Third-Party Risk Management Leader Reveals the Maturity of Today’s TPRM Programs is Severely Inadequate

Prevalent’s new study of in-depth maturity assessments identifies massively underserved programs – creating significant security gaps
June 18, 2020
PHOENIX, AZ – June 18, 2020 – Prevalent, Inc., the company that takes the pain out of third-party risk management, today released the results of a study, titled “The Path From Reactive to Proactive Third-Party Risk Management,” that details findings from in-depth maturity assessments conducted for companies in the last six months. The results were astounding, with an average score of 2.53 on a scale from 1 (low maturity) to 5 (high maturity). The study illustrates that the majority of third-party risk management programs remain manual and spreadsheet-driven, resulting in a low maturity score. These programs lack the speed, scale and intelligence to sufficiently manage third-party risk.

The leader in third-party risk management identified five key areas where third-party management practices lagged:

  • Content: Are supporting processes in place to ensure questionnaire content remains up-to-date and fit for purpose based on the scope of entities being assessed? Score: 2.60
  • Roles & Responsibilities: Are representatives contributing to the program aware of their responsibilities and level of involvement within operational workflows? Score: 2.88
  • Coverage: How comprehensive is the scope of the program and is visibility of contributing external entities maintained? Score: 2.67
  • Governance: How is the performance of the program measured, can success be demonstrated, and can metrics be used to provide strategic direction? Score: 2.14
  • Remediation: Is remediation carried out in a consistent manner and have processes been optimized to improve program efficiency? Score: 2.58

“Organizations have more third parties to deal with than ever before and innumerable compliance requirements to meet,” stated Brenda Ferraro, vice president of third-party risk at Prevalent, Inc. “And most lack the resources and a consistent, repeatable process to assess them – unknowingly allowing vendors to expose them to cyber attacks and other threats to security, privacy and compliance. Fortunately, there is only one place to go from here and that is up. The results of the maturity assessment analysis clearly illustrate that there are very specific steps organizations can take to keep from sliding further backward.”

Based on detailed analysis, Prevalent identified three risks that stood out among the others:

  • No remediation guidelines. Without standardized guidelines, the process of reviewing risk findings with third parties can be inconsistent, leading to misalignment with organizational requirements. 86% of companies had inconsistent remediation guidelines.
  • Ignoring Nth parties. Companies must be prepared to address supply-chain disruptions, which include those that third parties face as a result of their third parties. Failure to consider fourth parties or Nth parties can pose unidentified risks and operational bottlenecks. This was an issue for 79% of companies.
  • Insufficient reporting. It is difficult for organizations to make informed decisions without strategic internal conversations about emerging threats, areas of concern, change assessment and risk remediation. The Prevalent study revealed that 69% of companies failed to have important strategic reporting opportunities.

Based on the findings, organizations can improve their third-party risk assessment maturity by easily leveraging existing networks of completed assessments with continuous monitoring, scaling their programs using vendor risk assessment services, and improving consistency with an agile, repeatable model. To learn more about Prevalent’s maturity assessment study findings, please read our blog post, “Avoid These 9 Common Third-Party Risk Management Pitfalls,” download “The Path From Reactive to Proactive Third-Party Risk Management” white paper and view the “Third-Party Risk Program Maturity: Don’t Let it Slide” infographic.

About Prevalent

Prevalent takes the pain out of third-party risk management (TPRM). Companies use our software and services to eliminate the security and compliance exposures that come from working with vendors, suppliers and other third parties. Our customers benefit from a flexible, hybrid approach to TPRM, where they not only gain solutions tailored to their needs, but also realize a rapid return on investment. Regardless of where they start, we help our customers stop the pain, make informed decisions, and adapt and mature their TPRM programs over time.

Media Contact

Angelique Faul, 513-633-0897,