March 09, 2015 | Palo Alto, California: MetricStream, the market leader in Governance, Risk, and Compliance (GRC) Management Apps, sponsored the Risk Management Association (RMA) Third-Party/Vendor Risk Management Survey, which drew responses from over 100 leading financial institutions. This survey addressed vendor management frameworks, vendor selection and monitoring processes, critical vendors and critical activities, tools and techniques, contracts, regulatory compliance, and fourth-party suppliers.

With the growing need to expand the business, provide new offerings, reduce overall costs, and maximize profitability and revenues, outsourcing to third-party service providers has become the norm for most banks and financial institutions (FIs) worldwide. Larger organizations have tens of thousands of vendor relationships to manage and, in this scenario, are increasingly exposed to financial loss and reputational damage if they fail to maintain adequate quality control over all third-party activities.

“Managing the risks inherent in vendor and other third party relationships has become critically important in recent years, as the actions of vendors can cause significant financial and reputational impact to organizations, no matter their size or industry,” said Edward J. DeMarco, RMA's General Counsel and Director of Operational Risk.

Some of the key findings of the RMA Third-Party/Vendor Risk Management Survey, conducted in association with MetricStream, include:

  • Third-party relationships have evolved beyond traditional models of goods and service providers to include agents, agency agreements, channel and distribution agreements, debt buyers, co-branded products and services, and correspondent bank agreements, among others.
  • Some of the bigger organizations surveyed have thousands of supplier relationships to manage, which is extremely difficult without a mature vendor governance framework in place that is thoughtfully planned, dutifully executed and consistently monitored.
  • 97% of the surveyed organizations have either defined, or are in the process of defining the ‘critical activities’ in their institution.
  • 67% of the surveyed organizations do not perform due diligence on their fourth parties. 20% of the respondents perform due diligence at the time of sourcing/contracting the third party, and 13% do it when the primary supplier notifies them of a new material fourth party.
  • Validation of regulatory compliance and effectiveness of the vendor risk management framework is conducted annually by 72% of the responding institutions.


“The importance of third party risk management, as highlighted by the findings of this survey, is consistent with what MetricStream is hearing from the industry at large, as well as from our banking and financial service clients,” said Susan Palm, Vice President, Industry Solutions at MetricStream. She continued, “Companies must keep pace with new sanctions and frequent regulatory changes, increasing operational complexity, and an increasingly risky and diverse multi-tier vendor ecosystem. Organizations must remain especially focused on managing their third parties amidst the backdrop of new and emerging risk areas such as data theft and cyber-crime, along with rising mobility, prolific social media usage, and the introduction of disruptive e-commerce and payments methods.”

To download a complimentary copy of the corresponding report article featured in the RMA Journal, please click here.

About RMA
Founded in 1914, The Risk Management Association is a not-for-profit, member-driven professional association whose sole purpose is to advance the use of sound risk principles in the financial services industry. RMA promotes an enterprise approach to risk management that focuses on credit risk, market risk, and operational risk. Headquartered in Philadelphia, Pennsylvania, RMA has 2,600 institutional members that include banks of all sizes as well as nonbank financial institutions. They are represented in the Association by more than 16,000 risk management professionals who are chapter members in financial centers throughout North America, Europe, and Asia/Pacific. Visit RMA on the Web at

RMA Media Contacts:
Mr. Frank Devlin, [email protected], 215-446-4137
Mr. Stephen Krasowski, [email protected], 215-446-4095

About MetricStream

MetricStream is the independent market leader in enterprise cloud applications for governance, risk, compliance (GRC), and quality management. MetricStream apps and software solutions improve business performance by strengthening risk management, corporate governance, regulatory compliance, audit management, vendor governance, and quality management for organizations across industries, including banking and financial services, health care, life sciences, energy and utilities, consumer brands, government, technology, and manufacturing. MetricStream is headquartered in Palo Alto, California, with an operations and GRC innovation center in Bengaluru, India, and sales and operations support in 12 other cities globally.

Press contact

[email protected]
