State of Third-Party Risk Management
Venminder’s State of Third-Party Risk Management 2021 survey provides insight into how organizations are managing third-party risk in today’s increasingly regulated and risky climate.
As 2020 brought about unprecedented change, it’s particularly relevant that we look for shared lessons learned, best practices to follow, challenges faced and ways to continuously improve our third-party risk management practices.
2021
Third-party risk management was very much tested as an operational risk mandate, rather than simply a regulatory requirement in 2020. The pandemic pushed organizations to be more innovative, work remotely and rely more heavily on outsourced practices.
The (still ongoing) COVID-19 pandemic has validated for many that third-party risk management isn’t just a regulatory issue, but a practical real-world consideration. It has driven heightened awareness of the need for well-managed third-party risk management practices and the importance of ensuring that your data is protected, whether it’s in your hands or a vendor’s, and wherever it is, whether in a remote or office environment.
Internal Resources Committed to Vendor Management
Commitment to Vendor Management
Real concerns in certain areas
How many full-time employees are dedicated to your vendor management program?
Vendor Management Processes
At most companies, vendor management is complex
This response isn’t necessarily indicative of the size of the organization responding, because there are also varying degrees in which the organization outsources functions.
Does the organization embrace outsourcing everything or just certain functions they may not be able to adequately staff in-house?
Often, some of the larger organizations outsource to fewer companies than you’d expect, as many tend to have the resources to throw an army of people at projects to build their own infrastructure.
Size and Makeup of Vendor Landscape
What is your primary tool for managing your vendors?
Survey Highlights
Why we do what we do
Primary Benefits of Vendor Risk Management
Not surprisingly, the primary reasons organizations conduct vendor risk management are to meet regulatory requirements and protect their organization. This falls in line with the other results of our survey.
We all know that this is a best practice that ultimately protects from incidents, reputation damage and excess spending…but it often takes that big brother to hold us to the fire before resources are dedicated to a non-revenue generating function.
Rank 1 to 6 your primary reasons for doing vendor risk management.
1. Regulatory requirements
2. Avoid third-party cyber incidents
3. Reputation protection
4. Best practice
5. Quality assurance
6. Cost control
About the Report
Venminder is an industry-recognized leader of third-party risk management solutions. Dedicated to third-party risk, the company is the go-to partner for software, high-quality assessments on vendor controls, certified subject-matter expertise and education. The Venminder platform is used by almost 1000 clients across a wide range of industries to efficiently execute their third-party risk management programs. As Venminder’s solutions are designed to accommodate growth and various levels of program maturity, clients range in size from small to top Fortune 100 organizations.
The maturity of third-party risk management practices continues to evolve and, notably, improve
More organizations than ever are placing a priority on third-party risk management, as evidenced by the investment of budget expenses increasing for many
have formal risk assessment processes in place to determine inherent risk and residual risk for all new vendors pre-contract
Organizations are continuing to see a practical advantage of third-party risk management as a positive return on investment (ROI)
The #1 biggest vendor management challenge is not having enough internal resources to manage the workload
76%
It’s important that management today is aware of the vital role that third-party risk management plays in the organization. Seeing that almost 75% of our sample base had fewer than two people dedicated to third-party risk management tells us that the constraints on people’s time will continue to be tested, as the associated workload is not small.
A vendor management module inside of an ERM, GRC (or other) platform
A dedicated vendor management software platform
Excel
SharePoint
21%
59%
Other
10%
4%
4%
2%
Access database
