The Shared Assessments Program and Protiviti have released their fifth vendor risk management benchmark study, and this year’s report is full of the usual best practice insights and data meant to help organizations mature their third-party risk management programs. The theme of this year’s report (Running Hard to Stay in Place) is appropriate, as it indicates that despite significant advancements in third-party risk, progress is lacking.
I recommend you read the full report, and in this blog, I’ll break down the five (5) key findings and pose questions to help you gauge where you might be in the process of maturing your TPRM program.
The five key findings from the report include the following:
If the five key findings from this year’s report speak to the state of your own TPRM program, you’re not alone. I would contend there are four (4) actions you can take today to move your program in the right direction.
1. Improve board-level reporting – but be wary of “scoring” or “security ratings”
To improve board engagement, start with great reporting. One of the biggest challenges organizations can face in reporting, is a lack of clarity or completeness of scoring; or a misunderstanding of what a score really means. This issue is only amplified the higher-up you need to report. In our experience, great executive/board-level reporting is:
This issue is all about visibility… in context; getting decision-makers the context they need. I do want to caution you, though. Don’t get suckered into believing a “score” or “security rating” will solve what ails you. They tend to be too shallow, only providing an external network scan showing basic cyber risks – but there’s much more to scoring that could get you into hot water in front of the board. If you’re currently leveraging scoring or ratings services, make sure you have answers to these questions:
With no vendor assurance, scoring and rating vendors provides a limited view of vendor risk, meaning there is no real assessment happening. Best practices for TPRM as published by Shared Assessments, Gartner, Forrester, and others include vendor questionnaire assessments plus continuous monitoring.
Look for automation of assessment processes, and deep insights into the internal controls vendors use when handling data. Considering there are so many data breaches involving lapses in controls, you might want to dive deeper into that security score and see if it tells you how a vendor would handle your data.
2. Increase visibility into vendor’s cyber activity
Conducting your periodic controls-based standardized assessment is the most important activity your vendor risk management team can conduct to gain the deepest view of your vendor’s data security practices for compliance. However, they are point-in-time, and a lot can happen in between or during assessments.
Consider conducting continuous monitoring of your vendors’ networks to gain immediate insights into vendor risks that can inform assessments. Continuous insights into potential vendor risks make for better prioritization and risk awareness all around. Those insights can then serve to inform your overall risk scoring coming from the deep controls-based assessment.
One thing that can be particularly helpful here is to look not only at the cyber/data risks of vendors, but their business and operational risksas well. For example, considering factors such as revenue announcements, layoffs, data breach notifications, and the like can add an important qualitative metric to your cyber scanning, and can serve as predictive measure for possible future risks.
3. Improve remediation with better communication
This year’s study shows that there is better identification of risky vendor relationships, but with shortages of resources to address these remediations, organizations are moving away from risky relationships. Moving away from risky relationships is a good thing, but if they’re providing essential services for your organization, what’s the cost of onboarding a new vendor to perform the same service?
To me, perhaps another path that you can take here – for critical, hard-to-replace vendors only – is to simplify workflow and communications. What we’ve seen successful here is:
Taking a few simple steps to benefit vendors and simplify their reporting back to you will save your team time as well.
4. Consider a unified platform for automated continuous assessments and monitoring
Costs – and time – to complete thorough vendor assessments are going up, while resources to perform these assessments is staying rather stagnant. Consider automating the cumbersome process of collecting, analyzing, and remediating vendor resiliency, while continuously monitoring vendor data and business risks – and roll it up into a single, integrated platform based on standard industry content. This comprehensive model delivers maximum visibility, simplifies management, and lowers total cost of ownership. The benefits here are clear: Fewer vendors to manage; less time to complete, analyze and remediate vendor control problems; and less cost to support.
How can Prevalent help?
As a pioneer and leader in the third-party risk management market, and partner of both Shared Assessments and Protiviti, Prevalent delivers the industry’s only purpose-built, unified platform for third-party risk management. Delivered in the simplicity of a secure cloud, the Prevalent platform combines automated vendor assessments, continuous threat monitoring, and evidence sharing with expert advisory and consulting services to optimize your risk management program. With Prevalent, organizations simplify compliance, reduce vendor-based risks, and improve efficiency to better scale third-party risk management.
As you are maturing your third-party vendor risk management program, consider the benefits of a single, integrated platform – better visibility into vendor risks, maximum efficiency, and scale.
For more on Prevalent, or to see a customized demo, contact us today.