The results of Protiviti’s 2015 “Vendor Risk Management Benchmark Study,” conducted in partnership with the Shared Assessments Program, can be viewed as cause for optimism—or concern, depending on one’s view of the world.

From a “glass is half empty” perspective, it appears that third-party risk management programs may be stagnating. This year’s survey respondents rated their overall maturity in most of our vendor risk management categories to be virtually identical to levels reported in our 2014 results for the same areas.

For those who favor the “glass is half full” point of view, these flat ratings may reflect a better-informed set of respondents, who have gained a greater understanding of vendor risk over the past year. This could be due to a number of high-profile data breaches involving vendors as well as the release of new regulatory guidance over the past two years, including the NIST Cybersecurity Framework. In other words, while organizations are striving to make improvements, they also are assessing the maturity and capabilities of their vendor risk management programs more accurately than before. The prevailing mindset for this view is that organizations have a better understanding of the nature of vendor risks and of what is required to avoid and mitigate these threats and, thus, are rating their vendor risk management capabilities accordingly.

Furthermore, there is greater momentum for building stronger vendor risk management programs, as these issues are increasingly becoming a part of the agenda for boards of directors, especially as it relates to loss or exposure of sensitive data through cyberattacks and other compromises. Boards are seeking assurances from management that vendor risk is being assessed, managed and monitored appropriately.

Regardless of one’s perspective, the 2015 survey findings are crystal clear on a crucial point: There is still a lot of vendor risk management work to be done.


The increasing frequency and disconcerting magnitude of cyberattacks (one of the most troubling vendor risks) over the past 12 months, along with a spate of recent and forthcoming regulatory actions, require vendor risk management programs to take a significant leap forward. This change, as a number of regulatory bodies insist, involves fundamental alterations to strategies, processes, organizational cultures and individual mindsets. Iterative improvements—something many organizations may view to be adequate steps—may no longer be sufficient. On this count, our most notable findings are instructive because they point to the types and magnitude of changes that are needed:
  • Vendor risk management programs require more substantive advances: The overall maturity rating for program governance in this year’s survey (2.8 on a five-point scale) should serve as a warning sign of the need for deeper changes that reach into organizational culture and behavior. This mandate is evident in recent regulatory pronouncements. Regulatory agencies in the financial services industry, most notably the US Office of the Comptroller of the Currency, have asserted that “average” risk management will no longer suffice. Instead, financial institutions must enact the mind shifts, organizational culture work and behavioral changes needed to satisfy the “Getting to Strong” regulatory mantra.

  • Cybersecurity threats are a prominent challenge: Cybersecurity threats are clearly on the minds of risk managers, information technology (IT) functions and regulators. High-profile data breaches, often involving millions of customer records and personally identifiable information, are being reported with greater frequency. The Federal Financial Institutions Examination Council recently issued a cybersecurity self-assessment tool. Strengthening cybersecurity is a top priority among chief information officers within companies of all sizes and also is judged by board members and C-suite executives to be among the top risks organizations are facing this year. A critical element to fortifying cybersecurity defenses is addressing third-party risk with regard to data and other IT and business processes that vendors are managing.

  • Vendor risk management programs within financial services organizations are more mature compared to companies in insurance, healthcare and other industries: The financial services industry, which was the first to establish a Coordinating Council for Critical Infrastructure Protection and Homeland Security in response to the Presidential Decision Directive, remains ahead of other industries with regard to its vendor risk management programs. The insurance and healthcare industries—each of which operates under its own high-powered regulatory microscope—continue to lag behind financial services organizations in fortifying their vendor risk management capabilities.

There is one final noteworthy insight that also affects how third-party risk is viewed and managed. The number and intensity of vendor risks—and cybersecurity threats, in particular—are increasing. From 2009 to 2014, the number of cybersecurity incidents increased at an average annual rate of 66% (according to PwC research). In other words, whether you perceive the glass to be half-empty or half-full, the glass itself is growing at an accelerating rate.

Even the more optimistic assessments of the current state of vendor risk management indicate that significant improvements may be needed. The time for progress and improvements in vendor risk management capabilities is now, particularly when considering that cyberattacks and other security incidents are very likely to continue increasing.

Rocco Grillo is a managing director with Protiviti and leader of the firm’s incident response and forensics practice. Gary Roboff is a senior advisor to the Santa Fe Group and Shared Assessments Program. For more information, visit www.sharedassessments.org and www.protiviti.com.