How mature are vendor risk management programs?
- Published: Thursday, 18 February 2016 08:29
The recently published 2015 Risk Management Association (RMA) Third-Party/ Vendor Risk Management Survey report provides insights into the third-party risk management programs of leading financial services organizations of various asset sizes across the US, Canada, and Europe. The report, featuring the perspectives of 80 financial services institutions, provides detailed information on the current challenges and best practices in third-party risk management. All the participating institutions are regulated by one or more of the following regulators – OCC, FRB, FDIC, State, FINRA, and OSFI (Canada).
The survey is an update to, and extension of, the 2014 Third-Party/ Vendor Risk Management Survey conducted by the RMA, and is designed to track the progress and evolution of third-party risk management practices at financial services companies. Both the 2015 and 2014 surveys were sponsored by MetricStream.
Some key findings from the 2015 RMA survey include:
- 35 percent of the institutions surveyed reported that their vendor third-party risk management program is fully mature, compared to 0 percent in 2014. However, only 13.8 percent of respondents reported that their non-vendor third-party risk management program is fully mature.
- 50 percent of the respondents said that non-vendor third-party risk management is a regulatory requirement and their institution is formally addressing the risk.
- The majority of institutions surveyed have a ‘center-led’ or ‘hybrid’ approach to supporting the first line of defense / defence in the execution of their responsibilities for both vendor and non-vendor third-party relationships. Meanwhile, the number of FTEs supporting related activities has grown since the 2014 survey.
- Technology adoption is much higher than reported in the 2014 survey. Today, only a minority (28.8 percent) of the respondents still use manual tools such as MS Access, Excel, or SharePoint to manage their third-party risk management programs. Most institutions also acquire data from third parties like Dunn and Bradstreet, LexisNexis, and Moody's to support due diligence and monitoring.
- 17 institutions surveyed disclosed that they have achieved ‘clean’ regulatory examinations.
- According to respondents, the areas that received criticism during the most recent regulatory exams included due diligence: quality and completeness of documentation (20 percent), consistency of program across all lines of business (18.8 percent), monitoring (18.8%), and business continuity / resilience (15 percent).