Analyst Insight: The Gartner® Market Guide for IT Vendor Risk Management Solutions

New Prevalent Study Reveals Organizations Are Not Equipped to Handle Increasing Third-Party Security Incidents

A staggering 45% still depend on manual processes, while incident response timelines multiply
May 05, 2022
Blog tprm study 2022 0522

PHOENIX, AZ – January 12, 2022 – Prevalent, Inc., the company that takes the pain out of third-party risk management (TPRM), today announced a new report, Third Party Risk Management Industry Study: TPRM Programs Are at a Crossroads, which provides deep insights into current trends, challenges and initiatives impacting third-party risk management practitioners worldwide. The findings clearly illustrate that although organizations are starting to adapt their TPRM programs to address new and emerging non-IT risks, much more needs to be done to grow and mature these programs – specifically as it relates to incident response, compliance and the vendor lifecycle.

Key findings from the 2022 Third-Party Risk Management Study include:

45% of organizations experienced a third-party security incident in the last year – but are using disparate tools that extend incident response timelines

69% of respondents say that the top concern facing their organization with regard to their usage of third parties is a data breach, with 45% of respondents reporting that they experienced a security incident in the last year – up from 21% in 2021. However, 8% of companies don’t have a third-party incident response program in place, while 23% take a passive approach to third-party incident response.

40% of organizations are paying more attention to non-IT security risks – but not enough

TPRM programs continue to focus on addressing the risks faced when working with IT vendors, but a surprising 40% of respondents in this year’s study say they are focused on managing both IT and non-IT vendor risks.

However, organizations continue to overlook less quantifiable non-IT risks such as modern slavery, anti-money laundering, and anti-bribery and corruption risks that could still lead to compliance violations, fines or negative reputational impacts.

TPRM is becoming more strategic but 45% of organizations are still using manual spreadsheets to assess third parties

Two-thirds of respondents report that their TPRM programs have more visibility among executives and the board compared to last year. However, getting there took massive increases in third-party vendor and supplier-related cybersecurity issues such as Log4j, the Toyota supply chain breakdown, and the Kaseya ransomware attack. Unfortunately, manual processes are still holding organizations back, with 45% reporting that they use spreadsheets to assess their third parties.

These manual processes add unnecessary complexity and time to third-party risk audits, with 32% of respondents saying it takes more than a month – more than 90 days in some cases – to produce reporting and evidence required to meet regulatory audits.

“The past year has brought even more attention to the risks associated with third-party vendors and suppliers, specifically to the supply chain with continued cyber disruptions,” stated Brad Hibbert, chief strategy officer for Prevalent. “And although today’s survey illustrates that organizations are starting to view their third-party management programs more strategically, there is still more progress to be made. More and more companies are starting to assess non-IT risks, which is a step in the right direction. But unfortunately, over half are not – and that could lead to financial loss. Together with a comprehensive TPRM solution, companies can build a stronger defense against IT and reputational third-party risks.”

The results of this study demonstrate that TPRM teams are making progress toward a more strategic approach to TPRM, but three areas require additional improvements to keep companies on track:

  • Simplify audits and unify teams under a single solution that includes built-in questionnaire templates and complementary intelligence for multiple risk areas from business/operational and reputational and financial risks, to ESG and compliance risks.
  • Automate incident response to reduce cost and time. Invest in mature tools and processes that centrally manage all vendors in a single platform – gaining visibility into your third-party ecosystem is the first and most important step. Know which third parties (and Nth parties) are at risk from a breach by mapping supplier relationships based on technology usage and reveal potential impacts by continuously tracking, scoring and managing cyber, business, reputational and financial risks in a single platform.
  • Close the loop on the third-party lifecycle. Look for a TPRM platform with strong contract lifecycle management capabilities. The results can inform ongoing negotiations with your business partners and ensure stronger, long-term business relationships. When offboarding a third-party, conducting a final risk assessment can validate that your systems and data are securely decommissioned, while also providing records for demonstrating compliance with data privacy mandates.

Download the full eBook for additional findings, context and recommendations to benchmark existing TPRM practices.

About Prevalent

Prevalent takes the pain out of third-party risk management (TPRM). Companies use our software and services to eliminate the security and compliance exposures that come from working with vendors, suppliers and other third parties across the vendor risk management lifecycle. Our customers benefit from a flexible, hybrid approach to TPRM, where they not only gain solutions tailored to their needs, but also realize a rapid return on investment. Regardless of where they start, we help our customers stop the pain, make informed decisions, and adapt and mature their TPRM programs over time.

Media Contact

Angelique Faul, Silver Jacket Communications, 513-633-0897,