PHOENIX, May 10, 2023 – Prevalent, Inc., the company that takes the pain out of third-party risk management (TPRM), today announced a new report, The 2023 Third Party Risk Management Study: How Are Organizations Avoiding TPRM Turbulence?, which provides deep insights into current trends, challenges and initiatives impacting third-party risk management practitioners worldwide.
The findings clearly illustrate that 2022 was a turbulent year for the practice of third-party risk management (TPRM). Over the past year, organizations dealt with the fallout from the Russian invasion of Ukraine and resulting supply chain disruptions, damaging and widespread third-party breaches and security incidents (including LastPass, OpenSSL, Okta, Toyota, and several in healthcare), and emerging regulatory oversight in areas beyond IT security such as ESG. While organizations have matured their TPRM programs since last year’s study, there is still more work to do.
Key findings from the 2023 Third-Party Risk Management Study include:
An overwhelming majority of companies (71%) report that the top concern regarding the usage of third parties is a data breach or other security incident due to poor vendor security practices. However, manual methods still persist, with a disappointingly large percentage of companies using spreadsheets and an increasing percentage using news feeds to learn about breaches. The good news is that companies not monitoring for third-party breaches dropped from 12% to 4%.
70% of respondents report that Information Security (InfoSec) is more involved in third-party risk management than ever, and 71% indicate that InfoSec fully owns the TPRM program. 62% of respondents to this year’s study indicated that third-party data breaches and security incidents were top drivers behind increased involvement in third-party risk management.
A disappointing trend continues in 2023 as a growing number of organizations (48%) are using spreadsheets to assess third parties. This percentage is up from 2022 and 2021, where 45% and 42% of companies, respectively, said they were using spreadsheets. The good news is that only 4% of respondents indicated that they are not currently assessing third parties at all, which continued a downward trend from 2021 (10%) and 2022 (8%).
Not surprisingly, the Offboarding and Termination stage of the third-party relationship lifecycle sees the lowest percentage of companies tracking (47%) and remediating (38%) risks, and the highest percentage of companies doing nothing at all (39%). The significant gap between tracking and remediating risks in the Initial Assessment and Sourcing and Pre-Contract Due Diligence stages is especially surprising, as these are the primary stages to discover and remediate risks before they impact the organization.
“Year over year we continue to see a significant increase in supply chain disruptions and widespread third-party security incidents,” stated Brad Hibbert, chief strategy officer for Prevalent. “And although this survey illustrates that organizations are making third-party risk management programs a priority with more people across the organization involved and only 4% reporting that they’re not monitoring their third-party suppliers, there is still more to do. Companies need to ditch manual processes for good and partner with an automated TPRM solution to manage risks across the third-party risk lifecycle.”
The results of this study demonstrate that TPRM teams are making progress toward a more strategic approach to TPRM, but four areas require additional improvements to keep companies on track:
Read the blog post and download the full e-book and infographic for additional statistics, context and recommendations to benchmark existing TPRM practices. Request a demo for a strategy session with a TPRM expert.
Prevalent takes the pain out of third-party risk management (TPRM). Companies use our software and services to eliminate the security and compliance exposures that come from working with vendors and suppliers throughout the third-party risk management lifecycle. Our customers benefit from a flexible, hybrid approach to TPRM, where they not only gain solutions tailored to their needs, but also realize a rapid return on investment. Regardless of where they start, we help our customers stop the pain, make informed decisions, and adapt and mature their TPRM programs over time.
Angelique Faul, Silver Jacket Communications, 513-633-0897, firstname.lastname@example.org