The Shared Assessments Program and Protiviti have released their fifth vendor risk management benchmark study, and this year’s report is full of the usual best practice insights and data meant to help organizations mature their third-party risk management programs. The theme of this year’s report (Running Hard to Stay in Place) is appropriate, as it indicates that despite significant advancements in third-party risk, progress is lacking.
I recommend you read the full report, and in this blog, I’ll break down the five (5) key findings and pose questions to help you gauge where you might be in the process of maturing your TPRM program.
The five key findings from the report include the following:
- Program maturity is relatively unchanged from prior reports, coming in at a 3 on a 5 scale. Shared Assessments and Protiviti believe that organizations are in sustain mode with their programs.
- A highly engaged board correlates with a mature VRM program (though not every mature VRM program has strong board engagement), and the percentage of highly engaged boards continues to grow, likely driven by the growing number of high-profile breaches originating with third parties.
- Cyber attacks are increasing, and it’s taking longer to find and fix them.
- Organizations are moving away from higher-risk vendor relationships – likely due to better identification measures, and continuing resource constraints.
- Costs continue to increase, while resources are stagnant.
If the five key findings from this year’s report speak to the state of your own TPRM program, you’re not alone. I would contend there are four (4) actions you can take today to move your program in the right direction.
1. Improve board-level reporting – but be wary of “scoring” or “security ratings”
To improve board engagement, start with great reporting. One of the biggest reporting challenges organizations face is unclear or incomplete scoring, or a misunderstanding of what a score really means. This issue is only amplified the higher up you need to report. In our experience, great executive/board-level reporting is:
- Flexible – it enables you to weight vendors based on importance to the business.
- Clear – it maps answers to control frameworks or regulatory mandates for easy interpretation.
- Future-focused – it projects future risk based on in-process remediations, so you can gauge how risk mitigation efforts are playing out.
This is all about visibility in context: getting decision-makers the context they need. I do want to caution you, though. Don’t get suckered into believing a “score” or “security rating” will solve what ails you. Ratings tend to be shallow, typically derived from an external network scan that surfaces only basic, outside-in cyber risks. There is much more to a vendor’s risk than that, and presenting a rating as the whole picture can land you in hot water in front of the board. If you’re currently leveraging scoring or ratings services, make sure you have answers to these questions:
- What about measuring a vendor’s internal adherence to compliance mandates? Can an external scan reveal that?
- Can a score articulate the risk a vendor poses to your business in-region? Does it give you a view into extended fourth-party relationships?
- Can a security score tell you how a vendor handles your data?
- How can security ratings automate the collection of vendor evidence and due diligence?
Without vendor assurance (evidence gathered from the vendor itself), scoring and rating services provide only a limited, outside-in view of vendor risk; no real assessment is happening. Best practices for TPRM as published by Shared Assessments, Gartner, Forrester, and others include vendor questionnaire assessments plus continuous monitoring.
Look for automation of assessment processes, and deep insights into the internal controls vendors use when handling data. Considering there are so many data breaches involving lapses in controls, you might want to dive deeper into that security score and see if it tells you how a vendor would handle your data.
2. Increase visibility into vendors’ cyber activity
Your periodic, controls-based, standardized assessment is the most important activity your vendor risk management team can perform: it gives the deepest view of a vendor’s data security practices and compliance posture. However, such assessments are point-in-time, and a lot can happen between (or even during) them.
Consider conducting continuous monitoring of your vendors’ networks to gain immediate insights into vendor risks that can inform assessments. Continuous insights into potential vendor risks make for better prioritization and risk awareness all around. Those insights can then serve to inform your overall risk scoring coming from the deep controls-based assessment.
One thing that can be particularly helpful here is to look not only at the cyber/data risks of vendors, but at their business and operational risks as well. For example, factors such as revenue announcements, layoffs, and data breach notifications add an important qualitative signal alongside your cyber scanning, and can serve as a predictive measure of possible future risks.
3. Improve remediation with better communication
This year’s study shows that there is better identification of risky vendor relationships, but with shortages of resources to address these remediations, organizations are moving away from risky relationships. Moving away from risky relationships is a good thing, but if they’re providing essential services for your organization, what’s the cost of onboarding a new vendor to perform the same service?
To me, perhaps another path that you can take here – for critical, hard-to-replace vendors only – is to simplify workflow and communications. What we’ve seen successful here is:
- Define assessment schedules, with built-in chasing reminders.
- A real-time view into the status of the content-gathering request, visible to both assessors and vendor users.
- Automatic generation of a risk register once a request has been completed so that all parties are aware of specific control failures.
- Bi-directional workflow with built-in discussion tools between assessors and vendors.
- Easy-to-use dashboard to capture and audit conversations, record completion dates, assign tasks, and match documentation or evidence.
Taking a few simple steps to benefit vendors and simplify their reporting back to you will save your team time as well.
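To make the reporting and remediation mechanics from sections 1 and 3 concrete, here is an added example (not code from the original post, and not Prevalent’s platform) that turns one completed questionnaire into a board-ready summary: answers are mapped to control identifiers, failed controls are weighted by the vendor’s importance to the business, in-process remediations are used to project future risk, and a risk register of specific control failures is generated for both parties. The control IDs, severities, tier weights, questionnaire answers and remediation dates are all constructed for illustration.

```python
"""Added example: questionnaire -> weighted score, projected score, risk register.

Everything below (control IDs, severities, tier weights, sample answers and
remediation dates) is constructed for illustration and is not from the post.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "Flexible" reporting: weight each vendor by its importance to the business.
TIER_WEIGHT = {"critical": 3.0, "important": 2.0, "routine": 1.0}

# "Clear" reporting: map each questionnaire item to a control in whatever
# framework you report against. Hypothetical control IDs; severity is 1-5.
CONTROL_MAP: Dict[str, Tuple[str, str, int]] = {
    "Q1": ("AC-2", "Account management", 4),
    "Q2": ("SC-8", "Transmission confidentiality (encryption in transit)", 5),
    "Q3": ("IR-4", "Incident handling and breach notification", 3),
    "Q4": ("SA-9", "External system services (fourth-party oversight)", 3),
}


@dataclass(frozen=True)
class Finding:
    """One risk-register entry: a control the vendor failed to evidence."""
    vendor: str
    control_id: str
    control_name: str
    severity: int
    remediation_due: Optional[str]  # None when no remediation is in progress


def failed_controls(answers: Dict[str, str]) -> List[Tuple[str, str, int]]:
    """Return the mapped control for every item the vendor answered 'no'."""
    return [CONTROL_MAP[q] for q, a in answers.items() if a.strip().lower() == "no"]


def risk_register(vendor: str, answers: Dict[str, str],
                  remediations: Dict[str, str]) -> List[Finding]:
    """Build the register of control failures once a request is completed."""
    return [Finding(vendor, cid, name, sev, remediations.get(cid))
            for cid, name, sev in failed_controls(answers)]


def weighted_score(findings: List[Finding], tier: str) -> float:
    """Current risk: failed-control severities summed, weighted by vendor tier."""
    return TIER_WEIGHT[tier] * sum(f.severity for f in findings)


def projected_score(findings: List[Finding], tier: str) -> float:
    """"Future-focused" view: assume in-process remediations close their findings."""
    still_open = [f for f in findings if f.remediation_due is None]
    return weighted_score(still_open, tier)


# Constructed sample: one critical vendor's answers and its remediation plan.
SAMPLE_ANSWERS = {"Q1": "yes", "Q2": "no", "Q3": "no", "Q4": "no"}
SAMPLE_REMEDIATIONS = {"SC-8": "2024-09-30"}  # only the encryption gap is being fixed


def board_summary(vendor: str = "ExampleVendor", tier: str = "critical",
                  answers: Dict[str, str] = SAMPLE_ANSWERS,
                  remediations: Dict[str, str] = SAMPLE_REMEDIATIONS) -> dict:
    """The numbers a board slide needs: current risk, projected risk, open items."""
    register = risk_register(vendor, answers, remediations)
    return {
        "vendor": vendor,
        "tier": tier,
        "open_findings": [f.control_id for f in register],
        "in_remediation": [f.control_id for f in register if f.remediation_due],
        "current": weighted_score(register, tier),
        "projected": projected_score(register, tier),
    }


if __name__ == "__main__":
    summary = board_summary()
    print(summary)
    for f in risk_register(summary["vendor"], SAMPLE_ANSWERS, SAMPLE_REMEDIATIONS):
        print(f"{f.control_id:6} sev={f.severity} due={f.remediation_due} {f.control_name}")
```

The point of the two numbers is the contrast: the same vendor shows as a 33.0 today and an 18.0 once the in-flight remediation lands, which is the trend a board can act on. A flat external rating cannot produce either figure because it never sees the questionnaire evidence behind them.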
4. Consider a unified platform for automated continuous assessments and monitoring
Costs – and time – to complete thorough vendor assessments are going up, while the resources available to perform these assessments stay rather stagnant. Consider automating the cumbersome process of collecting and analyzing evidence of vendor resiliency and remediating the gaps it reveals, while continuously monitoring vendor cyber and business risks – and roll it all up into a single, integrated platform based on standard industry content. This comprehensive model delivers maximum visibility, simplifies management, and lowers total cost of ownership. The benefits here are clear: fewer tools (and tool vendors) to manage; less time to complete, analyze and remediate vendor control problems; and less cost to support.
How can Prevalent help?
As a pioneer and leader in the third-party risk management market, and partner of both Shared Assessments and Protiviti, Prevalent delivers the industry’s only purpose-built, unified platform for third-party risk management. Delivered in the simplicity of a secure cloud, the Prevalent platform combines automated vendor assessments, continuous threat monitoring, and evidence sharing with expert advisory and consulting services to optimize your risk management program. With Prevalent, organizations simplify compliance, reduce vendor-based risks, and improve efficiency to better scale third-party risk management.
As you are maturing your third-party vendor risk management program, consider the benefits of a single, integrated platform – better visibility into vendor risks, maximum efficiency, and scale.
For more on Prevalent, or to see a customized demo, contact us today.