Survey shows third-party vendor-risk management programs are not where they should be.
At a time when managing the risk of third-party vendors should be improving, companies seem to be falling behind. That's one takeaway from the results of the latest vendor-risk management survey by the Shared Assessment Program, a collaborative vendor-risk management organization, and risk consultancy Protiviti. The survey measures how corporate executives rate the overall maturity of their vendor-risk programs, and that level has dipped this year vs. last year.
Although the level has sagged, the surveyors suggest that, rather than a lack of progress, the survey results could actually indicate greater awareness of corporate shortcomings and executives' natural anxiety about the progress so far.
“We’re not living in a static security environment—the goal posts keep getting pushed back,” said Gary Roboff, senior advisor at the Shared Assessment Program, which has set standards in vendor risk assessment since 2005. “Senior officers know what’s happening across the enterprise and also about the threat environment, so it’s not surprising they’re a bit harder on themselves.”
By attaching scores to 11 vendor-risk categories, the survey found vendor-risk management stagnating. In judging the overall results of their companies' risk governance programs, the more than 460 respondents to the survey arrived at an average score of 2.8 (on a 5-point scale), down slightly from 2.9 the year before. One category, articulating the goals and objectives of the organization, fell by 0.2, the largest drop. Other categories, such as allocating sufficient resources for vendor-risk management activities and revising corporate vendor-risk policy as needed to achieve strategic objectives, either remained the same or rose or fell by 0.1.
The study notes its results can be viewed from a glass-half-empty perspective or the reverse. However, since managing risk has become a top priority in the wake of possible third-party-vendor-caused breaches at major retailers and banks over the last year, the study suggests the glass-half-full interpretation is probably more accurate.
On the bright (or glass-half-full) side, the study found that financial institutions, particularly banks, were well ahead of other companies in terms of the maturity and strength of their vendor-risk management programs. This is largely because the regulators of these highly regulated institutions have aggressively addressed the issue of cyber risk. In fact, financial institutions, with the exception of insurers, generally scored well above the other industry groups across the categories broken out in the study, which included program governance; policies, standards, procedures; contracts; vendor risk identification and analysis; skills and expertise; and communication and information sharing. In most cases, the insurance industry ranked last, with healthcare and other companies falling in between.
“Even if your company is not in the banking business, you should be looking at guidance from financial regulators anyway, because it’s best practice and it describes the security hygiene your company should be looking to achieve,” Mr. Roboff said.
Mr. Roboff added that the Office of the Comptroller of the Currency (OCC) has recently encouraged banks to push for higher levels of security, and the Federal Financial Institutions Examination Council (FFIEC) recently issued a cybersecurity self-assessment tool.
Rocco Grillo, a managing director at Protiviti, noted that of the 11 categories, program governance scored an average of 2.8, a result that should be of particular note for treasury and other corporate executives concerned about whether their companies have the right controls in place to confront cyber risks. He said that, given the heightened regulatory scrutiny, highly regulated companies such as banks might be expected to score higher. The two lowest categories were skills and expertise, and tools, measurement and analysis, scoring 2.3 and 2.4 respectively, either staying the same as the year before or dropping slightly.
Mr. Roboff said those categories, at least at first glance, should not be "mechanically" difficult to improve. Their lack of improvement thus appears to point to another theme that emerges from the study's more than 100 detailed questions.
“There aren’t enough resources devoted to it,” Mr. Roboff said. “This notion of a lack of resources comes up time and time again.”