Next, we look at program maturity. So, I'm going to ask you ... We have a polling question, I think, on the next slide, Joe. So if you could all just have a look at this, when we looked at the program maturity, we identified six levels, and then we did this in conjunction with other research that we've seen. So we're trying to build on that basis knowledge that's out there, just kind of identify the development of third party risk management practices for us all. If you could look at this, we found that there were six levels.

Now, we're going to exclude "no policy" in the poll that we have, but effectively, there's a level called ad hoc, where processes still exist but they are unpredictable and they are of an ad hoc nature. Processes that could be described as reactive and which are project-specific, dealing with individual instances as they occur, moving to more organized, where the processes are formalized and documented, and then we move onto controlled, where it is, again, formalized but it's measured and controlled. We see a more serious program in place. Finally to mature, and these are the processes that are highly mature and emphasize system feedback and improvement. 

So we'll ask you a polling question now, and if you can decide which of these levels your organization's at, we'd really find that info valuable for everyone, and we'll present the results immediately afterwards. ... So the polling question's in front of you now. Choose the option below that best represents your third party risk management program. Would you describe it as ad hoc, reactive, organized, controlled, which is more mature, and then mature, which is at the highest level? So if you could respond to that, please.

I see we're getting some answers in here now and it looks quite interesting. I'm going to leave that open because we still have some people responding. ... Okay. We've closed up there now and the results will be up in just one moment. So here we go. It's quite interesting. We see 14% of people working off an ad hoc basis, 22 on reactive, 45 on organized, 14 on controlled, and 4% on mature, which are the most sophisticated programs. Now, if we'll just bear that in mind, I'm going to move on and show you the next slide, which is where our ... respondents came in.

So when we look at the 243 financial organizations from around the world, on ad hoc we had 10%, and of the groups that are on this webinar, we scored 14. It's close enough. I mean, this is unscientific. At reactive, within the respondents group, we had 15% and among webinar attendees today it's the 22. Organized, though, is higher among the group on this webinar, 45% versus just over 30% on the respondents group. Fourteen percent are controlled. However, in the research group we saw almost 30%, and the research group predicted approximately 12% of the people who are in mature, and we hit 4%. So we're tracking close enough to them.

It's unscientific but it's interesting to see the comparisons. Now, because it is one of the more interesting findings, and because obviously the maturity of the programs determine at one level the exposure of many organizations to potential risk. We went into some cross-tabulation. So first of all, we looked at the maturity of these programs relative to the size of the company as measured by the number of employees in the company, and what you see very clearly is the larger the company, the more mature the program.

If you just went to the very bottom line there, processes are highly mature and they emphasize system feedback and improvement, small companies 7%, medium companies 11%, over 5,000 employees, large companies 15%. Effectively, the bubble of maturity moves up with the size of the company very clearly. So it's probably not unsurprising when we think that larger companies are more likely to be engaging, as we've seen, with third parties in multiple countries and jurisdictions. Therefore, they may need more sophisticated programs.

They will also have more resources available to them, but we can see though, that there's quite a close comparison really in the first two stages, certainly on the ad hoc processes between small and medium. So it's quite an interesting finding there, but not unsurprising. If we went on to look at the difference between banking as a sector, in terms of maturity versus others, which includes insurance, we see a marked difference again here. 

Banking is very much more mature in its approach. It's further down the scale. Although at the very top level, there's no real discernible difference, 11 versus 12 is not a significant finding. However, when you look at the fifth level of formalized, measured, and controlled, you can see the banking is well ahead. Banking is primarily in that fourth and fifth stage of maturity, whereas other industries are a stage and a half behind them in terms of development.

You can download a copy of the research report discussed here.