More than three-quarters (77%) of respondents have five or fewer FTEs committed to working in vendor management. This is an improvement from 90% last year, perhaps due to adding new company types across the surveyed financial services and financial technology industries. Given the challenges of third-party risk management, particularly at smaller companies where vendor management may be an afterthought for the already overwhelmed compliance manager, it’s important that the function is appropriately staffed with people sufficiently trained to do the job.
believe there is ROI from efficient vendor risk management
say regulatory requirements are their primary reason for doing vendor risk management
A majority (77%) of respondents, with the exception of wealth and asset management, require a pre-contract risk assessment, an improvement from last year’s 67%. The pre-contract risk assessment is not only a best practice and general industry standard; it also informs management of the risks they are assuming, allows them to craft better contracts to address risk, and highlights additional areas for due diligence and ongoing monitoring.
say they have updated their vendor management policy documents in the last year
say they use the centralized operating model for their vendor management program
Keeping your vendor management policy documents up to date and consistent with regulatory guidance and best practices is vital to having a successful practice. This year, 76% say they update the policy at least yearly, a slight improvement from last year’s 74%. Just like an annual checkup that can catch a medical issue early, the longer you leave the vendor management policy in place without refreshing it, the longer a potential unseen concern can grow and get worse.
Cybersecurity absolutely needs to be a front-burner issue for the industry. In an era when it’s not a matter of “if” but “when” an incident will occur, companies need to be poised to react, and the best way to do that is to prepare well in advance. Regarding fourth parties, while there has been very little mention in formal guidance, examiners are laser-focused on companies that have even tangential access to customer data and what the third party is doing to protect it.
say fourth party assessments are their next biggest hurdle
say cybersecurity assessments of third parties are their next biggest hurdle
This is Venminder’s third annual whitepaper. This year we expanded the survey to include respondents from the wider financial services and financial technology industries. We believe this year’s results provide a broader lens to look at the third-party risk management industry as a whole and, on balance, acknowledge the shared challenges of managing a highly outsourced vendor model.
Venminder promoted the survey to both clients and non-clients through email and social media. Results were tabulated as of December 17, 2018. To increase confidence in the validity of responses, answers are anonymous and confidential.