Poll: Over Half of Risk Managers Say Their Vendor Risk Management Program is Underperforming
ProcessUnity recently participated in a live webinar with IT GRC and other leading Vendor Risk Management (VRM) experts to educate organizations on the cyber risk posed by vendors, suppliers and third parties.
If you weren’t able to attend the Key Steps to Identify Risk and Master Vendor Risk Management webinar, download the on-demand recording here.
Five hundred risk management professionals joined the webinar to understand the risks that come with managing a multitude of vendors, and with an overwhelming amount of interest and participation, it’s clear that VRM is only rising in importance. But how are their programs performing? We had the opportunity to ask that question via a live audience poll.
A third party risk management (TPRM) program is more than just checking a box, and organizations can grade their maturity level through the Third-Party Risk Management Maturity model. This model has four levels of program maturity – with informal indicating that organizations are playing with fire to optimized where TPRM is a top priority for the organization. In the live poll taken during the webinar, 56 percent said that their programs are underperforming…or not performing at all.
Almost one in five (18 percent) indicated that their program is informal, where they have little to no program in place at all. These organizations do not have established policies or procedures for assessing risk, nor consistent processes for onboarding new vendors, or negotiating contracts. Today’s digital landscape exposes even the smallest businesses to devastating risks, and if these organization’s vendors have access to crucial business data without any means of protection, they are playing with fire.
Another 38 percent said that they have a reactive TPRM, where there are minimal resources, manual questionnaire reviews and due diligence distribution, and little to no executive support. The policies and procedures of these companies fulfill the basics of point-in-time risk assessments but offer no pathways toward ongoing monitoring. Without centralization of data and command of workflows, it’s difficult to demonstrate consistent, repeatable processes – not to mention the real risk of manual errors.
That means more than half of these organizations are putting third-party risk management on the back burner.
While many may be at risk, there is also a significant amount of organizations recognizing the need and are making real changes to their vendor management processes. 37 percent of organizations said that they are proactive and have a dedicated, full-time third-party risk management team. In proactive organizations, risk policies and procedures are fulfilled through a dedicated third-party risk management system that automates workflows, centralizes data, coordinates internal and external communications, archives contracts and other relationship documentation, and enables basic reporting that can draw insights from aggregate risk data.
Finally, only four percent of participants believe that their program is optimized. Optimized programs not only have all the benefits of proactive programs, but also can take third-party risk management from the tactical to the strategic level. These leaders are leveraging strategic advantages to reduce costs and improve service quality, while also having visibility into every vendor relationship.
How to Develop An Effective Third-Party Risk Management Program
It’s clear that many organizations are on the right path to a successful and automated TPRM, however still need to take the necessary steps to further mitigate risk. Businesses operate at different scales, with a variety of risks that have different degrees of severity…and potential consequences.
As a leading provider of Third-Party Risk Management software, we’ve found that the right mix of people, processes, and technology result in the most effective and comprehensive programs, however the poll indicates that many organizations are still in the early stages of developing a sound Third-Party Risk Management program. TPRM programs can not only save valuable time and money, but also can safeguard companies from potential weaknesses in their vendors that can lead to data extraction, financial and reputational damage, and more.
How do you rate your Third-Party Risk Management program? Optimized? Reactive? Proactive?
Download ProcessUnity’s Third-Party Risk Management Maturity Model to determine where your program falls, and how ProcessUnity can get you to the next level.