2014 Vendor Risk Management Benchmark Study




Introduction/Executive Summary

"You can have all the security in the world inside your company's four walls, but all it takes is a compromise at one third-party vendor that's connected to you. This creates a bridge directly into your organization."
Rocco Grillo, Protiviti Managing Director and Shared Assessments Program Steering Committee Member

As the volume of outsourced products and services has surged in recent years, so, too, have the risks associated with vendors and third-party providers. This is occurring in highly regulated industries such as financial services and healthcare, in media and retail, as seen in recent news, as well as in any organization that is relying on third-party vendors to manage operations and processes. These vendors include not just data management, IT and security providers, but also facilities management (cleaning, HVAC), along with any vendor that may have access to your network, data or facilities.

The list of standards and regulations with third-party risk implications is long: Consumer Financial Protection Bureau (CFPB) regulations, ISO 27001/2, PCI Security Standards Council's data security standards, Office of the Comptroller of the Currency (OCC) Third-Party Risk Guidance, and NIST's Cybersecurity Framework. The urgency to address this risk is further driven home by recent massive and highly publicized security breaches at several large companies, and the resulting public and regulatory scrutiny of the way personal data is managed in a global IT environment.

Despite this, for most organizations, understanding vendor risk and how to manage it appropriately has thus far been more art than science. This is changing in part with the development of the first comprehensive Vendor Risk Management Maturity Model (VRMMM) by the Shared Assessments Program, a consortium of leading financial institutions, Big Four accounting firms and key service providers dedicated to helping organizations understand and manage vendor risk effectively. The VRMMM sets forth best practices for developing a comprehensive third-party risk program and allows a company to evaluate its program's maturity against development goals. The Shared Assessments Program recently partnered with Protiviti, a global consulting firm, to conduct a third-party risk management benchmarking study based on this maturity model.

Vendor Risk Management Overall Maturity by Area

Category | Maturity Level
Program Governance | 2.9
Policies, Standards, Procedures | 2.9
Contracts | 3.0
Vendor Risk Identification and Analysis | 2.7
Skills and Expertise | 2.3
Communication and Information Sharing | 2.6
Tools, Measurement and Analysis | 2.4
Monitoring and Review | 2.9

"If you're outsourcing to or relying on a third party, you can't just shut the door and say it's someone else's problem. You can outsource the function, but you ultimately own the risk. If a third party doesn't have the same controls in place or the level of controls you need from a risk management standpoint, you have a serious risk to address."
Brad Keller, Senior Vice President & Program Director, The Santa Fe Group (which manages the Shared Assessments Program)

The study revealed some interesting trends:

Financial services organizations tend to have relatively mature vendor risk management programs compared to other companies. This is not a surprise given the highly regulated nature of the financial services industry.

Organizations in the insurance subset are at a lower level of maturity in their vendor risk management compared to the financial services set. This finding is a surprise given that the insurance industry also is highly regulated. The results suggest there is substantial room for growth among insurance organizations.

Notable areas for improvement include program governance, and policies, standards and procedures. While there is no standard, one-size-fits-all approach to vendor risk management given the nuanced differences between industries and organizations, having mature program governance capabilities, as well as established policies, standards and procedures for vendor risk management, is considered a fundamental step. These two areas should serve as the foundation for establishing effective vendor risk management practices in other areas. Yet the survey results show that most organizations are no more advanced in these critical areas than they are in other components of vendor risk management.

Methodology

The Vendor Risk Management Survey was conducted by the Shared Assessments Program and Protiviti in the fourth quarter of 2013 and the first quarter of 2014. Using governance as the foundational element, this survey is designed to review the components of a comprehensive vendor risk management program. Close to 450 respondents were presented with different components of vendor risk under eight categories related to vendor risk management:

Program Governance
Policies, Standards, Procedures
Contracts
Vendor Risk Identification and Analysis
Skills and Expertise
Communication and Information Sharing
Tools, Measurement and Analysis
Monitoring and Review

For each component, respondents were asked to rate its maturity level as it applies to their organization, according to the following scale:

1 = Initial visioning
2 = Determine roadmap to achieve goals
3 = Fully defined and established
4 = Fully implemented and operational
5 = Continuous improvement: benchmarking, moving to best practices
0 = Do not perform

Program Governance

Overall Level of Maturity: 2.9

Key Observations

Organizations have a higher level of maturity around articulating goals and objectives and ensuring vendor management projects are aligned with those objectives in terms of risk management, security and privacy, among other areas. However, organizations are not allocating enough resources to ensure these key risk and performance targets are met. A higher level of maturity is also needed in communicating the importance of risk-based vendor management to the organization and in using key risk and performance metrics to inform vendor risk policy.

Program Governance Overall Results

Vendor Risk Component | Maturity Level
We articulate the goals and objectives of our organization | 3.3
We define vendor management policies that include risk management, security, privacy and other areas that are in alignment with our existing organizational policies and objectives | 3.1
We define organizational structures that establish responsibility and accountability for overseeing our vendor relationships | 3.1
We revise corporate vendor risk policy as needed to achieve strategic objectives | 2.8
We define risk monitoring practices and establish an escalation process for exception conditions | 2.8
We communicate to our organization the requirements for risk-based vendor management | 2.8
We determine the business value expected from our outsourced business relationships, we understand the acceptable range of business risks our organization is willing to assume in pursuing these benefits, and we determine that risks are in alignment with our vendor risk policy | 2.8
We align specific vendor management objectives with our strategic organizational objectives | 2.8
We evaluate key risk and performance indicators provided in management and board reporting | 2.7
We allocate sufficient resources for vendor risk management activities | 2.7

Commentary

Governance serves as the foundational element of every risk program. Because it provides support for every other element of the program, it is essential that a strong and comprehensive governance structure is in place as part of any vendor risk management program.

Program Governance Industry Results

[Bar chart: maturity level (vertical axis 1.0 to 4.0) for each component a through j, broken out by industry: Financial Services, Healthcare, Insurance, All Others. The individual bar values are not recoverable from the transcription.]

a. We define organizational structures that establish responsibility and accountability for overseeing our vendor relationships
b. We articulate the goals and objectives of our organization
c. We align specific vendor management objectives with our strategic organizational objectives
d. We define vendor management policies that include risk management, security, privacy and other areas that are in alignment with our existing organizational policies and objectives
e. We allocate sufficient resources for vendor risk management activities
f. We communicate to our organization the requirements for risk-based vendor management
g. We determine the business value expected from our outsourced business relationships, we understand the acceptable range of business risks our organization is willing to assume in pursuing these benefits, and we determine that risks are in alignment with our vendor risk policy
h. We define risk monitoring practices and establish an escalation process for exception conditions
i. We evaluate key risk and performance indicators provided in management and board reporting
j. We revise corporate vendor risk policy as needed to achieve strategic objectives

Program Governance Focus on the Financial Services Industry*

Vendor Risk Component | $500M to $1B | $1B to $5B | $5B to $10B | $10B to $20B | More than $20B
We define organizational structures that establish responsibility and accountability for overseeing our vendor relationships | 3.8 | 3.6 | 3.6 | 3.4 | 3.9
We articulate the goals and objectives of our organization | 3.3 | 3.5 | 3.4 | 3.2 | 3.8
We align specific vendor management objectives with our strategic organizational objectives | 2.2 | 2.6 | 3.0 | 3.2 | 3.3
We define vendor management policies that include risk management, security, privacy and other areas that are in alignment with our existing organizational policies and objectives | 3.9 | 3.5 | 3.7 | 3.6 | 3.9
We allocate sufficient resources for vendor risk management activities | 2.6 | 3.0 | 3.6 | 2.9 | 3.4
We communicate to our organization the requirements for risk-based vendor management | 3.2 | 2.9 | 3.6 | 3.1 | 3.7
We determine the business value expected from our outsourced business relationships, we understand the acceptable range of business risks our organization is willing to assume in pursuing these benefits, and we determine that risks are in alignment with our vendor risk policy | 2.8 | 3.2 | 3.0 | 2.9 | 3.4
We define risk monitoring practices and establish an escalation process for exception conditions | 3.2 | 3.1 | 3.3 | 3.3 | 3.8
We evaluate key risk and performance indicators provided in management and board reporting | 3.2 | 2.7 | 3.6 | 3.1 | 3.4
We revise corporate vendor risk policy as needed to achieve strategic objectives | 3.7 | 3.1 | 3.4 | 3.5 | 3.7

* Does not include insurance companies.

Policies, Standards, Procedures

Overall Level of Maturity: 2.9

Key Observations

All organizations demonstrate a fair amount of maturity in their vendor selection and contract management processes, including due diligence processes and key personnel assignments. Most organizations have room to grow when it comes to assigning risk to vendors as part of the vendor selection and review processes and integrating this vendor-related risk into the organization's overall risk strategy. Organizations are also lacking in involving senior management in both the approval of vendor policy and risk tiers.

There is a notable difference between financial services organizations and other companies when it comes to risk policy, risk assignment and the selection of vendors based on these criteria. The financial services industry is much more risk-conscious, and senior management is more involved in the risk assignment process.

One area of concern is the lower maturity around vendor exit criteria and process, pointing to potential weaknesses or inconsistencies in performing periodic vendor reviews and risk (re)assignments.

Policies, Standards, Procedures Overall Results

Vendor Risk Component | Maturity Level
We have identified key positions involved in the contract management process | 3.2
We have created a process for managing contracts | 3.2
We have identified key stakeholders involved in each contract process | 3.2
We have created a vendor selection process | 3.2
We have established standards for vendor selection and due diligence | 3.2
We have defined a vendor risk management policy | 2.9
We have defined a vendor classification structure | 2.9
We have identified existing company policies that may affect the contract process | 2.9
We have obtained senior management approval of policy and risk tiers | 2.8
We have defined vendor risk tier assignments | 2.7
We have defined risk categories for each classification in our vendor classification structure | 2.6
We have established criteria and a process for vendor exit strategies | 2.5

Commentary

Key corporate stakeholders must establish thorough policies and standards for vendor risk classifications and categories that apply equally to vendor selection and ongoing vendor management. These standards allow a company to manage vendor risk uniformly across the enterprise.

Policies, Standards, Procedures Industry Results

[Bar chart: maturity level (vertical axis 1.0 to 4.0) for each component a through l, broken out by industry: Financial Services, Healthcare, Insurance, All Others. The individual bar values are not recoverable from the transcription.]

a. We have defined a vendor risk management policy
b. We have defined vendor risk tier assignments
c. We have obtained senior management approval of policy and risk tiers
d. We have established standards for vendor selection and due diligence
e. We have created a vendor selection process
f. We have defined a vendor classification structure
g. We have defined risk categories for each classification in our vendor classification structure
h. We have identified existing company policies that may affect the contract process
i. We have identified key stakeholders involved in each contract process
j. We have created a process for managing contracts
k. We have identified key positions involved in the contract management process
l. We have established criteria and a process for vendor exit strategies

Policies, Standards, Procedures Focus on the Financial Services Industry*

Vendor Risk Component | $500M to $1B | $1B to $5B | $5B to $10B | $10B to $20B | More than $20B
We have defined a vendor risk management policy | 3.9 | 3.5 | 3.7 | 3.5 | 4.2
We have defined vendor risk tier assignments | 3.8 | 3.5 | 3.6 | 3.5 | 3.9
We have obtained senior management approval of policy and risk tiers | 3.7 | 3.3 | 3.9 | 3.4 | 4.2
We have established standards for vendor selection and due diligence | 3.4 | 3.7 | 3.6 | 3.1 | 4.2
We have created a vendor selection process | 2.9 | 3.7 | 3.1 | 2.3 | 4.0
We have defined a vendor classification structure | 3.7 | 3.5 | 3.9 | 2.7 | 4.0
We have defined risk categories for each classification in our vendor classification structure | 3.3 | 3.3 | 3.4 | 2.9 | 3.6
We have identified existing company policies that may affect the contract process | 2.9 | 2.9 | 3.4 | 2.8 | 3.6
We have identified key stakeholders involved in each contract process | 3.3 | 3.5 | 3.6 | 3.3 | 4.2
We have created a process for managing contracts | 3.6 | 3.8 | 3.4 | 3.1 | 4.2
We have identified key positions involved in the contract management process | 3.2 | 3.5 | 3.3 | 3.3 | 3.9
We have established criteria and a process for vendor exit strategies | 2.4 | 2.8 | 2.9 | 2.4 | 3.4

* Does not include insurance companies.

Contracts

Overall Level of Maturity: 3.0

Key Observations

Organizations score above average with the contracting process and the incorporation of corporate, regulatory and IT security standards in the contract language and provisions. The same holds true for having an organizational structure in place involved in the negotiation and approval of contracts. Organizations can use help when it comes to reviewing existing contracts, however well structured, to ensure current standards are being met. Organizations that have risk tier assignments, such as those in the financial services industry, do better in this area. More important, many organizations have yet to define or establish a process for embedding performance- and risk-based provisions in contracts, including contract review criteria and schedules consistent with these indicators.

Contracts Overall Results

Vendor Risk Component | Maturity Level
We have corporate-required standards for mandatory contract language/provisions | 3.3
We have defined an organizational structure for vendor contract drafting, negotiation and approval | 3.2
We have regulatory-required standards for mandatory contract language/provisions | 3.2
We have established procedures for contract exception review and approval | 3.2
We have IT/security-required standards for mandatory contract language/provisions | 3.2
We have a procedure to review existing contracts for compliance with current contract standards | 2.9
We have a remediation process to correct contract deficiencies | 2.7
We have a process to ensure inclusion of appropriate performance-based contract provisions (SLAs, KPIs, KRIs, etc.) | 2.7
We have established criteria for the contract review cycle consistent with each vendor risk classification/rating | 2.6
We have a process to ensure inclusion of contract provisions consistent with each vendor risk classification/rating | 2.6

Commentary

Because your contract establishes the rights and responsibilities for all aspects of your relationship with your vendor, it is critically important that it addresses all relevant aspects of that relationship. In addition, because of the changing nature of technology and the threat environment, the contract process must be able to accommodate the need for contract revisions to reflect these changes.

Contracts Industry Results

[Bar chart: maturity level (vertical axis 1.0 to 4.0) for each component a through j, broken out by industry: Financial Services, Healthcare, Insurance, All Others. The individual bar values are not recoverable from the transcription.]

a. We have defined an organizational structure for vendor contract drafting, negotiation and approval
b. We have established procedures for contract exception review and approval
c. We have corporate-required standards for mandatory contract language/provisions
d. We have regulatory-required standards for mandatory contract language/provisions
e. We have IT/security-required standards for mandatory contract language/provisions
f. We have a procedure to review existing contracts for compliance with current contract standards
g. We have a remediation process to correct contract deficiencies
h. We have a process to ensure inclusion of appropriate performance-based contract provisions (SLAs, KPIs, KRIs, etc.)
i. We have a process to ensure inclusion of contract provisions consistent with each vendor risk classification/rating
j. We have established criteria for the contract review cycle consistent with each vendor risk classification/rating

Contracts Focus on the Financial Services Industry*

Vendor Risk Component | $500M to $1B | $1B to $5B | $5B to $10B | $10B to $20B | More than $20B
We have defined an organizational structure for vendor contract drafting, negotiation and approval | 3.2 | 3.3 | 3.0 | 3.3 | 4.0
We have established procedures for contract exception review and approval | 3.2 | 3.3 | 3.3 | 2.9 | 3.9
We have corporate-required standards for mandatory contract language/provisions | 3.2 | 3.7 | 3.4 | 3.1 | 3.9
We have regulatory-required standards for mandatory contract language/provisions | 3.0 | 3.7 | 3.4 | 3.2 | 3.7
We have IT/security-required standards for mandatory contract language/provisions | 3.8 | 3.8 | 3.6 | 3.3 | 3.6
We have a procedure to review existing contracts for compliance with current contract standards | 3.4 | 3.1 | 3.6 | 2.6 | 3.3
We have a remediation process to correct contract deficiencies | 2.9 | 2.8 | 3.1 | 2.9 | 3.3
We have a process to ensure inclusion of appropriate performance-based contract provisions (SLAs, KPIs, KRIs, etc.) | 3.0 | 3.1 | 2.9 | 2.8 | 3.2
We have a process to ensure inclusion of contract provisions consistent with each vendor risk classification/rating | 3.0 | 3.0 | 3.0 | 2.9 | 3.2
We have established criteria for the contract review cycle consistent with each vendor risk classification/rating | 3.3 | 3.3 | 3.3 | 2.9 | 3.6

* Does not include insurance companies.

Vendor Risk Identification and Analysis

Overall Level of Maturity: 2.7

Key Observations

Organizations have well-defined and established recordkeeping procedures and approval processes for vendors that take the needs of stakeholders in the organization into account. However, consideration of risk through risk tiering and vendor assessment based on risk criteria is still an emerging area for most companies outside the financial services sector. Envisioned but not yet established is measurable assessment of vendor performance, as well as disseminating and discussing these assessment metrics with management and other stakeholders in the organization to ensure targets for vendor performance are met.

Vendor Risk Identification and Analysis Overall Results

Vendor Risk Component | Maturity Level
We review vendor requirements with our business, IT, legal and purchasing colleagues | 3.2
We maintain a database of current vendor information | 3.1
We assess compliance with vendor contracts | 3.0
We identify findings and formulate recommendations | 2.9
We consistently follow our process to collect and update vendor information | 2.8
We develop vendor assessment reports | 2.6
We execute scheduling and coordinate assessment activities with vendors | 2.6
We conduct a risk assessment for outsourcing the business function | 2.6
We determine vendor assessments to be performed based on risk tiering and resources available | 2.6
We perform remediation plan follow-up discussions with the vendors | 2.6
We execute vendor risk tiering processes | 2.6
We have reviewed the defined business requirements for outsourcing | 2.6
We send our vendors our self-assessment questionnaire and document request list | 2.6
We establish/revise tiering of our vendors | 2.5
We establish a vendor remediation plan or termination/exit strategy (as appropriate), validating this plan with our management and the vendor | 2.5
We discuss results of vendor assessments and metrics with management | 2.4
We consolidate the results of vendor assessments | 2.4
We calculate and distribute vendor assessment metrics | 2.2

Commentary

This section includes all of the components of the vendor lifecycle, from establishing the requirements for determining whether outsourcing is appropriate to the vendor selection and assessment process and assessment/remediation reporting. Failing to include all of the necessary components in this area will result in vendor risks going undetected, with potentially devastating results.

Vendor Risk Identification and Analysis Industry Results

[Bar chart: maturity level (vertical axis 1.0 to 4.0) for each component a through r, broken out by industry: Financial Services, Healthcare, Insurance, All Others. The individual bar values are not recoverable from the transcription.]

a. We have reviewed the defined business requirements for outsourcing
b. We conduct a risk assessment for outsourcing the business function
c. We consistently follow our process to collect and update vendor information
d. We maintain a database of current vendor information
e. We execute vendor risk tiering processes
f. We determine vendor assessments to be performed based on risk tiering and resources available
g. We review vendor requirements with our business, IT, legal and purchasing colleagues
h. We send our vendors our self-assessment questionnaire and document request list
i. We execute scheduling and coordinate assessment activities with vendors
j. We assess compliance with vendor contracts
k. We identify findings and formulate recommendations
l. We develop vendor assessment reports
m. We establish a vendor remediation plan or termination/exit strategy (as appropriate), validating this plan with our management and the vendor
n. We establish/revise tiering of our vendors
o. We perform remediation plan follow-up discussions with the vendors
p. We consolidate the results of vendor assessments
q. We calculate and distribute vendor assessment metrics
r. We discuss results of vendor assessments and metrics with management

Vendor Risk Identification and Analysis Focus on the Financial Services Industry*

Vendor Risk Component | $500M to $1B | $1B to $5B | $5B to $10B | $10B to $20B | More than $20B
We have reviewed the defined business requirements for outsourcing | 2.4 | 3.0 | 2.9 | 2.8 | 3.4
We conduct a risk assessment for outsourcing the business function | 2.7 | 3.1 | 3.1 | 3.3 | 3.4
We consistently follow our process to collect and update vendor information | 3.3 | 3.5 | 3.3 | 3.1 | 3.7
We maintain a database of current vendor information | 4.0 | 3.5 | 3.1 | 3.2 | 3.9
We execute vendor risk tiering processes | 4.0 | 3.3 | 3.4 | 3.4 | 3.6
We determine vendor assessments to be performed based on risk tiering and resources available | 3.9 | 3.3 | 3.3 | 3.3 | 3.8
We review vendor requirements with our business, IT, legal and purchasing colleagues | 3.9 | 3.7 | 3.1 | 3.0 | 4.0
We send our vendors our self-assessment questionnaire and document request list | 2.6 | 3.3 | 3.3 | 3.2 | 3.3
We execute scheduling and coordinate assessment activities with vendors | 3.4 | 2.9 | 3.0 | 3.1 | 3.5
We assess compliance with vendor contracts | 2.6 | 3.2 | 3.1 | 3.0 | 3.4
We identify findings and formulate recommendations | 3.3 | 3.2 | 3.1 | 3.4 | 3.5
We develop vendor assessment reports | 3.0 | 3.3 | 3.1 | 3.4 | 3.6
We establish a vendor remediation plan or termination/exit strategy (as appropriate), validating this plan with our management and the vendor | 2.2 | 3.2 | 2.9 | 2.6 | 3.4
We establish/revise tiering of our vendors | 3.6 | 3.4 | 3.1 | 3.3 | 3.7
We perform remediation plan follow-up discussions with the vendors | 3.2 | 3.2 | 2.9 | 2.8 | 3.7
We consolidate the results of vendor assessments | 2.8 | 3.0 | 2.9 | 2.5 | 3.6
We calculate and distribute vendor assessment metrics | 1.9 | 2.5 | 3.0 | 2.7 | 3.3
We discuss results of vendor assessments and metrics with management | 2.6 | 3.1 | 2.9 | 2.8 | 3.9

* Does not include insurance companies.

Skills and Expertise

Overall Level of Maturity: 2.3

Key Observations

Overall, organizations are working to develop the skills and expertise needed to manage vendor risk more cost-efficiently, but vendor risk functions are not sufficiently integrated into the business lines to fully achieve this. Vendor risk management policies and key positions bearing responsibility for vendor risk are in place, but they are not yet fully operational; training and staffing issues continue to be problematic. Budgeting for vendor risk management, including travel and training of personnel, and measuring of ROI for vendor risk management are particularly undeveloped. This holds true for nearly everyone, with the exception of healthcare organizations.

Skills and Expertise Overall Results

Vendor Risk Component | Maturity Level
Roles and responsibilities are defined clearly within our job descriptions | 2.9
We have assigned vendor risk management accountability to an individual in our organization | 2.8
We have defined and communicated vendor risk management policies to our key stakeholders | 2.8
We have sufficient qualified staff to meet all vendor risk management objectives | 2.5
We periodically communicate our vendor risk management policies and procedures to all personnel | 2.4
We have sufficient staff to manage vendor risk management activities effectively | 2.4
We train vendor risk management resources to maintain appropriate certifications | 2.3
We have defined training and education for our vendor risk personnel to enable them to define, execute and manage our program | 2.2
We have allocated budget for vendor risk management functions, including basic travel, subscriptions, training and small projects | 2.2
We have structures in place to define and measure the staffing levels required to meet vendor risk program objectives | 2.1
At least annually, we provide training on vendor risk management policies and procedures to appropriate employee groups based on role | 2.1
We have integrated vendor risk management functions and tools sufficiently into our business lines so that overall costs and budget for dedicated risk management are reduced | 2.0
We have implemented metrics and reporting for compliance to required training and awareness of our vendor risk policies | 2.0
On an annual basis, we measure employee understanding of vendor risk management accountabilities and report results to management | 1.9
We routinely measure or benchmark our vendor risk management budget with management reporting to demonstrate ROI | 1.8

Commentary

This section establishes the role of vendor management within the organization, the key factors to consider to determine staffing levels, how vendor training will be executed, and budgeting considerations. Well-established roles and ongoing training for vendor risk managers are critical to a successful program.

[Chart: Skills and Expertise, Industry Results. Bar chart of maturity level (scale 1.0 to 4.0) for Financial Services, Healthcare, Insurance and All Others across components a through o, the same fifteen components listed, in the same order, in the financial services table below.]

Skills and Expertise: Focus on the Financial Services Industry*

Vendor Risk Component | $500M to $1B | $1B to $5B | $5B to $10B | $10B to $20B | More than $20B
We have assigned vendor risk management accountability to an individual in our organization | 3.8 | 3.6 | 3.4 | 2.9 | 3.6
Roles and responsibilities are defined clearly within our job descriptions | 3.2 | 3.4 | 3.3 | 3.0 | 3.6
We train vendor risk management resources to maintain appropriate certifications | 1.9 | 2.8 | 3.0 | 2.5 | 3.5
We have sufficient staff to manage vendor risk management activities effectively | 2.1 | 2.5 | 3.1 | 2.5 | 3.2
We have structures in place to define and measure the staffing levels required to meet vendor risk program objectives | 1.8 | 2.1 | 3.1 | 2.1 | 2.9
We have sufficient qualified staff to meet all vendor risk management objectives | 2.1 | 2.6 | 3.3 | 2.4 | 3.2
We have defined and communicated vendor risk management policies to our key stakeholders | 3.6 | 3.3 | 3.4 | 3.0 | 3.9
We periodically communicate our vendor risk management policies and procedures to all personnel | 3.0 | 2.9 | 3.4 | 2.2 | 3.7
At least annually, we provide training on vendor risk management policies and procedures to appropriate employee groups based on role | 2.8 | 2.3 | 2.6 | 2.6 | 3.2
We have defined training and education for our vendor risk personnel to enable them to define, execute and manage our program | 2.3 | 2.5 | 3.1 | 2.2 | 3.3
On an annual basis, we measure employee understanding of vendor risk management accountabilities and report results to management | 1.6 | 1.8 | 2.1 | 1.5 | 2.9
We have implemented metrics and reporting for compliance to required training and awareness of our vendor risk policies | 1.7 | 2.2 | 2.1 | 1.6 | 2.9
We have allocated budget for vendor risk management functions, including basic travel, subscriptions, training and small projects | 1.7 | 2.3 | 2.7 | 1.9 | 3.3
We routinely measure or benchmark our vendor risk management budget with management reporting to demonstrate ROI | 0.8 | 1.5 | 2.3 | 1.4 | 2.2
We have integrated vendor risk management functions and tools sufficiently into our business lines so that overall costs and budget for dedicated risk management are reduced | 1.9 | 2.3 | 2.1 | 2.0 | 3.1

* Does not include insurance companies.

Communication and Information Sharing

Overall Level of Maturity: 2.6

Key Observations

Communicating and sharing information with regard to vendor risk management is a goal but not yet a fully implemented process for most of our respondents. Once again, organizations show more maturity in developing processes for communicating vendor incidents and reporting results to management, and less maturity in disseminating education and training with regard to vendor management policies and procedures. The financial services industry not only trends significantly higher on all points, but is also particularly strong in its ongoing vendor assessment and assessment results reporting, reflecting the industry's history and experience with being highly regulated.

Communication and Information Sharing Overall Results

Vendor Risk Component | Maturity Level
We have a process in place to escalate and communicate incidents and issues | 2.8
We have a process in place to track and communicate incidents | 2.7
We have a formal process in place for adoption of the program by executive management and adoption of the program as a standard practice (sourcing, procurement, contracts) | 2.7
We have a process in place to report status of vendor assessments | 2.6
We have a process in place to periodically evaluate vendor service delivery | 2.6
We have a process in place to evaluate compliance with vendor management processes and procedures | 2.6
We have a process in place to provide board and executive management response to vendor assessment results | 2.5
We have a process in place to evaluate internal compliance with vendor management onboarding, periodic assessment and off-boarding | 2.5
We have a process in place to manage vendor inventory | 2.5
We have a process in place to periodically assess vendor value (for example, service delivery, vendor security, control environment, operations, etc.) | 2.5
We have in place an ongoing education program for vendor management policies, procedures and updates | 2.3

Commentary

A framework should be in place to establish the process(es) for communicating the results of vendor risk assessments to the board, senior management and key risk committees. The type and complexity of information should be carefully determined (dashboards/scorecards, etc.) to ensure executives are kept fully informed without being overwhelmed with detailed information. A well-developed process for communicating results will help assure senior management that vendors can discharge their obligations to manage vendor risks effectively.

[Chart: Communication and Information Sharing, Industry Results. Bar chart of maturity level (scale 1.0 to 4.0) for Financial Services, Healthcare, Insurance and All Others across components a through k, the same eleven components listed, in the same order, in the financial services table below.]

Communication and Information Sharing: Focus on the Financial Services Industry*

Vendor Risk Component | $500M to $1B | $1B to $5B | $5B to $10B | $10B to $20B | More than $20B
We have a formal process in place for adoption of the program by executive management and adoption of the program as a standard practice (sourcing, procurement, contracts) | 3.3 | 2.8 | 2.6 | 2.4 | 3.9
We have in place an ongoing education program for vendor management policies, procedures and updates | 2.3 | 2.5 | 2.4 | 2.3 | 3.5
We have a process in place to periodically assess vendor value (for example, service delivery, vendor security, control environment, operations, etc.) | 2.4 | 2.8 | 2.7 | 1.9 | 3.4
We have a process in place to evaluate internal compliance with vendor management onboarding, periodic assessment and off-boarding | 2.2 | 2.8 | 2.6 | 2.6 | 3.4
We have a process in place to manage vendor inventory | 2.8 | 3.0 | 2.9 | 2.5 | 3.2
We have a process in place to report status of vendor assessments | 3.4 | 3.0 | 2.7 | 3.4 | 3.8
We have a process in place to evaluate compliance with vendor management processes and procedures | 2.1 | 2.7 | 2.3 | 3.0 | 3.7
We have a process in place to periodically evaluate vendor service delivery | 2.7 | 3.3 | 3.0 | 2.3 | 3.4
We have a process in place to track and communicate incidents | 2.3 | 3.2 | 2.9 | 2.5 | 3.5
We have a process in place to escalate and communicate incidents and issues | 2.3 | 3.0 | 2.9 | 2.7 | 3.9
We have a process in place to provide board and executive management response to vendor assessment results | 3.1 | 2.9 | 2.4 | 2.9 | 3.6

* Does not include insurance companies.

Tools, Measurement and Analysis

Overall Level of Maturity: 2.4

Key Observations

The ability to benchmark, measure and report the financial viability of vendors is at the defined and established level, though not yet fully implemented and operational. Most organizations are beginning to get on track with scheduling reviews for vendor assessments and assigning resources to perform these assessments, but full implementation is not yet achieved. The financial services industry has a notable hands-on, metrics-based approach to assessing its vendors; it is also much more ROI-conscious.

Tools, Measurement and Analysis Overall Results

Vendor Risk Component | Maturity Level
We determine the financial viability of key vendors | 2.9
We engage finance and procurement partners | 2.6
We assign resources to accomplish reviews as scheduled | 2.5
We report financial results from our vendors to relevant stakeholders | 2.5
We establish vendor review schedules for all vendor assessments (onsite, remote, etc.) | 2.4
We establish relevant financial measures and benchmarks | 2.4
We provide periodic reporting on review monitoring | 2.4
We report risk scoring results to relevant stakeholders | 2.3
We process information obtained during the vendor selection or review process into a risk scoring tool based on our risk scoring methodology | 2.3
We capture and report on vendor review costs, budget to actual, etc. | 2.1
We monitor variances between scheduled reviews and actual reviews performed | 2.1

Commentary

This section outlines the process necessary to develop and maintain an effective workflow for conducting vendor assessments, including vendor risk scoring and financial viability analysis. Developing mature components in this area is essential to manage assessment resources efficiently and deliver assessment reports in a timely manner.

[Chart: Tools, Measurement and Analysis, Industry Results. Bar chart of maturity level (scale 1.0 to 4.0) for Financial Services, Healthcare, Insurance and All Others across components a through k, the same eleven components listed, in the same order, in the financial services table below.]

Tools, Measurement and Analysis: Focus on the Financial Services Industry*

Vendor Risk Component | $500M to $1B | $1B to $5B | $5B to $10B | $10B to $20B | More than $20B
We establish vendor review schedules for all vendor assessments (onsite, remote, etc.) | 3.1 | 2.8 | 3.0 | 2.9 | 3.6
We assign resources to accomplish reviews as scheduled | 2.7 | 2.7 | 2.9 | 3.1 | 3.6
We capture and report on vendor review costs, budget to actual, etc. | 1.7 | 1.8 | 2.9 | 1.9 | 2.6
We monitor variances between scheduled reviews and actual reviews performed | 1.8 | 2.0 | 3.3 | 1.7 | 3.1
We provide periodic reporting on review monitoring | 2.7 | 2.3 | 3.3 | 2.6 | 3.6
We process information obtained during the vendor selection or review process into a risk scoring tool based on our risk scoring methodology | 2.3 | 2.7 | 2.9 | 2.7 | 3.3
We report risk scoring results to relevant stakeholders | 2.4 | 3.0 | 2.6 | 2.7 | 3.4
We engage finance and procurement partners | 2.9 | 2.9 | 3.0 | 2.3 | 3.9
We establish relevant financial measures and benchmarks | 2.3 | 2.9 | 2.7 | 1.7 | 2.9
We determine the financial viability of key vendors | 3.2 | 3.5 | 3.4 | 3.1 | 4.0
We report financial results from our vendors to relevant stakeholders | 2.7 | 3.3 | 3.4 | 2.7 | 3.7

* Does not include insurance companies.

Monitoring and Review

Overall Level of Maturity: 2.9

Key Observations

Most organizations have well-developed processes and involve the appropriate levels of management in the approval, modification and handling of contracts. Organizations are also more developed in their ability to inform stakeholders and respond appropriately to data breaches or other security incidents. Processes to request SLA reporting periodically, survey customers and ensure customer satisfaction are still being articulated and defined. Also developed but not fully functional are processes to conduct vendor testing, including testing via an independent third party, and processes to test vendors' business continuity and disaster recovery measures.

Monitoring and Review Overall Results

Vendor Risk Component | Maturity Level
We have a process in place to modify contracts and approve modifications by our legal department and an appropriate level of management | 3.5
We have a process in place to facilitate approval of final contract terms by our legal department and an appropriate level of management | 3.5
We have policies and procedures in place over the process to store, retain and make available contract terms | 3.4
We have standard contract terms in place | 3.4
We have a process in place to address expired or cancelled contracts | 3.2
We have a process in place to respond to, escalate and inform key stakeholders of relevant data security, breach or other similar incidents | 3.1
We have a process in place to review applicable audit reports periodically | 2.9
We have a process to respond to and inform key stakeholders of regulatory requirements and trends | 2.7
We have a process in place to track and analyze customer complaints | 2.7
We obtain independent assurance or third-party testing of key vendors | 2.7
We have a process in place to periodically require SLA reporting | 2.5
We have a process in place to periodically conduct vendor onsite visits and testing | 2.5
We have a process in place to test our vendors' business continuity and disaster recovery measures periodically, and review the test results | 2.5
We have a process to monitor industry and market trends that may negatively impact our vendors | 2.4
We have a process in place to periodically conduct customer satisfaction surveys | 2.3

Commentary

This section includes components for the periodic testing and evaluation of policies and processes to allow management to make well-informed decisions about how to spend resources to manage vendor risk. These components facilitate the ability to review your vendor management program to determine whether revisions need to be made due to changes in the regulatory and/or threat environment.

[Chart: Monitoring and Review, Industry Results. Bar chart of maturity level (scale 1.0 to 4.0) for Financial Services, Healthcare, Insurance and All Others across components a through o, the same fifteen components listed, in the same order, in the financial services table below.]

Monitoring and Review: Focus on the Financial Services Industry*

Vendor Risk Component | $500M to $1B | $1B to $5B | $5B to $10B | $10B to $20B | More than $20B
We have standard contract terms in place | 3.2 | 3.7 | 3.6 | 3.3 | 4.1
We have a process in place to facilitate approval of final contract terms by our legal department and an appropriate level of management | 3.3 | 3.9 | 3.4 | 3.3 | 4.3
We have a process in place to modify contracts and approve modifications by our legal department and an appropriate level of management | 3.6 | 3.8 | 3.4 | 3.3 | 4.3
We have policies and procedures in place over the process to store, retain and make available contract terms | 3.4 | 3.6 | 3.1 | 3.1 | 4.2
We have a process in place to address expired or cancelled contracts | 2.9 | 3.5 | 3.3 | 2.7 | 3.6
We have a process in place to periodically require SLA reporting | 2.0 | 2.6 | 3.0 | 2.2 | 3.6
We have a process in place to track and analyze customer complaints | 3.0 | 3.1 | 2.6 | 1.7 | 2.9
We have a process to periodically conduct customer satisfaction surveys | 1.8 | 2.0 | 1.9 | 1.9 | 2.5
We have a process to respond to, escalate and inform key stakeholders of relevant data security, breach or other similar incidents | 3.1 | 3.5 | 2.9 | 2.9 | 3.9
We have a process to monitor industry and market trends that may negatively impact our vendors | 1.8 | 2.5 | 2.3 | 2.1 | 2.9
We have a process to respond to and inform key stakeholders of regulatory requirements and trends | 2.3 | 3.1 | 2.9 | 2.7 | 3.5
We have a process in place to review applicable audit reports periodically | 2.8 | 3.1 | 3.3 | 3.0 | 3.6
We have a process in place to test our vendors' business continuity and disaster recovery measures periodically, and review the test results | 2.3 | 3.0 | 3.0 | 3.1 | 3.4
We have a process in place to periodically conduct vendor onsite visits and testing | 2.1 | 2.9 | 3.0 | 3.1 | 3.4
We obtain independent assurance or third-party testing of key vendors | 2.9 | 3.3 | 2.4 | 3.1 | 3.3

* Does not include insurance companies.

SURVEY DEMOGRAPHICS

Nearly 450 respondents, including C-suite executives, as well as IT, internal audit and IT audit vice presidents and directors, participated in our study. All demographic information was provided voluntarily and not all participants provided data for every demographic question.

Position
Chief Financial Officer: 2%
Chief Audit Executive: 9%
Chief Risk Officer: 2%
Chief Information Security Officer: 2%
Other C-Suite Executive: 3%
IT VP/Director: 13%
Internal Audit VP/Director: 5%
IT Audit VP/Director: 2%
IT Manager: 16%
Internal Audit Manager: 16%
IT Audit Manager: 5%
Operational Risk Management: 9%
Procurement/Purchasing/Supply Chain: 3%
Other: 13%

Industry
Financial Services: 36%
Healthcare: 9%
Government/Education/Not-for-profit: 8%
Insurance: 7%
Manufacturing: 7%
Services: 4%
Technology: 4%
Professional Services: 3%
Energy: 3%
Real Estate: 3%
Retail: 2%
Utilities: 2%
Telecommunications: 2%
Other: 10%

Size of Organization
$20 billion+: 14%
$10 billion - $19.99 billion: 11%
$5 billion - $9.99 billion: 12%
$1 billion - $4.99 billion: 24%
$500 million - $999.99 million: 10%
$100 million - $499.99 million: 15%
Less than $100 million: 14%

Organization Headquarters
North America: 97%
Europe: 2%
Asia/Pacific: 1%

Type of Organization
Public: 53%
Private: 28%
Not-for-profit: 12%
Government: 6%
Other: 1%

About the Shared Assessments Program

The Shared Assessments Program is the trusted source in third-party risk management, with resources to effectively manage the critical components of the vendor risk management lifecycle, creating efficiencies and lowering costs for all participants. The Program keeps current with regulations, industry standards and guidelines, and the current threat environment. It is adopted globally across a broad range of industries, both by service providers and their customers. Through membership and use of the Shared Assessments Program Tools (the Agreed Upon Procedures, Standard Information Gathering questionnaire and Vendor Risk Management Maturity Model), Shared Assessments offers companies and their service providers a faster, more efficient and less costly means of conducting rigorous assessments of controls for IT and data security, privacy and business continuity. The Shared Assessments Program is managed by The Santa Fe Group (www.santa-fe-group.com), a strategic consulting company based in Santa Fe, New Mexico.

Shared Assessments Program members are national and international organizations of all sizes that understand the importance of comprehensive standards for managing third-party risk. They include financial institutions, healthcare organizations, energy/utility providers, retailers and telecommunications companies. They are service providers of all sizes, consulting companies and assessment firms. They are the best in their class, members of a global community of vendor risk management professionals who understand the value of implementing efficient and effective industry-standard practices.

About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 35 percent of FORTUNE 1000 and FORTUNE Global 500 companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.

Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

www.sharedassessments.org
www.protiviti.com

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

© 2014 Protiviti Inc. An Equal Opportunity Employer M/F/D/V. PRO-0514-101063