9 Must-Know Statistics About Third Party Risk Management

By: Auras Tanase - 22 September 2025

Relationships with external parties are now more complex and more critical than ever. 

It’s no wonder, then, that third-party risk management (TPRM) has become a priority in procurement. 

But knowing it matters is not enough. 

To manage risk effectively and guide investments, procurement teams need to stay on top of current trends and benchmarks. 

To help you understand them, we’ll highlight nine key statistics that capture the state of TPRM today. 

73% of Senior TPRM Professionals Faced Major Third-Party Disruptions between 2019 and 2022

Many companies are reluctant to invest in TPRM, but studies like KPMG’s 2022 Third-Party Risk Management Outlook show why that investment is non-negotiable. 

KPMG found that even companies that invest in TPRM can face major third-party disruptions, making the risks far greater for those that neglect it.

To paint the full picture, they surveyed 1,263 senior third-party risk management professionals across six sectors and 16 countries, territories, and jurisdictions worldwide. 

One of its most staggering findings? 

Almost three in four respondents said they had experienced at least one major third-party disruption in the three years preceding the survey.

[Figure: statistic showing that 73% of senior TPRM professionals faced major third-party disruptions between 2019 and 2022. Illustration: Veridion / Data: KPMG]

To make matters worse, as many as 38% of respondents didn’t just experience one such disruption, but three or more.

While there are many potential causes of such frequent disruptions, one that stands out is the growing complexity of supply chains. 

Alexander Geschonneck, Partner at KPMG in Germany, notes that many disruptions reported by the respondents were actually caused not by third parties, but by fourth parties in their networks.

[Figure: quote on fourth-party risk. Illustration: Veridion / Quote: KPMG]

So, how should companies respond to the increasing complexity and frequency of third-party disruptions?

Well, most will need robust TPRM programs.

More precisely, they’ll need more proactive and resilient practices to mitigate risks on time and survive threats more easily. 

Luckily, data suggests that organizations are becoming increasingly aware of this imperative. 

TPRM was a Strategic Priority for 85% of Businesses in 2022

It seems that more and more businesses are recognizing the value of TPRM.

According to the same KPMG study, as many as 85% were making it a strategic priority in 2022. 

This is up from 77% before the pandemic, which goes to show how global disruptions can raise internal awareness.

[Figure: statistics on TPRM as a strategic priority. Illustration: Veridion / Data: KPMG]

This suggests that businesses are no longer treating TPRM as just a compliance checkbox. 

They’re now more likely to treat it as a core business strategy, perhaps due to third-party disruptions they had experienced firsthand.

Many professionals, including Dov Goldman, the VP of Risk Strategy at Panorays, agree that this is the right approach.

Goldman explains that TPRM has many wide-ranging business benefits and helps safeguard against just as many business risks.

[Figure: quote on the benefits of having a TPRM program. Illustration: Veridion / Quote: Panorays]

In a nutshell, the outcomes of TPRM go beyond just managing third-party risks. 

Instead, they have far-reaching effects that influence the business as a whole, including its resilience, financial performance, regulatory standing, and stakeholder trust.

Because of this, TPRM should indeed be treated as a strategic priority. 

However, as we’ll see below, organizations still need to learn that this entails not only adopting TPRM in principle, but also funding it appropriately.

61% of TPRM Professionals Believe That TPRM Is Undervalued

Despite more businesses making TPRM a priority, the same KPMG survey showed that 61% of third-party risk management professionals believe it’s still underestimated. 

One potential reason is that they don’t believe organizations are putting their money where their mouth is.

In other words, they frequently label TPRM a strategic priority, but often underfund it in practice.

According to respondents, it is precisely this limited funding that keeps over half of them from managing third-party risks effectively.

[Figure: statistic on insufficient budgets for TPRM. Illustration: Veridion / Data: KPMG]

Without sufficient funding, TPRM professionals can struggle to achieve their goals and keep the promises they make to stakeholders. 

According to Matan Or-El, CEO of Panorays, this is especially problematic because of the growing scale and scope of third-party risks.

He warns that supply chains are becoming more complex and interconnected, thus requiring more advanced, and often more expensive, management solutions.

[Figure: quote on fast-growing TPRM risks. Illustration: Veridion / Quote: Manufacturing.net]

To overcome insufficient funding, companies should consider building strong business cases for TPRM programs.

43% of Companies That Have Created Business Cases for Their TPRM Programs Have Realized Cost Savings

Creating TPRM business cases goes beyond just getting stakeholder backing or improving risk management. 

Studies like the 2023 EY Global Third-Party Risk Management Survey show that doing so also leads to significant indirect benefits, including cost savings.

After surveying over 500 institutions across sectors, EY found that 43% of those with TPRM business cases successfully reduced expenses.

[Figure: statistic on how 43% of companies with TPRM business cases successfully reduced expenses. Illustration: Veridion / Data: EY]

So, although TPRM might be undervalued, it can indeed bring significant, measurable benefits.

TPRM professionals may simply need to reframe how they present them. 

As Ed Thomas, VP of Marketing at the TPRM company ProcessUnity, notes, TPRM’s value lies less in generating a massive ROI and more in helping organizations avoid costly pitfalls.

While this may not appear particularly exciting at first glance, it is highly beneficial.

[Figure: quote on the value of TPRM. Illustration: Veridion / Quote: ProcessUnity]

For example, Thomas notes that TPRM can reduce operating costs, eliminate surprises, and mitigate risk.

In the long run, these advantages prove just as critical as the more attention-grabbing outcomes, such as increased revenue.

It is up to risk teams to present them convincingly and structure their strategies to support them.

90% of Organizations Are Moving Toward Centralized TPRM

Organizations that wish to realize more TPRM benefits should consider centralizing it.

According to Gartner, centralization leads to greater cost savings, better data, more streamlined processes, and other tangible gains. 

It also helps organizations assess their third-party risk as a whole and improve risk management strategies.

Luckily, the same EY survey revealed that 90% of organizations had already adopted a centralized approach to TPRM in 2023, marking a 5% increase compared to 2022.

[Figure: statistics on organizations with centralized TPRM. Illustration: Veridion / Data: EY]

However, despite the many advantages of a centralized approach, 10% of organizations said they intended to continue working in a non-centralized way. 

In other words, they planned to continue assessing third parties separately or in risk silos. 

This isn’t optimal, as it prevents organizations from applying consistent practices, prioritizing risk, and appropriately using resources to manage or mitigate it.

Michael Rasmussen, CEO of GRC Report, warns that non-centralization hides the true breadth of risks.

[Figure: quote on the risk of not centralizing TPRM. Illustration: Veridion / Quote: GRC 2020]

In other words, companies are only able to assess and manage risks in a fragmented way. 

The data below further shows that this can significantly slow down risk management processes.

Only 8% of Organizations Can Perform Control Assessments of Third Parties Within 30 Days

The same EY survey also found that only 8 in 100 organizations can complete third-party control assessments in 30 days or less. 

Most need between 31 and 60 days, but even that window is feasible primarily for organizations with centralized risk structures. 

Among those operating with hybrid models, only 43% can achieve the same.

[Figure: statistics on the speed at which companies perform TPRM control assessments. Illustration: Veridion / Data: EY]

So, it is easy to deduce that centralized models allow companies to speed up control assessments. 

According to the survey, this is largely because they embed TPRM tools, technology, and data, which benefits risk reporting in many ways.

For instance, 41% say this allows them to perform predictive analytics and, thus, implement proactive risk management practices. 

A further 11% say it reduces manual processes, making management quicker.

[Figure: statistics on the benefits of a centralized TPRM infrastructure. Illustration: Veridion / Data: EY]

This is where data providers like Veridion fit in.

Veridion uses AI to collect and update data on 134M companies in 250 countries on a weekly basis, allowing risk teams to largely automate data collection. 

Using Veridion’s company data and APIs, they can further accelerate third-party assessments, reduce manual work, and even enable predictive analytics for faster and more accurate decision-making.

[Figure: Veridion vs. manual data gathering speed. Source: Veridion]

As shown above, tools like Veridion significantly reduce the time teams spend on data collection and enrichment while also enhancing accuracy.

In turn, risk teams can focus on more strategic, high-impact activities that may still need to be handled by experts, such as risk-based third-party segmentation.

Only 50% of TPRM Professionals Segment Third Parties Based on Risk

Deloitte’s 2023 Global TPRM Report found that many companies are still not segmenting third parties based on risk. 

To assess this, Deloitte collected 1,356 responses from professionals accountable for TPRM activities within their organizations. 

The survey spanned a wide range of companies from as many as 40 countries. 

It found that only half of them are formally segmenting the third-party population based on risk.

[Figure: statistic on third-party risk segmentation. Illustration: Veridion / Data: Deloitte]

Out of the remaining companies, 32% said they aren’t implementing risk-based segmentation at all, while 18% said they’re not sure.

This is concerning, especially considering the rapid expansion of third-party networks. 

As noted earlier, many companies struggle to scale their TPRM resources at the same pace, making effective resource allocation all the more critical.

That usually means focusing the most effort on the highest-risk parties, which is only possible with segmentation.

Deloitte notes there’s no universal approach to it, as organizations that segment third parties differ widely in the number of tiers they use.

[Figure: statistics on third-party segmentation practices. Illustration: Veridion / Data: Deloitte]

So, when segmenting your third-party population, tailor your approach to your needs. 

Also, don’t forget to regularly revisit your segmentation as circumstances change. A once high-risk vendor can suddenly become low-risk, and vice versa. 

Again, the right technology, tools, and data can significantly help in tracking this.

54% of Organizations Include ESG in Third-Party Risk Reporting

EY’s survey also revealed that over half of companies now report on third-party ESG risks, too. 

Top priorities include compliance with local regulations, corporate responsibility, and stakeholder expectations. 

[Figure: statistic on ESG in third-party risk reporting. Illustration: Veridion / Data: EY]

However, the number of companies that proactively tackle these ESG risks is significantly lower. 

For instance, EY found that only 32% are implementing clauses that require external parties to comply with their ESG policies and regulations. 

We can, therefore, assume that even fewer are implementing other best practices, such as offering ESG training and incentive programs. 

[Figure: statistic showing that 32% of companies are implementing clauses that require external parties to comply with their ESG policies and regulations. Illustration: Veridion / Data: EY]

Michael Giarrusso, EY Americas FSO Third Party Risk Leader, mentions that companies should make more effort to embed their ESG goals and policies into their TPRM strategies. 

That’s the only way to ensure that third parties align with organizational ESG goals.

[Figure: quote on the importance of companies embedding their ESG goals and policies into their TPRM strategies. Illustration: Veridion / Data: EY]

Embedding ESG includes periodically assessing external parties against all three ESG dimensions, as well as working with them to improve their performance.

61% of TPRM Professionals Cite Geopolitics as Top Challenge in Managing Third‑Party Relationships

The 2023 Deloitte survey also showed that most TPRM professionals view geopolitics as a significant challenge in managing third-party relationships.

In fact, they consider it the top challenge, preceding even multi-year inflationary trends and currency fluctuations.

[Figure: statistic on how companies consider geopolitics a top TPRM challenge. Illustration: Veridion / Data: Deloitte]

We should highlight that the survey was conducted between February and April 2023, only a short time after several significant global events took place, including the Russian invasion of Ukraine and the U.S.-China chip war export controls.

These events might have influenced the respondents’ opinions, but not without a good reason. 

For instance, LexisNexis described how the war in Ukraine and the ensuing sanctions significantly increased the third-party risks for companies.

[Figure: LexisNexis screenshot. Source: LexisNexis]

As seen above, companies can face fines if they’re found to work with sanctioned entities. 

At the same time, not doing business with them can be just as risky, as many organizations depend on them to deliver their products and services. 

Severing ties threatens to put many out of business.

And as if that isn’t enough, any breach of sanctions can further trigger backlash from investors and consumers and damage a company’s reputation.

With such a wide range of risks, it’s no wonder TPRM professionals are so concerned about geopolitical events. 

To manage them effectively, companies should regularly monitor global developments and adapt their third-party strategies accordingly.

Conclusion

By now, you probably understand the direction in which TPRM is evolving. 

Its value is increasingly recognized, but budgets and practices don’t always keep pace. 

For instance, even with progress in adopting some best practices, like centralized models, many organizations still fall short in areas like risk-based segmentation and ESG integration. 

The key takeaway is that TPRM has come a long way, but still has further to go. 

Our advice? Implement TPRM best practices from the start. 

That way, you’ll immediately position your organization for resilience, trust, and long-term success.