Shared Assessments 2015: Trends in Vendor Risk Management

Jake Olcott | May 6, 2015 | tag: Vendor Risk Management

Vendor risk management professionals representing every industry gathered in Baltimore last week at the annual Shared Assessments conference. I am privileged to serve on the Advisory Board for Shared Assessments and found the conference to be highly informative.

Though it was tough to narrow down, here are 5 key items that I'm taking away from the trip: 

  1. Third party risk management has become one of the most important risk issues facing organizations today. In addition to the growth of the vendor risk management professional, senior executives and boards increasingly find themselves involved in third party risk management as it has become an accepted - and important - element of a director/officer’s fiduciary duty to the company. Participation in Shared Assessments and the annual conference has grown in recent years, a testament not only to the interest in the issue, but also to the leadership of Cathy Allen and the team.
  2. Just as cyber risk management requires a whole-of-company approach, a sophisticated vendor risk management program requires governance, policy, training, and technology (tools) to be effective. I heard a lot about the importance of collaboration between legal, procurement, and business units when identifying and managing third party risks. In terms of process and governance maturity, vendor risk management seems to be where cyber risk management was several years ago. 
  3. For a vendor risk management team to succeed, costs must be reduced. I was very surprised to hear about the average costs of on-site assessments. Members are working hard to encourage “sharing” of assessments in order to reduce costs for both first and third parties. Iron Mountain has been a real leader in this work.
  4. Though some highly sophisticated organizations are already there, many participants want to monitor their vendors in real time as a way of implementing their vendor risk management programs. This reminded me of the time before "continuous monitoring" of one's own network and environment became a standard accepted practice. BitSight is already helping many of these teams to monitor vendors in real time.
  5. There is widespread interest by regulators in third party risk management, but regulators have not yet been prescriptive about the content of those programs. From the OCC to the SEC, and SIFMA to PCI, regulators across the country are asking questions about whether or not regulated entities have third party risk management programs in place. Time will tell whether regulators will begin mandating the existence of certain programmatic elements.

At the end of the day, with so much interest in third party risk management, I wonder how businesses will keep up with the increased security demands by their partners. I heard from at least one participant that his organization planned to dramatically reduce the number of vendors that they use in order to reduce vendor risk. Is this a trend? What does it mean for small business? I expect this will be a key theme that businesses across all sectors will be dealing with in the months and years ahead.

Let me know what you think - you can reach me at
