Post-recession, partnering with third-party vendors and outsourcing tasks that were once handled in-house has become a common cost-saving strategy. Unfortunately, many organizations aren’t prepared to address the information technology and security risks that can emerge from outsourcing, according to a new survey by the Shared Assessments Program and consulting firm Protiviti.

The survey, which asked companies about their current vendor risk management programs, found a general lack of mature vendor risk management practices as well as insufficient resources and staff to meet current best practice standards.

“Managing the risks associated with outsourced services and vendor relationships is one of the many challenges facing organizations when it comes to data security,” Rocco Grillo, Protiviti’s global leader for incident response and forensic investigations, said in a release. “Many companies aren’t adequately or effectively protecting themselves from exposure to vendor outsourcing risks. This could result in their potential exposure to system compromise, fraudulent abuse of data and, in some cases, regulatory exposures and fines, which could have significant impact on their brands and reputations.”

The survey relied on ratings from 450 IT and risk management professionals using a tool from Shared Assessments to measure the quality and maturity of existing risk management programs. Respondents scored more than 100 characteristics about their organizations’ vendor risk management strategies on a maturity scale of 1 to 5 across eight categories.

Overall, the survey found that financial services firms outperform other industries, though they too fell below the desired range. The difference was attributed to stricter guidelines and regulation in financial services. The survey also identified what it called “lackluster procedures for assessing vendors,” including a lack of policies and guidelines or ongoing risk reviews.

The complete report is available here: 2014 Vendor Risk Management Survey 

[ Graphic courtesy of Protiviti ]