In 2024, third-party risk management (TPRM) will become more crucial than ever. As supply chains expand and businesses continue to interconnect in complex ways, robust risk management is critical. Our latest survey, involving 112 experienced risk management professionals, provides insights into this rapidly changing sector. We see a striking shift: 90% now view TPRM as a growing priority, a substantial increase from 2020. It’s unsurprising, considering this rise coincides with more security incidents involving third parties. These now affect nearly a quarter of organizations — a significant jump from previous results.
TPRM’s evolution into a strategic area of focus reflects major changes in recent years. Traditional paradigms in risk management have been disrupted, blurring the line between “us” and “them” in cybersecurity risk management. This shift was underscored by the Securities and Exchange Commission’s (SEC) recent cybersecurity disclosure rule, which requires public companies to disclose material cybersecurity incidents whether they occur on the company’s own systems or on a third party’s, reflecting the view that investors treat first- and third-party breaches as equally material.
But what does this mean for TPRM today? Our analysis captures the current state and contrasts it with our findings from 2020, revealing important shifts and developments. Based on original survey research, this blog outlines top trends and challenges for 2024 and beyond, providing TPRM professionals with practical and forward-thinking solutions.
Risks are getting more complex and extensive
Organizations increasingly rely on third parties to support their core products and services, a trend accelerated by the 2020 pandemic and the shift to a remote workforce. As a result, firms have larger vendor portfolios. Our research shows that, compared to 2020, the number of TPRM programs managing at least 250 vendors nearly doubled, and over two-thirds of firms now have 50 or more vendors in their portfolio, up from 41%. Complementing this trend, the percentage of TPRM teams managing fewer than ten vendors shrank to just 9%.
Supply chains are expanding globally and diversifying, reflecting the disruptions of the last few years. Simply put, TPRM programs have more vendors to manage, which is a challenge in itself. What is particularly worrisome is that a significant portion of these vendors represent heightened levels of risk: about one-fifth of firms believe that at least half of their third-party vendors could cause material harm. Together, these factors mean firms must find ways to manage these complex vendor networks efficiently.
Risks are expanding in scope
Most TPRM programs – 89% – assess non-cyber risks or plan to do so imminently. This approach makes sense, because other risk categories are closely intertwined with cybersecurity. These categories include privacy, operational risk, financial ratings, regulatory sanctions, geopolitical risk, and environmental, social and governance (ESG) risk. The interconnection of these risks is part of the modern business environment and requires firms to develop a comprehensive, holistic risk management strategy. For example, a cybersecurity event like a data breach can lead to privacy violations, operational disruptions, and regulatory fines. Similarly, geopolitical risks can escalate into state-sponsored cyber attacks. Including these categories represents a significant shift in TPRM, broadening its focus and scope.
However, while this expansion is logical, it has an unintended consequence: inadequate staffing. 57% of respondents report that their TPRM program is understaffed. Under this growing strain, teams must innovate to improve efficiency.
New trends are shaping risk assessment & risk management strategy
While traditional security assessment methods like questionnaires remain the most common way to check third-party risk, they are becoming lengthier, signaling more in-depth checks. Notably, the use of custom-built questionnaires has risen substantially. In 2020, 78% of organizations reported that most of their vendors (at least 75%) passed their assessment questionnaire without major issues. The new figures reveal a dramatic decline to just 30%, indicating a shift in mindset away from permissiveness toward a more diligent vetting process.
Despite the increasing length of security questionnaires, only 4% of respondents express high confidence in the accuracy of the answers they receive. In response to this growing skepticism about traditional assessment methods, many firms are turning to security rating services to improve both efficiency and reliability: adoption of security rating services has jumped from 42% to 61%. This shift highlights a clear trend toward stronger, more reliable tools for better risk management, and it is a key development to watch in the field.
Ready to discover more trends in TPRM?
These findings, backed by survey data, are only some of the top trends covered in our extensive report. For more insights on the state of TPRM in 2024, download the report.