2017 Vendor Risk Management Benchmark Study

The Shared Assessments Program and Protiviti Examine the Maturity of Vendor Risk Management

Conducted online by the Shared Assessments Program and Protiviti in the second and third quarters of 2017, with 539 executives and managers participating.

protiviti.com · sharedassessments.org

Table of Contents

Executive Summary
Methodology
Board Engagement, Cybersecurity, Incident Response and De-Risking
Program Governance
Policies, Standards and Procedures
Contracts
Vendor Risk Identification and Analysis
Skills and Expertise
Communication and Information Sharing
Tools, Measurement and Analysis
Monitoring and Review
Demographics


Executive Summary

As rapidly changing risk and regulatory environments continue to challenge vendor risk management capabilities, the results of the latest Vendor Risk Management Benchmark Study show that:

• Organizations in all industries are making incremental progress in improving how they manage vendor and third party risks.

• Governing boards are increasing their level of engagement with cybersecurity risks, an important trend because board engagement continues to correlate highly with self-reported third party risk management practice maturity.

• A majority of companies plan to de-risk (via exiting or changing) third party vendor relationships that pose the highest risks.

This is the fourth year that the Shared Assessments Program and Protiviti have partnered on this research, which is based on the comprehensive Vendor Risk Management Maturity Model (VRMMM) developed by the Shared Assessments Program. Shared Assessments is the trusted source in third party risk management and is a collaborative consortium of leading industry professionals from financial institutions, assessment firms, technology and GRC solution providers, insurance companies, brokerages, healthcare organizations, retail firms, academia, and telecommunications companies, dedicated to assisting organizations by helping them to understand, manage and monitor vendor risk effectively and efficiently.

On the surface, the maturity levels this year in the eight different vendor risk management categories contained in the VRMMM either held steady or increased modestly compared to last year's survey results. However, a closer look reveals a more nuanced picture. Five out of eight categories improved in average maturity on a year-over-year basis. Numerous vendor risk activities within two categories, Vendor Risk Identification and Analysis, and Skills and Expertise, posted major improvements. The board's engagement with cybersecurity risks also increased in a meaningful way, although the board's engagement with vendors' cybersecurity risks continues to lag behind board awareness of cybersecurity risks inside the organization.

Many other elements of vendor risk management still require improvement. This is the case partly because the challenges associated with a volatile external risk and regulatory environment may be outpacing the rate of vendor risk management improvements occurring inside organizations.


Massive and costly cyberattacks, including WannaCry, Petya and the Equifax hack, among others, have struck in the past 12 months, forcing organizations, and healthcare providers in particular, to rethink key components of their vendor risk management approaches. New cybersecurity-related regulations, such as the European Union's General Data Protection Regulation (GDPR), China's complex Cybersecurity Law (CSL) and the stringent New York State Department of Financial Services (NYDFS) Cybersecurity Regulation, also have appeared or taken effect in the past year.

Despite the significant strides organizations have made in training and educating employees on vendor risk management, which are evident in this year's survey results, many organizations may not have access to enough vendor risk management expertise.

Our Key Findings

01 Vendor risk management is improving. This year's overall vendor risk management maturity levels show modest improvement, but compared to last year's survey results, several categories improved more significantly, suggesting that more organizations recognize the importance of vendor risk management during a time when the external risk environment is changing quickly.

02 Boards have set their sights on cybersecurity. Board-level engagement with cybersecurity risks improved significantly on a year-over-year basis. However, there continues to be an "engagement gap" in that boards remain more engaged with the organization's internal cybersecurity risks than cybersecurity risks to the organization's vendors. And organizations with less engaged boards report significantly lower levels of third party risk management practice maturity.

03 "De-risking" vendors is on the rise. A majority of organizations expect to exit or change relationships with vendors due to heightened risk levels. Insurance companies, including healthcare payers, appear much more likely to make these de-risking moves in the coming year, with fourth party risk, cost concerns and a lack of internal expertise to evaluate vendor controls cited as the primary reasons.


Vendor Risk Management Maturity Levels, Fully Defined

5 = Continuous improvement: The organization is striving toward operational excellence, understands what are currently best-in-class performance levels and regularly implements program changes to achieve them.

4 = Fully implemented and operational: The vendor risk management activity is fully operational and all compliance measures are in place.

3 = Fully determined and established: The organization has fully defined, approved and established the vendor risk management activity, but it is not yet fully operational. Metrics and enforcement are not yet fully in place.

2 = Determining roadmap to achieve success: There is a management-approved plan to structure the activity as part of an effort to achieve full program implementation, but the vendor risk management activity is performed on an ad hoc basis.

1 = Initial visioning: The organization is considering how to best structure this activity as part of an effort to achieve full implementation. Vendor risk management activity is performed on an ad hoc basis.

0 = Non-existent: The vendor risk management activity is not performed within the organization.

Vendor Risk Management — Overall Maturity by Area

Category                                   2017 Index   2016 Index   2015 Index
Program Governance                            3.0          3.0          2.8
Policies, Standards and Procedures            3.1          3.1          2.9
Contracts                                     3.1          3.1          2.9
Vendor Risk Identification and Analysis       3.1          2.9          2.7
Skills and Expertise                          2.9          2.7          2.3
Communication and Information Sharing         3.0          2.9          2.5
Tools, Measurement and Analysis               2.9          2.8          2.4
Monitoring and Review                         3.1          3.0          2.8


Assessing Results by Respondent Role

To identify notable trends in the data, we also tabulated our 2017, 2016 and 2015 survey results by respondent role. Over the past three years, there is an overall trend showing that the higher the level of respondent in the organization, the lower the assessed score is for a vendor risk component or category. C-level maturity scores, on average, are unchanged from last year's survey.

                                              C-Level           VP/Director Level   Manager Level
Vendor Risk Management Category            2017 2016 2015     2017 2016 2015      2017 2016 2015
Program Governance                          2.8  2.8  2.9      3.0  3.2  2.8       3.1  3.1  3.2
Policies, Standards and Procedures          2.8  2.8  2.8      3.1  3.2  2.8       3.2  3.2  3.0
Contracts                                   2.8  3.0  2.7      3.1  3.3  2.8       3.2  3.2  3.0
Vendor Risk Identification and Analysis     2.8  2.8  2.4      3.1  3.0  2.7       3.2  3.0  2.8
Skills and Expertise                        2.6  2.5  1.9      3.0  2.8  2.1       2.9  2.7  2.5
Communication and Information Sharing       2.7  2.7  2.2      3.0  3.0  2.3       3.1  3.0  2.7
Tools, Measurement and Analysis             2.7  2.7  2.0      2.9  2.9  2.3       3.0  2.9  2.6
Monitoring and Review                       2.9  3.0  2.6      3.1  3.1  2.7       3.2  3.1  2.9
Average                                     2.8  2.8  2.4      3.0  3.1  2.6       3.1  3.0  2.8

Average score by management level

Management level   2017   2016   2015
C-Level             2.8    2.8    2.4
VP/Director         3.0    3.1    2.6
Manager             3.1    3.0    2.8


Assessing Results by Industry

Viewing four-year trends in the results by industry group, there have been notable improvements in third party risk management, most notably in the Insurance and Healthcare Payer segment. (Note: Detailed results for these industry groupings are provided in each vendor risk category section in our report.)

[Chart: 2014 and 2017 – Percentage Change in Vendor Risk Management Maturity by Industry. X-axis: the eight vendor risk management categories (Program Governance; Policies, Standards and Procedures; Contracts; Vendor Risk Identification and Analysis; Skills and Expertise; Communication and Information Sharing; Tools, Measurement and Analysis; Monitoring and Review). Y-axis: percentage change in maturity level, 0% to 60%. Series: Financial Services; Insurance/Healthcare Payer; Healthcare Provider; All other industries. The underlying 2014 and 2017 category averages for each industry group are tabulated below.]

2014 and 2017 Category Averages – Financial Services (maturity level)

Category                                   2014   2017
Program Governance                         3.30   3.34
Policies, Standards and Procedures         3.40   3.50
Contracts                                  3.20   3.34
Vendor Risk Identification and Analysis    3.20   3.33
Skills and Expertise                       2.60   3.07
Communication and Information Sharing      2.90   3.24
Tools, Measurement and Analysis            2.80   3.15
Monitoring and Review                      3.10   3.25

2014 and 2017 Category Averages – Insurance/Healthcare Payer (maturity level)

Category                                   2014   2017
Program Governance                         2.80   3.27
Policies, Standards and Procedures         3.00   3.29
Contracts                                  2.90   3.44
Vendor Risk Identification and Analysis    2.60   3.28
Skills and Expertise                       2.00   3.06
Communication and Information Sharing      2.30   3.12
Tools, Measurement and Analysis            2.00   2.97
Monitoring and Review                      3.10   3.35

2014 and 2017 Category Averages – Healthcare Provider (maturity level)

Category                                   2014   2017
Program Governance                         2.70   2.85
Policies, Standards and Procedures         2.70   2.87
Contracts                                  2.70   3.04
Vendor Risk Identification and Analysis    2.30   2.94
Skills and Expertise                       2.20   2.54
Communication and Information Sharing      2.20   2.76
Tools, Measurement and Analysis            2.20   2.70
Monitoring and Review                      2.50   3.04

2014 and 2017 Category Averages – All Other Industries (maturity level)

Category                                   2014   2017
Program Governance                         2.80   2.83
Policies, Standards and Procedures         2.80   2.91
Contracts                                  2.90   2.96
Vendor Risk Identification and Analysis    2.50   2.91
Skills and Expertise                       2.10   2.75
Communication and Information Sharing      2.40   2.94
Tools, Measurement and Analysis            2.20   2.80
Monitoring and Review                      2.80   3.04

Methodology

The Vendor Risk Management Benchmark Study was conducted online by the Shared Assessments Program and Protiviti in the second and third quarters of 2017, with 539 executives and managers participating in the study. Using governance as the foundational element, the survey was designed to comprehensively review the components of a robust third party risk management program.

Respondents were presented with different components of vendor risk under eight vendor risk management categories:

• Program Governance
• Policies, Standards and Procedures
• Contracts
• Vendor Risk Identification and Analysis
• Skills and Expertise
• Communication and Information Sharing
• Tools, Measurement and Analysis
• Monitoring and Review

For each component, respondents were asked to rate the maturity level as that component applies to their organization, based on the following scale:

5 = Continuous improvement
4 = Fully implemented and operational
3 = Fully determined and established
2 = Determining roadmap to achieve success
1 = Initial visioning
0 = Non-existent

The survey also included a special section on board engagement, cybersecurity, incident response and de-risking.


Board Engagement, Cybersecurity, Incident Response and De-Risking

As we did in 2016, this year's report includes a special section on cybersecurity and incident response capabilities of organizations. We also polled participants about the extent to which, and the reasons why, their organizations may be moving to exit or "de-risk" third party relationships with the highest risk.

Significant levels of de-risking activity are occurring across nearly all industries. A majority of companies said they are likely to de-risk third party relationships over the next year, with insurance and healthcare payer organizations leading the way.

The reasons for ending or changing vendor relationships to reduce risk are eye-opening. They include fourth party risk assessment (which represents the primary reason), costs (associated with assessing vendors), and a lack of internal support and skills required to test vendor controls sufficiently. For C-suite executives and healthcare provider organizations, a lack of internal resources represents the top reason for de-risking. The apparent lack of internal expertise is disconcerting at a time when all industries, especially healthcare providers, face a pressing need to test and monitor the ability of vendors' controls to address risks, especially those pertaining to cybersecurity.

On a positive note, the maturity levels of organizational and third party incident-response processes show year-over-year improvement, as does the board's level of engagement with regard to cybersecurity risks (both internally and among vendors).

Key Observations

• The de-risking results rank among the most compelling findings in this year's survey. A high number of companies are likely to terminate or alter relationships with some vendors over the next year due to heightened risk levels, driven at least in part by fourth party risk issues, cost concerns, and a lack of internal expertise in evaluating vendor controls.

• The board's engagement and understanding with regard to cybersecurity risks increased significantly compared to last year's survey results.

• However, the board's engagement with cybersecurity risks among vendors continues to lag behind the board's engagement with operational cybersecurity risk inside the organization. Less than 30 percent of boards are highly engaged with cybersecurity issues relating to third parties. This gap requires attention.

• Organizations with low levels of third party board engagement show alarmingly low maturity levels in two vendor risk management categories, in particular: Skills and Expertise; and Tools, Measurement and Analysis.

• More companies this year experienced a significant disruption from a recent cybersecurity breach compared to a year ago. Alarmingly, more than half of healthcare providers experienced a significant disruption from a cybersecurity breach in the past 24 months.

• It is encouraging to see that more organizations have an incident response plan in place for addressing events that strike vendors, and that more of these plans are being tested.


How engaged is your board of directors with cybersecurity risks relating to your business and internal operations?

                                                             2017   2016
High engagement and level of understanding by the board       42%    39%
Medium engagement and level of understanding by the board     38%    37%
Low engagement and level of understanding by the board        14%    17%
Not shown: "Don't know" responses

Cybersecurity Risks — Business and Internal Operations: vendor risk maturity by level of board engagement and understanding

Category                                   High   Medium   Low
Program Governance                          3.4     2.8    2.5
Policies, Standards and Procedures          3.4     3.0    2.5
Contracts                                   3.5     3.0    2.5
Vendor Risk Identification and Analysis     3.4     2.9    2.4
Skills and Expertise                        3.2     2.7    2.3
Communication and Information Sharing       3.4     2.9    2.5
Tools, Measurement and Analysis             3.3     2.7    2.4
Monitoring and Review                       3.5     3.0    2.6
Average                                     3.4     2.9    2.5


How engaged is your board of directors with cybersecurity risks relating to your vendors?

                                                             2017   2016
High engagement and level of understanding by the board       29%    26%
Medium engagement and level of understanding by the board     39%    37%
Low engagement and level of understanding by the board        25%    27%
Not shown: "Don't know" responses

Cybersecurity Risks — Vendors: vendor risk maturity by level of board engagement and understanding

Category                                   High   Medium   Low
Program Governance                          3.5     3.0    2.5
Policies, Standards and Procedures          3.6     3.1    2.6
Contracts                                   3.6     3.1    2.6
Vendor Risk Identification and Analysis     3.6     3.1    2.4
Skills and Expertise                        3.5     2.9    2.2
Communication and Information Sharing       3.6     3.1    2.4
Tools, Measurement and Analysis             3.6     2.9    2.2
Monitoring and Review                       3.6     3.1    2.6
Average                                     3.6     3.0    2.5


Has your organization experienced a significant disruption within the past two years resulting from a cyberattack or hacking incident?

              2017   2016
Yes            18%    16%
No             77%    79%
Don't know      5%     5%

How soon after the cyberattack or incident occurred was your organization able to address the issue sufficiently and incorporate additional security measures to prevent a similar incident in the future?

                             2017   2016
Within 1 month                40%    38%
Within 2 to 3 months          26%    21%
Within 3-6 months             23%    24%
Within 6 months to 1 year      5%     6%
More than a year               4%     3%
Don't know                     2%     8%

Key Facts

                                                                                        2017   2014
Percentage of organizations with an incident response plan in place to respond
to events at vendors or third parties                                                    72%    65%
Percentage of these organizations that are testing the incident response plan
with their vendors or third parties                                                      67%    61%


Over the next 12 months, what is the likelihood that your organization will move to exit or “de-risk” third party relationships that are determined to have the highest risk?

Extremely likely 14%

Somewhat likely 39%

Somewhat unlikely 24%

Not at all likely 13%

Don’t know 10%

Which of the following are reasons why your organization may be more inclined to exit or “de-risk” certain third party relationships? (Multiple responses permitted.)

It’s become imperative from a risk and regulatory standpoint to also assess our vendors’ subcontractors. 48%

The cost associated to assess our vendors properly is becoming too high. 29%

We lack the internal support and/or skills for the required sophisticated forensic control testing of our vendors. 24%

We will not receive sufficient internal support to “de-risk” our third party relationships. 18%

We do not have the right technologies in place to assess vendor risk properly. 15%

Key Facts

71% – Percentage of insurance companies, including healthcare payers, that over the next 12 months are likely to de-risk or exit third party relationships that are determined to have the highest risk.

Program Governance

Overall level of maturity: 3.02

Key Observations

• The overall level of maturity for Program Governance held steady from 2016 to 2017. Of note, C-level respondents evaluated the overall level of Program Governance maturity lower this year compared to last year's survey results.

• Few Program Governance components demonstrated significantly different levels of maturity compared to last year's results, with two exceptions: the maturity level for the component of evaluating key risk and performance indicators provided in management and board reporting, which declined, and the component of revising corporate vendor risk policy as needed to achieve strategic objectives, which improved.

• Adequate allocation of resources to vendor risk management activities represents a consistent need evident across a number of different vendor risk components, including Program Governance.

Program Governance — Overall Results

#   Vendor Risk Component                                                              2017   2016   YOY Change
1   We define organizational structures that establish responsibility and
    accountability for overseeing our vendor relationships.                            3.06   3.10   -0.04
2   The organizational structure of our vendor risk management program operates
    independently of our business lines.                                               2.88   2.83    0.05
3   We have established a formal program review schedule.                              3.08   NA      NA
4   We articulate the goals and objectives of our organization.                        3.27   3.31   -0.04
5   We align specific vendor management objectives with our strategic
    organizational objectives.                                                         2.85   2.91   -0.06
6   We define vendor management policies that include risk management, security,
    privacy and other areas that are in alignment with our existing organizational
    policies and objectives.                                                           3.14   3.09    0.05
7   We allocate sufficient resources for vendor risk management activities.            2.78   2.82   -0.04
8   We communicate to our organization the requirements for risk-based vendor
    management.                                                                        3.07   3.07    0.00
9   We determine the business value expected from our outsourced business
    relationships, we understand the acceptable range of business risks our
    organization is willing to assume in pursuing these benefits, and we determine
    that risks are in alignment with our vendor risk policy.                           2.96   2.98   -0.02
10  We define risk monitoring practices and establish an escalation process for
    exception conditions.                                                              3.06   3.12   -0.06
11  We evaluate key risk and performance indicators provided in management and
    board reporting.                                                                   2.95   3.10   -0.15
12  We revise corporate vendor risk policy as needed to achieve strategic objectives.  3.07   2.98    0.09
    Category Averages                                                                  3.02   3.03   -0.02

Commentary

While governance marks a foundational enabler of vendor risk management success, it also is a more complex capability that requires more time, effort and adjustments, many of which center on relationships, to improve. The most elegantly designed governance approach can fall flat once the plan is executed and collides with resistance to change, territorial quarrels and other real-world obstacles. Although the overall level of maturity for Program Governance did not rise compared to last year's findings, it has made strides over the longer term. Further, while the maturity level for evaluating key risk and performance indicators provided in management and board reporting showed a surprising decline this year, it is encouraging that companies have improved the ability to revise corporate vendor risk policy as needed to achieve strategic objectives. This progress notwithstanding, it is crucial to ensure that all areas of vendor risk management, including Program Governance, receive sufficient funding and resources.

Program Governance – Industry Results*

[Charts, 2017 and 2014: maturity level (1.5 to 4.0) for each Program Governance Vendor Risk Component (x-axis order: 1, 4, 5, 6, 7, 8, 9, 10, 11, 12, 2, 3), with series for Financial Services, Insurance/Healthcare Payer, Healthcare Provider and All other industries. The individual data values are not reproduced in this transcript.]

*Please refer to the Overall Results table for the Vendor Risk Components numbered in each x-axis. The order has been adjusted to more easily compare the 2014 and 2017 results, as there have been changes to the VRMMM over that time span. This also is why some components do not have results for 2014.

Program Governance — Focus on the Financial Services Industry

Maturity level by Assets Under Management (columns, left to right): < $1B | $1B to $5B | $5B to $10B | $10B to $25B | $25B to $50B | $50B to $250B | > $250B

We define organizational structures that establish responsibility and accountability for overseeing our vendor relationships.
    2.90   3.68   2.89   3.53   3.33   3.80   3.42

The organizational structure of our vendor risk management program operates independently of our business lines.
    2.85   3.57   2.95   3.67   3.33   3.55   3.46

We have established a formal program review schedule.
    3.10   3.70   3.37   3.80   3.89   3.70   3.27

We articulate the goals and objectives of our organization.
    2.95   3.86   3.26   3.80   4.00   3.60   3.42

We align specific vendor management objectives with our strategic organizational objectives.
    2.75   3.32   2.68   2.87   3.89   3.10   3.31

We define vendor management policies that include risk management, security, privacy and other areas that are in alignment with our existing organizational policies and objectives.
    2.85   4.00   3.05   3.80   4.11   3.30   3.52

We allocate sufficient resources for vendor risk management activities.
    2.80   3.71   2.83   3.00   2.89   3.21   3.19

We communicate to our organization the requirements for risk-based vendor management.
    2.80   3.89   2.95   3.53   3.89   3.70   3.31

We determine the business value expected from our outsourced business relationships, we understand the acceptable range of business risks our organization is willing to assume in pursuing these benefits, and we determine that risks are in alignment with our vendor risk policy.
    2.70   3.71   2.63   3.07   3.22   3.30   2.92

We define risk monitoring practices and establish an escalation process for exception conditions.
    3.00   3.71   2.89   3.47   3.56   3.25   3.19

We evaluate key risk and performance indicators provided in management and board reporting.
    3.05   3.75   2.84   3.33   3.44   3.40   2.92

We revise corporate vendor risk policy as needed to achieve strategic objectives.
    3.25   3.85   3.00   3.33   4.00   3.37   3.42

Category Averages
    2.92   3.73   2.95   3.43   3.63   3.44   3.28

Policies, Standards and Procedures

Overall level of maturity: 3.11

Key Observations

• Although the overall maturity level of Policies, Standards and Procedures changed minimally compared to prior year results, several vendor risk components in this category demonstrated significant improvement; moreover, none of the individual components declined significantly.

• Areas that displayed the greatest increases in maturity include having a defined vendor classification structure; researching and reviewing all applicable regulatory updates and/or industry standards to ensure the overall program is meeting guidelines applicable to the organization; having a defined vendor risk management policy; and having defined vendor risk tier assignments.

Policies, Standards and Procedures — Overall Results

Vendor Risk Component 2017 2016 YOY Change

1 We have defined a vendor risk management policy. 3.17 3.07 0.10

2 We have defined vendor risk tier assignments. 2.98 2.89 0.09

3 We research and review all applicable regulatory updates and/or industry standards to ensure the overall program is meeting guidelines applicable to our organization. 3.18 3.06 0.11

4 We have obtained senior management approval of policy and risk tiers. 3.17 3.14 0.03

5 We have established standards for vendor selection and due diligence. 3.23 3.24 -0.01

6 We have created a vendor selection process. 3.19 3.23 -0.04

7 We have defined a vendor classification structure. 3.14 3.01 0.12

8 We have defined risk categories for each classification in our vendor classification structure. 3.01 2.99 0.03

9 We have identified existing company policies that may affect the contract process. 3.08 3.04 0.04

10 We have identified key stakeholders involved in each contract process. 3.16 3.17 -0.01

11 We have created a process for managing contracts. 3.35 3.32 0.02


12 We have identified key positions involved in the contract management process. 3.25 3.26 -0.01

13 We have established the criteria for vendor exit strategies. 2.86 2.83 0.03

14 We have established a process for vendor exit strategies. 2.81 NA NA

Category Averages 3.11 3.10 0.02

Commentary

Peer inside a leading vendor risk management capability and you will discover board-approved Policies, Standards and Procedures that are applied consistently throughout the enterprise and that address the complete vendor lifecycle, from pre-selection due diligence, to ongoing management according to the contractual terms, to the renewal of the contract or the relationship’s termination. The most effective Policies, Standards and Procedures undergo regular reviews and adjustments in response to changing risks and regulations.

Despite the minimal year-over-year change in overall maturity level, only four of the 14 vendor risk components in this category declined, and each of those declines was small (0.04 or less). The vendor risk components showing the largest increases in maturity levels suggest that vendor risk management professionals are attuned to the current risk and regulatory environment. For example, having a defined vendor risk management policy, one that features a defined classification structure and vendor risk tier assignments, is a critical enabler of a fully implemented and operational vendor risk management capability. Additionally, the ability to monitor and review regulatory updates and industry standards as a means of ensuring the overall program is meeting all relevant guidelines has become especially important as numerous regulatory changes — and new compliance requirements — are introduced.


Policies, Standards and Procedures — Industry Results*

[Chart: Maturity Level (1.5 to 4.0) by Vendor Risk Component, two panels (2017 and 2014); series: Financial Services, Insurance/Healthcare Payer, Healthcare Provider, All other industries. X-axis component order: 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13&14, 3.]

*Please refer to the Overall Results table for the Vendor Risk Components numbered in each x-axis. The order has been adjusted to more easily compare the 2014 and 2017 results, as there have been changes to the VRMMM over that time span. This also is why some components are combined and some do not have results for 2014.


Policies, Standards and Procedures — Focus on the Financial Services Industry

Assets Under Management: < $1B | $1B to $5B | $5B to $10B | $10B to $25B | $25B to $50B | $50B to $250B | > $250B

We have defined a vendor risk management policy. 3.45 3.81 3.11 3.87 3.89 3.90 3.72

We have defined vendor risk tier assignments. 3.25 3.85 3.32 3.67 4.22 3.65 3.46

We research and review all applicable regulatory updates and/or industry standards to ensure the overall program is meeting guidelines applicable to our organization. 3.45 4.00 3.37 3.80 4.22 3.60 3.44

We have obtained senior management approval of policy and risk tiers. 3.60 4.19 3.37 3.73 4.33 3.60 3.42

We have established standards for vendor selection and due diligence. 3.45 4.11 3.05 3.87 4.11 3.95 3.42

We have created a vendor selection process. 3.15 3.96 3.29 3.07 3.67 3.45 3.38

We have defined a vendor classification structure. 3.20 3.89 3.22 3.40 4.22 3.60 3.54

We have defined risk categories for each classification in our vendor classification structure. 3.20 4.07 3.16 3.80 3.78 3.55 3.36

We have identified existing company policies that may affect the contract process. 2.95 4.04 2.89 3.13 3.44 3.70 3.15

We have identified key stakeholders involved in each contract process. 3.00 3.93 2.89 3.53 3.67 3.80 3.23


We have created a process for managing contracts. 3.60 4.12 3.32 3.60 3.78 3.70 3.27

We have identified key positions involved in the contract management process. 3.55 4.07 3.21 3.47 3.78 3.60 3.12

We have established the criteria for vendor exit strategies. 2.80 3.63 2.84 2.87 3.44 3.15 2.85

We have established a process for vendor exit strategies. 2.45 3.52 2.68 3.13 3.56 3.25 2.96

Category Averages 3.22 3.94 3.12 3.50 3.87 3.61 3.31


Contracts

Overall level of maturity: 3.12

Key Observations

• The Contracts vendor risk management category again has the overall highest level of maturity in the survey (tied with Monitoring and Review).

• However, the Contracts category’s overall maturity level remained essentially the same as it was in last year’s survey findings — as was the case with two other vendor risk management categories (Program Governance; and Policies, Standards and Procedures).

• Two individual components in this category showed notable declines in maturity levels: having regulatory-required standards for mandatory contract language/provisions; and having a defined organizational structure for vendor contract drafting, negotiation and approval.

• One component — having a process to ensure inclusion of contract provisions consistent with each vendor risk classification/rating — posted a significant improvement in maturity level.

• Insurance and healthcare payers have the best performance in this area, continuing the strong improvement first seen in last year’s study.

Contracts — Overall Results

Vendor Risk Component 2017 2016 YOY Change

1 We have defined an organizational structure for vendor contract drafting, negotiation and approval. 3.15 3.26 -0.10

2 We have established procedures for contract exception review and approval. 3.21 3.30 -0.09

3 We have established standards for mandatory contract language/provisions. 3.25 NA NA

4 We have corporate requirements for mandatory contract language/provisions. 3.25 3.29 -0.04

5 We have a process to ensure inclusion of contract provisions terminating a vendor relationship. 3.17 3.15 0.02

6 We have a process to define the terms, if any, under which vendor outsourcing is permissible. 3.02 3.00 0.02

7 We have regulatory-required standards for mandatory contract language/provisions. 3.15 3.26 -0.11

8 We have IT/security-required standards for mandatory contract language/provisions. 3.22 3.24 -0.02


9 We have a procedure to review existing contracts for compliance with current contract standards. 3.16 3.16 0.00

10 We have a remediation process to correct contract deficiencies. 3.00 2.92 0.08

11 We have a process to ensure inclusion of appropriate performance-based contract provisions (SLAs, KPIs, KRIs, etc.). 2.99 2.92 0.08

12 We have a process to ensure inclusion of contract provisions consistent with each vendor risk classification/rating. 3.00 2.86 0.14

13 We have established criteria for the contract review cycle consistent with each vendor risk classification/rating. 2.94 2.96 -0.02

Category Averages 3.12 3.11 0.00

Commentary

Unlike more complex categories of vendor risk management, such as Program Governance, Contracts represents a category in which improvements ought to be fairly straightforward to achieve. Contracts should be written clearly, align with internal standards and reflect the relative risk the specific vendor poses to the organization.

Contracts also require regular reviews. Third party risk management program administrators should collaborate closely with their legal and risk colleagues to ensure the contracts — including those that deviate from standard templates — align with the company’s current risk appetite. As cybersecurity concerns drive companies, and regulators, to intensify their focus on fourth party risk, it has become increasingly important for contracts to specify the terms under which vendors (third parties) can outsource work to their subcontractors (fourth parties). This year’s respondents indicate that companies have achieved incremental progress when it comes to having a process to define the terms, if any, under which vendor outsourcing is permissible. This is a positive trend which should stimulate additional progress in overall vendor risk management.


Contracts – Industry Results*

[Chart: Maturity Level (1.5 to 4.0) by Vendor Risk Component, two panels (2017 and 2014); series: Financial Services, Insurance/Healthcare Payer, Healthcare Provider, All other industries. X-axis component order: 1, 2, 3&4, 7, 8, 9, 10, 11, 12, 13, 5, 6.]

*Please refer to the Overall Results table for the Vendor Risk Components numbered in each x-axis. The order has been adjusted to more easily compare the 2014 and 2017 results, as there have been changes to the VRMMM over that time span. This also is why some components are combined and some do not have results for 2014.


Contracts — Focus on the Financial Services Industry

Assets Under Management: < $1B | $1B to $5B | $5B to $10B | $10B to $25B | $25B to $50B | $50B to $250B | > $250B

We have defined an organizational structure for vendor contract drafting, negotiation and approval. 2.78 3.58 3.05 3.33 3.44 3.89 3.54

We have established procedures for contract exception review and approval. 2.89 3.65 2.84 3.71 3.11 3.79 3.27

We have established standards for mandatory contract language/provisions. 2.89 3.96 3.05 3.53 3.89 4.00 3.35

We have corporate requirements for mandatory contract language/provisions. 2.56 3.81 3.05 3.47 3.89 3.95 3.44

We have a process to ensure inclusion of contract provisions terminating a vendor relationship. 2.72 3.77 2.79 3.47 3.89 3.74 3.42

We have a process to define the terms, if any, under which vendor outsourcing is permissible. 2.44 3.35 2.42 3.13 3.56 3.74 3.31

We have regulatory-required standards for mandatory contract language/provisions. 3.00 3.96 2.95 3.20 3.56 3.89 3.35

We have IT/security-required standards for mandatory contract language/provisions. 3.06 3.69 3.26 3.33 3.44 3.89 3.54

We have a procedure to review existing contracts for compliance with current contract standards. 2.94 3.72 2.74 3.20 3.22 3.79 3.46


We have a remediation process to correct contract deficiencies. 2.56 3.65 2.61 2.80 3.22 3.68 3.27

We have a process to ensure inclusion of appropriate performance-based contract provisions (SLAs, KPIs, KRIs, etc.). 2.38 3.62 2.61 3.13 3.33 3.42 3.00

We have a process to ensure inclusion of contract provisions consistent with each vendor risk classification/rating. 2.72 3.62 3.21 3.40 3.67 3.32 3.08

We have established criteria for the contract review cycle consistent with each vendor risk classification/rating. 2.83 3.73 2.84 3.13 3.33 3.45 2.92

Category Averages 2.75 3.70 2.88 3.30 3.50 3.74 3.30


Vendor Risk Identification and Analysis

Overall level of maturity: 3.06

Key Observations

• Vendor Risk Identification and Analysis is one of two categories (along with Skills and Expertise) that demonstrated the greatest gains in maturity level in this year’s survey.

• Three components of this category also displayed some of the largest year-over-year improvements in the entire survey: supporting information gathering in vendor reviews, executing a formal vendor assessment process, and formally documenting assessment roles and responsibilities. Clearly, companies are succeeding in their efforts to improve how they identify and analyze vendor risk.

• Relatively few individual risk components in this category score below a maturity level of 3.0. The vendor risk component with the lowest maturity level in this category — having a process in place to determine if a vendor utilizes subcontractors whenever a vendor contract does not include vendor outsourcing requirements — represents a clear call to action, given the critical need to understand and monitor fourth party (the vendor’s vendors) risks.

Vendor Risk Identification and Analysis — Overall Results

Vendor Risk Component 2017 2016 YOY Change

1 We have reviewed the defined business requirements for outsourcing. 2.94 2.78 0.16

2 We conduct a risk assessment for outsourcing the business function. 3.01 2.87 0.14

3 We consistently follow our process to collect and update vendor information. 3.20 3.12 0.07

4 We maintain a database of current vendor information. 3.34 3.26 0.08

5 We execute vendor risk tiering processes. 3.05 2.92 0.13

6 We determine vendor assessments to be performed based on risk, tiering and resources available. 3.05 2.90 0.16

7 We support information gathering in vendor reviews. 3.20 2.87 0.33

8 We review vendor requirements with our Business, IT, Legal and Purchasing colleagues. 3.27 3.18 0.09

9 We execute scheduling and coordinate assessment activities with vendors. 3.12 3.01 0.12


10 We execute a formal vendor assessment process. 3.31 3.02 0.29

11 We formally document assessment roles and responsibilities. 3.20 2.94 0.26

12 We have a formal process for conducting onsite assessments. 2.90 2.72 0.18

13 We assess compliance with vendor contracts. 3.13 3.06 0.07

14 We assess compliance with business continuity contract terms. 3.02 2.96 0.06

15 We assess compliance with outsourcing requirement contract terms. 2.99 2.80 0.19

16 We have a process in place to determine if a vendor utilizes subcontractors whenever a vendor contract does not include vendor outsourcing requirements. 2.85 2.80 0.05

17 We identify findings and formulate recommendations. 3.14 2.95 0.19

18 We develop vendor assessment reports. 3.03 2.89 0.14

19 We establish a vendor remediation plan or termination/exit strategy (as appropriate), validating this plan with our management and the vendor. 2.93 2.78 0.14

20 We establish/revise tiering of our vendors. 2.97 2.83 0.14

21 We perform remediation plan follow-up discussions with the vendor. 2.99 2.93 0.06

22 We have established a process to manage the situation where known vendor issues are not remediated. 3.00 NA NA

23 We consolidate the results of vendor assessments. 3.03 2.82 0.21

24 We calculate and distribute vendor assessment metrics. 2.89 2.79 0.10

25 We discuss results of vendor assessments and metrics with management. 3.03 2.94 0.09

Category Averages 3.06 2.92 0.14


Commentary

If Vendor Risk Identification and Analysis is the engine of a vendor risk management program, it is firing away with greater efficiency and power. Not only did this category post one of the two greatest improvements in overall maturity level (along with Skills and Expertise), but every vendor risk component within the category that was scored last year improved. This is particularly good news given that Vendor Risk Identification and Analysis activities can be resource-intensive and subject to performance declines if funding is inadequate. While resource concerns crop up in other areas, as noted throughout our report, companies appear to be applying sufficient resources to strengthen Vendor Risk Identification and Analysis processes.

Looking ahead, it would be prudent for vendor risk management leaders to focus on one increasingly important vendor risk management component — having a process in place to determine if a vendor utilizes subcontractors whenever a vendor contract does not include vendor outsourcing requirements. This area is comparatively less mature than all other individual vendor risk components in this category.


Vendor Risk Identification and Analysis – Industry Results*

[Chart: Maturity Level (1.5 to 4.0) by Vendor Risk Component, two panels (2017 and 2014); series: Financial Services, Insurance/Healthcare Payer, Healthcare Provider, All other industries. X-axis component order: 1, 3, 2, 5, 4, 8, 6, 13, 9, 17, 19, 21, 24, 7, 11, 14, 22, 18, 20, 23, 25, 10, 12, 16, 15.]

*Please refer to the Overall Results table for the Vendor Risk Components numbered in each x-axis. The order has been adjusted to more easily compare the 2014 and 2017 results, as there have been changes to the VRMMM over that time span. This also is why some components do not have results for 2014.


Vendor Risk Identification and Analysis — Focus on the Financial Services Industry

Assets Under Management: < $1B | $1B to $5B | $5B to $10B | $10B to $25B | $25B to $50B | $50B to $250B | > $250B

We have reviewed the defined business requirements for outsourcing. 2.72 3.28 2.84 2.43 3.00 3.00 3.27

We conduct a risk assessment for outsourcing the business function. 3.06 3.56 2.94 2.86 3.44 3.35 3.35

We consistently follow our process to collect and update vendor information. 3.00 3.88 3.17 3.79 4.11 3.65 3.48

We maintain a database of current vendor information. 3.22 3.80 3.42 3.50 4.00 3.55 3.23

We execute vendor risk tiering processes. 3.33 3.84 3.53 3.71 3.89 3.60 3.50

We determine vendor assessments to be performed based on risk, tiering and resources available. 3.06 4.08 3.26 3.57 4.00 3.55 3.54

We support information gathering in vendor reviews. 3.11 3.96 3.53 3.71 4.00 3.70 3.42

We review vendor requirements with our Business, IT, Legal and Purchasing colleagues. 3.00 4.00 3.21 3.64 3.56 3.75 3.62

We execute scheduling and coordinate assessment activities with vendors. 2.89 3.76 3.37 3.21 3.56 3.65 3.35

We execute a formal vendor assessment process. 3.06 4.12 3.47 4.07 3.67 3.80 3.35

We formally document assessment roles and responsibilities. 2.78 3.88 3.44 3.79 3.78 3.75 3.42

We have a formal process for conducting onsite assessments. 2.06 3.20 3.11 3.00 2.67 3.35 3.42

We assess compliance with vendor contracts. 2.78 3.68 3.21 3.00 3.11 3.55 3.54


We assess compliance with business continuity contract terms. 3.00 3.52 2.71 3.43 3.11 3.35 3.50

We assess compliance with outsourcing requirement contract terms. 2.56 3.40 2.68 3.21 3.00 3.25 3.31

We have a process in place to determine if a vendor utilizes subcontractors whenever a vendor contract does not include vendor outsourcing requirements. 2.56 3.48 2.74 3.14 3.33 3.15 3.12

We identify findings and formulate recommendations. 3.11 3.64 3.16 3.57 3.56 3.60 3.54

We develop vendor assessment reports. 2.94 3.84 3.16 3.43 2.89 3.60 3.38

We establish a vendor remediation plan or termination/exit strategy (as appropriate), validating this plan with our management and the vendor. 2.56 3.60 2.63 3.14 3.11 3.40 3.00

We establish/revise tiering of our vendors. 2.72 3.64 3.11 3.57 3.22 3.35 3.35

We perform remediation plan follow-up discussions with the vendor. 2.56 3.80 2.32 3.07 3.22 3.40 3.31

We have established a process to manage the situation where known vendor issues are not remediated. 2.72 3.68 2.42 3.00 3.78 3.25 3.27

We consolidate the results of vendor assessments. 2.83 3.64 2.89 3.57 3.67 3.35 3.46

We calculate and distribute vendor assessment metrics. 2.56 3.48 2.79 3.14 3.22 3.35 3.44

We discuss results of vendor assessments and metrics with management. 2.72 3.48 2.89 3.29 3.33 3.50 3.58

Category Averages 2.84 3.69 3.04 3.35 3.45 3.47 3.39


Skills and Expertise

Overall level of maturity: 2.86

Key Observations

• Although the Skills and Expertise category continues to have the lowest level of vendor risk management maturity in our benchmarking study, it has recently shown good improvement. In the past two years, the overall maturity level of this category has increased more than any other category.

• Four components of the Skills and Expertise category showed some of the largest year-over-year improvements in the entire survey: annually measuring employee understanding of vendor risk management accountabilities and reporting results to management; providing training for assigned vendor risk management resources to maintain appropriate certifications; routinely measuring or benchmarking the organization’s vendor risk management budget with management reporting to demonstrate return on investment (ROI); and implementing metrics and reporting for compliance to required training and awareness of vendor risk policies. Companies are succeeding in their efforts to build the skills and expertise their vendor risk management programs require.

• Four new Skills and Expertise vendor risk components were evaluated this year: establishing a process for vendor risk management; defining accountability for vendor risk within the organization chart and identifying support staff for vendor risk management; having sufficient funding for vendor management training and awareness; and allocating a specific vendor risk management budget for industry memberships and training/education.

Skills and Expertise — Overall Results

Vendor Risk Component 2017 2016 YOY Change

1 We have established a process for vendor risk management. 3.17 NA NA

2 We have assigned vendor risk management accountability to an individual in our organization. 3.16 3.03 0.13

3 We have defined accountability for vendor risk within the organization chart and identified support staff for vendor risk management. 3.08 NA NA

4 Roles and responsibilities (e.g., risk, sourcing, procurement, contracts) are defined clearly within our job descriptions. 3.14 3.07 0.07

5 We provide training for assigned vendor risk management resources to maintain appropriate certifications. 2.98 2.67 0.31

6 We have sufficient staff to manage vendor risk management activities effectively. 2.80 2.79 0.00

7 We have structures in place to define and measure the staffing levels required to meet vendor risk program objectives. 2.73 2.63 0.10


8 We have sufficient qualified staff to meet all vendor risk management objectives. 2.80 2.68 0.12

9 We have formalized governance programs so that staffing levels can be reduced due to optimization. 2.71 2.46 0.25

10 We have defined and communicated vendor risk management policies to our key stakeholders. 3.04 2.90 0.13

11 We periodically communicate our vendor risk management policies and procedures to all personnel. 2.92 2.68 0.25

12 At least annually, we provide training on vendor risk management policies and procedures to appropriate employee groups based on role. 2.85 2.67 0.18

13 We have defined training and education for our vendor risk personnel to enable them to define, execute and manage our program. 2.90 2.68 0.22

14 On an annual basis, we measure employee understanding of vendor risk management accountabilities and report results to management. 2.65 2.35 0.31

15 We have implemented metrics and reporting for compliance to required training and awareness of our vendor risk policies. 2.78 2.50 0.28

16 We have sufficient funding for vendor management training and awareness. 2.72 NA NA

17 We have allocated budget for vendor risk management functions, including basic travel, subscriptions, training and small projects. 2.74 2.65 0.09

18 We have allocated a specific vendor risk management budget for industry memberships and training/education. 2.68 NA NA

19 We routinely measure or benchmark our vendor risk management budget with management reporting to demonstrate ROI. 2.63 2.32 0.31

20 We have integrated vendor risk management functions and tools sufficiently into our business lines so that overall costs and budget for dedicated risk management budgets are reduced. 2.67 2.45 0.23

Category Averages 2.86 2.66 0.19


Commentary

The level of assessed Skills and Expertise maturity continues its upward trajectory. This is positive news considering that Skills and Expertise vendor risk components consistently have been among the lowest-rated since the survey’s inception. All of the individual vendor risk components within the category that appeared in last year’s survey have increased in maturity levels — many of them sizeable increases. Furthermore, four of the survey’s largest maturity level improvements occurred in the Skills and Expertise category.

Yet more improvement is warranted: Skills and Expertise remains one of the two least mature categories of vendor risk management. Three vendor risk components in the category — routinely measuring or benchmarking the organization’s vendor risk management budget with management reporting to demonstrate ROI, annually measuring employee understanding of vendor risk management accountabilities and reporting results to management, and integrating vendor risk management functions and tools sufficiently into business lines so that overall costs and budget for dedicated risk management budgets are reduced — received the lowest maturity level scores in the entire survey. The good news, again, is that these three areas are improving markedly. This year’s results indicate that companies are making significant strides in training and developing the talent they currently have at a time when competition for skilled third party risk management resources remains intense.


Skills and Expertise – Industry Results*

[Chart: Maturity Level (1.5 to 4.0) by Vendor Risk Component, two panels (2017 and 2014); series: Financial Services, Insurance/Healthcare Payer, Healthcare Provider, All other industries. X-axis component order: 2, 5, 4, 7, 6, 10, 8, 12, 11, 13, 15, 17, 20, 3, 19, 14, 18, 1, 16, 9.]

*Please refer to the Overall Results table for the Vendor Risk Components numbered in each x-axis. The order has been adjusted to more easily compare the 2014 and 2017 results, as there have been changes to the VRMMM over that time span. This also is why some components do not have results for 2014.


Skills and Expertise — Focus on the Financial Services Industry

Maturity level by assets under management:

Vendor Risk Component | < $1B | $1B to $5B | $5B to $10B | $10B to $25B | $25B to $50B | $50B to $250B | > $250B
We have established a process for vendor risk management. | 2.88 | 3.67 | 3.21 | 4.00 | 3.78 | 3.75 | 3.58
We have assigned vendor risk management accountability to an individual in our organization. | 3.12 | 3.88 | 3.11 | 3.57 | 3.89 | 3.70 | 3.62
We have defined accountability for vendor risk within the organization chart and identified support staff for vendor risk management. | 3.18 | 3.71 | 2.84 | 3.64 | 3.78 | 3.55 | 3.38
Roles and responsibilities (e.g., risk, sourcing, procurement, contracts) are defined clearly within our job descriptions. | 2.82 | 3.63 | 3.26 | 3.14 | 3.44 | 3.65 | 3.50
We provide training for assigned vendor risk management resources to maintain appropriate certifications. | 2.65 | 3.63 | 2.63 | 3.31 | 3.33 | 3.35 | 3.38
We have sufficient staff to manage vendor risk management activities effectively. | 2.59 | 3.71 | 2.53 | 2.86 | 2.67 | 3.20 | 3.00
We have structures in place to define and measure the staffing levels required to meet vendor risk program objectives. | 2.53 | 3.46 | 2.53 | 2.86 | 2.78 | 2.65 | 3.27
We have sufficient qualified staff to meet all vendor risk management objectives. | 2.65 | 3.71 | 2.58 | 2.71 | 2.78 | 2.85 | 3.12
We have formalized governance programs so that staffing levels can be reduced due to optimization. | 2.59 | 3.33 | 2.32 | 3.07 | 2.33 | 2.65 | 3.19
We have defined and communicated vendor risk management policies to our key stakeholders. | 3.18 | 3.96 | 2.84 | 3.50 | 3.67 | 3.65 | 3.58
We periodically communicate our vendor risk management policies and procedures to all personnel. | 2.76 | 3.42 | 2.89 | 3.29 | 3.44 | 3.40 | 3.42
At least annually, we provide training on vendor risk management policies and procedures to appropriate employee groups based on role. | 2.59 | 3.58 | 2.68 | 3.14 | 2.78 | 3.15 | 3.42
We have defined training and education for our vendor risk personnel to enable them to define, execute and manage our program. | 2.65 | 3.67 | 2.47 | 3.21 | 3.44 | 3.50 | 3.46
On an annual basis, we measure employee understanding of vendor risk management accountabilities and report results to management. | 1.94 | 3.42 | 2.39 | 2.93 | 2.00 | 2.50 | 3.19
We have implemented metrics and reporting for compliance to required training and awareness of our vendor risk policies. | 2.24 | 3.29 | 2.63 | 2.93 | 2.00 | 2.70 | 3.46
We have sufficient funding for vendor management training and awareness. | 2.53 | 3.46 | 2.37 | 2.71 | 2.22 | 2.70 | 3.15
We have allocated budget for vendor risk management functions, including basic travel, subscriptions, training and small projects. | 2.24 | 3.63 | 2.21 | 3.00 | 2.22 | 3.20 | 2.88
We have allocated a specific vendor risk management budget for industry memberships and training/education. | 2.41 | 3.33 | 2.79 | 2.43 | 2.33 | 3.00 | 3.23
We routinely measure or benchmark our vendor risk management budget with management reporting to demonstrate ROI. | 2.12 | 2.96 | 2.21 | 2.43 | 2.33 | 2.45 | 3.19
We have integrated vendor risk management functions and tools sufficiently into our business lines so that overall costs and budget for dedicated risk management budgets are reduced. | 2.12 | 3.50 | 2.11 | 2.79 | 2.33 | 2.85 | 3.04
Category Averages | 2.59 | 3.55 | 2.63 | 3.08 | 2.88 | 3.12 | 3.30


Communication and Information Sharing

Overall level of maturity: 3.03

Key Observations

• The overall maturity level of the Communication and Information Sharing category has increased markedly during the past two years.

• Having a process in place to periodically communicate results of vendor assessments is among the handful of vendor risk components in the survey that showed the largest year-over-year improvements.

• There are two new Communication and Information Sharing components in this year’s study: having policies in place to define roles and responsibilities over workflow tasks (which scored a maturity level of 3.10), and having a process in place to periodically communicate results of vendor assessments (3.04).

Communication and Information Sharing — Overall Results

# | Vendor Risk Component | 2017 | 2016 | YOY Change
1 | We have a formal process in place for adoption of the program by executive management and adoption of the program as a standard practice (sourcing, procurement, contracts). | 3.00 | 2.83 | 0.17
2 | We have a process in place to communicate policies and standards. | 3.20 | 3.15 | 0.05
3 | We have in place an ongoing education program for vendor management policies, procedures and updates. | 2.90 | 2.59 | 0.31
4 | We have clearly defined roles and responsibilities in the areas that manage sourcing, procurement, contracts. | 3.15 | 3.11 | 0.04
5 | We have a process in place to periodically assess vendor value (for example, service delivery, vendor security, control environment, operations, etc.). | 2.95 | 2.77 | 0.18
6 | We have a process in place to evaluate internal compliance with vendor management onboarding, periodic assessment and off-boarding. | 2.94 | 2.79 | 0.15
7 | We have a process in place to manage vendor inventory. | 2.93 | 2.86 | 0.06
8 | We have a process in place to report status of vendor assessments. | 3.02 | 2.83 | 0.19
9 | We have a process in place to evaluate compliance with vendor management processes and procedures. | 3.00 | 2.83 | 0.16
10 | We have a process in place to periodically evaluate vendor service delivery. | 2.99 | 2.89 | 0.10
11 | We have a process in place to track and communicate incidents. | 3.17 | 3.11 | 0.06
12 | We have a process in place to escalate and communicate incidents and issues. | 3.18 | 3.13 | 0.04
13 | We have policies in place to define roles and responsibilities over workflow tasks. | 3.10 | NA | NA
14 | We have a process in place to periodically communicate results of vendor assessments. | 3.04 | NA | NA
15 | We have a process in place to provide board and executive management response to vendor assessment results. | 2.90 | 2.87 | 0.03
| Category Averages | 3.03 | 2.91 | 0.12

Commentary

The Communication and Information Sharing aspect of vendor risk management has improved dramatically since 2015. Although the overall maturity level for this category exceeds 3.0 for the first time since the survey began, there were several individual risk components that continued to receive maturity level scores below this level. This need for further information-sharing improvements is evident in the small but consistent differences between how C-level executives score maturity levels across all categories (lower) compared with maturity level scores in the same categories from staff below the C-suite (higher).

While communications concerning third party risk management are always important, effective information sharing throughout the company and with the board becomes even more essential when the external risk environment is particularly volatile. As companies continue to refine their improvements of vendor risk components in this category, they should consider focusing on activities with lower maturity levels, such as ongoing education programs for vendor management policies, procedures and updates; and processes for providing board and executive management response to vendor assessment results.


Communication and Information Sharing — Industry Results*

[Chart: two bar charts, 2017 and 2014, of Maturity Level (scale 1.5 to 4.0) by Vendor Risk Component (components 1, 3, 5, 6, 7, 8, 9, 10, 11, 12, 15, 2, 4, 13, 14 in that order) for Financial Services, Insurance/Healthcare Payer, Healthcare Provider and All other industries. Bar values are not reproduced in the text.]

*Please refer to the Overall Results table for the Vendor Risk Components numbered in each x-axis. The order has been adjusted to more easily compare the 2014 and 2017 results, as there have been changes to the VRMMM over that time span. This also is why some components do not have results for 2014.


Communication and Information Sharing — Focus on the Financial Services Industry

Maturity level by assets under management:

Vendor Risk Component | < $1B | $1B to $5B | $5B to $10B | $10B to $25B | $25B to $50B | $50B to $250B | > $250B
We have a formal process in place for adoption of the program by executive management and adoption of the program as a standard practice (sourcing, procurement, contracts). | 2.50 | 3.71 | 2.63 | 3.71 | 3.44 | 3.58 | 3.15
We have a process in place to communicate policies and standards. | 3.31 | 4.00 | 2.89 | 3.64 | 3.56 | 3.58 | 3.62
We have in place an ongoing education program for vendor management policies, procedures and updates. | 2.25 | 3.71 | 2.63 | 3.29 | 3.11 | 3.26 | 3.42
We have clearly defined roles and responsibilities in the areas that manage sourcing, procurement, contracts. | 2.56 | 3.71 | 3.00 | 3.29 | 3.22 | 3.79 | 3.23
We have a process in place to periodically assess vendor value (for example, service delivery, vendor security, control environment, operations, etc.). | 2.31 | 3.46 | 2.47 | 3.07 | 3.22 | 3.37 | 3.23
We have a process in place to evaluate internal compliance with vendor management onboarding, periodic assessment and off-boarding. | 2.25 | 3.78 | 2.53 | 3.57 | 2.89 | 3.37 | 3.50
We have a process in place to manage vendor inventory. | 2.44 | 3.71 | 2.68 | 3.57 | 3.33 | 3.32 | 3.12
We have a process in place to report status of vendor assessments. | 2.75 | 3.96 | 2.68 | 3.71 | 3.56 | 3.68 | 3.15
We have a process in place to evaluate compliance with vendor management processes and procedures. | 2.25 | 3.75 | 2.58 | 3.64 | 3.56 | 3.53 | 3.19
We have a process in place to periodically evaluate vendor service delivery. | 2.20 | 3.63 | 2.42 | 2.93 | 3.33 | 3.42 | 2.96
We have a process in place to track and communicate incidents. | 2.69 | 3.79 | 2.95 | 3.50 | 3.56 | 3.47 | 3.15
We have a process in place to escalate and communicate incidents and issues. | 2.50 | 3.83 | 2.84 | 3.21 | 3.67 | 3.37 | 3.15
We have policies in place to define roles and responsibilities over workflow tasks. | 2.44 | 4.00 | 2.74 | 3.64 | 3.56 | 3.63 | 3.19
We have a process in place to periodically communicate results of vendor assessments. | 2.56 | 3.96 | 3.16 | 3.36 | 3.56 | 3.42 | 3.15
We have a process in place to provide board and executive management response to vendor assessment results. | 2.44 | 3.58 | 3.11 | 3.07 | 3.56 | 3.42 | 3.19
Category Averages | 2.50 | 3.77 | 2.75 | 3.41 | 3.41 | 3.48 | 3.23


Tools, Measurement and Analysis

Overall level of maturity: 2.91

Key Observations

• Scores in this category improved modestly compared to last year’s survey results.

• The two vendor risk components in this area that displayed the largest improvements — monitoring variances between scheduled reviews and actual reviews performed, and reporting risk scoring results to relevant stakeholders — are essential to measurement and analysis as well as to the overall vendor risk management program.

• Two vendor risk management components in this category showed minor declines in maturity levels: establishing relevant financial measures and benchmarks, and determining the financial viability of key vendors.

Tools, Measurement and Analysis — Overall Results

# | Vendor Risk Component | 2017 | 2016 | YOY Change
1 | We establish vendor review schedules for all vendor assessments (onsite, remote, etc.). | 2.89 | 2.82 | 0.07
2 | We assign resources to accomplish reviews as scheduled. | 2.95 | 2.87 | 0.08
3 | We capture and report on vendor review costs, budget to actual, etc. | 2.79 | 2.69 | 0.10
4 | We monitor variances between scheduled reviews and actual reviews performed. | 2.84 | 2.59 | 0.25
5 | We provide periodic reporting on review monitoring. | 2.91 | 2.76 | 0.15
6 | We process information obtained during the vendor selection or review process into a risk scoring tool. | 2.85 | NA | NA
7 | We process information according to an established risk scoring methodology. | 2.91 | NA | NA
8 | We report risk scoring results to relevant stakeholders. | 2.93 | 2.71 | 0.22
9 | We engage finance and procurement partners. | 3.03 | 3.03 | 0.00
10 | We establish relevant financial measures and benchmarks. | 2.88 | 2.91 | -0.03
11 | We determine the financial viability of key vendors. | 3.04 | 3.10 | -0.06
12 | We report financial results from our vendors to relevant stakeholders. | 2.86 | 2.83 | 0.03
| Category Averages | 2.91 | 2.83 | 0.08


Commentary

As is the case in several other categories, the overall maturity level for Tools, Measurement and Analysis has increased significantly during the past three years. Although the most recent increase was less dramatic compared to last year’s survey results, two crucial vendor risk management components showed substantial improvement. Companies made significant strides in monitoring variances between scheduled reviews and actual reviews performed, and in reporting risk scoring results to relevant stakeholders.


Tools, Measurement and Analysis — Industry Results*

[Chart: two bar charts, 2017 and 2014, of Maturity Level (scale 1.5 to 4.0) by Vendor Risk Component (components 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 7 in that order) for Financial Services, Insurance/Healthcare Payer, Healthcare Provider and All other industries. Bar values are not reproduced in the text.]

*Please refer to the Overall Results table for the Vendor Risk Components numbered in each x-axis. The order has been adjusted to more easily compare the 2014 and 2017 results, as there have been changes to the VRMMM over that time span. This also is why some components do not have results for 2014.


Tools, Measurement and Analysis — Focus on the Financial Services Industry

Maturity level by assets under management:

Vendor Risk Component | < $1B | $1B to $5B | $5B to $10B | $10B to $25B | $25B to $50B | $50B to $250B | > $250B
We establish vendor review schedules for all vendor assessments (onsite, remote, etc.). | 2.47 | 3.46 | 2.89 | 3.64 | 3.78 | 3.63 | 3.31
We assign resources to accomplish reviews as scheduled. | 2.35 | 3.50 | 2.68 | 3.64 | 3.78 | 3.74 | 3.50
We capture and report on vendor review costs, budget to actual, etc. | 2.24 | 3.50 | 2.11 | 2.21 | 2.00 | 2.89 | 3.04
We monitor variances between scheduled reviews and actual reviews performed. | 2.24 | 3.38 | 2.53 | 2.93 | 2.67 | 3.53 | 3.27
We provide periodic reporting on review monitoring. | 2.53 | 3.58 | 2.68 | 3.29 | 3.33 | 3.26 | 3.38
We process information obtained during the vendor selection or review process into a risk scoring tool. | 2.82 | 3.67 | 2.05 | 3.50 | 3.33 | 3.32 | 3.27
We process information according to an established risk scoring methodology. | 2.76 | 3.71 | 2.83 | 3.21 | 3.33 | 3.32 | 3.35
We report risk scoring results to relevant stakeholders. | 2.65 | 3.63 | 3.00 | 3.64 | 3.67 | 3.32 | 3.38
We engage finance and procurement partners. | 2.59 | 3.63 | 2.79 | 3.50 | 3.33 | 3.79 | 3.38
We establish relevant financial measures and benchmarks. | 2.35 | 3.46 | 2.42 | 2.86 | 3.22 | 3.16 | 2.96
We determine the financial viability of key vendors. | 2.71 | 3.67 | 3.11 | 3.71 | 3.78 | 3.42 | 3.12
We report financial results from our vendors to relevant stakeholders. | 2.59 | 3.50 | 2.50 | 3.07 | 3.89 | 3.32 | 3.27
Category Averages | 2.52 | 3.56 | 2.63 | 3.27 | 3.34 | 3.39 | 3.27


Monitoring and Review

Overall level of maturity: 3.12

Key Observations

• Monitoring and Review activities continued the steady improvement they have made in previous years.

• Notable improvements were made regarding business continuity management and responding to, escalating and informing key stakeholders of relevant data security, breaches or other similar incidents. These are crucial Monitoring and Review activities during a period of heightened cybersecurity risk.

• Having a process in place to periodically require SLA reporting showed one of the largest increases in maturity level of any of the vendor risk components in the entire survey. In addition to strengthening vendor risk management capabilities, companies are striving to optimize the returns they generate from their vendor investments.

• Another Monitoring and Review improvement — having a process in place to monitor industry and market trends that may negatively impact vendors — represents a foundational element of a real-time monitoring capability.

Monitoring and Review — Overall Results

# | Vendor Risk Component | 2017 | 2016 | YOY Change
1 | We have standard contract terms in place. | 3.45 | 3.46 | -0.01
2 | We have a process in place to facilitate approval of final contract terms by our Legal department and an appropriate level of management. | 3.39 | 3.46 | -0.06
3 | We have a process in place to modify contracts and approve modifications by our Legal department and an appropriate level of management. | 3.44 | 3.41 | 0.03
4 | We have policies and procedures in place over the process to store, retain and make available contract terms. | 3.38 | 3.33 | 0.05
5 | We have a process in place to address expired or canceled contracts. | 3.29 | 3.18 | 0.11
6 | We have a process in place to periodically require SLA reporting. | 3.02 | 2.74 | 0.29
7 | We have a process in place to track and analyze customer complaints. | 3.19 | 3.09 | 0.09
8 | We have a process in place to periodically conduct customer satisfaction surveys. | 3.06 | 2.94 | 0.13
9 | We have a process in place to respond to, escalate and inform key stakeholders of relevant data security, breaches or other similar incidents. | 3.25 | 3.11 | 0.14
10 | We have a process in place to monitor industry and market trends that may negatively impact our vendors. | 2.97 | 2.83 | 0.14
11 | We have a process in place to respond to and inform our key stakeholders of regulatory requirements and trends. | 3.12 | 2.99 | 0.13
12 | We have a process in place to regularly assess providers’ financial conditions. | 3.02 | 2.93 | 0.09
13 | We have a process in place to review applicable audit reports periodically. | 3.13 | 3.12 | 0.00
14 | We have a process in place to test our vendors’ business continuity and disaster recovery measures periodically, and review the test results. | 2.93 | 2.74 | 0.18
15 | We have a process in place to determine if additional control validation is necessary. | 2.93 | 2.81 | 0.12
16 | We have a process in place to periodically conduct vendor onsite visits and testing. | 2.90 | 2.83 | 0.07
17 | We obtain independent assurance or third party testing of key vendors. | 2.89 | 2.82 | 0.07
18 | We have a process in place to determine if an onsite assessment is necessary. | 2.84 | 2.82 | 0.01
| Category Averages | 3.12 | 3.03 | 0.09


Commentary

Monitoring and Review capabilities have taken on newfound importance as cybersecurity breaches increasingly strike more organizations. Companies appear to be responding to this shift by improving relevant facets of their Monitoring and Review activities. Two of these activities — communicating with key stakeholders, including vendors, regarding data security and breaches; and testing vendors’ business continuity management and disaster recovery measures — showed significant improvements compared to last year’s survey results.

Monitoring and Review activities also extend beyond risk management into relationship management and optimization. Having a process in place to periodically require SLA reporting shows one of the largest increases in maturity levels of any component in the entire survey this year. This shows that companies are working to maximize the returns on their investments in third party services. One other Monitoring and Review result relates to an emerging capability that we expect more organizations to implement. Companies improved the process they have in place to monitor industry and market trends that may negatively impact vendors. This capability is frequently a facet of real-time monitoring, and this growth in maturity indicates that more organizations are becoming aware that impacts to vendor risk do not occur at predefined intervals but instead may materialize at any time.


Monitoring and Review — Industry Results*

[Chart: two bar charts, 2017 and 2014, of Maturity Level (scale 1.5 to 4.0) by Vendor Risk Component for Financial Services, Insurance/Healthcare Payer, Healthcare Provider and All other industries. Bar values are not reproduced in the text.]

*Please refer to the Overall Results table for the Vendor Risk Components numbered in each x-axis. The order has been adjusted to more easily compare the 2014 and 2017 results, as there have been changes to the VRMMM over that time span. This also is why some components do not have results for 2014.


Monitoring and Review — Focus on the Financial Services Industry

Maturity level by assets under management:

Vendor Risk Component | < $1B | $1B to $5B | $5B to $10B | $10B to $25B | $25B to $50B | $50B to $250B | > $250B
We have standard contract terms in place. | 2.59 | 3.67 | 3.43 | 3.00 | 3.44 | 3.84 | 3.88
We have a process in place to facilitate approval of final contract terms by our Legal department and an appropriate level of management. | 2.82 | 4.00 | 3.50 | 3.11 | 3.22 | 3.95 | 3.88
We have a process in place to modify contracts and approve modifications by our Legal department and an appropriate level of management. | 2.82 | 4.04 | 3.50 | 3.21 | 3.67 | 3.84 | 3.92
We have policies and procedures in place over the process to store, retain and make available contract terms. | 2.82 | 4.08 | 3.64 | 3.00 | 3.78 | 3.84 | 3.81
We have a process in place to address expired or canceled contracts. | 2.65 | 3.92 | 3.43 | 2.74 | 3.67 | 3.79 | 3.35
We have a process in place to periodically require SLA reporting. | 2.18 | 3.67 | 3.29 | 2.21 | 2.78 | 3.26 | 3.35
We have a process in place to track and analyze customer complaints. | 3.19 | 3.92 | 3.57 | 2.37 | 3.44 | 3.26 | 3.15
We have a process in place to periodically conduct customer satisfaction surveys. | 2.65 | 3.67 | 2.57 | 2.53 | 2.33 | 3.00 | 3.31
We have a process in place to respond to, escalate and inform key stakeholders of relevant data security, breaches or other similar incidents. | 3.19 | 3.96 | 3.21 | 2.79 | 3.78 | 3.74 | 3.31
We have a process in place to monitor industry and market trends that may negatively impact our vendors. | 2.35 | 3.58 | 2.93 | 2.47 | 2.78 | 3.32 | 3.19
We have a process in place to respond to and inform our key stakeholders of regulatory requirements and trends. | 2.76 | 4.08 | 3.57 | 2.68 | 3.33 | 3.53 | 3.27
We have a process in place to regularly assess providers’ financial conditions. | 2.88 | 3.96 | 3.64 | 2.44 | 3.89 | 3.26 | 3.62
We have a process in place to review applicable audit reports periodically. | 3.06 | 3.79 | 3.71 | 2.95 | 3.56 | 3.56 | 3.50
We have a process in place to test our vendors’ business continuity and disaster recovery measures periodically, and review the test results. | 2.18 | 3.33 | 3.29 | 2.37 | 3.33 | 3.37 | 3.40
We have a process in place to determine if additional control validation is necessary. | 2.63 | 3.58 | 3.36 | 2.16 | 3.11 | 3.47 | 3.12
We have a process in place to periodically conduct vendor onsite visits and testing. | 2.12 | 3.42 | 3.21 | 2.11 | 2.67 | 3.21 | 3.40
We obtain independent assurance or third party testing of key vendors. | 2.47 | 3.71 | 3.00 | 2.74 | 3.22 | 3.16 | 3.12
We have a process in place to determine if an onsite assessment is necessary. | 2.24 | 3.42 | 3.07 | 2.16 | 2.89 | 3.21 | 3.04
Category Averages | 2.64 | 3.77 | 3.33 | 2.61 | 3.27 | 3.48 | 3.42


Demographics

Position

Chief Financial Officer 7%

Chief Risk Officer 3%

Chief Technology Officer 2%

Chief Information Officer 4%

Chief Information Security Officer 3%

Chief Security Officer 1%

Chief Audit Executive 3%

IT VP/Director 15%

Internal Audit VP/Director 1%

IT Audit VP/Director 1%

Finance Director 5%

IT Manager 19%

Finance Manager 8%

Internal Audit Manager 2%

IT Audit Manager 1%

Operational Risk Management 8%

Procurement/Purchasing/Supply Chain 7%

Other 10%


Industry

Financial Services – Banking 20%

Technology (Software/High-Tech/Electronics) 12%

Manufacturing (other than Technology) 8%

Insurance 6%

Professional Services 6%

Financial Services – Asset Management 5%

Healthcare Provider 5%

Government 4%

Retail 4%

Financial Services – Other 3%

Consumer Packaged Goods 2%

Higher Education 2%

Financial Services – Broker-Dealer 2%

Pharmaceuticals and Life Sciences 2%

Transportation and Logistics 2%

Media and Communications 1%

Not-for-Profit 1%

Agriculture, Forestry, Fishing 1%

Automotive 1%

Construction 1%

Healthcare Payer 1%


Hospitality, Leisure and Travel 1%

Power and Utilities 1%

Biotechnology, Life Sciences and Pharmaceuticals 1%

Oil and Gas 1%

Wholesale/Distribution 1%

Chemicals 1%

Distribution 1%

Other 4%

Size of Organization (outside of Financial Services) – by gross annual revenue in U.S. dollars

Greater than $20 billion 19%

$10 billion to $19.99 billion 9%

$5 billion to $9.99 billion 10%

$1 billion to $4.99 billion 28%

$500 million to $999.99 million 10%

$100 million to $499.99 million 8%

Less than $100 million 16%


Financial Services Industry – Size of Organization (by assets under management)

Greater than $250 billion 17%

$50 billion to $250 billion 16%

$25 billion to $50 billion 6%

$10 billion to $25 billion 11%

$5 billion to $10 billion 16%

$1 billion to $5 billion 18%

Less than $1 billion 16%

Type of Organization

Public 51%

Private 37%

Not-for-Profit 6%

Government 5%

Other 1%


ABOUT SHARED ASSESSMENTS

The Shared Assessments Program is the trusted source in third party risk management, with resources to effectively manage the critical components of the third party risk management lifecycle that are: creating efficiencies and lowering costs for all participants; kept current with regulations, industry standards and guidelines and the current threat environment; and adopted globally across a broad range of industries both by service providers and their customers. Shared Assessments membership and use of the Shared Assessments Program Tools: The Agreed Upon Procedures (AUP); Standardized Information Gathering (SIG) questionnaire and Vendor Risk Management Maturity Model (VRMMM), offers companies and their service providers a standardized, more efficient and less costly means of conducting rigorous assessments for cybersecurity, IT, privacy, data security, and business resiliency controls. The Shared Assessments Program is managed by The Santa Fe Group (www.santa-fe-group.com), a strategic advisory company providing unparalleled expertise to leading financial institutions, healthcare payers and providers, law firms, educational institutions, retailers, utilities and other critical infrastructure organizations. The core of The Santa Fe Group’s belief system is that, despite how complicated the world of commerce might be, business can — and should — be a good citizen. Corporations should be built on a foundation to provide greater good to society. We help organizations determine core values, make meaningful connections, facilitate collaboration and affect change. For more information on Shared Assessments, please visit www.sharedassessments.org.

ABOUT PROTIVITI

Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 70 offices in over 20 countries.

We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.


© 2017 The Santa Fe Group, Shared Assessments Program. All rights reserved. © 2017 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. PRO-1117-101103

www.sharedassessments.org www.protiviti.com