Third-party risk professionals are focused on cybersecurity and artificial intelligence risk while working with fewer resources and managing an increasing number of vendors. Those are the top findings of the Venminder and Ncontracts’ State of Third-Party Risk Management 2025 survey.
With input from a diverse range of industries, including financial services, fintech, retail, healthcare, insurance, IT, and more, the survey reflects organizations of all sizes, from small businesses with fewer than 100 employees to industry giants with over 5,000 employees.
Highlights from the State of Third-Party Risk Management 2025 Survey
The survey results showed several key trends and highlights for current third-party risk management (TPRM) programs. Here are four takeaways from the results:
- Cybersecurity risk is a top concern – Cybersecurity risk is once again a top concern. Nearly half (49%) experienced some type of third-party cyber incident over the past 12 months.
- Organizations are starting to mitigate vendor artificial intelligence (AI) risk – As AI products and services explode in popularity, third-party risk professionals are paying closer attention. For the second year in a row, vendor AI risk was ranked as the second-highest TPRM concern. Last year, most organizations hadn’t started to manage AI risk, but this year, they are actively taking steps to manage it, with 40% adding usage language to vendor contracts, among other controls including documenting the risk internally, verbally communicating with the vendor, and sending questionnaires.
Related: Artificial Intelligence Sample Vendor Questionnaire
- TPRM program sizes are decreasing – Despite overseeing more vendors, TPRM staffing hasn’t kept pace. The number of programs with 11–20 employees dropped significantly from last year’s survey, while those managing 1,000 or more vendors grew by 16%. Most organizations reported having just one or two employees dedicated to TPRM. With limited resources and an expanding vendor inventory, managing third-party risk becomes increasingly challenging — raising the likelihood of overlooked risks and potential harm to your organization.
- TPRM programs are maturing with fewer relying on manual processes – Organizations continue to move away from manual vendor risk management processes towards software solutions. Most respondents use a dedicated TPRM software platform — a 19% increase from last year. Manual methods like Excel/Google Sheets decreased by 29%. This makes programs more effective at identifying, assessing, and monitoring risks while also enabling employees to focus on more critical issues.
Strategies to Improve Your TPRM Program in 2025
The results of the State of TPRM 2025 survey show that respondents are addressing emerging risks, navigating TPRM with fewer resources, and working on continually improving their programs.
The findings suggest that implementing the following strategies is a smart move for organizations that want to keep pace with vendor risk management:
- Monitor vendor AI usage – AI is an increasingly popular option for organizations to implement. Ask your vendors about how they use AI and what safeguards are in place. Regularly review the performance and decision-making processes of vendors’ AI systems.
- Assess current TPRM resources – If you’ve experienced a decline in resources, inventory what’s currently available to your program. You may identify underutilized resources to take advantage of or unused resources to remove. Consider your TPRM processes and what obstacles may be in place. Foster collaboration between departments so TPRM processes work more effectively.
- Prioritize automation – If your organization currently uses TPRM software, research what automations are available and work with your account executive to implement them. Unstructured manual processes are harder to automate, so standardize them first: develop standardized templates for each process for consistency, use predefined criteria to evaluate vendors, and then automate repetitive tasks and workflows. This can remove some of the manual effort involved.
- Utilize risk intelligence to stay on top of cyber alerts – Point-in-time assessments won’t always capture the constant changes in a vendor’s cybersecurity environment. Risk intelligence is a helpful tool for actively monitoring a vendor’s cybersecurity environment. You’ll receive alerts about changes or active vulnerabilities that need remediation, which allows your organization to respond quickly to potential risks or incidents.
Related: Examples and Benefits of Continuous Third-Party Monitoring
As third-party risk professionals continue to mature their programs and take steps to mitigate vendor cybersecurity and AI risk, they are also managing smaller programs and navigating daily challenges. By implementing the suggested strategies, organizations can manage risks more effectively and set their programs up for success.
Download the State of Third-Party Risk Management 2025 Whitepaper to discover more insights from third-party risk professionals.
