Analyst Insight: The Gartner® Market Guide for IT Vendor Risk Management Solutions

Prevalent Study Reveals Few Companies Are Expanding Third-Party Risk Management Programs Despite Increasing Threats

Less Than Half of Respondents Report Tracking Non-Cybersecurity Reputation Risks
April 15, 2021
Blog 2021 tprm study 0421

PHOENIX — April 15, 2021 – Prevalent, Inc., the company that takes the pain out of third-party risk management (TPRM), today announced a new report, 2021 Third Party Risk Management Study: Looking Beneath the Cyber Risk Surface, which provides deep insights into current trends, challenges and initiatives impacting third-party risk management practitioners worldwide. The findings clearly illustrate that most companies are missing key risks at more than one stage of the vendor risk lifecycle, yet few are expanding their TPRM programs to address these risks.

Key Findings from the 2021 Third-Party Risk Management Study include:

83% of companies report increased focus on third-party risk due to COVID-19, yet only 40% are expanding their programs

COVID-19 was the biggest event of 2020, increasing organizational focus on third-party risk management for 83% of companies. Yet, only 40% of study respondents report expanding their TPRM programs as a result. More concerning is that 44% of companies report not actively tracking supply chain risks, which were the primary pandemic-related third-party risk management impact.

Fewer than half of companies are actively tracking non-cybersecurity reputational risks

Because IT and security teams own third-party risk management in 50% of companies, and likely due to increasing numbers of damaging third-party data breaches, the study illustrates that cybersecurity risks are getting the most attention. However, study respondents admit they should be tracking risks such as SLAs and performance (47%), geo-political (47%), labor standards (45%), environmental (45%), human rights, trafficking and slavery risks (40%), and ABAC (39%). Not tracking these types of risks can open an organization up to reputational damage.

50% of companies don’t have the pre-contract due diligence necessary to effectively evaluate potential vendors

More than 50% of respondents indicated the biggest challenge they face in third-party risk management is not having enough pre-contract due diligence to identify potential vendor risks. More alarming is that 59% indicate they are not actively assessing third-party risks during the offboarding stage of the vendor lifecycle. Organizations are missing critical risks at multiple stages of the third-party lifecycle.

Only 22% of companies involve procurement teams in third-party risk management

55% of organizations saw an increase in third-party risk management ownership by security over the past year, yet only 22% of companies are seeing an increase in ownership by procurement teams, meaning that important ESG, ABAC and vendor financial risks typically required by these teams to properly assess vendors may not getting the attention they require.

65% of companies are not satisfied with spreadsheets

42% of respondents said they assess their third parties using spreadsheet-based questionnaires and 65% of these respondents are either unsatisfied or neutral with this approach.

“The past year has brought even more attention to the risks associated with third-party vendors and partners, specifically to the supply chain, stated Brenda Ferraro, vice president of third-party risk management for Prevalent. “And the threats that these vendors and partners bring into an organization go well beyond cybersecurity and data privacy. Companies need to start thinking about the underlying risks below the surface such as environmental, social and governance (ESG), anti-bribery and corruption (ABAC) and SLA performance. A successful TPRM program must expand beyond traditional cybersecurity risks and involve several departments across the organization. Together these teams will keep customers, employees and partners safe.”

The results of this study demonstrate that IT security and business teams need to collaborate more closely to identify and mitigate more types of risks at all stages of the third-party lifecycle. The report concludes with the following recommendations for unifying IT security and business for better outcomes from onboarding to offboarding:

  • Expand assessments beyond cybersecurity to include reputational and vendor financial information, helping to create a more holistic vendor risk profile
  • Bridge the gap between Business and IT with a unified strategy for addressing risks spanning the organization
  • Manage risk at every step of the third-party lifecycle, starting with more complete pre-contract due diligence and ending with secure vendor offboarding
  • Outsource the time-consuming work to the experts, leaving your team to focus on risk remediation and management

Read the complete report including expanded conclusions. View and download an infographic highlighting key findings from the report.

About Prevalent

Prevalent takes the pain out of third-party risk management (TPRM). Companies use our software and services to eliminate the security and compliance exposures that come from working with vendors, suppliers and other third parties across the entire vendor risk lifecycle. Our customers benefit from a flexible, hybrid approach to TPRM, where they not only gain solutions tailored to their needs, but also realize a rapid return on investment. Regardless of where they start, we help our customers stop the pain, make informed decisions, and adapt and mature their TPRM programs over time.

Media Contact

Angelique Faul, Silver Jacket Communications, 513-633-0897,