PHOENIX, AZ – January 12, 2022 – Prevalent, Inc., the company that takes the pain out of third-party risk management (TPRM), today announced a new report, Third Party Risk Management Industry Study: TPRM Programs Are at a Crossroads, which provides deep insights into current trends, challenges and initiatives impacting third-party risk management practitioners worldwide. The findings clearly illustrate that although organizations are starting to adapt their TPRM programs to address new and emerging non-IT risks, much more needs to be done to grow and mature these programs – specifically as it relates to incident response, compliance and the vendor lifecycle.
Key findings from the 2022 Third-Party Risk Management Study include:
69% of respondents say that the top concern facing their organization with regard to their usage of third parties is a data breach, with 45% of respondents reporting that they experienced a security incident in the last year – up from 21% in 2021. However, 8% of companies don’t have a third-party incident response program in place, while 23% take a passive approach to third-party incident response.
TPRM programs continue to focus on addressing the risks faced when working with IT vendors, but a surprising 40% of respondents in this year’s study say they are focused on managing both IT and non-IT vendor risks.
However, organizations continue to overlook less quantifiable non-IT risks such as modern slavery, anti-money laundering, and anti-bribery and corruption risks that could still lead to compliance violations, fines or negative reputational impacts.
Two-thirds of respondents report that their TPRM programs have more visibility among executives and the board compared to last year. However, getting there took massive increases in third-party vendor and supplier-related cybersecurity issues such as Log4j, the Toyota supply chain breakdown, and the Kaseya ransomware attack. Unfortunately, manual processes are still holding organizations back, with 45% reporting that they use spreadsheets to assess their third parties.
These manual processes add unnecessary complexity and time to third-party risk audits, with 32% of respondents saying it takes more than a month – more than 90 days in some cases – to produce the reporting and evidence required for regulatory audits.
“The past year has brought even more attention to the risks associated with third-party vendors and suppliers, specifically to the supply chain with continued cyber disruptions,” stated Brad Hibbert, chief strategy officer for Prevalent. “And although today’s survey illustrates that organizations are starting to view their third-party management programs more strategically, there is still more progress to be made. More and more companies are starting to assess non-IT risks, which is a step in the right direction. But unfortunately, over half are not – and that could lead to financial loss. Together with a comprehensive TPRM solution, companies can build a stronger defense against IT and reputational third-party risks.”
The results of this study demonstrate that TPRM teams are making progress toward a more strategic approach to TPRM, but three areas require additional improvements to keep companies on track:
Download the full eBook for additional findings, context and recommendations to benchmark existing TPRM practices.
Prevalent takes the pain out of third-party risk management (TPRM). Companies use our software and services to eliminate the security and compliance exposures that come from working with vendors, suppliers and other third parties across the vendor risk management lifecycle. Our customers benefit from a flexible, hybrid approach to TPRM, where they not only gain solutions tailored to their needs, but also realize a rapid return on investment. Regardless of where they start, we help our customers stop the pain, make informed decisions, and adapt and mature their TPRM programs over time.