The trend toward dedicating more employees to the vendor risk management program continues. In 2018, 90% of respondents said they had fewer than 5 employees dedicated to it; in 2019 the figure was 77%, and for 2020 72% said they had 5 or fewer. Meanwhile, 17% now have 6 or more employees dedicated to their vendor risk management program. Given the challenges of third-party risk management, it’s important that the function is appropriately staffed with people sufficiently trained to do the job (whether in-house or supplemented externally).
believe there is ROI from efficient vendor risk management
say regulatory requirements are their primary reason for doing vendor risk management
A majority (77%) of respondents, with the exception of wealth and asset management, require a pre-contract risk assessment, an improvement from last year’s 67%. The pre-contract risk assessment is not only a best practice and general industry standard; it informs management of the risks they are assuming, allows them to craft better contracts to address those risks, and highlights additional areas for due diligence and ongoing monitoring.
say they require a written or formal risk assessment for all new vendors pre-contract
say they use the centralized operating model for their vendor management program
Seventy-one percent (71%) of respondents require a pre-contract risk assessment. The pre-contract risk assessment is not only a best practice and general industry standard; it informs management of the risks they’re assuming, allows them to craft better contracts to address those risks, and highlights additional areas for due diligence and ongoing monitoring. Once the contract is signed and the vendor is onboarded, it’s more difficult to establish appropriate reporting and breach notification provisions, obtain missing due diligence, and address a myriad of other items. It’s not just a good idea; it directly informs the due diligence, contract and oversight processes.
Cybersecurity absolutely needs to be a front-burner issue for the industry; in an era when it’s not a matter of “if” but “when” an incident will occur, companies need to be poised to react, and the best way to do that is to prepare well in advance. Regarding fourth parties, while there has been very little mention of them in formal guidance, examiners are laser-focused on companies that have even tangential access to customer data and on what the third party is doing to protect it.
say fourth party assessments are their next biggest hurdle
say cybersecurity assessments of third parties are their next biggest hurdle
This is Venminder’s fourth annual whitepaper. This year we again expanded the survey to include respondents from a wider variety of industries. We believe this year’s results provide a broader lens to look at the third-party risk management industry as a whole and, on balance, acknowledge the shared challenges of managing a highly outsourced vendor model.
Venminder promoted the survey to both clients and non-clients through email and social media. Results were tabulated as of December 17, 2019. To increase confidence in the validity of responses, answers were anonymous and confidential.