Third-Party Risk Management Under Pressure as Regulatory & Tech Challenges Mount, New Study Finds

Key Takeaways
  • TPRM Teams Are Understaffed and Overwhelmed: Nearly 70% of teams lack sufficient resources, with organizations actively managing risk for only 40% of their vendors.
  • Spreadsheets Still Dominate: 41% of organizations rely on spreadsheets for TPRM, while only 29% can assess risk across the full vendor lifecycle.
  • Regulatory Pressure Is Intensifying: Compliance team involvement in third-party risk has more than doubled since 2023, reflecting increased scrutiny around data privacy and operational resilience.
  • AI Adoption Is Growing, But Cautiously: While 65% are exploring AI use cases, just 14% have deployed it — up from 5% last year — with data security and governance concerns still top of mind.
  • Risk Prioritization Is Expanding: Beyond cybersecurity (85%), more organizations are tracking data privacy (79%), compliance risk (70%), and business continuity (64%) as part of their TPRM programs.
Deep Dive

In the age of sprawling digital supply chains, third-party risk management has become less of a compliance box to tick and more of a survival strategy. But according to a new 2025 study from Mitratech, many organizations are still trying to manage it all with duct tape and spreadsheets.

The report, based on input from risk, compliance, and procurement professionals around the globe, captures a sector under pressure, and not just the usual kind. Regulatory demands are tightening, artificial intelligence is knocking at the door, and many TPRM teams are being asked to do more with less. A lot less.

Nearly 70% of teams say they’re understaffed. And on average, organizations are only actively managing risk for about 40% of their vendors. That leaves a wide swath of the supply chain operating on trust, luck, or legacy contracts no one’s read since 2018.

“Modern third-party ecosystems function like living systems — they require balance, coordination, and resilience,” said Henry Umney, Managing Director of GRC Strategy at Mitratech. “This study highlights the urgent need for organizations to evolve their risk programs.”

Regulatory Red Tape and a Spreadsheet Tangle

It is clear that regulators are watching. The number of organizations reporting compliance team involvement in TPRM has more than doubled since 2023, jumping from 42% to 88% in just two years. It’s not just about cybersecurity anymore. Data privacy, operational resilience, and vendor oversight have all climbed the agenda.

At the same time, many companies are still relying on Excel to get the job done. Forty-one percent say spreadsheets are their main TPRM tool, a statistic that, in 2025, feels a bit like saying you track your financials with an abacus. Only 29% of respondents said they can assess risk across the entire vendor lifecycle. That means most firms are flying blind somewhere between onboarding and offboarding.

AI Interest Grows

Artificial intelligence is starting to break into the TPRM world, but carefully. About 65% of organizations are exploring AI use cases, and 14% are already using it, nearly triple last year’s number. But don’t expect a runaway AI revolution just yet. Data security concerns and questions around explainability are slowing things down, and rightly so.

Still, the promise is there. AI could help screen vendors faster, flag risks earlier, and ease the burden on already-stretched teams. But only if organizations take the time to build the right guardrails first.

Risk Priorities Are Expanding

Cybersecurity still tops the list of tracked risks (at 85%), but data privacy (79%), compliance risk (70%), and business continuity (64%) are quickly catching up. That’s a sign of maturity. TPRM is no longer a siloed discipline or something that only matters after a breach. It’s about resilience, continuity, and protecting the entire enterprise from the ripple effects of third-party failures.

The report closes with five familiar but urgent recommendations: build cross-functional governance, automate where possible, don’t wait to modernize, embrace continuous monitoring, and approach AI with intention. They may not sound flashy, but given the gaps this study exposes, they’re more like triage instructions than best practices.

The bottom line is that third-party risk isn’t getting easier, and the consequences of doing it poorly are growing. If 2024 was a warning shot, 2025 is shaping up to be a reckoning. Whether organizations choose to evolve or endure remains to be seen, but spreadsheets, staffing gaps, and siloed programs probably won’t carry them much further.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news.