Organizations are not adequately addressing IT and security risks that emerge from outsourcing and partnering with third-party vendors, according to a new survey by consulting firm Protiviti and Shared Assessments Program, a community of risk management professionals.
Despite the many standards and regulations in the business environment today and the need for increased vigilance due to highly publicized data breaches and cyber threats, the study found that companies lack mature vendor risk-management practices and don’t have the necessary resources and staff to meet best practice standards.
“Managing the risks associated with outsourced services and vendor relationships is one of the many challenges facing organizations when it comes to data security,” Rocco Grillo, a managing director at Protiviti and the firm’s global leader for incident response and forensic investigations, said in a statement.
“Many companies aren’t adequately or effectively protecting themselves from exposure to vendor outsourcing risks,” Grillo said. “This could result in their potential exposure to system compromise, fraudulent abuse of data and, in some cases, regulatory exposures and fines, which could have significant impact on their brands and reputations.”
Nearly 450 IT and risk management professionals in the study rated their organizations on the Vendor Risk Management Maturity Model, a best practice tool from Shared Assessments that measures the quality and maturity of an existing risk management program.
“While the needs to manage vendor risk vary by specific company profile and needs, we found that organizations are still falling short of best practice recommendations,” said Catherine Allen, chairman and CEO of The Santa Fe Group, which manages the Shared Assessments Program. “The increased use of third parties could create a wider gap for risk managers that can only be addressed through closer attention to consistency in policies, procedures and governance. Failing to include the necessary components may result in vendor risks going undetected, with potentially devastating results.”