New Report Reveals Third-Party Risk Management’s Next Chapter

From Building Programs to Making Them Work

December 2, 2025 | 3 min read

Joel Molinoff

Global Head of Third-Party Risk Management


After six years of tracking third-party risk management programs (TPRM), one thing has become clear: having a program doesn't necessarily mean it's working. 

Our latest report, The State of Supply Chain Defense, reveals an interesting shift. Organizations are spending more than ever on securing their vendor ecosystem, with 95% planning to increase their budgets in the next year. Programs are maturing, with nearly half of surveyed organizations reporting established and optimized initiatives. Yet the breaches still keep coming.

A staggering 97% of organizations experienced at least one breach in their supply chain — a sharp increase from 81% just a year ago. 

So what's going wrong? 

The Maturity Trap 

Even though programs are becoming more mature, they're lacking a critical piece: internal support and commitment. While organizations have built infrastructure, invested in the right tools, and hired teams, internal buy-in is still a real challenge. Programs that operate in isolation (particularly those outside security functions) may struggle to be strategic and reach their full potential.

Our report found that 60% of organizations cite internal resistance as their top barrier to program effectiveness. Despite having sophisticated TPRM programs, these teams are fighting an uphill battle for organizational support. The majority of surveyed organizations (59%) only brief senior leadership on security matters every three to six months. Without this visibility, executives are less likely to support a program they don’t understand or aren’t fully aware of. 

Checking Boxes Instead of Reducing Risk 

One of the most revealing findings was what's driving these programs in the first place. Risk reduction ranked last on the priority list, with only 16% of organizations identifying it as a primary driver. 

Instead, programs are built to satisfy cyber insurance requirements, meet contractual obligations, and appease board mandates. The focus has shifted from "How do we protect our organization?" to "How do we meet the minimum requirements?" 

This compliance-first mentality might explain why breaches continue to grow, despite more investment. Without a strategic security focus, you’ll likely miss the big picture of risk. 

The Growing Challenge of Scale 

The attack surface is consistently growing. Nearly all organizations (96%) expect their vendor ecosystems to expand over the next year, with many planning double-digit growth. A bigger vendor ecosystem means more potential entry points, more relationships to manage, and more complexity to navigate. 

Organizations are making smart investments in tools like continuous monitoring, security rating systems, and threat intelligence feeds, yet they struggle with integration. Among the organizations we surveyed, the number one operational challenge was integration with existing enterprise risk and GRC processes.  

Without seamless alignment, tools and teams can’t communicate with each other, and leadership misses out on a holistic view of risk.  

Shifting Toward Collaboration 

Fortunately, there are encouraging signs in the data. 

Organizations are moving beyond passive vendor attestation, with nearly a quarter now using external monitoring and threat intelligence for verification. Even more promising, 45% work directly with vendors to remediate identified issues — a positive shift toward partnership. 

The data also reveals interesting regional differences that suggest organizational culture and economic context matter as much as technology. Singapore stands out as a global leader with 60% program maturity and strong executive engagement, while other markets struggle despite similar tool adoption. 

The Path Forward 

Six years of research reveals that the question is no longer "Should we build a TPRM program?" but "Why isn't our program working?" 

The answer, it turns out, has less to do with technology and more to do with organizational alignment. Without genuine executive commitment, cross-functional integration, and a shift from compliance to risk reduction, even the most sophisticated programs will struggle. 

To get the full story, including a breakdown of the data by industry and region, download the report here.
