Removing Risky Vendors Appears to Be Risky Business
According to a 2019 vendor risk management study published by Protiviti and Shared Assessments, organizations want to give risky vendors the boot. However, the year-over-year data indicate organizations are having a hard time actually doing it.
The report, entitled “Vendor Risk Management Benchmark Study: Running Hard to Stay in Place,” provided insights from a survey conducted during the fourth quarter of 2018 and compared those findings to the previous year. Fifty-seven percent of respondents indicated that they are likely to exit high-risk relationships with their vendors; this is up 2% over the previous year.
Source: Protiviti Vendor Risk Management Study, published 2019
Our Take
While the urgency appears to be building slowly, it’s difficult to translate this “likelihood” into action. Human nature and inertia work against organizations – they only move when they have to. Even then, additional factors impede the good intentions of those involved in the decision-making process:
- The cost of switching from one vendor to another can be high.
- Contract terms may prevent implementing an exit strategy for two or more years.
- Alternate vendors in some industries may not be any less risky.
- Emerging technologies may present abnormal levels of risk for several years until the technology matures.
- Performance concerns associated with a new vendor may influence the evaluation.
Until there is a real impetus to move (such as new regulations or the occurrence of significant risk events), it will be business as usual for most organizations. The survey numbers may go up over time, but we all know talk is cheap and action costs money.