Third-party risk management – Success or failure?

The BlueVoyant State of Supply Chain Defense has been published and it highlights some worrying trends. While investment in third-party risk management (TPRM) continues to rise, its effectiveness is being questioned. A common problem is a lack of organisational commitment. It is not the first report around risk management to call out organisational issues.
Joel Molinoff, Global Head of Supply Chain Defence, BlueVoyant

Joel Molinoff, Global Head of Third-Party Risk Management at BlueVoyant, said, “As the attack surface expands, an effective third-party risk management program is more important than ever.

“For six years now, the goal of this report has been to raise awareness and understanding on building a successful third-party risk program. While there are bright spots from this year’s survey, there is still more work to be done to ensure we can start closing this gap between program maturity and organizational commitment.” 

This is the sixth time the company has conducted this report (gated copy can be found here). What is surprising is that while TPRM is showing signs of maturity, it is still struggling to get the support it needs. That lack of buy-in and trust from the business comes as 97% of respondents report negative impacts from supply chain problems, up from 81% in 2024, raising more questions as to why it isn’t getting support.

The rise of risk as part of cybersecurity

Over the last six years, there has been more and more interest in using risk modelling to understand cybersecurity risk. That makes sense. Risk is what the main boards understand and something they factor into most decision-making processes. Therefore, using risk to understand cybersecurity is a natural move.

One of the big challenges for IT is managing the number of third parties that it works with. It cannot do everything itself, so it now relies on third parties for everything from security management to running its infrastructure. Many of those companies have privileged access to an organisation. When they have a security breach, so do their customers.

The SolarWinds breach, disclosed in December 2020, was, for many, the moment that put supply chain TPRM on the radar for security teams. Since then, supply chain attacks have increased, making TPRM a critical part of the security tool set.

SAP suffered a major supply chain breach in early September 2025, impacting a major manufacturer. Salesforce customers were impacted by the Salesloft Drift integration breach, in which OAuth tokens stolen from the Drift integration were used to pull data from hundreds of Salesforce customer instances.

What are the problems facing TPRM?

Looking back over the six years of the State of the Supply Chain Defence report, BlueVoyant says it sees signs of maturity. But it cautions that “program maturity does not guarantee effectiveness.”

To understand that, it’s important to look at some of the issues that the report raises. For example, 60% of organisations cite internal resistance as a top barrier to program maturity and effectiveness. Compounding that, many organisations are building TPRM programmes only to check a compliance box.

According to the report, only 16% of respondents identified risk reduction as a primary program driver. Instead, they are motivated more by cyber insurance requirements, contractual obligations, and board mandates. These are not about security but about compliance.

Interestingly, the report does not draw a comparison between the costs of failing to meet compliance and the cost of a breach. However, it does say that, “while meeting minimum compliance requirements is critical, meaningfully reducing risk would lead to the same or better compliance result.

“Compliance is step one, not necessarily the end goal. The fact that 96% of respondents experienced a cyber incident at one of their suppliers underscores the need to focus on actual risk reduction.”

Maybe next year it will consider the costs of both and do a comparison of the impact of compliance failure vs breach.

Financial Services no longer sets the gold standard

One of the surprises in this report is that Financial Services, one of the most heavily regulated industries, is no longer setting the gold standard for TPRM. There are several possibilities for this. One is the lack of regular briefings to senior leaders. The report says regular means monthly or better.

Another reason is the ownership of the TPRM strategy. In Financial Services, it is the finance department. For every other industry looked at in this report, it is owned by the IT and cybersecurity teams.

One concern across the majority of verticals is internal resistance to change. For Financial Services, Healthcare and Pharmaceutical, Manufacturing and Defence, it is the biggest challenge. For Energy and Utilities, and Retail, it is the second biggest problem.

Collaboration is the biggest challenge for Retail, and Energy and Utilities. For Financial Services, Healthcare and Pharmaceutical, and Manufacturing, it is their second biggest issue, while for Defence, it ranks third. Collaboration with third-party suppliers throughout the remediation phase is critical. Without it, organisations will struggle to secure their environments.

Other challenges include tool sprawl and poor integration of TPRM tools with GRC platforms and other core tooling. Without more being done here, it is hard to demonstrate the effectiveness of TPRM programmes. Reliable and trusted reports will help overcome resistance, as they will show targets being met and ROI goals achieved.

To set the gold standard, Defence has focused on executive engagement and working with suppliers. 30% say that they brief leadership regularly. 47% collaborate with vendors every step of the way to resolve problems. That hasn’t stopped breaches but it has brought them down. It also speaks to a high level of maturity in the TPRM processes. Other industries need to do more to reach that maturity.

What are the key tools?

Across the different industries, there is a range of tools organisations are using. For most, TPRM is not seen as a separate tool but as a module in a GRC platform. For some TPRM tools, that is how they are delivered.

But some cybersecurity vendors moving into the TPRM market are taking a different approach. They are building Risk Operations Centre platforms solely focused on risk and cybersecurity. What is unclear is how they will then integrate their tools with third-party GRC platforms. This is all part of observability, something which is a key to achieving maturity.

Another tool that is cited as part of TPRM is the Software Bill of Materials (SBOM). However, despite its ability to highlight risk, it is not universally used, or even highly used. In Manufacturing 36% regularly use SBOM. In Financial Services, Healthcare and Pharmaceuticals that drops to 35%, while 28% use it in Energy and Utilities. Surprisingly, Retail and Defence do not highlight it as a major tool.
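As an added example of how an SBOM highlights risk (this is illustrative code, not from the report or any vendor's tool), the script below parses a constructed CycloneDX-style SBOM and matches each component's package URL (purl) against a small advisory table. The CVE identifiers and fixed versions in the table are real, but the table itself, the SBOM and its component names are constructed for the example; in practice the advisories would come from a feed such as OSV or a scanner's database.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX-style SBOM for the example; not taken from any real vendor.
# The last component deliberately has no purl, a common real-world gap.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "lodash", "version": "4.17.20",
     "purl": "pkg:npm/lodash@4.17.20"},
    {"type": "library", "name": "internal-auth-lib", "version": "1.0.0"}
  ]
}
"""

# Hand-built advisory table keyed by version-less purl: (CVE id, first fixed version).
# The ids and fixed versions are real; the table is constructed for the example.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [("CVE-2021-44228", "2.15.0")],
    "pkg:npm/lodash": [("CVE-2021-23337", "4.17.21")],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1). Trailing non-numeric text such as '-rc1' is dropped."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl: str) -> Tuple[str, Optional[str]]:
    """Split a purl into (version-less purl, version), dropping '?qualifiers' and '#subpath'.

    Scoped npm names like pkg:npm/@scope/name contain an '@' that is not a version
    separator, so only the text after the last '@' counts as a version if it has no '/'.
    """
    clean = purl.split("?", 1)[0].split("#", 1)[0]
    base, sep, version = clean.rpartition("@")
    if sep and "/" not in version:
        return base, version
    return clean, None


def find_vulnerable(sbom_json: str, advisories: Dict[str, List[Tuple[str, str]]] = ADVISORIES) -> List[dict]:
    """Return one finding per (component, advisory) match, plus one per component that cannot be matched."""
    sbom = json.loads(sbom_json)
    findings: List[dict] = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            # Without a purl there is no reliable key to match on; surface it rather than
            # silently treating the component as clean.
            findings.append({"name": comp.get("name"), "purl": None,
                             "issue": "no purl; cannot match against advisories"})
            continue
        base, purl_version = split_purl(purl)
        version = comp.get("version") or purl_version
        if version is None:
            findings.append({"name": comp.get("name"), "purl": purl,
                             "issue": "no version; cannot evaluate advisories"})
            continue
        for cve, fixed_in in advisories.get(base, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append({"name": comp.get("name"), "purl": purl,
                                 "cve": cve, "fixed_in": fixed_in})
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable(SAMPLE_SBOM):
        print(finding)
```

The point a practitioner should take from this is that an SBOM only highlights risk when every component carries a resolvable identifier and a version; the unmatched component above is exactly the kind of gap that makes SBOM coverage figures in surveys hard to interpret.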

On-site assessments are also a commonly used approach, but there is little detail in this report as to how they are conducted. There are also risk questionnaires used across some industries. What those are and how they are fed into TPRM tools is unclear. Such documents are notoriously inaccurate, and it’s a surprise that they are part of the tools.

The use of external tools and even companies doing penetration testing also appears to have increased. It’s a welcome acceptance that organisations cannot do security solely in-house.

Enterprise Times: What does this mean?

Third-party risk management has grown quickly over the last six years. Supply chain risk has been a major driver of that, along with numerous breaches. There are two disappointing things in this report: the lack of maturity and the high levels of internal resistance to change.

Getting to the former requires better processes and commitment, and that is impacted by the latter. It’s interesting that a major measure of failure to improve maturity is the frequency of meetings to explain risk.

While frequency is an important method of engaging people, a more important factor is the quality of that engagement. Nobody wants more reports; what they do want are key performance indicators that show improvements and success. It would have been interesting to get an insight into what information those who engage regularly are providing.

Perhaps the biggest positive from this report is the increase in engagement with third parties. This is critical because organisations need to know that their vendors are looking to reduce risk. That an increasing number of industries now work with vendors from incident to solution is exceptionally positive. However, that is still below 50%. It needs to improve and improve quickly.

There are interesting differences across countries and regions in this report. How much of that is driven by compliance is unclear. Perhaps that is something that BlueVoyant will talk more about next year.

The post Third-party risk management – Success or failure? appeared first on Enterprise Times.
