This annual survey is designed to help benchmark some of the key questions that can indicate the status and health of your third-party risk/supplier risk/vendor risk program. For example:
  • Does your program have the appropriate funding?
  • What is the typical organizational structure?
  • How are third party risk professionals remunerated?
  • How engaged is your board?
  • How mature are programs and what are the greatest challenges?
 
It’s completely anonymous and will take no longer than 10 minutes to complete. All those who participate will be placed into a prize draw to win a free pass to one of our upcoming 2019 conferences. 
 
The report builds on last year’s research and will be an invaluable resource to benchmark your programs against your peers, drive investment conversations within your organization, and instill best practice approaches within your program. The final report will be available free of charge to participants and the wider third-party risk community to support education and benchmarking.





DEMOGRAPHICS

* 1. What is your job title?

* 2. What is your seniority?

* 5. Size of Organization | Corporate - by revenue

* 6. Size of Organization | Financial Services - by assets under management

OWNERSHIP

* 7. Under which function is third party risk management primarily located and managed in your organization:

* 8. Is third party risk management in your organization:

* 9. What is the size of your team dedicated to Third-Party Risk Management?

* 10. Are you outsourcing any part of your third party risk management processes to shared services or managed services operations? (e.g. validation, due diligence, etc.)

BUDGET, SKILLSET & REMUNERATION

* 11. Approximately how much budget (US$) outside headcount does your organization have for third party risk management?

* 12. On a scale of 1-5, 1 being fully agree to 5 being fully disagree, do you consider your third party risk management program has the right level of funding:

  Scale: 1 - Fully agree | 2 | 3 | 4 | 5 - Fully disagree
  • For the people (right skill set and coverage) required to run your program successfully
  • For the tools (technology and content sets) required to run your program successfully
  • For innovation and continuous improvements to your program

* 13. In the next 12 months do you expect:

* 14. Please indicate your annual salary:

We understand salary information can be sensitive. We’re asking this to help provide an industry benchmark and, for a relatively young discipline, to reflect on whether there’s divergence from other assurance functions, divergence according to where in an organization the function is situated, and whether the maturity of the program has an impact.

Please skip this question if you would prefer not to answer.

BOARD ENGAGEMENT

* 16. How frequently does your organization report to the board on third-party risk?

* 17. How would you categorize board engagement with your third-party program?

* 18. What is the greatest concern for your board associated with third-parties?

THIRD PARTY UNIVERSE

* 19. How many Third Parties does your organization work with?

* 20. Do you have a single inventory of all your third parties?

* 21. If no, what % of your third parties are maintained in a single inventory?

* 22. What percentage of your third parties would you classify as ‘critical’?

* 23. What percentage of your third parties are classified as high-risk?

* 24. What percentage of your third parties have had initial due diligence conducted?

* 25. What percentage of your third parties have ongoing monitoring / due diligence conducted?

* 26. Which of the following process(es) does your organization use to manage your third parties? (check all that apply)

* 27. What risk types are managed in your third-party program? (Check all that apply)

* 28. Please indicate which of these statements reflects the third-party program you have in place in your organization:

  Options: Yes - fully | No | Partially | I don't know
  • We require an initial risk assessment for all new third parties pre-contract
  • Our program addresses the full life cycle of the third party relationship
  • Our program is applied consistently across all lines of business
  • Business continuity is factored into our third party programs
  • Our third party risk program is aligned to the risk appetite of our organization
  • Third parties are required to identify fourth parties
  • Our program has controls in place for how third parties manage sub-contractors / fourth parties
  • Due diligence is performed on critical fourth parties

* 29. Please indicate how easy it is to report on the following in your program

  Options: Completely and quickly | Completely but would take some time | Partially and quickly | Partially and would take some time | Impossible
  • All third parties
  • All critical third parties
  • Third parties with the highest level of inherent risk
  • Third parties with the highest level of residual risk
  • Non-compliant third parties
  • Third parties with breaches or incidents
  • Third party risk scorecard / profile across all applicable risk and performance domains
  • Third parties with remediation plans underway
  • Third parties with cyber-risk exposure

INCIDENTS

* 30. In the last 12 months we have had:

TECHNOLOGY

* 31. What technology / tools does your firm use to track and manage your third party risk processes?

* 32. What are the greatest technology challenges associated with your program?

CHALLENGES AND OPPORTUNITIES

* 33. What do you think will be the greatest challenges ahead for third party risk management in your organization in the next 12 months?

* 34. What do you think will be the greatest opportunities ahead for third party risk management in your organization in the next 12 months?

PROGRAM MATURITY

* 35. How long has your third-party risk management program been in place?

* 36. Which maturity level do you consider most closely describes your overall third party risk management program?

* 37. What is the key driver for third party risk management in your organization?

* 38. Are there any additional observations or comments that you would like to share about third party risk and its management?

* 39. Please provide your contact information to receive a copy of the final report:
