Third-party risk management programs studied: questionnaires a weak area?

Published: Tuesday, 24 November 2020 10:26

RiskRecon, a Mastercard Company, and the Cyentia Institute have published an in-depth study that explores the current state of third-party risk management (TPRM) programs and practices. The research found that TPRM professionals increasingly do not trust that security questionnaires provide sufficient information to properly understand and act on their third-party risk. As a result, the study found more enterprises are moving towards data-driven TPRM programs.

The ‘State of Third-Party Risk Management’ research is based on a survey of 154 active TPRM professionals. It found that 79 percent of firms have a TPRM program, 84 percent of which use questionnaires to assess vendor security risk. While 81 percent of enterprises report that at least 75 percent of their vendors claim perfect compliance with their security requirements, only 14 percent are highly confident that vendors actually meet those requirements.

The intent of the study was to understand the challenges currently facing TPRM programs and gather intelligence about how companies are meeting these challenges. And while the adoption of TPRM appears to be on the rise, there are additional lessons to be learned. For example:

“Our study clearly shows that the necessity to manage third-party risk well is not lost on security leaders. While this may be the case, there are stark differences in the methodologies of assessing third-party risk,” said Wade Baker, partner and co-founder, Cyentia Institute. “While security questionnaires remain a common program pillar, companies are seeking to achieve better risk outcomes more efficiently by leveraging objective assessment data from services such as security rating solutions. This is where the future patterns and practices of third-party risk management will be defined.”

Read the report.