35% of Vendor Risk Management Programs Are Fully Mature Compared to 0% a Year Ago

The survey report provides exclusive insights into how financial institutions are managing “vendor” and “nonvendor” third-party risks

Philadelphia, PA (February 17, 2016)—

The 2015 Risk Management Association (RMA) Third-Party/Vendor Risk Management Survey, sponsored by MetricStream, provides exclusive insights into the third-party risk management programs of leading financial services organizations of various asset sizes across the U.S., Canada, and Europe. The survey, featuring the perspectives of 80 financial services institutions, provides detailed information on the current challenges and best practices in third-party risk management. All the participating institutions are regulated by one or more of the following: the OCC, FRB, FDIC, state banking regulators, FINRA, and OSFI (Canada).

The survey is an update to, and extension of, the 2014 Third-Party/Vendor Risk Management Survey conducted by the RMA in association with MetricStream, and is designed to track the progress and evolution of third-party risk management practices at financial services companies.

The following areas and topics are addressed in the 2015 survey report: third-party risk management program scope, design, and maturity; key stakeholder roles and responsibilities; technology and workload management; regulatory criticism; and insights and advice. The survey also differentiates between “vendor” and “nonvendor” third parties. This distinction is important because institutions differ in how they identify in-scope relationships and manage risks across the various types of third parties.

“Going into 2016, the message from regulators is loud and clear―activities can be outsourced to third parties, but responsibility cannot,” said Edward J. DeMarco Jr., RMA General Counsel and Director of Operational Risk. “The impetus is therefore on financial institutions to ensure that they have the right people, processes, and technology in place to protect stakeholders against a growing range of potentially harmful vendor and nonvendor risks such as fraud, data breaches, and corruption.”

Some key findings from the 2015 RMA survey include:

  • 35% of the institutions surveyed reported that their “vendor” third-party risk management program is fully mature, compared to 0% in 2014. However, only 13.8% of respondents reported that their “nonvendor” third-party risk management program is fully mature.
  • 50% of the respondents said that “nonvendor” third-party risk management is a regulatory requirement and their institution is formally addressing the risk.
  • The majority of institutions surveyed use a “center-led” or “hybrid” approach to supporting the first line of defense in carrying out its responsibilities for both vendor and nonvendor third-party relationships. Meanwhile, the number of full-time equivalents (FTEs) supporting related activities has grown since the 2014 survey.
  • Technology adoption is much higher than reported in the 2014 survey. Today, only a minority (28.8%) of the respondents still use manual tools such as MS Access, Excel, or SharePoint to manage their third-party risk management programs. Most institutions also acquire data from third parties such as Dun & Bradstreet, LexisNexis, and Moody’s to support due diligence and monitoring.
  • 17 institutions surveyed disclosed that they have achieved “clean” regulatory examinations.
  • According to respondents, the areas that received criticism during the most recent regulatory exams included due diligence (quality and completeness of documentation, 20%), consistency of the program across all lines of business (18.8%), monitoring (18.8%), and business continuity/resilience (15%).

Commenting on the survey results, Susan Palm, Senior Vice President of Industry Solutions at MetricStream, said, “The findings from this survey validate what many of our customers in the financial industry are telling us―that as their third-party networks grow larger, more global, and more complex, the associated risks can simply not be managed as a siloed or one-time activity. Rather, organizations are building an integrated and streamlined risk management program spanning all three lines of defense. Timely risk visibility is key―and to that end, technology plays an important role in delivering real-time risk data, actionable reports, and advanced analytics that are needed by business leaders in financial institutions to successfully anticipate and manage third-party risks.”

Highlights of the RMA survey will be featured in an upcoming edition of The RMA Journal, to be published in April 2016.

About RMA
Founded in 1914, The Risk Management Association is a not-for-profit, member-driven professional association whose sole purpose is to advance the use of sound risk principles in the financial services industry. RMA promotes an enterprise approach to risk management that focuses on credit risk, market risk, and operational risk. Headquartered in Philadelphia, Pennsylvania, RMA has 2,500 institutional members, including banks of all sizes as well as nonbank financial institutions. They are represented in the Association by 18,000 individuals located throughout North America, Europe, Australia, and Asia/Pacific.

About MetricStream
MetricStream is the market leader in enterprise-wide Governance, Risk, and Compliance (GRC) and Quality Management solutions. MetricStream solutions are used by leading global corporations in diverse industries such as Financial Services, Healthcare, Life Sciences, Energy and Utilities, Food, Retail, CPG, Government, Hi-Tech, and Manufacturing to manage their risk management programs, quality management processes, regulatory and industry-mandated compliance, and other corporate governance initiatives. MetricStream is headquartered in Palo Alto, California, USA (www.metricstream.com).

Media Contacts
Stephen Krasowski, skrasowski@rmahq.org, 215-446-4095
Frank Devlin, fdevlin@rmahq.org, 215-446-4137