2020 State of Third-Party Risk Management
Partner: RiskRecon by Mastercard
The rise of mass outsourcing of systems and services to third parties is perhaps the largest shift in the risk landscape of the last 20 years. Protecting assets now requires watching not only one’s own house but also the house of every third party. This 2020 report analyzes the state of Third-Party Risk Management (TPRM) programs to identify why practitioners are struggling to keep up. While 63% say managing third-party risk is a growing priority, resources and reliable data remain critical bottlenecks.
The reliance on security questionnaires, a staple of 84% of programs, is increasingly viewed as ineffective. Only 34% of professionals actually believe the responses they receive from vendors, and a mere 14% are confident that vendor security posture truly meets their firm’s requirements. This “trust gap” is compounded by a staffing crisis: the typical program assesses 50 vendors per year for every one staff member dedicated to TPRM. Managing risk well requires frequently acquiring good data that reveals how complete the risk management activities are and how good the program outcomes are.
The study shows that the strain on TPRM teams is more accurately measured by “material risk” than by raw vendor counts. Teams managing 30 or more high-impact vendors per staff member never feel adequately staffed, whereas those managing 5-6 typically do. This report provides a roadmap for moving toward data-driven TPRM, leveraging objective signals such as security ratings to improve transparency and decision speed. The companies building data-driven TPRM programs are where the future patterns and practices of third-party risk management will be defined.
Key Findings
- 86% Confidence Gap: Only 14% of TPRM professionals express high confidence that their vendors’ security postures actually meet their requirements.
- The 50:1 Staffing Ratio: TPRM programs typically manage a ratio of 50 assessed vendors for every one full-time equivalent staff member.
- Low Remediation Action: 81% of TPRM programs say they rarely require vendors to remediate findings, even though they report widespread passing grades on questionnaires.
- Questionnaire Trust Deficit: Only 34% of security practitioners believe the answers provided in vendor risk assessment questionnaires.
- The 8-to-1 Ripple Effect: Downstream entities affected by supply chain “ripple” incidents outnumber primary breach victims by more than 8-to-1.
- Adequacy Threshold: TPRM staff only feel “always” adequately staffed when managing six or fewer high-impact (material risk) vendors per FTE.

Based on a vetted survey of 154 active third-party risk management professionals across global regions.