achieve success
1 = Initial visioning
0 = Non-existent
The survey also included a special section on board
engagement, cybersecurity, incident response and
de-risking.
Board Engagement, Cybersecurity, Incident Response and De-Risking
As we did in 2016, this year’s report includes a special
section on cybersecurity and incident response capabilities
of organizations. We also polled participants
about the extent to which, and the reasons why, their
organizations may be moving to exit or “de-risk” third
party relationships with the highest risk.
Significant levels of de-risking activity are occurring
across nearly all industries. A majority of companies
said they are likely to de-risk third party relationships
over the next year, with insurance and healthcare
payer organizations leading the way.
The reasons for ending or changing vendor relationships
to reduce risk are eye-opening. They include fourth
party risk assessment (which represents the primary
reason), costs (associated with assessing vendors), and
a lack of internal support and skills required to test
vendor controls sufficiently. For C-suite executives and
healthcare provider organizations, a lack of internal
resources represents the top reason for de-risking. The
apparent lack of internal expertise is disconcerting
at a time when all industries, especially healthcare
providers, face a pressing need to test and monitor the
ability of vendors’ controls to address risks, especially
those pertaining to cybersecurity.
On a positive note, the maturity levels of organizational
and third party incident-response processes show
year-over-year improvement, as does the board’s level
of engagement with regard to cybersecurity risks (both
internally and among vendors).
Key Observations
• The de-risking results rank among the most compelling findings in this year’s survey. A high number of companies are likely to terminate or alter relationships with some vendors over the next year due to heightened risk levels, driven at least in part by fourth party risk issues, cost concerns, and a lack of internal expertise in evaluating vendor controls.
• The board’s engagement and understanding with regard to cybersecurity risks increased significantly compared to last year’s survey results.
• However, the board’s engagement with cybersecurity risks among vendors continues to lag behind the board’s engagement with operational cybersecurity risk inside the organization. Less than 30 percent of boards are highly engaged with cybersecurity issues relating to third parties. This gap requires attention.
• Organizations with low levels of third party board engagement show alarmingly low maturity levels in two vendor risk management categories, in particular: Skills and Expertise; and Tools, Measurement and Analysis.
• More companies this year experienced a significant disruption from a recent cybersecurity breach compared to a year ago. Alarmingly, more than half of healthcare providers experienced a significant disruption from a cybersecurity breach in the past 24 months.
• It is encouraging to see that more organizations have an incident response plan in place for addressing events that strike vendors — and that more of these plans are being tested.
Cybersecurity Risks — Business and Internal Operations: maturity level by board engagement
Vendor Risk Management Category (columns: High engagement and level of understanding by the board; Medium engagement and level of understanding by the board; Low engagement and level of understanding by the board)
Program Governance 3.4 2.8 2.5
Policies, Standards and Procedures 3.4 3.0 2.5
Contracts 3.5 3.0 2.5
Vendor Risk Identification and Analysis 3.4 2.9 2.4
Skills and Expertise 3.2 2.7 2.3
Communication and Information Sharing 3.4 2.9 2.5
Tools, Measurement and Analysis 3.3 2.7 2.4
Monitoring and Review 3.5 3.0 2.6
Average 3.4 2.9 2.5
How engaged is your board of directors with cybersecurity risks relating to your business and internal operations?
2017 2016
High engagement and level of understanding by the board 42% 39%
Medium engagement and level of understanding by the board 38% 37%
Low engagement and level of understanding by the board 14% 17%
Not shown: “Don’t know” responses
How engaged is your board of directors with cybersecurity risks relating to your vendors?
2017 2016
High engagement and level of understanding by the board 29% 26%
Medium engagement and level of understanding by the board 39% 37%
Low engagement and level of understanding by the board 25% 27%
Not shown: “Don’t know” responses
Cybersecurity Risks — Vendors: maturity level by board engagement
Vendor Risk Management Category (columns: High engagement and level of understanding by the board; Medium engagement and level of understanding by the board; Low engagement and level of understanding by the board)
Program Governance 3.5 3.0 2.5
Policies, Standards and Procedures 3.6 3.1 2.6
Contracts 3.6 3.1 2.6
Vendor Risk Identification and Analysis 3.6 3.1 2.4
Skills and Expertise 3.5 2.9 2.2
Communication and Information Sharing 3.6 3.1 2.4
Tools, Measurement and Analysis 3.6 2.9 2.2
Monitoring and Review 3.6 3.1 2.6
Average 3.6 3.0 2.5
Has your organization experienced a significant disruption within the past two years resulting from a cyberattack or hacking incident?
2017 2016
Yes 18% 16%
No 77% 79%
Don’t know 5% 5%
How soon after the cyberattack or incident occurred was your organization able to address the issue sufficiently and incorporate additional security measures to prevent a similar incident in the future?
2017 2016
Within 1 month 40% 38%
Within 2 to 3 months 26% 21%
Within 3-6 months 23% 24%
Within 6 months to 1 year 5% 6%
More than a year 4% 3%
Don’t know 2% 8%
Key Facts
Percentage of organizations with an incident response plan in place to respond to events at vendors or third parties: 72% (2017), 65% (2014)
Percentage of these organizations that are testing the incident response plan with their vendors or third parties: 67% (2017), 61% (2014)
Over the next 12 months, what is the likelihood that your organization will move to exit or “de-risk” third party relationships that are determined to have the highest risk?
Extremely likely 14%
Somewhat likely 39%
Somewhat unlikely 24%
Not at all likely 13%
Don’t know 10%
Which of the following are reasons why your organization may be more inclined to exit or “de-risk” certain third party relationships? (Multiple responses permitted.)
It’s become imperative from a risk and regulatory standpoint to also assess our vendors’ subcontractors. 48%
The cost associated to assess our vendors properly is becoming too high. 29%
We lack the internal support and/or skills for the required sophisticated forensic control testing of our vendors. 24%
We will not receive sufficient internal support to “de-risk” our third party relationships. 18%
We do not have the right technologies in place to assess vendor risk properly. 15%
Key Facts
71% of insurance companies, including healthcare payers, are likely over the next 12 months to de-risk or exit third party relationships that are determined to have the highest risk.
Program Governance
Overall level of maturity: 3.02
Key Observations
• The overall level of maturity for Program Governance
held steady from 2016 to 2017. Of note, C-level
respondents evaluated the overall level of Program
Governance maturity lower this year compared to
last year’s survey results.
• Few Program Governance components demonstrated
significantly different levels of maturity
compared to last year’s results, with two exceptions:
the maturity level for the component of evaluating
key risk and performance indicators provided in
management and board reporting, which declined,
and the component of revising corporate vendor
risk policy as needed to achieve strategic objectives,
which improved.
• Adequate allocation of resources to vendor risk
management activities represents a consistent need
evident across a number of different vendor risk
components, including Program Governance.
Program Governance — Overall Results
Vendor Risk Component 2017 2016 YOY Change
1 We define organizational structures that establish responsibility and accountability for overseeing our vendor relationships. 3.06 3.10 -0.04
2 The organizational structure of our vendor risk management program operates independently of our business lines. 2.88 2.83 0.05
3 We have established a formal program review schedule. 3.08 NA NA
4 We articulate the goals and objectives of our organization. 3.27 3.31 -0.04
5 We align specific vendor management objectives with our strategic organizational objectives. 2.85 2.91 -0.06
6 We define vendor management policies that include risk management, security, privacy and other areas that are in alignment with our existing organizational policies and objectives. 3.14 3.09 0.05
7 We allocate sufficient resources for vendor risk management activities. 2.78 2.82 -0.04
8 We communicate to our organization the requirements for risk-based vendor management. 3.07 3.07 0.00
9 We determine the business value expected from our outsourced business relationships, we understand the acceptable range of business risks our organization is willing to assume in pursuing these benefits, and we determine that risks are in alignment with our vendor risk policy. 2.96 2.98 -0.02
10 We define risk monitoring practices and establish an escalation process for exception conditions. 3.06 3.12 -0.06
11 We evaluate key risk and performance indicators provided in management and board reporting. 2.95 3.10 -0.15
12 We revise corporate vendor risk policy as needed to achieve strategic objectives. 3.07 2.98 0.09
Category Averages 3.02 3.03 -0.02
Commentary
While governance marks a foundational enabler of
vendor risk management success, it also is a more
complex capability that requires more time, effort and
adjustments — many of which center on relationships
— to improve. The most elegantly designed governance
approach can fall flat once the plan is executed and
collides with resistance to change, territorial quarrels
and other real-world obstacles. Although the overall
level of maturity for Program Governance did not rise
compared to last year’s findings, it has made strides over
the longer term. Further, while the maturity level for
evaluating key risk and performance indicators provided
in management and board reporting showed a surprising
decline this year, it is encouraging that companies have
improved the ability to revise corporate vendor risk
policy as needed to achieve strategic objectives. This
progress notwithstanding, it is crucial to ensure that all
areas of vendor risk management, including Program
Governance, receive sufficient funding and resources.
Program Governance – Industry Results*
[Figure: two panels (2017 and 2014) plotting maturity level (1.5 to 4.0) for Vendor Risk Components 1, 4, 5, 6, 7, 8, 9, 10, 11, 12, 2, 3; series: Financial Services, Insurance/Healthcare Payer, Healthcare Provider, All other industries. Values are not reproduced in the text.]
*Please refer to the Overall Results table for the Vendor Risk Components numbered in each x-axis. The order has been adjusted to more easily compare the 2014 and 2017 results, as there have been changes to the VRMMM over that time span. This also is why some components do not have results for 2014.
Program Governance — Focus on the Financial Services Industry
Maturity level by Assets Under Management (columns, in order: < $1B; $1B to $5B; $5B to $10B; $10B to $25B; $25B to $50B; $50B to $250B; > $250B)
We define organizational structures that establish responsibility and accountability for overseeing our vendor relationships. 2.90 3.68 2.89 3.53 3.33 3.80 3.42
The organizational structure of our vendor risk management program operates independently of our business lines. 2.85 3.57 2.95 3.67 3.33 3.55 3.46
We have established a formal program review schedule. 3.10 3.70 3.37 3.80 3.89 3.70 3.27
We articulate the goals and objectives of our organization. 2.95 3.86 3.26 3.80 4.00 3.60 3.42
We align specific vendor management objectives with our strategic organizational objectives. 2.75 3.32 2.68 2.87 3.89 3.10 3.31
We define vendor management policies that include risk management, security, privacy and other areas that are in alignment with our existing organizational policies and objectives. 2.85 4.00 3.05 3.80 4.11 3.30 3.52
We allocate sufficient resources for vendor risk management activities. 2.80 3.71 2.83 3.00 2.89 3.21 3.19
We communicate to our organization the requirements for risk-based vendor management. 2.80 3.89 2.95 3.53 3.89 3.70 3.31
We determine the business value expected from our outsourced business relationships, we understand the acceptable range of business risks our organization is willing to assume in pursuing these benefits, and we determine that risks are in alignment with our vendor risk policy. 2.70 3.71 2.63 3.07 3.22 3.30 2.92
We define risk monitoring practices and establish an escalation process for exception conditions. 3.00 3.71 2.89 3.47 3.56 3.25 3.19
We evaluate key risk and performance indicators provided in management and board reporting. 3.05 3.75 2.84 3.33 3.44 3.40 2.92
We revise corporate vendor risk policy as needed to achieve strategic objectives. 3.25 3.85 3.00 3.33 4.00 3.37 3.42
Category Averages 2.92 3.73 2.95 3.43 3.63 3.44 3.28
Policies, Standards and Procedures
Overall level of maturity: 3.11
Key Observations
• Although the overall maturity level of Policies,
Standards and Procedures changed minimally
compared to prior year results, several vendor risk
components in this category demonstrated significant
improvement; moreover, none of the individual
components declined significantly.
• Areas that displayed the greatest increases in maturity
include having a defined vendor classification
structure; researching and reviewing all applicable
regulatory updates and/or industry standards to
ensure the overall program is meeting guidelines
applicable to the organization; having a defined
vendor risk management policy; and having defined
vendor risk tier assignments.
Policies, Standards and Procedures — Overall Results
Vendor Risk Component 2017 2016 YOY Change
1 We have defined a vendor risk management policy. 3.17 3.07 0.10
2 We have defined vendor risk tier assignments. 2.98 2.89 0.09
3 We research and review all applicable regulatory updates and/or industry standards to ensure the overall program is meeting guidelines applicable to our organization. 3.18 3.06 0.11
4 We have obtained senior management approval of policy and risk tiers. 3.17 3.14 0.03
5 We have established standards for vendor selection and due diligence. 3.23 3.24 -0.01
6 We have created a vendor selection process. 3.19 3.23 -0.04
7 We have defined a vendor classification structure. 3.14 3.01 0.12
8 We have defined risk categories for each classification in our vendor classification structure. 3.01 2.99 0.03
9 We have identified existing company policies that may affect the contract process. 3.08 3.04 0.04
10 We have identified key stakeholders involved in each contract process. 3.16 3.17 -0.01
11 We have created a process for managing contracts. 3.35 3.32 0.02
12 We have identified key positions involved in the contract management process. 3.25 3.26 -0.01
13 We have established the criteria for vendor exit strategies. 2.86 2.83 0.03
14 We have established a process for vendor exit strategies. 2.81 NA NA
Category Averages 3.11 3.10 0.02
Commentary
Peer inside a leading vendor risk management capability
and you will discover board-approved Policies, Standards
and Procedures that are applied consistently throughout
the enterprise and that address the complete vendor
lifecycle, from pre-selection due diligence, to ongoing
management according to the contractual terms,
to the renewal of the contract or the relationship’s
termination. The most effective Policies, Standards and
Procedures undergo regular reviews and adjustments in
response to changing risks and regulations.
Despite the lack of year-over-year improvement in
overall maturity level, only three of the 14 vendor risk
components in this category showed minimal declines
in maturity. The vendor risk components showing the
largest increases in maturity levels suggest that
vendor risk management professionals are attuned
to the current risk and regulatory environment.
For example, having a defined vendor risk management
policy, one that features a defined classification
structure and vendor risk tier assignments, is a critical
enabler of a fully implemented and operational vendor
risk management capability. Additionally, the ability
to monitor and review regulatory updates and industry
standards as a means of ensuring the overall program is
meeting all relevant guidelines has become especially
important as numerous regulatory changes — and new
compliance requirements — are introduced.
Policies, Standards and Procedures — Industry Results*
[Figure: two panels (2017 and 2014) plotting maturity level (1.5 to 4.0) for Vendor Risk Components 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13&14, 3; series: Financial Services, Insurance/Healthcare Payer, Healthcare Provider, All other industries. Values are not reproduced in the text.]
*Please refer to the Overall Results table for the Vendor Risk Components numbered in each x-axis. The order has been adjusted to more easily compare the 2014 and 2017 results, as there have been changes to the VRMMM over that time span. This also is why some components are combined and some do not have results for 2014.
Policies, Standards and Procedures — Focus on the Financial Services Industry
Maturity level by Assets Under Management (columns, in order: < $1B; $1B to $5B; $5B to $10B; $10B to $25B; $25B to $50B; $50B to $250B; > $250B)
We have defined a vendor risk management policy. 3.45 3.81 3.11 3.87 3.89 3.90 3.72
We have defined vendor risk tier assignments. 3.25 3.85 3.32 3.67 4.22 3.65 3.46
We research and review all applicable regulatory updates and/or industry standards to ensure the overall program is meeting guidelines applicable to our organization. 3.45 4.00 3.37 3.80 4.22 3.60 3.44
We have obtained senior management approval of policy and risk tiers. 3.60 4.19 3.37 3.73 4.33 3.60 3.42
We have established standards for vendor selection and due diligence. 3.45 4.11 3.05 3.87 4.11 3.95 3.42
We have created a vendor selection process. 3.15 3.96 3.29 3.07 3.67 3.45 3.38
We have defined a vendor classification structure. 3.20 3.89 3.22 3.40 4.22 3.60 3.54
We have defined risk categories for each classification in our vendor classification structure. 3.20 4.07 3.16 3.80 3.78 3.55 3.36
We have identified existing company policies that may affect the contract process. 2.95 4.04 2.89 3.13 3.44 3.70 3.15
We have identified key stakeholders involved in each contract process. 3.00 3.93 2.89 3.53 3.67 3.80 3.23
We have created a process for managing contracts. 3.60 4.12 3.32 3.60 3.78 3.70 3.27
We have identified key positions involved in the contract management process. 3.55 4.07 3.21 3.47 3.78 3.60 3.12
We have established the criteria for vendor exit strategies. 2.80 3.63 2.84 2.87 3.44 3.15 2.85
We have established a process for vendor exit strategies. 2.45 3.52 2.68 3.13 3.56 3.25 2.96
Category Averages 3.22 3.94 3.12 3.50 3.87 3.61 3.31
The most effective Policies, Standards and Procedures undergo regular reviews and adjustments in response to changing risks and regulations.
Contracts
Overall level of maturity: 3.12
Key Observations
• The Contracts vendor risk management category again has the overall highest level of maturity in the survey (tied with Monitoring and Review).
• However, the Contracts category’s overall maturity level remained essentially the same as it was in last year’s survey findings — as was the case with two other vendor risk management categories (Program Governance; and Policies, Standards and Procedures).
• Two individual components in this category showed notable declines in maturity levels: having regulatory-required standards for mandatory contract language/provisions; and having a defined organizational structure for vendor contract drafting, negotiation and approval.
• One component — having a process to ensure inclusion of contract provisions consistent with each vendor risk classification/rating — posted a significant improvement in maturity level.
• Insurance and healthcare payers have the best performance in this area, continuing the strong improvement first seen in last year’s study.
Contracts — Overall Results
# | Vendor Risk Component | 2017 | 2016 | YOY Change
1 | We have defined an organizational structure for vendor contract drafting, negotiation and approval. | 3.15 | 3.26 | -0.10
2 | We have established procedures for contract exception review and approval. | 3.21 | 3.30 | -0.09
3 | We have established standards for mandatory contract language/provisions. | 3.25 | NA | NA
4 | We have corporate requirements for mandatory contract language/provisions. | 3.25 | 3.29 | -0.04
5 | We have a process to ensure inclusion of contract provisions terminating a vendor relationship. | 3.17 | 3.15 | 0.02
6 | We have a process to define the terms, if any, under which vendor outsourcing is permissible. | 3.02 | 3.00 | 0.02
7 | We have regulatory-required standards for mandatory contract language/provisions. | 3.15 | 3.26 | -0.11
8 | We have IT/security-required standards for mandatory contract language/provisions. | 3.22 | 3.24 | -0.02
9 | We have a procedure to review existing contracts for compliance with current contract standards. | 3.16 | 3.16 | 0.00
10 | We have a remediation process to correct contract deficiencies. | 3.00 | 2.92 | 0.08
11 | We have a process to ensure inclusion of appropriate performance-based contract provisions (SLAs, KPIs, KRIs, etc.). | 2.99 | 2.92 | 0.08
12 | We have a process to ensure inclusion of contract provisions consistent with each vendor risk classification/rating. | 3.00 | 2.86 | 0.14
13 | We have established criteria for the contract review cycle consistent with each vendor risk classification/rating. | 2.94 | 2.96 | -0.02
| Category Averages | 3.12 | 3.11 | 0.00
Commentary
Unlike more complex categories of vendor risk management, such as Program Governance, Contracts represents a category in which improvements ought to be fairly straightforward to achieve. Contracts should be written clearly, align with internal standards and reflect the relative risk the specific vendor poses to the organization.

Contracts also require regular reviews. Third party risk management program administrators should collaborate closely with their legal and risk colleagues to ensure the contracts — including those that deviate from standard templates — align with the company’s current risk appetite. As cybersecurity concerns drive companies, and regulators, to intensify their focus on fourth party risk, it has become increasingly important for contracts to specify the terms under which vendors (third parties) can outsource work to their subcontractors (fourth parties). This year’s respondents indicate that companies have achieved incremental progress when it comes to having a process to define the terms, if any, under which vendor outsourcing is permissible. This is a positive trend which should stimulate additional progress in overall vendor risk management.
[Figure: Contracts – Industry Results*. Chart of Maturity Level (y-axis, 1.5 to 4.0) by Vendor Risk Component (x-axis, components 1, 2, 3&4, 7, 8, 9, 10, 11, 12, 13, 5, 6) for Financial Services, Insurance/Healthcare Payer, Healthcare Provider and All other industries; two panels, 2017 and 2014.]
*Please refer to the Overall Results table for the Vendor Risk Components numbered in each x-axis. The order has been adjusted to more easily compare the 2014 and 2017 results, as there have been changes to the VRMMM over that time span. This also is why some components are combined and some do not have results for 2014.
Contracts — Focus on the Financial Services Industry
Assets Under Management
Vendor Risk Component | < $1B | $1B to $5B | $5B to $10B | $10B to $25B | $25B to $50B | $50B to $250B | > $250B
We have defined an organizational structure for vendor contract drafting, negotiation and approval. | 2.78 | 3.58 | 3.05 | 3.33 | 3.44 | 3.89 | 3.54
We have established procedures for contract exception review and approval. | 2.89 | 3.65 | 2.84 | 3.71 | 3.11 | 3.79 | 3.27
We have established standards for mandatory contract language/provisions. | 2.89 | 3.96 | 3.05 | 3.53 | 3.89 | 4.00 | 3.35
We have corporate requirements for mandatory contract language/provisions. | 2.56 | 3.81 | 3.05 | 3.47 | 3.89 | 3.95 | 3.44
We have a process to ensure inclusion of contract provisions terminating a vendor relationship. | 2.72 | 3.77 | 2.79 | 3.47 | 3.89 | 3.74 | 3.42
We have a process to define the terms, if any, under which vendor outsourcing is permissible. | 2.44 | 3.35 | 2.42 | 3.13 | 3.56 | 3.74 | 3.31
We have regulatory-required standards for mandatory contract language/provisions. | 3.00 | 3.96 | 2.95 | 3.20 | 3.56 | 3.89 | 3.35
We have IT/security-required standards for mandatory contract language/provisions. | 3.06 | 3.69 | 3.26 | 3.33 | 3.44 | 3.89 | 3.54
We have a procedure to review existing contracts for compliance with current contract standards. | 2.94 | 3.72 | 2.74 | 3.20 | 3.22 | 3.79 | 3.46
We have a remediation process to correct contract deficiencies. | 2.56 | 3.65 | 2.61 | 2.80 | 3.22 | 3.68 | 3.27
We have a process to ensure inclusion of appropriate performance-based contract provisions (SLAs, KPIs, KRIs, etc.). | 2.38 | 3.62 | 2.61 | 3.13 | 3.33 | 3.42 | 3.00
We have a process to ensure inclusion of contract provisions consistent with each vendor risk classification/rating. | 2.72 | 3.62 | 3.21 | 3.40 | 3.67 | 3.32 | 3.08
We have established criteria for the contract review cycle consistent with each vendor risk classification/rating. | 2.83 | 3.73 | 2.84 | 3.13 | 3.33 | 3.45 | 2.92
Category Averages | 2.75 | 3.70 | 2.88 | 3.30 | 3.50 | 3.74 | 3.30
Vendor Risk Identification and Analysis
Overall level of maturity: 3.06
Key Observations
• Vendor Risk Identification and Analysis is one of two categories (along with Skills and Expertise) that demonstrated the greatest gains in maturity level in this year’s survey.
• Three components of this category also displayed the most dramatic year-over-year improvements in the entire survey: supporting information gathering in vendor reviews, executing a formal vendor assessment process, and formally documenting assessment roles and responsibilities. Clearly, companies are succeeding in their efforts to improve how they identify and analyze vendor risk.
• Relatively few individual risk components in this category score below a maturity level of 3.0. The vendor risk component with the lowest maturity level in this category — having a process in place to determine if a vendor utilizes subcontractors whenever a vendor contract does not include vendor outsourcing requirements — represents a clear call to action, given the critical need to understand and monitor fourth party (the vendor’s vendors) risks.
Vendor Risk Identification and Analysis — Overall Results
# | Vendor Risk Component | 2017 | 2016 | YOY Change
1 | We have reviewed the defined business requirements for outsourcing. | 2.94 | 2.78 | 0.16
2 | We conduct a risk assessment for outsourcing the business function. | 3.01 | 2.87 | 0.14
3 | We consistently follow our process to collect and update vendor information. | 3.20 | 3.12 | 0.07
4 | We maintain a database of current vendor information. | 3.34 | 3.26 | 0.08
5 | We execute vendor risk tiering processes. | 3.05 | 2.92 | 0.13
6 | We determine vendor assessments to be performed based on risk, tiering and resources available. | 3.05 | 2.90 | 0.16
7 | We support information gathering in vendor reviews. | 3.20 | 2.87 | 0.33
8 | We review vendor requirements with our Business, IT, Legal and Purchasing colleagues. | 3.27 | 3.18 | 0.09
9 | We execute scheduling and coordinate assessment activities with vendors. | 3.12 | 3.01 | 0.12
10 | We execute a formal vendor assessment process. | 3.31 | 3.02 | 0.29
11 | We formally document assessment roles and responsibilities. | 3.20 | 2.94 | 0.26
12 | We have a formal process for conducting onsite assessments. | 2.90 | 2.72 | 0.18
13 | We assess compliance with vendor contracts. | 3.13 | 3.06 | 0.07
14 | We assess compliance with business continuity contract terms. | 3.02 | 2.96 | 0.06
15 | We assess compliance with outsourcing requirement contract terms. | 2.99 | 2.80 | 0.19
16 | We have a process in place to determine if a vendor utilizes subcontractors whenever a vendor contract does not include vendor outsourcing requirements. | 2.85 | 2.80 | 0.05
17 | We identify findings and formulate recommendations. | 3.14 | 2.95 | 0.19
18 | We develop vendor assessment reports. | 3.03 | 2.89 | 0.14
19 | We establish a vendor remediation plan or termination/exit strategy (as appropriate), validating this plan with our management and the vendor. | 2.93 | 2.78 | 0.14
20 | We establish/revise tiering of our vendors. | 2.97 | 2.83 | 0.14
21 | We perform remediation plan follow-up discussions with the vendor. | 2.99 | 2.93 | 0.06
22 | We have established a process to manage the situation where known vendor issues are not remediated. | 3.00 | NA | NA
23 | We consolidate the results of vendor assessments. | 3.03 | 2.82 | 0.21
24 | We calculate and distribute vendor assessment metrics. | 2.89 | 2.79 | 0.10
25 | We discuss results of vendor assessments and metrics with management. | 3.03 | 2.94 | 0.09
| Category Averages | 3.06 | 2.92 | 0.14
Commentary
If Vendor Risk Identification and Analysis is the engine of a vendor risk management program, it is firing away with greater efficiency and power. Not only did this category post the greatest improvement in overall maturity level, but every single vendor risk component within the category improved compared to last year. This is particularly good news given that Vendor Risk Identification and Analysis activities can be resource-intensive and subject to performance declines if funding is inadequate. While resource concerns crop up in other areas, as noted throughout our report, companies appear to be applying sufficient resources to strengthen Vendor Risk Identification and Analysis processes.

Looking ahead, it would be prudent for vendor risk management leaders to focus on one increasingly important vendor risk management component — having a process in place to determine if a vendor utilizes subcontractors whenever a vendor contract does not include vendor outsourcing requirements. This area is comparatively less mature than all other individual vendor risk components in this category.
[Figure: Vendor Risk Identification and Analysis – Industry Results*. Chart of Maturity Level (y-axis, 1.5 to 4.0) by Vendor Risk Component (x-axis, components 1 to 25 in the adjusted order described in the footnote) for Financial Services, Insurance/Healthcare Payer, Healthcare Provider and All other industries; two panels, 2017 and 2014.]
*Please refer to the Overall Results table for the Vendor Risk Components numbered in each x-axis. The order has been adjusted to more easily compare the 2014 and 2017 results, as there have been changes to the VRMMM over that time span. This also is why some components do not have results for 2014.
Vendor Risk Identification and Analysis — Focus on the Financial Services Industry
Assets Under Management
Vendor Risk Component | < $1B | $1B to $5B | $5B to $10B | $10B to $25B | $25B to $50B | $50B to $250B | > $250B
We have reviewed the defined business requirements for outsourcing. | 2.72 | 3.28 | 2.84 | 2.43 | 3.00 | 3.00 | 3.27
We conduct a risk assessment for outsourcing the business function. | 3.06 | 3.56 | 2.94 | 2.86 | 3.44 | 3.35 | 3.35
We consistently follow our process to collect and update vendor information. | 3.00 | 3.88 | 3.17 | 3.79 | 4.11 | 3.65 | 3.48
We maintain a database of current vendor information. | 3.22 | 3.80 | 3.42 | 3.50 | 4.00 | 3.55 | 3.23
We execute vendor risk tiering processes. | 3.33 | 3.84 | 3.53 | 3.71 | 3.89 | 3.60 | 3.50
We determine vendor assessments to be performed based on risk, tiering and resources available. | 3.06 | 4.08 | 3.26 | 3.57 | 4.00 | 3.55 | 3.54
We support information gathering in vendor reviews. | 3.11 | 3.96 | 3.53 | 3.71 | 4.00 | 3.70 | 3.42
We review vendor requirements with our Business, IT, Legal and Purchasing colleagues. | 3.00 | 4.00 | 3.21 | 3.64 | 3.56 | 3.75 | 3.62
We execute scheduling and coordinate assessment activities with vendors. | 2.89 | 3.76 | 3.37 | 3.21 | 3.56 | 3.65 | 3.35
We execute a formal vendor assessment process. | 3.06 | 4.12 | 3.47 | 4.07 | 3.67 | 3.80 | 3.35
We formally document assessment roles and responsibilities. | 2.78 | 3.88 | 3.44 | 3.79 | 3.78 | 3.75 | 3.42
We have a formal process for conducting onsite assessments. | 2.06 | 3.20 | 3.11 | 3.00 | 2.67 | 3.35 | 3.42
We assess compliance with vendor contracts. | 2.78 | 3.68 | 3.21 | 3.00 | 3.11 | 3.55 | 3.54
We assess compliance with business continuity contract terms. | 3.00 | 3.52 | 2.71 | 3.43 | 3.11 | 3.35 | 3.50
We assess compliance with outsourcing requirement contract terms. | 2.56 | 3.40 | 2.68 | 3.21 | 3.00 | 3.25 | 3.31
We have a process in place to determine if a vendor utilizes subcontractors whenever a vendor contract does not include vendor outsourcing requirements. | 2.56 | 3.48 | 2.74 | 3.14 | 3.33 | 3.15 | 3.12
We identify findings and formulate recommendations. | 3.11 | 3.64 | 3.16 | 3.57 | 3.56 | 3.60 | 3.54
We develop vendor assessment reports. | 2.94 | 3.84 | 3.16 | 3.43 | 2.89 | 3.60 | 3.38
We establish a vendor remediation plan or termination/exit strategy (as appropriate), validating this plan with our management and the vendor. | 2.56 | 3.60 | 2.63 | 3.14 | 3.11 | 3.40 | 3.00
We establish/revise tiering of our vendors. | 2.72 | 3.64 | 3.11 | 3.57 | 3.22 | 3.35 | 3.35
We perform remediation plan follow-up discussions with the vendor. | 2.56 | 3.80 | 2.32 | 3.07 | 3.22 | 3.40 | 3.31
We have established a process to manage the situation where known vendor issues are not remediated. | 2.72 | 3.68 | 2.42 | 3.00 | 3.78 | 3.25 | 3.27
We consolidate the results of vendor assessments. | 2.83 | 3.64 | 2.89 | 3.57 | 3.67 | 3.35 | 3.46
We calculate and distribute vendor assessment metrics. | 2.56 | 3.48 | 2.79 | 3.14 | 3.22 | 3.35 | 3.44
We discuss results of vendor assessments and metrics with management. | 2.72 | 3.48 | 2.89 | 3.29 | 3.33 | 3.50 | 3.58
Category Averages | 2.84 | 3.69 | 3.04 | 3.35 | 3.45 | 3.47 | 3.39
Skills and Expertise
Overall level of maturity: 2.86
Key Observations
• Although the Skills and Expertise category continues to have the lowest level of vendor risk management maturity in our benchmarking study, it has recently shown good improvement. In the past two years, the overall maturity level of this category has increased more than any other category.
• Four components of the Skills and Expertise category showed the largest year-over-year improvements in the entire survey: annually measuring employee understanding of vendor risk management accountabilities and reporting results to management; providing training for assigned vendor risk management resources to maintain appropriate certifications; routinely measuring or benchmarking the organization’s vendor risk management budget with management reporting to demonstrate return on investment (ROI); and implementing metrics and reporting for compliance to required training and awareness of vendor risk policies. Companies are succeeding in their efforts to improve how they identify and analyze vendor risk.
• Three new Skills and Expertise vendor risk components were evaluated this year: defining accountability for vendor risk within the organization chart and identified support staff for vendor risk management; the establishment of a process for vendor risk management; and the allocation of a specific vendor risk management budget for industry memberships and training/education.
Skills and Expertise — Overall Results
# | Vendor Risk Component | 2017 | 2016 | YOY Change
1 | We have established a process for vendor risk management. | 3.17 | NA | NA
2 | We have assigned vendor risk management accountability to an individual in our organization. | 3.16 | 3.03 | 0.13
3 | We have defined accountability for vendor risk within the organization chart and identified support staff for vendor risk management. | 3.08 | NA | NA
4 | Roles and responsibilities (e.g., risk, sourcing, procurement, contracts) are defined clearly within our job descriptions. | 3.14 | 3.07 | 0.07
5 | We provide training for assigned vendor risk management resources to maintain appropriate certifications. | 2.98 | 2.67 | 0.31
6 | We have sufficient staff to manage vendor risk management activities effectively. | 2.80 | 2.79 | 0.00
7 | We have structures in place to define and measure the staffing levels required to meet vendor risk program objectives. | 2.73 | 2.63 | 0.10
8 | We have sufficient qualified staff to meet all vendor risk management objectives. | 2.80 | 2.68 | 0.12
9 | We have formalized governance programs so that staffing levels can be reduced due to optimization. | 2.71 | 2.46 | 0.25
10 | We have defined and communicated vendor risk management policies to our key stakeholders. | 3.04 | 2.90 | 0.13
11 | We periodically communicate our vendor risk management policies and procedures to all personnel. | 2.92 | 2.68 | 0.25
12 | At least annually, we provide training on vendor risk management policies and procedures to appropriate employee groups based on role. | 2.85 | 2.67 | 0.18
13 | We have defined training and education for our vendor risk personnel to enable them to define, execute and manage our program. | 2.90 | 2.68 | 0.22
14 | On an annual basis, we measure employee understanding of vendor risk management accountabilities and report results to management. | 2.65 | 2.35 | 0.31
15 | We have implemented metrics and reporting for compliance to required training and awareness of our vendor risk policies. | 2.78 | 2.50 | 0.28
16 | We have sufficient funding for vendor management training and awareness. | 2.72 | NA | NA
17 | We have allocated budget for vendor risk management functions, including basic travel, subscriptions, training and small projects. | 2.74 | 2.65 | 0.09
18 | We have allocated a specific vendor risk management budget for industry memberships and training/education. | 2.68 | NA | NA
19 | We routinely measure or benchmark our vendor risk management budget with management reporting to demonstrate ROI. | 2.63 | 2.32 | 0.31
20 | We have integrated vendor risk management functions and tools sufficiently into our business lines so that overall costs and budget for dedicated risk management budgets are reduced. | 2.67 | 2.45 | 0.23
| Category Averages | 2.86 | 2.66 | 0.19
Commentary
The level of assessed Skills and Expertise maturity continues its upward trajectory. This is positive news considering that Skills and Expertise vendor risk components consistently have been among the lowest-rated since the survey’s inception. All of the individual vendor risk components within the category that appeared in last year’s survey have increased in maturity levels — many of them sizeable increases. Furthermore, four of the survey’s largest maturity level improvements occurred in the Skills and Expertise category.

Yet more improvement is warranted: Skills and Expertise remains one of the two least mature components of vendor risk management. Three vendor risk components in the category — routinely measuring or benchmarking the organization’s vendor risk management budget with management reporting to demonstrate ROI, annually measuring employee understanding of vendor risk management accountabilities and reporting results to management, and integrating vendor risk management functions and tools sufficiently into business lines so that overall costs and budget for dedicated risk management budgets are reduced — received the lowest maturity level scores in the entire survey. The good news, again, is that these three areas are improving markedly. This year’s results indicate that companies are making significant strides in training and developing the talent they currently have at a time when competition for skilled third party risk management resources remains intense.
[Figure: Skills and Expertise – Industry Results*. Chart of Maturity Level (y-axis, 1.5 to 4.0) by Vendor Risk Component (x-axis, components 1 to 20 in the adjusted order described in the footnote) for Financial Services, Insurance/Healthcare Payer, Healthcare Provider and All other industries; two panels, 2017 and 2014.]
*Please refer to the Overall Results table for the Vendor Risk Components numbered in each x-axis. The order has been adjusted to more easily compare the 2014 and 2017 results, as there have been changes to the VRMMM over that time span. This also is why some components do not have results for 2014.
Skills and Expertise — Focus on the Financial Services Industry
Assets Under Management
Vendor Risk Component | < $1B | $1B to $5B | $5B to $10B | $10B to $25B | $25B to $50B | $50B to $250B | > $250B
We have established a process for vendor risk management. | 2.88 | 3.67 | 3.21 | 4.00 | 3.78 | 3.75 | 3.58
We have assigned vendor risk management accountability to an individual in our organization. | 3.12 | 3.88 | 3.11 | 3.57 | 3.89 | 3.70 | 3.62
We have defined accountability for vendor risk within the organization chart and identified support staff for vendor risk management. | 3.18 | 3.71 | 2.84 | 3.64 | 3.78 | 3.55 | 3.38
Roles and responsibilities (e.g., risk, sourcing, procurement, contracts) are defined clearly within our job descriptions. | 2.82 | 3.63 | 3.26 | 3.14 | 3.44 | 3.65 | 3.50
We provide training for assigned vendor risk management resources to maintain appropriate certifications. | 2.65 | 3.63 | 2.63 | 3.31 | 3.33 | 3.35 | 3.38
We have sufficient staff to manage vendor risk management activities effectively. | 2.59 | 3.71 | 2.53 | 2.86 | 2.67 | 3.20 | 3.00
We have structures in place to define and measure the staffing levels required to meet vendor risk program objectives. | 2.53 | 3.46 | 2.53 | 2.86 | 2.78 | 2.65 | 3.27
We have sufficient qualified staff to meet all vendor risk management objectives. | 2.65 | 3.71 | 2.58 | 2.71 | 2.78 | 2.85 | 3.12
We have formalized governance programs so that staffing levels can be reduced due to optimization. | 2.59 | 3.33 | 2.32 | 3.07 | 2.33 | 2.65 | 3.19
We have defined and communicated vendor risk management policies to our key stakeholders. | 3.18 | 3.96 | 2.84 | 3.50 | 3.67 | 3.65 | 3.58
We periodically communicate our vendor risk management policies and procedures to all personnel. | 2.76 | 3.42 | 2.89 | 3.29 | 3.44 | 3.40 | 3.42
At least annually, we provide training on vendor risk management policies and procedures to appropriate employee groups based on role. | 2.59 | 3.58 | 2.68 | 3.14 | 2.78 | 3.15 | 3.42
We have defined training and education for our vendor risk personnel to enable them to define, execute and manage our program. | 2.65 | 3.67 | 2.47 | 3.21 | 3.44 | 3.50 | 3.46
On an annual basis, we measure employee understanding of vendor risk management accountabilities and report results to management. | 1.94 | 3.42 | 2.39 | 2.93 | 2.00 | 2.50 | 3.19
We have implemented metrics and reporting for compliance to required training and awareness of our vendor risk policies. | 2.24 | 3.29 | 2.63 | 2.93 | 2.00 | 2.70 | 3.46
We have sufficient funding for vendor management training and awareness. | 2.53 | 3.46 | 2.37 | 2.71 | 2.22 | 2.70 | 3.15
We have allocated budget for vendor risk management functions, including basic travel, subscriptions, training and small projects. | 2.24 | 3.63 | 2.21 | 3.00 | 2.22 | 3.20 | 2.88
We have allocated a specific vendor risk management budget for industry memberships and training/education. | 2.41 | 3.33 | 2.79 | 2.43 | 2.33 | 3.00 | 3.23
We routinely measure or benchmark our vendor risk management budget with management reporting to demonstrate ROI. | 2.12 | 2.96 | 2.21 | 2.43 | 2.33 | 2.45 | 3.19
We have integrated vendor risk management functions and tools sufficiently into our business lines so that overall costs and budget for dedicated risk management budgets are reduced. | 2.12 | 3.50 | 2.11 | 2.79 | 2.33 | 2.85 | 3.04
Category Averages | 2.59 | 3.55 | 2.63 | 3.08 | 2.88 | 3.12 | 3.30
Communication and Information Sharing
Overall level of maturity: 3.03
Key Observations
• The overall maturity level of the Communication and Information Sharing category has increased markedly during the past two years.
• Having a process in place to periodically communicate results of vendor assessments is among the handful of vendor risk components in the survey that showed the largest year-over-year improvements.
• There are two new Communication and Information Sharing components in this year’s study: having policies in place to define roles and responsibilities over workflow tasks (which scored a maturity level of 3.10), and having a process in place to periodically communicate results of vendor assessments (3.04).
Communication and Information Sharing — Overall Results
# | Vendor Risk Component | 2017 | 2016 | YOY Change
1 | We have a formal process in place for adoption of the program by executive management and adoption of the program as a standard practice (sourcing, procurement, contracts). | 3.00 | 2.83 | 0.17
2 | We have a process in place to communicate policies and standards. | 3.20 | 3.15 | 0.05
3 | We have in place an ongoing education program for vendor management policies, procedures and updates. | 2.90 | 2.59 | 0.31
4 | We have clearly defined roles and responsibilities in the areas that manage sourcing, procurement, contracts. | 3.15 | 3.11 | 0.04
5 | We have a process in place to periodically assess vendor value (for example, service delivery, vendor security, control environment, operations, etc.). | 2.95 | 2.77 | 0.18
6 | We have a process in place to evaluate internal compliance with vendor management onboarding, periodic assessment and off-boarding. | 2.94 | 2.79 | 0.15
7 | We have a process in place to manage vendor inventory. | 2.93 | 2.86 | 0.06
8 | We have a process in place to report status of vendor assessments. | 3.02 | 2.83 | 0.19
9 | We have a process in place to evaluate compliance with vendor management processes and procedures. | 3.00 | 2.83 | 0.16
10 | We have a process in place to periodically evaluate vendor service delivery. | 2.99 | 2.89 | 0.10
11 | We have a process in place to track and communicate incidents. | 3.17 | 3.11 | 0.06
12 | We have a process in place to escalate and communicate incidents and issues. | 3.18 | 3.13 | 0.04
13 | We have policies in place to define roles and responsibilities over workflow tasks. | 3.10 | NA | NA
14 | We have a process in place to periodically communicate results of vendor assessments. | 3.04 | NA | NA
15 | We have a process in place to provide board and executive management response to vendor assessment results. | 2.90 | 2.87 | 0.03
| Category Averages | 3.03 | 2.91 | 0.12
Commentary
The Communication and Information Sharing aspect of vendor risk management has improved dramatically since 2015. Although the overall maturity level for this category exceeds 3.0 for the first time since the survey began, there were several individual risk components that continued to receive maturity level scores below this level. This need for further information-sharing improvements is evident in the small but consistent differences between how C-level executives score maturity levels across all categories (lower) compared with maturity level scores in the same categories from staff below the C-suite (higher).

While communications concerning third party risk management are always important, effective information sharing throughout the company and with the board becomes even more essential when the external risk environment is particularly volatile. As companies continue to refine their improvements of vendor risk components in this category, they should consider focusing on activities with lower maturity levels, such as ongoing education programs for vendor management policies, procedures and updates; and processes for providing board and executive management response to vendor assessment results.
[Figure: Communication and Information Sharing — Industry Results*. Chart of Maturity Level (y-axis, 1.5 to 4.0) by Vendor Risk Component (x-axis, components 1, 3, 5, 6, 7, 8, 9, 10, 11, 12, 15, 2, 4, 13, 14) for Financial Services, Insurance/Healthcare Payer, Healthcare Provider and All other industries; two panels, 2017 and 2014.]
*Please refer to the Overall Results table for the Vendor Risk Components numbered in each x-axis. The order has been adjusted to more easily compare the 2014 and 2017 results, as there have been changes to the VRMMM over that time span. This also is why some components do not have results for 2014.
Communication and Information Sharing — Focus on the Financial Services Industry
Assets Under Management
Vendor Risk Component | < $1B | $1B to $5B | $5B to $10B | $10B to $25B | $25B to $50B | $50B to $250B | > $250B
We have a formal process in place for adoption of the program by executive management and adoption of the program as a standard practice (sourcing, procurement, contracts). | 2.50 | 3.71 | 2.63 | 3.71 | 3.44 | 3.58 | 3.15
We have a process in place to communicate policies and standards. | 3.31 | 4.00 | 2.89 | 3.64 | 3.56 | 3.58 | 3.62
We have in place an ongoing education program for vendor management policies, procedures and updates. | 2.25 | 3.71 | 2.63 | 3.29 | 3.11 | 3.26 | 3.42
We have clearly defined roles and responsibilities in the areas that manage sourcing, procurement, contracts. | 2.56 | 3.71 | 3.00 | 3.29 | 3.22 | 3.79 | 3.23
We have a process in place to periodically assess vendor value (for example, service delivery, vendor security, control environment, operations, etc.). | 2.31 | 3.46 | 2.47 | 3.07 | 3.22 | 3.37 | 3.23
We have a process in place to evaluate internal compliance with vendor management onboarding, periodic assessment and off-boarding. | 2.25 | 3.78 | 2.53 | 3.57 | 2.89 | 3.37 | 3.50
We have a process in place to manage vendor inventory. | 2.44 | 3.71 | 2.68 | 3.57 | 3.33 | 3.32 | 3.12
We have a process in place to report status of vendor assessments. | 2.75 | 3.96 | 2.68 | 3.71 | 3.56 | 3.68 | 3.15
We have a process in place to evaluate compliance with vendor management processes and procedures. | 2.25 | 3.75 | 2.58 | 3.64 | 3.56 | 3.53 | 3.19
We have a process in place to periodically evaluate vendor service delivery. | 2.20 | 3.63 | 2.42 | 2.93 | 3.33 | 3.42 | 2.96
We have a process in place to track and communicate incidents. | 2.69 | 3.79 | 2.95 | 3.50 | 3.56 | 3.47 | 3.15
We have a process in place to escalate and communicate incidents and issues. | 2.50 | 3.83 | 2.84 | 3.21 | 3.67 | 3.37 | 3.15
We have policies in place to define roles and responsibilities over workflow tasks. | 2.44 | 4.00 | 2.74 | 3.64 | 3.56 | 3.63 | 3.19
We have a process in place to periodically communicate results of vendor assessments. | 2.56 | 3.96 | 3.16 | 3.36 | 3.56 | 3.42 | 3.15
We have a process in place to provide board and executive management response to vendor assessment results. | 2.44 | 3.58 | 3.11 | 3.07 | 3.56 | 3.42 | 3.19
Category Averages | 2.50 | 3.77 | 2.75 | 3.41 | 3.41 | 3.48 | 3.23
Tools, Measurement and Analysis
Overall level of maturity: 2.91
Key Observations
• Scores in this category improved modestly compared to last year's survey results.
• The two vendor risk components in this area that displayed the largest improvements, monitoring variances between scheduled reviews and actual reviews performed, and reporting risk scoring results to relevant stakeholders, are essential to measurement and analysis as well as to the overall vendor risk management program.
• Two vendor risk management components in this category showed minor declines in maturity levels: establishing relevant financial measures and benchmarks, and determining the financial viability of key vendors.
Tools, Measurement and Analysis — Overall Results

| # | Vendor Risk Component | 2017 | 2016 | YOY Change |
|---|---|---|---|---|
| 1 | We establish vendor review schedules for all vendor assessments (onsite, remote, etc.). | 2.89 | 2.82 | 0.07 |
| 2 | We assign resources to accomplish reviews as scheduled. | 2.95 | 2.87 | 0.08 |
| 3 | We capture and report on vendor review costs, budget to actual, etc. | 2.79 | 2.69 | 0.10 |
| 4 | We monitor variances between scheduled reviews and actual reviews performed. | 2.84 | 2.59 | 0.25 |
| 5 | We provide periodic reporting on review monitoring. | 2.91 | 2.76 | 0.15 |
| 6 | We process information obtained during the vendor selection or review process into a risk scoring tool. | 2.85 | NA | NA |
| 7 | We process information according to an established risk scoring methodology. | 2.91 | NA | NA |
| 8 | We report risk scoring results to relevant stakeholders. | 2.93 | 2.71 | 0.22 |
| 9 | We engage finance and procurement partners. | 3.03 | 3.03 | 0.00 |
| 10 | We establish relevant financial measures and benchmarks. | 2.88 | 2.91 | -0.03 |
| 11 | We determine the financial viability of key vendors. | 3.04 | 3.10 | -0.06 |
| 12 | We report financial results from our vendors to relevant stakeholders. | 2.86 | 2.83 | 0.03 |
| | Category Averages | 2.91 | 2.83 | 0.08 |
Commentary
As is the case in several other categories, the overall maturity level for Tools, Measurement and Analysis has increased significantly during the past three years. Although the most recent increase was less dramatic compared to last year's survey results, two crucial vendor risk management components showed substantial improvement. Companies made significant strides in monitoring variances between scheduled reviews and actual reviews performed, and in reporting risk scoring results to relevant stakeholders.
[Figure: Tools, Measurement and Analysis — Industry Results*. Two panels (2017 and 2014) plotting maturity level (y-axis, 1.5 to 4.0) by vendor risk component (x-axis, plotted in the order 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 7) for Financial Services, Insurance/Healthcare Payer, Healthcare Provider and All other industries.]

*Please refer to the Overall Results table for the Vendor Risk Components numbered in each x-axis. The order has been adjusted to more easily compare the 2014 and 2017 results, as there have been changes to the VRMMM over that time span. This also is why some components do not have results for 2014.
Tools, Measurement and Analysis — Focus on the Financial Services Industry

Maturity level by assets under management:

| Vendor Risk Component | < $1B | $1B to $5B | $5B to $10B | $10B to $25B | $25B to $50B | $50B to $250B | > $250B |
|---|---|---|---|---|---|---|---|
| We establish vendor review schedules for all vendor assessments (onsite, remote, etc.). | 2.47 | 3.46 | 2.89 | 3.64 | 3.78 | 3.63 | 3.31 |
| We assign resources to accomplish reviews as scheduled. | 2.35 | 3.50 | 2.68 | 3.64 | 3.78 | 3.74 | 3.50 |
| We capture and report on vendor review costs, budget to actual, etc. | 2.24 | 3.50 | 2.11 | 2.21 | 2.00 | 2.89 | 3.04 |
| We monitor variances between scheduled reviews and actual reviews performed. | 2.24 | 3.38 | 2.53 | 2.93 | 2.67 | 3.53 | 3.27 |
| We provide periodic reporting on review monitoring. | 2.53 | 3.58 | 2.68 | 3.29 | 3.33 | 3.26 | 3.38 |
| We process information obtained during the vendor selection or review process into a risk scoring tool. | 2.82 | 3.67 | 2.05 | 3.50 | 3.33 | 3.32 | 3.27 |
| We process information according to an established risk scoring methodology. | 2.76 | 3.71 | 2.83 | 3.21 | 3.33 | 3.32 | 3.35 |
| We report risk scoring results to relevant stakeholders. | 2.65 | 3.63 | 3.00 | 3.64 | 3.67 | 3.32 | 3.38 |
| We engage finance and procurement partners. | 2.59 | 3.63 | 2.79 | 3.50 | 3.33 | 3.79 | 3.38 |
| We establish relevant financial measures and benchmarks. | 2.35 | 3.46 | 2.42 | 2.86 | 3.22 | 3.16 | 2.96 |
| We determine the financial viability of key vendors. | 2.71 | 3.67 | 3.11 | 3.71 | 3.78 | 3.42 | 3.12 |
| We report financial results from our vendors to relevant stakeholders. | 2.59 | 3.50 | 2.50 | 3.07 | 3.89 | 3.32 | 3.27 |
| Category Averages | 2.52 | 3.56 | 2.63 | 3.27 | 3.34 | 3.39 | 3.27 |
Monitoring and Review
Overall level of maturity: 3.12
Key Observations
• Monitoring and Review activities continued the steady improvement they have made in previous years.
• Notable improvements were made regarding business continuity management and responding to, escalating and informing key stakeholders of relevant data security, breaches or other similar incidents. These are crucial Monitoring and Review activities during a period of heightened cybersecurity risk.
• Having a process in place to periodically require SLA reporting showed one of the largest increases in maturity level of any of the vendor risk components in the entire survey. In addition to strengthening vendor risk management capabilities, companies are striving to optimize the returns they generate from their vendor investments.
• Another Monitoring and Review improvement, having a process in place to monitor industry and market trends that may negatively impact vendors, represents a foundational element of a real-time monitoring capability.
Monitoring and Review — Overall Results

| # | Vendor Risk Component | 2017 | 2016 | YOY Change |
|---|---|---|---|---|
| 1 | We have standard contract terms in place. | 3.45 | 3.46 | -0.01 |
| 2 | We have a process in place to facilitate approval of final contract terms by our Legal department and an appropriate level of management. | 3.39 | 3.46 | -0.06 |
| 3 | We have a process in place to modify contracts and approve modifications by our Legal department and an appropriate level of management. | 3.44 | 3.41 | 0.03 |
| 4 | We have policies and procedures in place over the process to store, retain and make available contract terms. | 3.38 | 3.33 | 0.05 |
| 5 | We have a process in place to address expired or canceled contracts. | 3.29 | 3.18 | 0.11 |
| 6 | We have a process in place to periodically require SLA reporting. | 3.02 | 2.74 | 0.29 |
| 7 | We have a process in place to track and analyze customer complaints. | 3.19 | 3.09 | 0.09 |
| 8 | We have a process in place to periodically conduct customer satisfaction surveys. | 3.06 | 2.94 | 0.13 |
| 9 | We have a process in place to respond to, escalate and inform key stakeholders of relevant data security, breaches or other similar incidents. | 3.25 | 3.11 | 0.14 |
| 10 | We have a process in place to monitor industry and market trends that may negatively impact our vendors. | 2.97 | 2.83 | 0.14 |
| 11 | We have a process in place to respond to and inform our key stakeholders of regulatory requirements and trends. | 3.12 | 2.99 | 0.13 |
| 12 | We have a process in place to regularly assess providers' financial conditions. | 3.02 | 2.93 | 0.09 |
| 13 | We have a process in place to review applicable audit reports periodically. | 3.13 | 3.12 | 0.00 |
| 14 | We have a process in place to test our vendors' business continuity and disaster recovery measures periodically, and review the test results. | 2.93 | 2.74 | 0.18 |
| 15 | We have a process in place to determine if additional control validation is necessary. | 2.93 | 2.81 | 0.12 |
| 16 | We have a process in place to periodically conduct vendor onsite visits and testing. | 2.90 | 2.83 | 0.07 |
| 17 | We obtain independent assurance or third party testing of key vendors. | 2.89 | 2.82 | 0.07 |
| 18 | We have a process in place to determine if an onsite assessment is necessary. | 2.84 | 2.82 | 0.01 |
| | Category Averages | 3.12 | 3.03 | 0.09 |
Commentary
Monitoring and Review capabilities have taken on newfound importance as cybersecurity breaches increasingly strike more organizations. Companies appear to be responding to this shift by improving relevant facets of their Monitoring and Review activities. Two of these activities, communicating with key stakeholders, including vendors, regarding data security and breaches, and testing vendors' business continuity management and disaster recovery measures, showed significant improvements compared to last year's survey results.

Monitoring and Review activities also extend beyond risk management into relationship management and optimization. Having a process in place to periodically require SLA reporting shows one of the largest increases in maturity levels of any component in the entire survey this year. This shows that companies are working to maximize the returns on their investments in third party services. One other Monitoring and Review result relates to an emerging capability that we expect more organizations to implement. Companies improved the process they have in place to monitor industry and market trends that may negatively impact vendors. This capability is frequently a facet of real-time monitoring, and this growth in maturity indicates that more organizations are becoming aware that impacts to vendor risk do not occur at predefined intervals but instead may materialize at any time.
[Figure: Monitoring and Review — Industry Results*. Two panels (2017 and 2014) plotting maturity level (y-axis, 1.5 to 4.0) by vendor risk component (x-axis, plotted in the order 1 through 11, then 14, 13, 17, 16, 15, 12, 18) for Financial Services, Insurance/Healthcare Payer, Healthcare Provider and All other industries.]

*Please refer to the Overall Results table for the Vendor Risk Components numbered in each x-axis. The order has been adjusted to more easily compare the 2014 and 2017 results, as there have been changes to the VRMMM over that time span. This also is why some components do not have results for 2014.
Monitoring and Review — Focus on the Financial Services Industry

Maturity level by assets under management:

| Vendor Risk Component | < $1B | $1B to $5B | $5B to $10B | $10B to $25B | $25B to $50B | $50B to $250B | > $250B |
|---|---|---|---|---|---|---|---|
| We have standard contract terms in place. | 2.59 | 3.67 | 3.43 | 3.00 | 3.44 | 3.84 | 3.88 |
| We have a process in place to facilitate approval of final contract terms by our Legal department and an appropriate level of management. | 2.82 | 4.00 | 3.50 | 3.11 | 3.22 | 3.95 | 3.88 |
| We have a process in place to modify contracts and approve modifications by our Legal department and an appropriate level of management. | 2.82 | 4.04 | 3.50 | 3.21 | 3.67 | 3.84 | 3.92 |
| We have policies and procedures in place over the process to store, retain and make available contract terms. | 2.82 | 4.08 | 3.64 | 3.00 | 3.78 | 3.84 | 3.81 |
| We have a process in place to address expired or canceled contracts. | 2.65 | 3.92 | 3.43 | 2.74 | 3.67 | 3.79 | 3.35 |
| We have a process in place to periodically require SLA reporting. | 2.18 | 3.67 | 3.29 | 2.21 | 2.78 | 3.26 | 3.35 |
| We have a process in place to track and analyze customer complaints. | 3.19 | 3.92 | 3.57 | 2.37 | 3.44 | 3.26 | 3.15 |
| We have a process in place to periodically conduct customer satisfaction surveys. | 2.65 | 3.67 | 2.57 | 2.53 | 2.33 | 3.00 | 3.31 |
| We have a process in place to respond to, escalate and inform key stakeholders of relevant data security, breaches or other similar incidents. | 3.19 | 3.96 | 3.21 | 2.79 | 3.78 | 3.74 | 3.31 |
| We have a process in place to monitor industry and market trends that may negatively impact our vendors. | 2.35 | 3.58 | 2.93 | 2.47 | 2.78 | 3.32 | 3.19 |
| We have a process in place to respond to and inform our key stakeholders of regulatory requirements and trends. | 2.76 | 4.08 | 3.57 | 2.68 | 3.33 | 3.53 | 3.27 |
| We have a process in place to regularly assess providers' financial conditions. | 2.88 | 3.96 | 3.64 | 2.44 | 3.89 | 3.26 | 3.62 |
| We have a process in place to review applicable audit reports periodically. | 3.06 | 3.79 | 3.71 | 2.95 | 3.56 | 3.56 | 3.50 |
| We have a process in place to test our vendors' business continuity and disaster recovery measures periodically, and review the test results. | 2.18 | 3.33 | 3.29 | 2.37 | 3.33 | 3.37 | 3.40 |
| We have a process in place to determine if additional control validation is necessary. | 2.63 | 3.58 | 3.36 | 2.16 | 3.11 | 3.47 | 3.12 |
| We have a process in place to periodically conduct vendor onsite visits and testing. | 2.12 | 3.42 | 3.21 | 2.11 | 2.67 | 3.21 | 3.40 |
| We obtain independent assurance or third party testing of key vendors. | 2.47 | 3.71 | 3.00 | 2.74 | 3.22 | 3.16 | 3.12 |
| We have a process in place to determine if an onsite assessment is necessary. | 2.24 | 3.42 | 3.07 | 2.16 | 2.89 | 3.21 | 3.04 |
| Category Averages | 2.64 | 3.77 | 3.33 | 2.61 | 3.27 | 3.48 | 3.42 |
Demographics
Position
Chief Financial Officer 7%
Chief Risk Officer 3%
Chief Technology Officer 2%
Chief Information Officer 4%
Chief Information Security Officer 3%
Chief Security Officer 1%
Chief Audit Executive 3%
IT VP/Director 15%
Internal Audit VP/Director 1%
IT Audit VP/Director 1%
Finance Director 5%
IT Manager 19%
Finance Manager 8%
Internal Audit Manager 2%
IT Audit Manager 1%
Operational Risk Management 8%
Procurement/Purchasing/Supply Chain 7%
Other 10%
Industry
Financial Services – Banking 20%
Technology (Software/High-Tech/Electronics) 12%
Manufacturing (other than Technology) 8%
Insurance 6%
Professional Services 6%
Financial Services – Asset Management 5%
Healthcare Provider 5%
Government 4%
Retail 4%
Financial Services – Other 3%
Consumer Packaged Goods 2%
Higher Education 2%
Financial Services – Broker-Dealer 2%
Pharmaceuticals and Life Sciences 2%
Transportation and Logistics 2%
Media and Communications 1%
Not-for-Profit 1%
Agriculture, Forestry, Fishing 1%
Automotive 1%
Construction 1%
Healthcare Payer 1%
Hospitality, Leisure and Travel 1%
Power and Utilities 1%
Biotechnology, Life Sciences and Pharmaceuticals 1%
Oil and Gas 1%
Wholesale/Distribution 1%
Chemicals 1%
Distribution 1%
Other 4%
Size of Organization (outside of Financial Services) – by gross annual revenue in U.S. dollars
Greater than $20 billion 19%
$10 billion to $19.99 billion 9%
$5 billion to $9.99 billion 10%
$1 billion to $4.99 billion 28%
$500 million to $999.99 million 10%
$100 million to $499.99 million 8%
Less than $100 million 16%
Financial Services Industry – Size of Organization (by assets under management)
Greater than $250 billion 17%
$50 billion to $250 billion 16%
$25 billion to $50 billion 6%
$10 billion to $25 billion 11%
$5 billion to $10 billion 16%
$1 billion to $5 billion 18%
Less than $1 billion 16%
Type of Organization
Public 51%
Private 37%
Not-for-Profit 6%
Government 5%
Other 1%
ABOUT SHARED ASSESSMENTS
The Shared Assessments Program is the trusted source in third party risk management, with resources to effectively manage the critical components of the third party risk management lifecycle that are: creating efficiencies and lowering costs for all participants; kept current with regulations, industry standards and guidelines and the current threat environment; and adopted globally across a broad range of industries both by service providers and their customers. Shared Assessments membership and use of the Shared Assessments Program Tools: The Agreed Upon Procedures (AUP); Standardized Information Gathering (SIG) questionnaire and Vendor Risk Management Maturity Model (VRMMM), offers companies and their service providers a standardized, more efficient and less costly means of conducting rigorous assessments for cybersecurity, IT, privacy, data security, and business resiliency controls. The Shared Assessments Program is managed by The Santa Fe Group (www.santa-fe-group.com), a strategic advisory company providing unparalleled expertise to leading financial institutions, healthcare payers and providers, law firms, educational institutions, retailers, utilities and other critical infrastructure organizations. The core of The Santa Fe Group’s belief system is that, despite how complicated the world of commerce might be, business can — and should — be a good citizen. Corporations should be built on a foundation to provide greater good to society. We help organizations determine core values, make meaningful connections, facilitate collaboration and affect change. For more information on Shared Assessments, please visit www.sharedassessments.org.
ABOUT PROTIVITI
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 70 offices in over 20 countries.
We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
© 2017 The Santa Fe Group, Shared Assessments Program. All rights reserved. © 2017 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. PRO-1117-101103
www.sharedassessments.org www.protiviti.com