Editorial & Advertiser disclosure

Global Banking & Finance Review® is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

35% of Vendor Risk Management Programs Are Fully Mature Compared to 0% a Year Ago

Published by Gbaf News

Posted on February 19, 2016

4 min read

Last updated: January 22, 2026

Add as preferred source on Google

A financial skyline of the UK symbolizing the AltFi revolution in fintech - Global Banking & Finance Review — A vibrant UK financial skyline representing the AltFi revolution, highlighting the potential challenges for traditional banking. This image connects to the article discussing fintech investment trends.

The survey report provides exclusive insights into how financial institutions are managing “vendor” and “nonvendor” third-party risks

The 2015 Risk Management Association (RMA) Third-Party/ Vendor Risk Management Survey, sponsored by MetricStream, provides exclusive insights into the third-party risk management programs of leading financial services organizations of various asset sizes across the U.S., Canada, and Europe. The survey, featuring the perspectives of 80 financial services institutions, provides detailed information on the current challenges and best practices in third-party risk management. All the participating institutions are regulated by one or more of the following regulators – OCC, FRB, FDIC, State, FINRA, and OSFI (Canada).

The survey is an update to, and extension of, the 2014 Third-Party/ Vendor Risk Management Survey conducted by the RMA in association with MetricStream, and is designed to track the progress and evolution of third-party risk management practices at financial services companies.

The following areas and topics are addressed in the 2015 survey report: third-party risk management program scope, design, and maturity; key stakeholder roles and responsibilities; technology and workload management; regulatory criticism; and insights and advice. The survey also differentiates between “vendor” and “nonvendor” third parties. This distinction is important due to differences in how institutions identify in-scope relationships, and manage risks across various types of third parties.

“Going into 2016, the message from regulators is loud and clear―activities can be outsourced to third parties, but responsibility cannot,” said Edward J. DeMarco Jr., RMA General Counsel and Director of Operational Risk. “The impetus is therefore on financial institutions to ensure that they have the right people, processes, and technology in place to protect stakeholders against a growing range of potentially harmful vendor and nonvendor risks such as fraud, data breaches, and corruption.”

Some key findings from the 2015 RMA survey include:

35% of the institutions surveyed reported that their “vendor” third-party risk management program is fully mature, compared to 0% in 2014. However, only 13.8% of respondents reported that their “nonvendor” third-party risk management program is fully mature.
50% of the respondents said that “nonvendor” third-party risk management is a regulatory requirement and their institution is formally addressing the risk.
The majority of institutions surveyed have a “center-led” or “hybrid” approach to supporting the first line of defense in the execution of their responsibilities for both vendor and nonvendor third-party relationships. Meanwhile, the number of FTEs supporting related activities has grown since the 2014 survey.
Technology adoption is much higher than reported in the 2014 survey. Today, only a minority (28.8%) of the respondents still use manual tools such as MS Access, Excel, or SharePoint to manage their third-party risk management programs. Most institutions also acquire data from third parties like Dunn and Bradstreet, LexisNexis, and Moody’s to support due diligence and monitoring.
17 institutions surveyed disclosed that they have achieved “clean” regulatory examinations.
According to respondents, the areas that received criticism during the most recent regulatory exams included due diligence: quality and completeness of documentation (20%), consistency of program across all lines of business (18.8%), monitoring (18.8%), and business continuity/resilience (15%).

Commenting on the survey results, Susan Palm, Senior Vice President of Industry Solutions at MetricStream said, “The findings from this survey validate what many of our customers in the financial industry are telling us―that as their third-party networks grow larger, more global, and more complex, the associated risks can simply not be managed as a siloed or one-time activity. Rather, organizations are building an integrated and streamlined risk management program spanning all the three lines of defense. Timely risk visibility is key―and to that end, technology plays an important role in delivering real-time risk data, actionable reports, and advanced analytics that are needed by business leaders in financial institutions to successfully anticipate and manage third-party risks.”

Highlights of the RMA survey will be featured in an upcoming edition of The RMA Journal which will be published in April 2016.