The 2019 “Vendor Risk Management Benchmark Study: Running Hard to Stay In Place” is the fifth annual survey of its kind by the Shared Assessments Program and consulting company Protiviti. The key finding of the survey is that businesses need to work even harder than before to maintain the same relative level of maturity versus their industry peers. As I was writing my Recaps of the Shared Assessment Summit 2019 blog post I wondered: Why is that the case?
I think there are two reasons why businesses need to run harder just to remain on the treadmill, so to speak.
- Increased cloud computing adoption by IT departments and at the business unit level (aka shadow IT) increases dependence on third parties.
- Regulatory due diligence requirements, such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) require businesses to control any third-party personal data handling on their behalf.
As the size and scrutiny of the IT third-party universe grows, so does complexity. The 2019 VRM survey authors updated their Vendor Risk Management Maturity Model (VRMMM) to cover fourth-party risk (your vendor’s subcontractors) and other topics. Expanding VRM to fourth-parties more than doubles the scope of responsibility. Note: Transitive third-party assessment has been on the radar screen at least since 2013, when I wrote about how HIPAA’s Omnibus Rule required all Covered Entities to obtain “satisfactory assurances” from their business associates, and business associates to get the same from their subcontractors.
At the Shared Assessments Summit 2019, a member of the audience observed that he’d seen fourth-party risk and, given the transitive nature of liability these days, fifth-party risk. But, “I’ve never seen it go beyond sixth-party risk.”
Key Findings of the 2019 VRM Survey
The survey polled 554 risk management practitioners and C-suite executives on the detailed criteria in the Shared Assessment VRMMM to obtain the results show in the figure at the start of this post.
The survey authors struck a somber tone: “There were no sectors in which more than 50 percent of respondents reported mature vendor risk management programs. Four in ten organizations had fully mature VRM programs, but almost a third had ad hoc or no program in place.” Perhaps that isn’t so surprising considering; it was clear from the Shared Assessments Summit CISOs and board members are still struggling to assess and communicate risk.
The survey highlighted the need for a strong tone at the top: “Awareness of third-party risks by organization’s Board of Directors is a strong indicator of vendor risk management (VRM) program maturity: 57 percent of organizations reporting high levels of board engagement also reported mature and advanced vendor risk management programs.”
Signs of Progress?
On the bright side, we learned, “Every sector reports progress over the last year in identifying, assessing and managing their critical third-party vendors, with 41 percent reporting mature processes in place. Only 7 percent of respondents have not begun identifying and separately managing critical vendors.”
The fact that almost all businesses are starting to triage third parties and scrutinize their most critical vendors is promising. “More than not (55 percent), organizations are extremely or somewhat likely to move away from high risk relationships.”
Another sign of progress is the evident health of the shared assessments community. As I attended sessions at the Shared Assessment Summit wondering what I was going to write about, I found a thriving community of third-party management vendors in a large exhibition area. With them, customers have an opportunity for automation. Perhaps an untold story of the summit is that although customers must run faster to stay in place, a thriving third-party management market is working to help solve the problem.
I’m digging deeper into some of following questions (please comment or shoot me a note if you have thoughts on them):
- What are some good practices for assessing or controlling fourth-party risk? We do recommend that customers require third parties to pass through their requirements in downstream contracts with fourth-party suppliers, and that the third parties operate a program to verify the fourth parties are adhering to the requirements. Customers must then, in turn, verify that suppliers of critical services are doing so. This is a good starting point, but what else must be done and can anything scale to fifth and sixth parties?
- What is the best way to get actual shared assessments, not just shared assessment tools? The Shared Assessments Program provides Standard Information Gathering (SIG) and Standard Control Assessment (SCA) tools, which I’ve had a chance to use myself. I don’t think I need to tell you that third assessment is a lot of work even with these excellent tools. The only way we’ll stop running in place, or worse, is if we get to the point where customers with similar requirements could share their actual assessment with other businesses, or if vendors could post detailed and accurate answers to a questionnaire online for qualified prospects to review. The Cloud Security Alliance (CSA) STAR program enables cloud services providers (CSPs) to post self-assessments based on the Consensus Assessment Information Questionnaire (CAIQ). However, details of independent assessments by trusted auditors are not as easily available. It may be that all one can get (even with the help of third-party risk management vendors) are “certifications” and—possibly—a few details under NDA.
- What does this finding mean? “Sixty-seven percent more organizations reported serious disruption from a cyberattack or hacking incident vs. the previous year. The percentage of organizations fixing such issues within one month dropped by 17 percent.” Perhaps I’ll be able to get further details from the survey authors later.
More businesses are taking proactive steps to secure third-party relationships, but increased complexity and regulatory rigor are raising the bar. To keep up, businesses must mature their third-party risk management programs and consider automating more of the assessments process.
What do you think? Will we ever catch up?