MENLO PARK, Calif., Nov. 16, 2017 /PRNewswire/ -- Global
consulting firm Protiviti and the Shared Assessments Program's
annual Vendor Risk Management Benchmark Study, released
today, finds that a majority (53 percent) of organizations surveyed
are likely to exit or change (de-risk) relationships with some
vendors due to heightened risk levels. The reason cited most often
was fourth-party risk issues and an inability to resolve them.
Insurance companies, including healthcare payers, appear much
more likely to make de-risking moves, with cost concerns and a lack
of internal expertise to evaluate vendor controls cited as other
primary reasons. The study, now in its fourth year, finds that 71
percent of these organizations will likely change their high-risk
relationships over the next 12 months. Nearly half of all
respondents (48 percent) said it has become imperative from a risk
and regulatory standpoint to assess vendors' contractors.
The survey of 539 C-suite executives and risk management and
audit professionals was conducted across a wide range of industries
in the second and third quarters of 2017, with the majority of
their organizations having revenues exceeding $1 billion. According to respondents, companies'
board-level engagement around cybersecurity risks has improved
notably during the past year. Massive and costly cyberattacks –
including WannaCry, Petya and the Equifax hack, among others – have
struck in the past year, forcing organizations, and healthcare
providers in particular, to rethink key components of their vendor
risk management approaches.
"While our study revealed increased board engagement in
cybersecurity, there is an 'engagement gap' in that boards remain
more engaged in their own companies' internal cybersecurity risks
than the cybersecurity risks of the organizations' vendors, which
can have negative repercussions if even one of those vendors has a
severe data breach," said Cal Slemp,
managing director, security program and strategy services,
Protiviti. New cybersecurity-related regulations, such as the EU's
General Data Protection Regulation (GDPR), China's complex Cyber Security Law (CSL) and
the stringent New York Department of Financial Services (NYDFS)
Cybersecurity Requirements, have taken effect in the past year or
are set to go into effect in the near future. "Even though
companies have made strides in their vendor risk management
practices as evident in this year's survey results, many
organizations may not have access to enough vendor risk management
expertise to mitigate their risks," added Slemp.
"Despite some improvement in vendor risk management overall, our
study has found that – with some notable exceptions – progress has
been incremental since the study's first iteration in 2014. The
single most important step an organization can take to improve its
third-party risk management performance is to undertake periodic,
arm's length evaluations of its program's effectiveness. Regular
benchmarking is extremely important given the challenges associated
with a rapidly evolving, volatile external risk and regulatory
environment," said Gary Roboff,
senior advisor, The Santa Fe Group, Shared Assessments Program.
The research, which looks at organizations' maturity of vendor
risk management, is based on the comprehensive Vendor Risk
Management Maturity Model (VRMMM) developed by the Shared
Assessments Program.
Resources Available to Learn More
Protiviti will host a complimentary webinar at 10:00 a.m. PST on November
30, 2017 to discuss the results of the survey and offer
insights into what organizations can do to raise their vendor risk
management maturity levels. Joining Roboff on the one-hour webinar
will be Paul Kooney, a director in
Protiviti's security and privacy practice. To register, please
visit www.protiviti.com/webinars. They have also recorded a podcast
about the survey findings, which can be found at
www.protiviti.com/vendor-risk. The site also hosts an infographic
and a short video of the survey's highlights.
To access a complimentary copy of the full report, 2017
Vendor Risk Management Benchmark Study, please click here.
About the Shared Assessments Program
The Shared Assessments Program is the trusted source for third
party risk management with resources, including tools and best
practices, to effectively manage the critical elements of the
vendor risk management lifecycle. Members represent a
collaborative, global, peer community of information security,
privacy, and third party risk management leaders in industries
including financial services, insurance, brokerage, healthcare,
retail, and telecommunications. The Certified Third Party Risk
Professional (CTPRP) certification program, membership, and use of
the Shared Assessments Program Tools ensure organizations stay
current with the threat and risk environment, including
regulations, industry standards, and guidelines. Shared Assessments
provides organizations and their service providers the rigorous
controls needed for IT, data security, privacy, and business
continuity. The Shared Assessments Program is managed by The Santa
Fe Group (www.santa-fe-group.com), a strategic consulting company
based in Santa Fe, New Mexico. On
the web at http://www.sharedassessments.org.
About Protiviti
Protiviti (www.protiviti.com) is a global consulting firm that
delivers deep expertise, objective insights, a tailored approach
and unparalleled collaboration to help leaders confidently face the
future. Through its network of more than 70 offices in over 20
countries, Protiviti and its independently owned Member Firms
provide clients with consulting solutions in finance, technology,
operations, data, analytics, governance, risk and internal
audit.
Protiviti has served more than 60 percent of Fortune
1000® and 35 percent of Fortune Global
500® companies. The firm also works with smaller,
growing companies, including those looking to go public, as well as
with government agencies. Protiviti is a wholly owned subsidiary of
Robert Half (NYSE: RHI). Founded in
1948, Robert Half is a member of the
S&P 500 index.
Protiviti is not licensed or registered as a public
accounting firm and does not issue opinions on financial statements
or offer attestation services.
Editor's note: infographic of survey highlights available in PDF
or JPEG formats. Photos available upon request.
SOURCE Protiviti