Now Available – Protiviti’s 2015 Vendor Risk Management Benchmark Study

August 24, 2015

Many organizations rely heavily on external vendors and these vendors often have access to the organization’s sensitive information.  But what are organizations doing to manage the risks these vendors pose to their business.  That was the focus of Protiviti’s 2nd Annual Vendor Risk Management Benchmark Study.

Below is a synopsis of the findings from this year’s report and be sure to visit to read the full report, access additional resources, and benchmark your company.

SYNOPSIS: The results of this year’s Vendor Risk Management Benchmark Study from the Shared Assessments Program and Protiviti can be viewed as cause for optimism – or concern, depending on one’s view of the world. From a “glass-is-half-empty” perspective, it appears that third-party risk management programs may be stagnating. This year’s survey respondents rated their overall maturity in most vendor risk management categories to be virtually identical to levels reported in our 2014 results for the same areas.

For those who favor the “glass-is-half-full” point-of-view, these findings may reflect increased knowledge among survey respondents who have gained a greater understanding of vendor risk over the past year. While organizations are striving to make improvements, they also are more accurately assessing the maturity and capabilities of their vendor risk management programs.

That said, the 2015 survey findings are crystal clear on a crucial point: There is still a lot of vendor risk management work to be done. Our key findings from this year’s study:

  • Vendor risk management programs require more substantive advances – The overall maturity rating for program governance in this year’s survey (2.8 on a 5-point scale) should serve as a warning sign of the need for deeper changes that reach into organizational culture and behavior.
  • Cybersecurity threats are a prominent challenge – Cybersecurity threats are clearly on the minds of risk managers, IT functions and regulators. High-profile data breaches, often involving millions of customer records and personally identifiable information, are being reported with greater frequency.
  • Vendor risk management programs within financial services organizations are more mature – The financial services industry remains ahead of other industries, including insurance and healthcare, with regard to their vendor risk management programs.

What is your organization doing to manage your vendor risk?