2015 Vendor Risk Management Benchmark Study. The Shared Assessments Program and Protiviti Examine the Maturity of Vendor Risk Management



INTRODUCTION/EXECUTIVE SUMMARY

"Many organizations are not prepared to manage their own incidents and cyberattacks, let alone plan for third-party incidents and attacks. The same due diligence that organizations apply to their own incident response plans must be applied in this critical area of managing sensitive data outsourced to third parties, including demonstrating how they are protecting the data, maintaining a mature incident response plan, testing the plan, and providing strong contractual service level agreements to report compromises back to the organization."
Rocco Grillo, Managing Director, Protiviti

The results of this year's Vendor Risk Management Benchmark Study can be viewed as cause for optimism or concern, depending on one's view of the world. This marks the second year that the Shared Assessments Program and Protiviti have partnered on this research, which is based on the comprehensive Vendor Risk Management Maturity Model (VRMMM) developed by the Shared Assessments Program, a collaborative consortium of financial institutions, Big Four accounting firms, and third-party risk management leaders in insurance, brokerage, healthcare, retail and telecommunications dedicated to assisting organizations understand, manage and monitor vendor risk effectively and efficiently.

From a glass-is-half-empty perspective, it appears that third-party risk management programs may be stagnating. This year's survey respondents rated their overall maturity in most of our vendor risk management categories to be virtually identical to levels reported in our 2014 results for the same areas (see table on page 3, "Vendor Risk Management Overall Maturity by Area"). For those who favor the glass-is-half-full point of view, these changes may reflect increased knowledge among survey respondents who have gained a greater understanding of vendor risk over the past year. This could be due to a number of high-profile data breaches involving vendors, as well as the release of new regulatory guidance over the past two years, including the NIST Cybersecurity Framework. In addition, while organizations are striving to make improvements, they also are more accurately assessing the maturity and capabilities of their vendor risk management programs. The prevailing mindset for this view is that organizations have a better understanding of the nature of vendor risks and what is required to avoid and mitigate these threats, and thus are rating their vendor risk management capabilities accordingly.

Furthermore, there is greater momentum for building stronger vendor risk management programs, as these issues are increasingly becoming a part of the agenda for boards of directors, especially as it relates to loss or exposure of sensitive data through cyberattacks and other compromises. Boards are seeking assurances from management that vendor risk is being assessed, managed and monitored appropriately. A recent article from Fortune.com referenced a survey that revealed boards are holding CEOs and the C-suite accountable for data breaches.[1] As noted in the article, "Boardrooms are increasingly assigning fault to chief executive officers, according to a survey of 200 corporate directors conducted by the New York Stock Exchange in partnership with the Burlington, Mass.-based security company Veracode... In terms of accountability, the directors point their fingers like so: First at the CEO, then at the chief information officer, next at the full C-suite, and fourthly at the chief information security officer, whose job is to keep a company's data and technology protected."[2]

Regardless of one's perspective, the 2015 survey findings are crystal clear on a crucial point: There is still a lot of vendor risk management work to be done. The increasing frequency and disconcerting magnitude of cyberattacks (one of the most troubling vendor risks) over the past 12 months, along with a spate of recent and forthcoming regulatory actions, require vendor risk management programs to take a significant leap forward. This change, as a number of regulatory bodies insist, involves fundamental alterations to strategies, processes, organizational cultures and individual mindsets. Iterative improvements, something many organizations may view as adequate steps, may no longer be sufficient. On this count, our most notable findings are instructive because they point to the types and magnitude of changes that are needed.

Vendor risk management programs require more substantive advances

The overall maturity rating for program governance in this year's survey (2.8 on a 5-point scale) should serve as a warning sign of the need for deeper changes that reach into organizational culture and behavior. This mandate is evident in recent regulatory pronouncements. Regulatory agencies in the financial services industry, most notably the U.S. Office of the Comptroller of the Currency, have asserted that average risk management no longer suffices; instead, financial institutions must enact the mind shifts, organizational culture work and behavioral changes needed to satisfy the "Getting to Strong" regulatory mantra.[3]

Cybersecurity threats are a prominent challenge

Cybersecurity threats are clearly on the minds of risk managers, IT functions and regulators. High-profile data breaches, often involving millions of customer records and personally identifiable information, are being reported with greater frequency. The Federal Financial Institutions Examination Council recently issued a cybersecurity self-assessment tool.[4] Strengthening cybersecurity is a top priority among CIOs within companies of all sizes,[5] and also is judged by board members and C-suite executives to be among the top risks organizations are facing this year.[6] A critical element to fortifying cybersecurity defenses is addressing third-party risk with regard to data and other IT and business processes that vendors are managing.

Vendor risk management programs within financial services organizations are more mature compared to companies in insurance, healthcare and other industries

The financial services industry (FSI), which was the first to establish a Coordinating Council for Critical Infrastructure Protection and Homeland Security in response to Presidential Decision Directive 63, remains ahead of other industries with regard to their vendor risk management programs.[7] The insurance and healthcare industries, each of which operates under its own high-powered regulatory microscope, continue to lag behind financial services organizations in fortifying their vendor risk management capabilities.

[1] "Here's who boardrooms are blaming for data breaches," Fortune Magazine, May 29, 2015, boardroom-data-breach-blame/.
[2] Ibid.
[3] "Getting to Strong: What Banking Organizations Need to Know," Protiviti, 2013: Industries/Getting-to-Strong-What-Banking-Organizations-Need-to-Know-Protiviti.pdf.
[4] OCC Bulletin, "FFIEC Cybersecurity Assessment Tool," June 30, 2015, bulletin html.
[5] "Today's Enterprise Cyberthreats Lurk Amid Major Transformation: Assessing the Results of Protiviti's 2015 IT Priorities Survey."
[6] "Executive Perspectives on Top Risks for 2015," North Carolina State University's ERM Initiative and Protiviti, TopRisks.

Vendor Risk Management Overall Maturity by Area

[Table: columns are Category, 2015 Index, 2014 Index and YOY Change; the index values are not present in this transcription. Rows:]
- Program Governance
- Policies, Standards, Procedures
- Contracts
- Vendor Risk Identification and Analysis
- Skills and Expertise
- Communication and Information Sharing
- Tools, Measurement and Analysis
- Monitoring and Review

Assessing Results by Respondent Role

We also tabulated the 2015 and 2014 survey results by respondent role to identify notable trends in the data. Interestingly, there is a consistent trend in both years showing that, in general, the higher the level of respondent in the organization, the lower the assessed score is for a vendor risk component or category. It is likely that C-suite executives have a greater understanding of their vendor risk management and remediation processes across their enterprise, as well as a clearer view of how the external third-party risk and regulatory environments are changing. Thus, this group not only may have the best view of the current state of vendor risk management, but likely also sets a higher bar for vendor risk management maturity. C-suite executives rated their firm's maturity slightly higher this year, albeit from a lower base.

[Table: score by category for C-Level, VP/Director Level and Manager Level respondents; the score values are not present in this transcription. Rows:]
- Program Governance
- Policies, Standards, Procedures
- Contracts
- Vendor Risk Identification and Analysis
- Skills and Expertise
- Communication and Information Sharing
- Tools, Measurement and Analysis
- Monitoring and Review
- Average

[Table: Average Score by Management Level (C-Level, VP/Director, Manager); values not present in this transcription.]

There is one final noteworthy insight that also affects how third-party risk is viewed and managed. The number and intensity of vendor risks, and cybersecurity threats in particular, are increasing. From 2009 to 2014, the number of cybersecurity incidents increased at an average annual rate of 66 percent.[8] In other words, whether you perceive the glass to be half-empty or half-full, the glass is growing at an accelerated rate. Even the more optimistic assessments of the current state of vendor risk management indicate that significant improvements may be needed. The time for progress and improvements in vendor risk management capabilities is now, particularly when considering that cyberattacks and other security incidents are very likely to continue increasing.

"Cyberattacks reinforce the urgency to implement stronger third-party risk management programs. The findings of this study indicate organizations that outsource critical services have varying levels of maturity cross-industry and vendors are not in alignment with data safeguards and security policies and procedures. Even those verticals with more mature programs, such as financial services, need to improve vendor risk management programs through standardization of assessment methodologies and peer collaboration."
Catherine Allen, Chairman and CEO, The Santa Fe Group

[8] A PwC Research figure cited in the Verizon 2015 PCI Compliance Report:

METHODOLOGY

The Vendor Risk Management Benchmark Study was conducted online by the Shared Assessments Program and Protiviti in the fourth quarter of 2014 and first quarter of 2015. More than 460 executives and managers (n=468) participated in the study. Using governance as the foundational element, the survey is designed to review the components of a comprehensive vendor risk management program. Respondents were presented with different components of vendor risk under eight categories related to vendor risk management:
- Program Governance
- Policies, Standards, Procedures
- Contracts
- Vendor Risk Identification and Analysis
- Skills and Expertise
- Communication and Information Sharing
- Tools, Measurement and Analysis
- Monitoring and Review

For each component, respondents were asked to rate its maturity level as it applies to their organization, based on the following scale:
- 5 = Continuous improvement: benchmarking, moving to best practices
- 4 = Fully implemented and operational
- 3 = Fully defined and established
- 2 = Determine roadmap to achieve goals
- 1 = Initial visioning
- 0 = Do not perform

PROGRAM GOVERNANCE

OVERALL LEVEL OF MATURITY: 2.8

Key Observations

Overall, the results are generally consistent with our prior year's findings, with organizations indicating they have a higher level of maturity in articulating vendor management goals and objectives, and ensuring vendor management projects are aligned with those goals in terms of risk management, security, privacy and company policies, among other areas. The alignment of specific vendor management objectives with strategic organizational objectives and the allocation of sufficient resources for vendor risk management activities mark the two lowest-rated areas of Program Governance. There is a somewhat lower level of maturity with regard to vendor risk management programs operating independently of other business lines (a new Program Governance component added to this year's survey). For every component, financial services organizations show a higher level of maturity relative to other industries; those in the $10 billion to $20 billion asset range have the highest level of maturity in their vendor risk management programs.

Program Governance Overall Results

[Table: columns are Vendor Risk Component, 2015, 2014 and YOY Change; the score values are not present in this transcription. Rows:]
- We articulate the goals and objectives of our organization
- We define organizational structures that establish responsibility and accountability for overseeing our vendor relationships
- We define vendor management policies that include risk management, security, privacy and other areas that are in alignment with our existing organizational policies and objectives
- We revise corporate vendor risk policy as needed to achieve strategic objectives
- We determine the business value expected from our outsourced business relationships, we understand the acceptable range of business risks our organization is willing to assume in pursuing these benefits, and we determine that risks are in alignment with our vendor risk policy
- We evaluate key risk and performance indicators provided in management and board reporting
- We define risk monitoring practices and establish an escalation process for exception conditions
- We communicate to our organization the requirements for risk-based vendor management
- The organizational structure of our vendor risk management program operates independently of our business lines
- We align specific vendor management objectives with our strategic organizational objectives (NA, NA)
- We allocate sufficient resources for vendor risk management activities
- Category Average

Commentary

Governance is one of the most important foundational elements of vendor risk management programs. Effective governance requires the right processes as well as the right mindset and behaviors. Regulatory agencies whose purview covers third-party risk have clearly expressed their desire for compliance and risk management programs that exhibit a genuine need to move beyond a checklist mentality. Program governance is a key enabler of meeting this objective. While all these drivers exist, a recent survey of 40 banks by the New York Department of Financial Services found that nearly one in three do not require third-party vendors to alert them about information security breaches or other cybersecurity intrusions.[9]

"Third-party risk is not created equally. Define criteria to classify your service providers by risk or criticality, and focus oversight efforts. Make sure you define and drive your third-party program, leveraging tools to support your objectives versus letting a tool drive your third-party risk strategy."
Linnea Solem, Chief Privacy Officer and Vice President-Risk/Compliance, Deluxe Corporation

[9] "Banks face new cyber security rules for vendors," USA Today, April 9, 2015.

Program Governance Industry Results

[Chart: results by industry (Financial Services, Insurance, Healthcare, All Others) for components a through k; the values are not present in this transcription. Key:]
a. We define organizational structures that establish responsibility and accountability for overseeing our vendor relationships
b. The organizational structure of our vendor risk management program operates independently of our business lines
c. We articulate the goals and objectives of our organization
d. We align specific vendor management objectives with our strategic organizational objectives
e. We define vendor management policies that include risk management, security, privacy and other areas that are in alignment with our existing organizational policies and objectives
f. We allocate sufficient resources for vendor risk management activities
g. We communicate to our organization the requirements for risk-based vendor management
h. We determine the business value expected from our outsourced business relationships, we understand the acceptable range of business risks our organization is willing to assume in pursuing these benefits, and we determine that risks are in alignment with our vendor risk policy
i. We define risk monitoring practices and establish an escalation process for exception conditions
j. We evaluate key risk and performance indicators provided in management and board reporting
k. We revise corporate vendor risk policy as needed to achieve strategic objectives

Program Governance: Focus on the Financial Services Industry

[Table: columns are Vendor Risk Component and asset-size bands $500M to $1B, $1B to $5B, $5B to $10B, $10B to $20B and More than $20B; the score values are not present in this transcription. Rows:]
- We define organizational structures that establish responsibility and accountability for overseeing our vendor relationships
- The organizational structure of our vendor risk management program operates independently of our business lines
- We articulate the goals and objectives of our organization
- We align specific vendor management objectives with our strategic organizational objectives
- We define vendor management policies that include risk management, security, privacy and other areas that are in alignment with our existing organizational policies and objectives
- We allocate sufficient resources for vendor risk management activities
- We communicate to our organization the requirements for risk-based vendor management
- We determine the business value expected from our outsourced business relationships, we understand the acceptable range of business risks our organization is willing to assume in pursuing these benefits, and we determine that risks are in alignment with our vendor risk policy
- We define risk monitoring practices and establish an escalation process for exception conditions
- We evaluate key risk and performance indicators provided in management and board reporting
- We revise corporate vendor risk policy as needed to achieve strategic objectives

POLICIES, STANDARDS, PROCEDURES

OVERALL LEVEL OF MATURITY: 2.9

Key Observations

The results suggest that, compared to most other categories in the study, organizations have a higher level of vendor risk management program maturity with their policies, standards and procedures. This is positive news, given that policies, standards and procedures represent another key foundational element of effective vendor risk management programs. While financial services organizations stand out as having higher levels of maturity in this category, healthcare and insurance organizations are aligned with most other companies, despite the more stringent regulatory requirements in these two industries.

Policies, Standards, Procedures Overall Results

[Table: columns are Vendor Risk Component, 2015, 2014 and YOY Change; apart from one surviving entry, the score values are not present in this transcription. Rows:]
- We have established standards for vendor selection and due diligence
- We have identified key positions involved in the contract management process
- We have created a vendor selection process
- We have identified key stakeholders involved in each contract process
- We have created a process for managing contracts
- We have defined a vendor risk management policy
- We research and review all applicable regulatory updates and/or industry standards to ensure the overall program is meeting guidelines applicable to our organization (3.0, NA, NA)
- We have obtained senior management approval of policy and risk tiers
- We have defined a vendor classification structure
- We have identified existing company policies that may affect the contract process
- We have defined vendor risk tier assignments
- We have defined risk categories for each classification in our vendor classification structure
- We have established criteria and a process for vendor exit strategies
- Category Average

Commentary

Program governance is executed through policies, standards and procedures, which are key building blocks of vendor risk management programs. Policies and standards for vendor risk classifications and categories should apply equally to vendor selection and ongoing vendor management. These standards allow a company to manage vendor risk uniformly across the enterprise.

Policies, Standards, Procedures Industry Results

[Chart: results by industry (Financial Services, Healthcare, Insurance, All Others) for components a through m; the values are not present in this transcription. Key:]
a. We have defined a vendor risk management policy
b. We have defined vendor risk tier assignments
c. We research and review all applicable regulatory updates and/or industry standards to ensure the overall program is meeting guidelines applicable to our organization
d. We have obtained senior management approval of policy and risk tiers
e. We have established standards for vendor selection and due diligence
f. We have created a vendor selection process
g. We have defined a vendor classification structure
h. We have defined risk categories for each classification in our vendor classification structure
i. We have identified existing company policies that may affect the contract process
j. We have identified key stakeholders involved in each contract process
k. We have created a process for managing contracts
l. We have identified key positions involved in the contract management process
m. We have established criteria and a process for vendor exit strategies

Policies, Standards, Procedures: Focus on the Financial Services Industry

[Table: columns are Vendor Risk Component and asset-size bands $500M to $1B, $1B to $5B, $5B to $10B, $10B to $20B and More than $20B; the score values are not present in this transcription. Rows:]
- We have defined a vendor risk management policy
- We have defined vendor risk tier assignments
- We research and review all applicable regulatory updates and/or industry standards to ensure the overall program is meeting guidelines applicable to our organization
- We have obtained senior management approval of policy and risk tiers
- We have established standards for vendor selection and due diligence
- We have created a vendor selection process
- We have defined a vendor classification structure
- We have defined risk categories for each classification in our vendor classification structure
- We have identified existing company policies that may affect the contract process
- We have identified key stakeholders involved in each contract process
- We have created a process for managing contracts
- We have identified key positions involved in the contract management process
- We have established criteria and a process for vendor exit strategies

CONTRACTS

OVERALL LEVEL OF MATURITY: 2.9

Key Observations

There is a slightly higher level of maturity in establishing regulatory-required standards for mandatory contract language and provisions. Several components of contracts are in particular need of attention and improvement, including the establishment of a process to ensure there are contract provisions consistent with each vendor risk classification and rating. Surprisingly, a component that received a relatively low maturity rating is mandatory IT/security-required standards in contracts, and the numbers are especially low for healthcare organizations.

Contracts Overall Results

[Table: columns are Vendor Risk Component, 2015, 2014 and YOY Change; the score values are not present in this transcription. Rows:]
- We have regulatory-required standards for mandatory contract language/provisions
- We have corporate-required standards for mandatory contract language/provisions
- We have defined an organizational structure for vendor contract drafting, negotiation and approval
- We have IT/security-required standards for mandatory contract language/provisions
- We have established procedures for contract exception review and approval
- We have a procedure to review existing contracts for compliance with current contract standards
- We have a process to ensure inclusion of appropriate performance-based contract provisions (SLAs, KPIs, KRIs, etc.)
- We have a remediation process to correct contract deficiencies
- We have established criteria for the contract review cycle consistent with each vendor risk classification/rating
- We have a process to ensure inclusion of contract provisions consistent with each vendor risk classification/rating
- Category Average

Commentary

Contracts lay out the obligations and responsibilities for all aspects of specific vendor relationships. As such, these documents should be clear, comprehensive, aligned with internal standards, and subject to a consistent and rigorous internal review process. Organizations appear more advanced relative to those aspects of contracts. The findings show that organizations struggle more with the review of contracts and with troubleshooting, when such a need arises. (This challenge also is evident in the Communication and Information Sharing findings in our study; see page 24.)

Contracts Industry Results

[Chart: results by industry (Financial Services, Healthcare, Insurance, All Others) for components a through j; the values are not present in this transcription. Key:]
a. We have defined an organizational structure for vendor contract drafting, negotiation and approval
b. We have established procedures for contract exception review and approval
c. We have corporate-required standards for mandatory contract language/provisions
d. We have regulatory-required standards for mandatory contract language/provisions
e. We have IT/security-required standards for mandatory contract language/provisions
f. We have a procedure to review existing contracts for compliance with current contract standards
g. We have a remediation process to correct contract deficiencies
h. We have a process to ensure inclusion of appropriate performance-based contract provisions (SLAs, KPIs, KRIs, etc.)
i. We have a process to ensure inclusion of contract provisions consistent with each vendor risk classification/rating
j. We have established criteria for the contract review cycle consistent with each vendor risk classification/rating

Contracts: Focus on the Financial Services Industry

[Table: columns are Vendor Risk Component and asset-size bands $500M to $1B, $1B to $5B, $5B to $10B, $10B to $20B and More than $20B; the score values are not present in this transcription. Rows:]
- We have defined an organizational structure for vendor contract drafting, negotiation and approval
- We have established procedures for contract exception review and approval
- We have corporate-required standards for mandatory contract language/provisions
- We have regulatory-required standards for mandatory contract language/provisions
- We have IT/security-required standards for mandatory contract language/provisions
- We have a procedure to review existing contracts for compliance with current contract standards
- We have a remediation process to correct contract deficiencies
- We have a process to ensure inclusion of appropriate performance-based contract provisions (SLAs, KPIs, KRIs, etc.)
- We have a process to ensure inclusion of contract provisions consistent with each vendor risk classification/rating
- We have established criteria for the contract review cycle consistent with each vendor risk classification/rating

VENDOR RISK IDENTIFICATION AND ANALYSIS

OVERALL LEVEL OF MATURITY: 2.7

Key Observations

While the overall maturity level in this category is comparable to last year's results, there are a number of changes in specific components; for example, assessing compliance with vendor contracts shows a notable decrease. There also is a notable year-over-year decrease in the maturity level tied to cross-functional review of vendor requirements with colleagues in other departments/roles (Business, IT, Legal, Purchasing, etc.). As is the case in other areas, there is significant separation between financial services firms, which have a higher level of maturity, and other types of organizations. Healthcare firms, in particular, are not doing a good enough job reporting on vendor assessments internally. One in three do not develop vendor assessment reports, nor do they calculate and distribute vendor assessment metrics.

Vendor Risk Identification and Analysis Overall Results

[Table: columns are Vendor Risk Component, 2015, 2014 and YOY Change; the score values are not present in this transcription. Rows:]
- We review vendor requirements with our Business, IT, Legal and Purchasing colleagues
- We maintain a database of current vendor information
- We identify findings and formulate recommendations
- We consistently follow our process to collect and update vendor information
- We determine vendor assessments to be performed based on risk, tiering and resources available
- We assess compliance with vendor contracts
- We execute scheduling and coordinate assessment activities with vendors
- We send our vendors our self-assessment questionnaire and document request list
- We execute vendor risk tiering processes
- We conduct a risk assessment for outsourcing the business function
- We perform remediation plan follow-up discussions with the vendor
- We develop vendor assessment reports
- We have reviewed the defined business requirements for outsourcing
- We discuss results of vendor assessments and metrics with management
- We establish/revise tiering of our vendors
- We establish a vendor remediation plan or termination/exit strategy (as appropriate), validating this plan with our management and the vendor
- We consolidate the results of vendor assessments
- We calculate and distribute vendor assessment metrics
- Category Average

Commentary

Vendor risk identification and analysis encompasses all of the components of the vendor lifecycle, from establishing the requirements for determining whether outsourcing is appropriate, to the vendor selection process, and to ongoing vendor assessment reporting and remediation. Neglecting to address any of the activities within this identification and analysis lifecycle can cause major vendor risks to arise and grow without detection. One of the best ways to get started on strengthening vendor risk identification and analysis is by communicating with partners in procurement and business management. Ongoing discussions about vendor risk can help ensure that these programs keep pace with the ever-changing landscape of third-party risk and regulations.[10]

"With a rapidly changing cybersecurity threat landscape, it is important to influence your vendor community to actively participate in Information Sharing and Analysis Centers (ISAC) to continually detect and share information about cyber threats. The more information organizations share, the more resilient all of our IT security programs will be."
Brenda Ward, Director, Global Information Security, Aetna

[10] Garrubba, Tom. "In 2015, Don't Just Make New Year Resolutions Regarding Third Party Risk, Keep Them!" Shared Assessments post, January 29, 2015.

Vendor Risk Identification and Analysis Industry Results

[Chart: results by industry (Financial Services, Healthcare, Insurance, All Others) for components a through r; the values are not present in this transcription. Key:]
a. We have reviewed the defined business requirements for outsourcing
b. We conduct a risk assessment for outsourcing the business function
c. We consistently follow our process to collect and update vendor information
d. We maintain a database of current vendor information
e. We execute vendor risk tiering processes
f. We determine vendor assessments to be performed based on risk, tiering and resources available
g. We review vendor requirements with our Business, IT, Legal and Purchasing colleagues
h. We send our vendors our self-assessment questionnaire and document request list
i. We execute scheduling and coordinate assessment activities with vendor
j. We assess compliance with vendor contracts
k. We identify findings and formulate recommendations
l. We develop vendor assessment reports
m. We establish a vendor remediation plan or termination/exit strategy (as appropriate), validating this plan with our management and the vendor
n. We establish/revise tiering of our vendors
o. We perform remediation plan follow-up discussions with the vendor
p. We consolidate the results of vendor assessments
q. We calculate and distribute vendor assessment metrics
r. We discuss results of vendor assessments and metrics with management

Vendor Risk Identification and Analysis: Focus on the Financial Services Industry

[Table: columns are Vendor Risk Component and asset-size bands $500M to $1B, $1B to $5B, $5B to $10B, $10B to $20B and More than $20B; the score values are not present in this transcription. Rows:]
- We have reviewed the defined business requirements for outsourcing
- We conduct a risk assessment for outsourcing the business function
- We consistently follow our process to collect and update vendor information
- We maintain a database of current vendor information
- We execute vendor risk tiering processes
- We determine vendor assessments to be performed based on risk, tiering and resources available
- We review vendor requirements with our Business, IT, Legal and Purchasing colleagues
- We send our vendors our self-assessment questionnaire and document request list
- We execute scheduling and coordinate assessment activities with vendor
- We assess compliance with vendor contracts
- We identify findings and formulate recommendations
- We develop vendor assessment reports
- We establish a vendor remediation plan or termination/exit strategy (as appropriate), validating this plan with our management and the vendor
- We establish/revise tiering of our vendors
- We perform remediation plan follow-up discussions with the vendor
- We consolidate the results of vendor assessments
- We calculate and distribute vendor assessment metrics
- We discuss results of vendor assessments and metrics with management

SKILLS AND EXPERTISE
OVERALL LEVEL OF MATURITY: 2.3

Key Observations
Lower levels of vendor risk management maturity are reported in this category, which overall has the lowest maturity index in our benchmarking study. Of particular note, relatively few organizations appear to offer training on vendor risk management policies and procedures, or measure employee understanding of vendor risk management accountabilities.

Skills and Expertise: Overall Results

(Table: maturity rating and year-over-year (YOY) change for each vendor risk component, plus the category average. The numeric values are not reproduced in this transcription; the components rated are listed below.)

- We have assigned vendor risk management accountability to an individual in our organization
- Roles and responsibilities (e.g., risk, sourcing, procurement, contracts) are defined clearly within our job descriptions
- We have defined and communicated vendor risk management policies to our key stakeholders
- We have sufficient qualified staff to meet all vendor risk management objectives
- We have sufficient staff to manage vendor risk management activities effectively
- We periodically communicate our vendor risk management policies and procedures to all personnel
- We have allocated budget for vendor risk management functions, including basic travel, subscriptions, training and small projects
- We provide training for assigned vendor risk management resources to maintain appropriate certifications
- We have defined training and education for our vendor risk personnel to enable them to define, execute and manage our program
- At least annually, we provide training on vendor risk management policies and procedures to appropriate employee groups based on role
- We have structures in place to define and measure the staffing levels required to meet vendor risk program objectives
- We have integrated vendor risk management functions and tools sufficiently into our business lines so that overall costs and budget for dedicated risk management budgets are reduced
- We routinely measure or benchmark our vendor risk management budget with management reporting to demonstrate ROI
- We have implemented metrics and reporting for compliance to required training and awareness of our vendor risk policies
- On an annual basis, we measure employee understanding of vendor risk management accountabilities and report results to management
- Category Average

Commentary
Skills and expertise are the lowest rated components of vendor risk management throughout all of the survey findings. Companies across all industries should seek to improve the human capital management facets of vendor risk management, including creating specific roles and positions responsible for hiring, managing and continuously training the personnel who run the program.

Skills and Expertise: Industry Results

(Chart: maturity rating for each vendor risk component by industry: Financial Services, Healthcare, Insurance, All Others. The numeric values are not reproduced in this transcription; the components plotted, keyed a through o, are listed below.)

a. We have assigned vendor risk management accountability to an individual in our organization
b. Roles and responsibilities (e.g., risk, sourcing, procurement, contracts) are defined clearly within our job descriptions
c. We provide training for assigned vendor risk management resources to maintain appropriate certifications
d. We have sufficient staff to manage vendor risk management activities effectively
e. We have structures in place to define and measure the staffing levels required to meet vendor risk program objectives
f. We have sufficient qualified staff to meet all vendor risk management objectives
g. We have defined and communicated vendor risk management policies to our key stakeholders
h. We periodically communicate our vendor risk management policies and procedures to all personnel
i. At least annually, we provide training on vendor risk management policies and procedures to appropriate employee groups based on role
j. We have defined training and education for our vendor risk personnel to enable them to define, execute and manage our program
k. On an annual basis, we measure employee understanding of vendor risk management accountabilities and report results to management
l. We have implemented metrics and reporting for compliance to required training and awareness of our vendor risk policies
m. We have allocated budget for vendor risk management functions, including basic travel, subscriptions, training and small projects
n. We routinely measure or benchmark our vendor risk management budget with management reporting to demonstrate ROI
o. We have integrated vendor risk management functions and tools sufficiently into our business lines so that overall costs and budget for dedicated risk management budgets are reduced

Skills and Expertise: Focus on the Financial Services Industry

(Chart: maturity rating for each vendor risk component among financial services respondents, broken down by organization size: $500M to $1B, $1B to $5B, $5B to $10B, $10B to $20B, More than $20B. The numeric values are not reproduced in this transcription; the components plotted are listed below.)

- We have assigned vendor risk management accountability to an individual in our organization
- Roles and responsibilities (e.g., risk, sourcing, procurement, contracts) are defined clearly within our job descriptions
- We provide training for assigned vendor risk management resources to maintain appropriate certifications
- We have sufficient staff to manage vendor risk management activities effectively
- We have structures in place to define and measure the staffing levels required to meet vendor risk program objectives
- We have sufficient qualified staff to meet all vendor risk management objectives
- We have defined and communicated vendor risk management policies to our key stakeholders
- We periodically communicate our vendor risk management policies and procedures to all personnel
- At least annually, we provide training on vendor risk management policies and procedures to appropriate employee groups based on role
- We have defined training and education for our vendor risk personnel to enable them to define, execute and manage our program
- On an annual basis, we measure employee understanding of vendor risk management accountabilities and report results to management
- We have implemented metrics and reporting for compliance to required training and awareness of our vendor risk policies
- We have allocated budget for vendor risk management functions, including basic travel, subscriptions, training and small projects
- We routinely measure or benchmark our vendor risk management budget with management reporting to demonstrate ROI
- We have integrated vendor risk management functions and tools sufficiently into our business lines so that overall costs and budget for dedicated risk management budgets are reduced

COMMUNICATION AND INFORMATION SHARING
OVERALL LEVEL OF MATURITY: 2.5

Key Observations
Overall maturity levels in this category trend lower compared to other categories in the study. In particular, relatively few organizations have an ongoing education program for vendor management policies, procedures and updates. Managing vendor inventory and evaluating internal compliance with vendor onboarding, assessment and off-boarding are two areas that require significant attention. Financial services organizations show higher levels of maturity in nearly every vendor risk component in this category.

Communication and Information Sharing: Overall Results

(Table: maturity rating and year-over-year (YOY) change for each vendor risk component, plus the category average. The numeric values are not reproduced in this transcription; the components rated are listed below.)

- We have a process in place to escalate and communicate incidents and issues
- We have a process in place to track and communicate incidents
- We have a formal process in place for adoption of the program by executive management and adoption of the program as a standard practice (sourcing, procurement, contracts)
- We have a process in place to report status of vendor assessments
- We have a process in place to provide board and executive management response to vendor assessment results
- We have a process in place to periodically evaluate vendor service delivery
- We have a process in place to evaluate compliance with vendor management processes and procedures
- We have a process in place to periodically assess vendor value (for example, service delivery, vendor security, control environment, operations, etc.)
- We have a process in place to manage vendor inventory
- We have a process in place to evaluate internal compliance with vendor management onboarding, periodic assessment and off-boarding
- We have in place an ongoing education program for vendor management policies, procedures and updates
- Category Average

Commentary
A framework should be in place to establish how results of vendor risk assessments are shared with the board, senior management and key risk committees. Too many responding organizations appear not to have such a framework in place or are unhappy with their existing approaches. Respondents also gave low marks for their ability to track and communicate risk-related incidents (which includes escalating this information when it meets predetermined criteria).

Keeping the board informed of third-party risk is absolutely essential. Some boards address this topic through risk or audit committees; other boards maintain committees (or at least standing agenda items) devoted to third-party risk updates.[11] Regardless of the precise manner in which boards address third-party risks, executives and managers responsible for vendor risk management should ensure the board remains informed.

[11] For more on this topic, see "The Board's Role in Managing Third-Party Relationships," video interview with Catherine A. Allen, Chairman and CEO of The Santa Fe Group:

Communication and Information Sharing: Industry Results

(Chart: maturity rating for each vendor risk component by industry: Financial Services, Insurance, Healthcare, All Others. The numeric values are not reproduced in this transcription; the components plotted, keyed a through k, are listed below.)

a. We have a formal process in place for adoption of the program by executive management and adoption of the program as a standard practice (sourcing, procurement, contracts)
b. We have in place an ongoing education program for vendor management policies, procedures and updates
c. We have a process in place to periodically assess vendor value (for example, service delivery, vendor security, control environment, operations, etc.)
d. We have a process in place to evaluate internal compliance with vendor management onboarding, periodic assessment and off-boarding
e. We have a process in place to manage vendor inventory
f. We have a process in place to report status of vendor assessments
g. We have a process in place to evaluate compliance with vendor management processes and procedures
h. We have a process in place to periodically evaluate vendor service delivery
i. We have a process in place to track and communicate incidents
j. We have a process in place to escalate and communicate incidents and issues
k. We have a process in place to provide board and executive management response to vendor assessment results

Communication and Information Sharing: Focus on the Financial Services Industry

(Chart: maturity rating for each vendor risk component among financial services respondents, broken down by organization size: $500M to $1B, $1B to $5B, $5B to $10B, $10B to $20B, More than $20B. The numeric values are not reproduced in this transcription; the components plotted are listed below.)

- We have a formal process in place for adoption of the program by executive management and adoption of the program as a standard practice (sourcing, procurement, contracts)
- We have in place an ongoing education program for vendor management policies, procedures and updates
- We have a process in place to periodically assess vendor value (for example, service delivery, vendor security, control environment, operations, etc.)
- We have a process in place to evaluate internal compliance with vendor management onboarding, periodic assessment and off-boarding
- We have a process in place to manage vendor inventory
- We have a process in place to report status of vendor assessments
- We have a process in place to evaluate compliance with vendor management processes and procedures
- We have a process in place to periodically evaluate vendor service delivery
- We have a process in place to track and communicate incidents
- We have a process in place to escalate and communicate incidents and issues
- We have a process in place to provide board and executive management response to vendor assessment results

TOOLS, MEASUREMENT AND ANALYSIS
OVERALL LEVEL OF MATURITY: 2.4

Key Observations
There is little to no year-over-year movement in the maturity level for most vendor risk components in this category. Healthcare organizations have a low level of maturity in establishing relevant financial measures and benchmarks.

Tools, Measurement and Analysis: Overall Results

(Table: maturity rating and year-over-year (YOY) change for each vendor risk component, plus the category average. The numeric values are not reproduced in this transcription; the components rated are listed below.)

- We determine the financial viability of key vendors
- We engage finance and procurement partners
- We assign resources to accomplish reviews as scheduled
- We establish vendor review schedules for all vendor assessments (on-site, remote, etc.)
- We report risk scoring results to relevant stakeholders
- We report financial results from our vendors to relevant stakeholders
- We establish relevant financial measures and benchmarks
- We process information obtained during the vendor selection or review process into a risk scoring tool based on our risk scoring methodology
- We provide periodic reporting on review monitoring
- We capture and report on vendor review costs, budget to actual, etc.
- We monitor variances between scheduled reviews and actual reviews performed
- Category Average

Commentary
This category covers the process needed to develop and maintain an effective workflow for conducting vendor assessments, including vendor risk scoring and financial viability analysis. One of the best ways to achieve improvements here is to perform an onsite assessment of a vendor. Such an assessment should be performed when a third-party service provider is deemed critical or valuable to an organization's key processes and strategy.[12] Developing mature components in this area is crucial to producing assessment reports in an effective, timely and cost-efficient manner.

[12] Garrubba, Tom. "In 2015, Don't Just Make New Year Resolutions Regarding Third Party Risk, Keep Them!" Shared Assessments post, Jan. 29, 2015:


More information

Managing cyber risks with insurance

Managing cyber risks with insurance www.pwc.com.tr/cybersecurity Managing cyber risks with insurance Key factors to consider when evaluating how cyber insurance can enhance your security program June 2014 Managing cyber risks to sensitive

More information

IT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014

IT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014 IT Vendor Due Diligence Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014 Carolinas HealthCare System (CHS) Second largest not-for-profit healthcare system

More information

Outsourcing Technology Services A Management Decision

Outsourcing Technology Services A Management Decision Outsourcing Technology Services A Management Decision A Telephone Seminar for National Banks Tuesday, July 20, 2004 And again on Wednesday, July 21, 2004 Agenda Outsourcing activities and relationships

More information

OCIE CYBERSECURITY INITIATIVE

OCIE CYBERSECURITY INITIATIVE Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.

More information

www.sharedassessments.org 2015 The Shared Assessments Program - All Rights Reserved 2

www.sharedassessments.org 2015 The Shared Assessments Program - All Rights Reserved 2 The Significance of Information Security and Privacy Controls on Law Firms as Third Party Service Providers and Collaborative Opportunities for Resolution April 2015 Abstract As regulators increase pressure

More information

Vendor Risk Management in the New Regulatory Environment. kpmg.com

Vendor Risk Management in the New Regulatory Environment. kpmg.com Vendor Risk Management in the New Regulatory Environment kpmg.com Vendor Risk Management in the New Regulatory Environment 2 Vendor Risk Management in the New Regulatory Environment Background Regulators

More information

How to ensure control and security when moving to SaaS/cloud applications

How to ensure control and security when moving to SaaS/cloud applications How to ensure control and security when moving to SaaS/cloud applications Stéphane Hurtaud Partner Information & Technology Risk Deloitte Laurent de la Vaissière Directeur Information & Technology Risk

More information

Addressing FISMA Assessment Requirements

Addressing FISMA Assessment Requirements SOLUTION BRIEF Heeding FISMA s Call for Security Metrics and Continuous Network Monitoring Addressing FISMA Assessment Requirements Using RedSeal november 2011 WHITE PAPER RedSeal Networks, Inc. 3965 Freedom

More information

Cyber Security and the Board of Directors

Cyber Security and the Board of Directors Helping clients build operational capability in cyber security. A DELTA RISK VIEWPOINT Cyber Security and the Board of Directors An essential responsibility in financial services About Delta Risk is a

More information

Guidance Note: Corporate Governance - Board of Directors. March 2015. Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Board of Directors. March 2015. Ce document est aussi disponible en français. Guidance Note: Corporate Governance - Board of Directors March 2015 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance - Board of Directors (the Guidance

More information

Why you should adopt the NIST Cybersecurity Framework

Why you should adopt the NIST Cybersecurity Framework www.pwc.com/cybersecurity Why you should adopt the NIST Cybersecurity Framework May 2014 The National Institute of Standards and Technology Cybersecurity Framework may be voluntary, but it offers potential

More information

How to Protect Sensitive Corporate Data against Security Vulnerabilities of Your Vendors

How to Protect Sensitive Corporate Data against Security Vulnerabilities of Your Vendors How to Protect Sensitive Corporate Data against Security Vulnerabilities of Your Vendors July 2014 Executive Summary Data breaches cost organizations millions and sometimes even billions of dollars in

More information

FPO. 2013 IT Priorities Survey. Mobile Commerce, Social Media, Data Management and Business Continuity Dominate the Agendas of IT Departments

FPO. 2013 IT Priorities Survey. Mobile Commerce, Social Media, Data Management and Business Continuity Dominate the Agendas of IT Departments FPO Mobile Commerce, Social Media, Data Management and Business Continuity Dominate the Agendas of IT Departments 1 Introduction A cursory glance at nearly any information technology (IT) article, survey

More information

CYBERSECURITY EXAMINATION SWEEP SUMMARY

CYBERSECURITY EXAMINATION SWEEP SUMMARY This Risk Alert provides summary observations from OCIE s examinations of registered broker-dealers and investment advisers, conducted under the Cybersecurity Examination Initiative, announced April 15,

More information

PwC Viewpoint on Third Party Risk Management

PwC Viewpoint on Third Party Risk Management www.pwc.com PwC Viewpoint on Third Party Risk Management November 2013 Significant others: How companies can effectively manage the risks of vendor relationships Are vendors more trouble than they re worth?

More information

FINRA Publishes its 2015 Report on Cybersecurity Practices

FINRA Publishes its 2015 Report on Cybersecurity Practices Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February

More information

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)

More information

Identifying and Managing Third Party Data Security Risk

Identifying and Managing Third Party Data Security Risk Identifying and Managing Third Party Data Security Risk Legal Counsel to the Financial Services Industry Digital Commerce & Payments Series Webinar April 29, 2015 1 Introduction & Overview Today s discussion:

More information

Cybersecurity: What CFO s Need to Know

Cybersecurity: What CFO s Need to Know Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction

More information

Remarks by. Thomas J. Curry Comptroller of the Currency. Before a Meeting of CES Government. Washington, DC April 16, 2014

Remarks by. Thomas J. Curry Comptroller of the Currency. Before a Meeting of CES Government. Washington, DC April 16, 2014 Remarks by Thomas J. Curry Comptroller of the Currency Before a Meeting of CES Government Washington, DC April 16, 2014 Good afternoon. It s a pleasure to finally be here with you. I had very much hoped

More information

Vendor Management. Outsourcing Technology Services

Vendor Management. Outsourcing Technology Services Vendor Management Outsourcing Technology Services Objectives Board and Senior Management Responsibilities Risk Management Program Risk Assessment Service Provider Selection Contracts Ongoing Monitoring

More information

How To Transform It Risk Management

How To Transform It Risk Management The transformation of IT Risk Management kpmg.com The transformation of IT Risk Management The role of IT Risk Management Scope of IT risk management Examples of IT risk areas of focus How KPMG can help

More information

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems Energy Sector Control Systems Working Group Supporting the Electricity Sector Coordinating Council, Oil & Natural Gas

More information

building and sustaining productive working relationships p u b l i c r e l a t i o n s a n d p r o c u r e m e n t

building and sustaining productive working relationships p u b l i c r e l a t i o n s a n d p r o c u r e m e n t building and sustaining productive working relationships p u b l i c r e l a t i o n s a n d p r o c u r e m e n t INTRODUCTION 1 1 THE GROWING INFLUENCE OF PROCUREMENT PROFESSIONALS 2 2 GUIDELINES FOR

More information

Cybersecurity. Considerations for the audit committee

Cybersecurity. Considerations for the audit committee Cybersecurity Considerations for the audit committee Insights on November 2012 governance, risk and compliance Fighting to close the gap Ernst & Young s 2012 Global Information Security Survey 2012 Global

More information

Do you know your privacy risks? How new technologies, changing business models, and emerging regulations are changing the data-protection landscape

Do you know your privacy risks? How new technologies, changing business models, and emerging regulations are changing the data-protection landscape January 2013 Do you know your privacy risks? How new technologies, changing business models, and emerging regulations are changing the data-protection landscape At a glance Threats to data security both

More information

Integrating Security and Privacy Considerations into Client Services, Products and Day-To-Day Operations. WMACCA September 16, 2014

Integrating Security and Privacy Considerations into Client Services, Products and Day-To-Day Operations. WMACCA September 16, 2014 Integrating Security and Privacy Considerations into Client Services, Products and Day-To-Day Operations WMACCA September 16, 2014 Panel Moderator: Mary Ellen Callahan of Jenner & Block; (Former Chief

More information

2015 Report on the Current State of Enterprise Risk Oversight:

2015 Report on the Current State of Enterprise Risk Oversight: 2015 Report on the Current State of Enterprise Risk Oversight: Update on Trends and Opportunities 6 th Edition February 2015 Mark Beasley Deloitte Professor of ERM Director, ERM Initiative Bruce Branson

More information

Accenture Risk Management. Industry Report. Life Sciences

Accenture Risk Management. Industry Report. Life Sciences Accenture Risk Management Industry Report Life Sciences Risk management as a source of competitive advantage and high performance in the life sciences industry Risk management that enables long-term competitive

More information

Developing and Maintaining a World-Class Third Party Risk Assessment Program

Developing and Maintaining a World-Class Third Party Risk Assessment Program Developing and Maintaining a World-Class Third Party Risk Assessment Program Presented by: Tom Garrubba, Senior Director, The Santa Fe Group/Shared Assessments Program Monday, September 15, 2014 - IIA

More information

A Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst

A Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst TRACESECURITY WHITE PAPER GRC Simplified... Finally. A Guide to Successfully Implementing the NIST Cybersecurity Framework Jerry Beasley CISM and TraceSecurity Information Security Analyst TRACESECURITY

More information

Amid Ongoing Transformation and Compliance Challenges, Cybersecurity Represents Top IT Concern in Financial Services Industry

Amid Ongoing Transformation and Compliance Challenges, Cybersecurity Represents Top IT Concern in Financial Services Industry Amid Ongoing Transformation and Compliance Challenges, Cybersecurity Represents Top IT Concern in Financial Services Industry IT leaders are battening down the hatches, according to Protiviti s latest

More information

ENTERPRISE RISK MANAGEMENT FRAMEWORK

ENTERPRISE RISK MANAGEMENT FRAMEWORK ENTERPRISE RISK MANAGEMENT FRAMEWORK COVENANT HEALTH LEGAL & RISK MANAGEMENT CONTENTS 1.0 PURPOSE OF THE DOCUMENT... 3 2.0 INTRODUCTION AND OVERVIEW... 4 3.0 GOVERNANCE STRUCTURE AND ACCOUNTABILITY...

More information

April 8, 2013. Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

April 8, 2013. Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 Salt River Project P.O. Box 52025 Mail Stop: CUN204 Phoenix, AZ 85072 2025 Phone: (602) 236 6011 Fax: (602) 629 7988 James.Costello@srpnet.com James J. Costello Director, Enterprise IT Security April 8,

More information

Data Breach Response Planning: Laying the Right Foundation

Data Breach Response Planning: Laying the Right Foundation Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA

More information

Part 3: Business Case and Readiness

Part 3: Business Case and Readiness The Fundamentals of Managed Service Provider (MSP) Programs Part 3 of 3 Part 3: Business Case and Readiness By Jennifer Spicher contents This is the final of a three-part series designed to outline key

More information

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II). Page 1 of 7 The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II). Domain I provides a solid foundation for the governance of

More information

Report: An Analysis of US Government Proposed Cyber Incentives. Author: Joe Stuntz, MBA EP 14, McDonough School of Business

Report: An Analysis of US Government Proposed Cyber Incentives. Author: Joe Stuntz, MBA EP 14, McDonough School of Business S 2 ERC Project: Cyber Threat Intelligence Exchange Ecosystem: Economic Analysis Report: An Analysis of US Government Proposed Cyber Incentives Author: Joe Stuntz, MBA EP 14, McDonough School of Business

More information

NIST Cybersecurity Framework & A Tale of Two Criticalities

NIST Cybersecurity Framework & A Tale of Two Criticalities NIST Cybersecurity Framework & A Tale of Two Criticalities Vendor Management & Incident Response Presented by: John H Rogers, CISSP Advisory Services Practice Manager john.rogers@sagedatasecurity.com Presented

More information

Getting to strong Leading Practices for value-enhancing internal audit By Richard Reynolds and Abhinav Aggarwal - PricewaterhouseCoopers LLP

Getting to strong Leading Practices for value-enhancing internal audit By Richard Reynolds and Abhinav Aggarwal - PricewaterhouseCoopers LLP Getting to strong Leading Practices for value-enhancing internal audit By Richard Reynolds and Abhinav Aggarwal - PricewaterhouseCoopers LLP Today's unpredictable business climate and challenging regulatory

More information

GEARS Cyber-Security Services

GEARS Cyber-Security Services Florida Department of Management Services Division of State Purchasing Table of Contents Introduction... 1 About GEARS... 2 1. Pre-Incident Services... 3 1.1 Incident Response Agreements... 3 1.2 Assessments

More information

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems U.S. Office of Personnel Management Actions to Strengthen Cybersecurity and Protect Critical IT Systems June 2015 1 I. Introduction The recent intrusions into U.S. Office of Personnel Management (OPM)

More information

TESTIMONY OF VALERIE ABEND SENIOR CRITICAL INFRASTRUCTURE OFFICER OFFICE OF THE COMPTROLLER OF THE CURRENCY. Before the

TESTIMONY OF VALERIE ABEND SENIOR CRITICAL INFRASTRUCTURE OFFICER OFFICE OF THE COMPTROLLER OF THE CURRENCY. Before the For Release Upon Delivery 10:00 a.m., December 10, 2014 TESTIMONY OF VALERIE ABEND SENIOR CRITICAL INFRASTRUCTURE OFFICER OFFICE OF THE COMPTROLLER OF THE CURRENCY Before the COMMITTEE ON BANKING, HOUSING,

More information

The Value of Vulnerability Management*

The Value of Vulnerability Management* The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda

More information