State of Third-Party Risk Assessments

Organizations across many industries increasingly believe their Third-Party Risk Management (TPRM) programs are mature. The data in the ProcessUnity State of Third-Party Risk Assessments 2026 tells a more complex story.

While most organizations have established assessment processes, policies, and frameworks, the responses from our 1,465 respondents show that many have not achieved true program maturity, and the gap between perception and reality is growing.

That gap has a measurable cost. Organizations are experiencing frequent third-party breaches, prolonged assessment cycles, slow vendor responses, incomplete remediation, and persistent blind spots across their third-party ecosystems. Respondents report an average of 12 third-party breaches per year, signaling that third-party risk is not an edge case but a recurring operational reality. These outcomes highlight a critical truth: having processes in place is not the same as operating a mature, scalable, and effective TPRM program.

Ponemon Institute surveyed 1,465 IT and IT security practitioners in the US (632 respondents), Asia-Pac (402 respondents) and EMEA (431 respondents) who are involved in their organizations’ approach to assessing data risks created through outsourcing business functions to third parties. The purpose of this research is to gain insights into how organizations assess and minimize risks associated with both direct and indirect relationships with third parties. This includes identifying vulnerabilities and mitigating potential operational, reputational, financial and compliance risks.

On average, organizations have one data breach or security incident each month that was caused by a third party. Organizations represented in this research report they have experienced an average of 12 data breaches or security incidents caused by third parties in the past year. The two most serious consequences of these events were operational disruptions (64 percent of respondents) and financial loss (52 percent of respondents).

The following research findings illustrate the challenges of preventing third-party data breaches and security incidents. 

  • Few organizations have a budget dedicated to their TPRM programs. Dedicated resources are essential to reaching a proactive or optimized level of maturity. Only 37 percent of respondents say their organizations allocate funding specifically for the TPRM program. Among those organizations, the average annual budget is $3.1 million.
  • Reliance on manual and inconsistent assessments can result in a small percentage of third parties being assessed. Organizations have an average of 2,643 third parties in their portfolio and an average of only 36 percent of these third parties are assessed to determine risks and vulnerabilities.
  • The maturity of most TPRM programs is low. Fifty-two percent of respondents rate their programs as reactive: assessments are either manual and inconsistent (30 percent) or ad hoc, with only a few defined processes in place for third-party assessments. Fewer than half of respondents rate their program as proactive, meaning assessments are standardized and repeatable for most third parties with defined policies, tools and remediation processes (29 percent), or optimized, meaning the TPRM program is fully embedded in business operations and uses automation, advanced analytics and continuous monitoring to manage vendor risk proactively (19 percent).
  • The IT or IT security functions, not the TPRM team, are most often responsible for third-party risk assessments. Automation, advanced analytics and continuous monitoring are key to an optimized and mature TPRM program, which may explain why many organizations assign responsibility for assessments to IT security/cybersecurity (30 percent of respondents) or IT (22 percent of respondents). Only 20 percent say the TPRM team is most responsible for conducting assessments.
  • Assessments can be a drain on staff’s time and backlogs are a reality for many organizations. Outsourcing one or more assessment processes can be a solution to this problem. Forty-three percent of respondents say their organizations outsource part of the assessment process. Of these respondents, 59 percent say collection or monitoring is outsourced. 
  • To understand the extent of third-party risks, more organizations should measure their TPRM program's effectiveness. Fifty-three percent of respondents believe their TPRM assessments are very effective, yet fewer than half (49 percent) actually measure effectiveness. Of those who do, 49 percent track the increase in assessments completed, 37 percent track the percentage of complete/accurate assessments and 36 percent use sufficient staffing as the metric.
  • Understanding the initial level of risk is a critical first step in a comprehensive third-party risk management program, because it lets organizations implement controls proportionate to that risk and reduce it to an acceptable level. Fifty-two percent of respondents say their organizations use an inherent risk process to determine the frequency of third-party risk assessments. Of these respondents, 53 percent scope their assessment questionnaire, or select a specific questionnaire, based on the third party's inherent risk.
  • Most organizations use homegrown/IT built tools or spreadsheets as part of the assessment. Sixty-seven percent of respondents say they rely upon homegrown/IT built tools followed by spreadsheets (64 percent of respondents). Sixty-one percent of respondents say they use a GRC platform and 58 percent of respondents say their organizations use TPRM platforms. 
  • Only 45 percent of respondents say their organizations use independent ratings of third parties' cybersecurity and risk posture as part of the assessment. The most commonly used inputs are SLAs (62 percent of respondents) and the vendor's own documentation of its practices and policies (51 percent of respondents).
  • Despite lacking trust in their visibility into fourth parties, few organizations assess the risk. Only 42 percent of respondents say their organizations assess fourth-party or subcontractor risk, either for all third parties (23 percent) or only for critical suppliers (19 percent). Thirty-eight percent of respondents have either no trust in their visibility into fourth parties (22 percent) or only slight confidence, with minimal assurance and significant doubts (16 percent); only 31 percent say they are highly confident, with complete trust in that visibility. Further, only 41 percent of respondents say they received alerts from third parties about security incidents originating with fourth parties in the last 12 months. Those who did received an average of 15 such alerts over the year.
  • Organizations are at risk because third-party assessments take a long time and often require follow-up or remediation. Sixty percent of respondents say completing a single assessment can take from 4 months to more than 12 months. Only 37 percent of respondents say the team's effort is less than 8 hours (10 percent) or between 8 and 40 hours (27 percent). An average of 43 percent of third-party responses require follow-up or remediation, and remediating the issues found in the assessment of a single third party takes an average of 6 days.
  • Sixty percent of respondents say they wait from 4 months to more than 1 year for a vendor's response to the questionnaire. An average of 27 percent of third parties do not respond to questionnaires at all. Forty-five percent of respondents receive updates on changes in vendor risk posture only yearly (27 percent) or never (18 percent).
  • Because the largely manual process is slow and labor-intensive, 40 percent of respondents say they currently have a backlog of third-party assessments. The reasons cited for backlogs are incomplete information from the vendor (67 percent of respondents), lack of vendor response (64 percent of respondents) and limited resources such as budget, technology and in-house expertise (62 percent of respondents).
  • Only 16 percent of respondents say remediation is completed for 90 to 100 percent of the third parties that require it. Forty-four percent of respondents say that between 26 percent and more than 50 percent of third parties require remediation activities during onboarding to meet their security and privacy requirements. The primary reasons remediation stalls are resource constraints (66 percent of respondents), technical dependency on another team or provider (59 percent of respondents) and data access uses (58 percent of respondents).
  • AI tools within the TPRM program may help organizations address the challenges revealed in this research. Forty-four percent of respondents have either fully (19 percent) or partially (25 percent) adopted AI for their TPRM programs, and only 19 percent say they have no plans to adopt it. AI is seen as a way to address many of the inefficiencies and gaps in identifying risk. Fifty-three percent of respondents say its primary benefit is that it frees staff for higher-value work; other cited benefits are real-time intelligence to identify vulnerabilities (48 percent of respondents) and better management of TPRM programs (42 percent of respondents).

Part 2. Key findings

This section of the report presents an analysis of the global findings. The complete research results are shown in the Appendix. The report is organized according to the following topics.

  • Background on Third-Party Risk Management (TPRM) programs
  • Threat assessment operating models and methods
  • Challenges in conducting third-party risk assessments
  • Regional differences

To read the detailed key findings and the rest of this report, visit ProcessUnity's website.
