Latest Analyst Report: The 2023 Gartner® Market Guide for Supplier Risk Management Solutions

Manual Processes Still Dominate Third-Party Risk Management Programs: Study

A majority of companies (71%) report that the top concern regarding the usage of third parties is a data breach or other security incident due to poor vendor security practices.
May 10, 2023
Logo supply demand chain executive

Editor's Note: This article was originally published on www.sdcexec.com.

Nearly 48% of companies still depend on spreadsheets, while 41% reported experiencing an impactful third-party breach in the last year, according to new research from Prevalent, Inc.

“Year over year we continue to see a significant increase in supply chain disruptions and widespread third-party security incidents,” says Brad Hibbert, chief strategy officer for Prevalent. “And although this survey illustrates that organizations are making third-party risk management programs a priority with more people across the organization involved and only 4% reporting that they’re not monitoring their third-party suppliers, there is still more to do. Companies need to ditch manual processes for good and partner with an automated TPRM solution to manage risks across the third-party risk lifecycle.”

From Prevalent:

  • 41% of companies experienced an impactful third-party breach in the last 12 months, but rely on overlapping tools and manual processes which slows incident response.
  • A majority of companies (71%) report that the top concern regarding the usage of third parties is a data breach or other security incident due to poor vendor security practices. However manual methods still persist, with an increasing percentage using news feeds to learn about breaches.
  • 62% of respondents to this year’s study indicated that third-party data breaches and security incidents were top drivers behind increased involvement in third-party risk management.
  • A growing number of organizations (48%) are using spreadsheets to assess third parties. This percentage is up from 2022 and 2021, where 45% and 42% of companies, respectively, said they were using spreadsheets. The good news is that only 4% of respondents indicated that they are not currently assessing third parties at all, which continued a downward trend from 2021 (10%) and 2022 (8%).
  • The offboarding and termination stage of the third-party relationship lifecycle sees the lowest percentage of companies tracking (47%) and remediating (38%) risks, and the highest percentage of companies doing nothing at all (39%). The significant gap between tracking and remediating risks in the initial assessment and sourcing and pre-contract due diligence stages is especially surprising, as these are the primary stages to discover and remediate risks before they impact the organization.