Prevalent Study Reveals Manual Processes Still Dominate Third-Party Risk Management Programs

A staggering 48% of companies still depend on spreadsheets, while 41% reported experiencing an impactful third-party breach in the last year.
May 10, 2023
Press 2023 tprm study 0523

PHOENIX, May 10, 2023 – Prevalent, Inc., the company that takes the pain out of third-party risk management (TPRM), today announced a new report, The 2023 Third Party Risk Management Study: How Are Organizations Avoiding TPRM Turbulence?, which provides deep insights into current trends, challenges and initiatives impacting third-party risk management practitioners worldwide.

The findings clearly illustrate that 2022 was a turbulent year for the practice of third-party risk management (TPRM). Over the past year, organizations dealt with the fallout from the Russian invasion of Ukraine and resulting supply chain disruptions, damaging and widespread third-party breaches and security incidents (including LastPass, OpenSSL, Okta, Toyota, and several in healthcare), and emerging regulatory oversight in areas beyond IT security such as ESG. While organizations have matured their TPRM programs since last year’s study, there is still more work to do.

Key findings from the 2023 Third-Party Risk Management Study include:

41% of companies experienced an impactful third-party breach in the last 12 months but rely on overlapping tools and manual processes, which slows incident response

An overwhelming majority of companies (71%) report that the top concern regarding the usage of third parties is a data breach or other security incident due to poor vendor security practices. However, manual methods still persist, with a disappointingly large percentage of companies using spreadsheets and an increasing percentage using news feeds to learn about breaches. The good news is that companies not monitoring for third-party breaches dropped from 12% to 4%.

Third-party data breaches and security incidents are driving increased information security involvement in TPRM

70% of respondents report that Information Security (InfoSec) is more involved in third-party risk management than ever, and 71% indicate that InfoSec fully owns the TPRM program. 62% of respondents to this year’s study indicated that third-party data breaches and security incidents were top drivers behind increased involvement in third-party risk management.

Nearly half of companies continue to use spreadsheets

A disappointing trend continues in 2023 as a growing number of organizations (48%) are using spreadsheets to assess third parties. This percentage is up from 2022 and 2021, where 45% and 42% of companies, respectively, said they were using spreadsheets. The good news is that only 4% of respondents indicated that they are not currently assessing third parties at all, which continued a downward trend from 2021 (10%) and 2022 (8%).

There is a huge gap between tracking and remediating risks across the lifecycle – and, on average, 20% of companies are doing nothing

Not surprisingly, the Offboarding and Termination stage of the third-party relationship lifecycle sees the lowest percentage of companies tracking (47%) and remediating (38%) risks, and the highest percentage of companies doing nothing at all (39%). The significant gap between tracking and remediating risks in the Initial Assessment and Sourcing and Pre-Contract Due Diligence stages is especially surprising, as these are the primary stages to discover and remediate risks before they impact the organization.

“Year over year we continue to see a significant increase in supply chain disruptions and widespread third-party security incidents,” stated Brad Hibbert, chief strategy officer for Prevalent. “And although this survey illustrates that organizations are making third-party risk management programs a priority with more people across the organization involved and only 4% reporting that they’re not monitoring their third-party suppliers, there is still more to do. Companies need to ditch manual processes for good and partner with an automated TPRM solution to manage risks across the third-party risk lifecycle.”

The results of this study demonstrate that TPRM teams are making progress toward a more strategic approach to TPRM, but four areas require additional improvements to keep companies on track:

  • Automate Incident Response to Reduce Costs and Risk Exposure: Shortening the gap between incident discovery and mitigation can reduce costs and limit the company’s risk exposure with automated incident response processes. Eliminate spreadsheets or overlapping tools that only tell part of the incident’s origin story.
  • Build a Single Source of the Truth to Eliminate Silos and Extend Risk Visibility Throughout the Enterprise: Results from this study show that, although information security risks are considered the most important, multiple enterprise teams are involved in third-party risk management – each with their own goals, workflows, assessment processes, and risks to review. Unify all internal teams with a single set of workflows, third-party risk profiles, assessments and reporting.
  • Do Away with Spreadsheets and Automate Assessment and Monitoring Processes Across the Lifecycle: Invest in a solution that centralizes contract lifecycle management to ensure key contractual provisions are tracked throughout the lifecycle; offers remediation guidance to ensure offboarded vendors meet company compliance and security requirements to an acceptable level of risk; and delivers a prescriptive process to address final tasks and report according to compliance requirements.
  • Remediation: Data from this study shows a significant fall-off between risk tracking and remediation. To remediate risks to an acceptable level to the business (or to require proof of compensating controls in the place of specific remediations), leverage a third-party risk management platform with built-in remediation recommendations.

Read the blog post and download the full e-book and infographic for additional statistics, context and recommendations to benchmark existing TPRM practices. Request a demo for a strategy session with a TPRM expert.

About Prevalent

Prevalent takes the pain out of third-party risk management (TPRM). Companies use our software and services to eliminate the security and compliance exposures that come from working with vendors and suppliers throughout the third-party risk management lifecycle. Our customers benefit from a flexible, hybrid approach to TPRM, where they not only gain solutions tailored to their needs, but also realize a rapid return on investment. Regardless of where they start, we help our customers stop the pain, make informed decisions, and adapt and mature their TPRM programs over time.

Media Contact

Angelique Faul, Silver Jacket Communications, 513-633-0897,