
Five Takeaways From EY’s New TPRM Research

On June 25th, Shared Assessments hosted another in a series of “All Committee” meetings designed to bring together members from a diverse set of TPRM interest groups to engage on a single topic. The June meeting’s focus was “From Insight to Action, What the 2025 EY Global Third-Party Risk Management Survey says about AI and third-party risk management.” EY Managing Director Rich Alber presented, after which meeting attendees separated into breakout rooms for discussion.

Change is constant in third-party risk management (TPRM), but the pace of change has accelerated over the past few years. Artificial intelligence (AI) has been a big part of that. AI is becoming an important tool to make TPRM programs more efficient while simultaneously improving risk management outcomes. At the same time, an increasing number of outsourcers recognize that AI may be an important source of additional risk when vendors do not have sufficiently mature artificial intelligence oversight capabilities within their own organizations. That risk is multiplied through today’s increasingly complex supply chains. Because third parties anchor supply chains, the contracts and due diligence processes that outsourcers structure with their vendors are more important today than ever.


 

5 Key TPRM Trends for 2025

EY recently released its annual Global Third-Party Risk Management Survey, which highlights key trends, top concerns, and notable changes in third-party risk management. Here are some of the top takeaways.

 

1. Data analytics tops technologies currently in use.

The most widely used TPRM technology is data analytics. Nearly half of the respondents are using data analytics for use cases such as sourcing and planning, risk/control assessment facilitation, and digesting external data. Data analytics are used more consistently across TPRM program components than any other reported technology. And around a third of respondents are planning to invest even more in data analytics in the coming years. Although only a small percentage of survey respondents (8%) report having risk data and analytics deployed at scale today, that percentage is expected to soar within the next two years, when almost 40% expect scale operations.

 

2. AI and automation are growing in popularity.

The survey found that AI is being used most widely (46% of respondents) in the sourcing and planning TPRM functions, just a single percentage point behind the most used technology, data analytics. And AI utility will grow significantly during the next two years. One of the main drivers of investment in AI and machine learning is to support enhanced due diligence and contract performance monitoring. Automation investment is driven in part by the desire to increase efficiency for due diligence functions amidst heightened risk management requirements.

While investment in generative AI in the next two years is expected to be lower than the broader AI category (32%), the technology is projected to grow in use by around 20-25% for most use cases. Performance monitoring, sourcing and planning, and reporting are the main functions where TPRM professionals see increasing potential for generative AI. Artificial intelligence and machine learning were ranked second as a primary driver of investment in centralized TPRM programs in the latest survey.

 

3. Not surprisingly, cybersecurity is the primary risk domain included in TPRM programs.

The survey reported that 58% of organizations include cybersecurity in their TPRM program, making it the most common risk focus. Considering how common cyberattacks have become in recent years and the high costs involved, that number still seems low.

Meanwhile, 28% of firms include AI risk due diligence in their programs today. Many organizations are still in the early stages of determining the best question sets and use cases to consider when evaluating AI risk.

 

4. Contractual terms are a growing approach to 4th and Nth-party (supply chain) risk.

Managing 4th and Nth-party risk in supply chains is a complicated but crucial component of modern TPRM. 64% of companies monitor 4th/Nth-party risk by validating a third party’s TPRM program and the risk assessment they perform on their third parties, making it the most common method.

Notably, 51% of outsourcers—a big jump up from 24% in 2022—include Nth party requirements in their contracts with third parties to ensure expectations “pass through” to subcontractors in supply chains. In the age of supply chain complexity, these contracts are growing more important, and those contract pass-through expectations will likely grow in the coming years.

 

5. Organizations struggle with a lack of internal coordination and communication.

As important as risk management is, TPRM programs often face internal resistance from business units that see it as a bottleneck. 83% of TPRM programs face difficulty with internal coordination and communication between the program and internal stakeholders, a top challenge.

Nearly as common, 82% of programs deal with the delays that robust TPRM practices can cause for internal relationships where timeliness matters. Business lines want to move fast, while risk management processes are perceived as taking too much time. Managing that internal conflict is a top concern for many TPRM programs.


Stay Informed and Prepared

Adaptability has always been a necessary skill in TPRM. Risk professionals must work to stay on top of changes in the risk landscape, as well as best practices for responding to them. EY’s research is a long-standing, useful resource for tracking TPRM trends over time, and the survey is increasingly forward-looking to provide practitioners with a sense of what improvements peer organizations are considering. Shared Assessments’ committees are another. Committee meetings are a valuable opportunity to learn from your peers, as well as established experts in the industry. Check out the full list of Shared Assessments committees to see if one is right for you.