Commissioned by RiskRecon

• Welcome
• Questions
• Results
• Methodology

How Mature Is Your Third-Party Risk Management Practice?

Enterprise risk is on the rise for all firms across all sectors and geographies in large part due the increased reliance on third parties. And while companies have limited or no control over how third parties secure their technology infrastructure, applications, or data, they are fully responsible for any cybersecurity incidents that occur because of those relationships. This makes third-party risk management (TPRM) a critical investment for any organization, and companies with mature TPRM programs experience fewer challenges and more beneficial business outcomes.

Is your organization prepared to successfully manage third-party risk? Take our short self-assessment to find out.

The assessment will yield customized results and recommendations based on your responses and should take no more than 2 minutes to complete. Results are confidential and will not be shared publicly.

Start

Does your organization currently use a risk rating platform as part of its third-party risk management capability? (Select one.)

Note: For the purpose of this survey, risk rating platforms are typically used to augment third-party assessment questionnaires, get a point-in-time snapshot of a firm’s external security posture, and monitor third parties for changes over time.

Yes

No, but we plan to

No, and we do not have any plans to

1 of 4

How well do the following statements describe your organization’s third-party risk management efforts? (Select one per row.)

Does not describe my organization at all

Slightly describes my organization

Moderately describes my organization

Mostly describes my organization

Completely describes my organization

Don’t know

My organization effectively detects security issues and monitors them for indicators of inherent risk, like the presence of personally identifiable information (PII).

Answer 1

Answer 2

Answer 3

Answer 4

Answer 5

Answer 6

My organization effectively prioritizes risk issues in a matrix, so we can target the most important ones and don’t waste time making unnecessary fixes.

Answer 1

Answer 2

Answer 3

Answer 4

Answer 5

Answer 6

My organization effectively fine-tunes its risk policies to help us focus on the right security criteria.

Answer 1

Answer 2

Answer 3

Answer 4

Answer 5

Answer 6

My organization effectively shares findings with vendors to address issues.

Answer 1

Answer 2

Answer 3

Answer 4

Answer 5

Answer 6

2 of 4

How well do the following statements describe your organization’s third-party risk management efforts? (Select one per row.)

Does not describe my organization at all

Slightly describes my organization

Moderately describes my organization

Mostly describes my organization

Completely describes my organization

Don’t know

My organization provides vendors access to detailed analysis for every issue, including recommended remediation steps.

Answer 1

Answer 2

Answer 3

Answer 4

Answer 5

Answer 6

My organization has an aggregated cyber risk rating for every third-party service provider and vendor based on the assessment of their cyber environment.

Answer 1

Answer 2

Answer 3

Answer 4

Answer 5

Answer 6

My organization receives alerts on issues exceeding risk thresholds, not just a general listing of all issues uncovered.

Answer 1

Answer 2

Answer 3

Answer 4

Answer 5

Answer 6

My organization has access to downloadable detailed reports on all uncovered vulnerabilities.

Answer 1

Answer 2

Answer 3

Answer 4

Answer 5

Answer 6

3 of 4

How well do the following statements describe your organization’s third-party risk management efforts? (Select one per row.)

Does not describe my organization at all

Slightly describes my organization

Moderately describes my organization

Mostly describes my organization

Completely describes my organization

Don’t know

My organization effectively benchmarks third-party service providers and vendors against standardized compliance frameworks and among one another.

Answer 1

Answer 2

Answer 3

Answer 4

Answer 5

Answer 6

Actionable risk plans are easily shared with third-party service providers and vendors.

Answer 1

Answer 2

Answer 3

Answer 4

Answer 5

Answer 6

My organization uses vendor risk ratings to regularly prioritize vendors for further assessment and mitigation actions based on risk.

Answer 1

Answer 2

Answer 3

Answer 4

Answer 5

Answer 6

4 of 4

Results Overview

Your firm:

Novice Intermediate Leader

Chart Placeholder

Your Maturity Score:

Your maturity result:

To better understand what your maturity result means and receive recommendations on how to improve your TPRM practice going forward, please click below to register.

View your detailed results

---

Recommendations

See my recommendations

Novice

Your overall score of puts you in the percentile and means your TPRM maturity is only at the beginning stage — like 22% of companies surveyed. Our study reveals that organizations with lower TPRM maturity tend to have more siloed program operations, making business alignment difficult. In turn, their practices are more reactive and operationally focused on immediate problems vs. a program that is more integrated with the rest of the business and its strategic initiatives.

Given this position, Novices tend to be laser-focused on building alignment by concentrating on strategic risk while overlooking and underinvesting for third-party risk. This is a mistake. According to our study, more than half of security and risk decision-makers are worried that poor third-party risk management would lead to slow ecosystem growth, operational inefficiencies, additional costs for third-party risk management, delayed timelines, and greater regulatory scrutiny. These challenges and others can be exasperating for those without a risk ratings solution or those that have one but don’t effectively use it.

To begin making improvements to your TPRM program, consider the following recommendations:

• Bring security, procurement, and legal to the table. Document key roles and responsibilities for all stakeholders at each stage of the vendor lifecycle. An effective TPRM program can’t be achieved in silos. TPRM programs often reside within one business function, with limited inputs from the rest of the business. Cyber risk ratings create an opportunity to remove these silos by giving stakeholders data to consider at key decision points.
• Create your single system of record. Increasing third-party ecosystem visibility is a key step in building TPRM maturity. This includes moving away from spreadsheets or multiple systems to a single platform where you can continuously monitor security performance data, manage evidence and vendor questionnaires, and collaborate on remediation tasks. Document internal processes for onboarding vendors in your system of record going forward.
• Establish vendor tiers by criticality. To begin managing a TPRM program at scale, organizations must categorize their vendors by how critical the products/services are to the business. Collaborate with internal stakeholders to group vendors by criticality. This grouping will help your team begin to customize security questionnaire requirements and define tailored risk tolerances to efficiently track and evaluate third parties. 

Intermediate

Your overall score of puts you in the percentile and means your TPRM maturity is in the middle stage — like 54% of companies surveyed. Our study demonstrates that organizations with intermediate TPRM maturity exhibit a heightened focus on structured risk assessment processes. They understand that by implementing robust risk assessment methodologies, they can effectively identify, prioritize, and mitigate risks associated with third-party relationships. This strategic approach not only safeguards their operations but also their business.

Given this position, intermediates are starting to invest more in key risk areas such as third-party risk as they understand the consequences of underfunding it. According to our study, more than half of security and risk decision-makers are worried that poor third-party risk management would lead to slow ecosystem growth, operational inefficiencies, additional costs for third-party risk management, delayed timelines, and greater regulatory scrutiny. These challenges and others can be exasperating for those without a risk ratings solution or those that have one but don’t effectively use it.

To take the next steps with your TPRM program, consider the following recommendations:

• Adopt standards-led questionnaires. Third-party security questionnaires are notoriously inefficient, with too many questions and no means to automatically validate responses. Reduce your questionnaire footprint by aligning questions with security controls and requirements in an established framework. Use the framework to articulate specific evidence or a performance metric that the cyber risk rating tool can validate about your third party to reduce redundant, inefficient questions.
• Define risk tolerances for vendors by criticality. TPRM teams can't chase every vendor for every issue. Instead, define tolerances for acceptable risks that allow your team to prioritize remediation activities by vendor criticality, rather than the issue severity rating alone.
• Integrate TPRM with GRC. As the TPRM team works with third parties to remediate or accept risk, this information must be shared with a central GRC team who can assess and monitor the state of internal controls and track potential risks or issues from third parties against business and regulatory requirements. This includes documenting a process for escalating third-party risk to internal decision-makers in cases where a third party disagrees on risk findings or expected remediations.

Leader

Congratulations, your overall score of puts you in the percentile and means that you are a TPRM leader! Only 24% of companies surveyed in our study had an advanced level of maturity. The study reveals that organizations with higher TPRM maturity have programs that are more aligned with their business strategy. This allows them take more proactive measures than Novices do to operationalize cybersecurity risk ratings for their organization. As a result, they have more successful TPRM programs with fewer challenges and more beneficial business outcomes.

Given this position, leaders are laser-focused on advancing their TPRM programs by increasing investments that mitigate third-party risk. According to our study, more than half of security and risk decision-makers are worried that poor third-party risk management would lead to slow ecosystem growth (a significant concern among TPRM leaders), operational inefficiencies, additional costs for third-party risk management, delayed timelines, and greater regulatory scrutiny. These challenges and others can be exasperating for those without a risk ratings solution or those that have one but don’t effectively use it.

Consider the following recommendations as you look to further enhance your TPRM capabilities:

• Supplement cyber risk ratings with other indicators of third-party risk. Cybersecurity ratings are a big piece of the third-party risk puzzle, but they’re not the only risk domain to consider. TPRM leaders combine cyber ratings data with business context information (e.g., privacy, mergers and acquisitions, financial performance, regulatory intelligence, etc.) to provide deeper insight into partnering decisions.
• Incorporate benchmarks into strategic planning. Whether for self-assessment or tracking third-party performance, leverage peer cybersecurity ratings benchmarks as a strategic tool for defining security requirements, identifying program gaps, and building budgets for internal risk mitigation initiatives.
• Add visibility to your existing security operations via cyber ratings data. Cyber risk ratings are more than a score — they're built on a variety of data sources that discover and attribute domain assets. This data can augment existing exposure management and security monitoring tools used in internal security operations, providing additional visibility or corroboration of findings in other tools.

---

Next Steps

Read the research

For a deeper look, read the May 2024 Forrester Thought Leadership Paper, Risk Ratings Platforms Deliver Critical Third-Party Risk Protection, commissioned by RiskRecon, a Mastercard company. This study found that high maturity in TPRM is linked to greater risk prevention and better business outcomes.

Ready to get started?

Get complimentary access to the RiskRecon cyber risk ratings portal today and discover actionable insights to fortify your organization's approach to third-party risk management like never before. Get started now.

COOKIE ACCEPTANCE IS REQUIRED TO SEE DETAILED PERSONALIZED RESULTS

Accept Cookies

Methodology And Disclaimers

Methodology

In this study, Forrester conducted an online survey of 507 full-time practitioners and those who are at the manager level or above at global organizations in North America, Europe, Latin America, and Asia Pacific to evaluate the state of third-party risk management and use of risk ratings solutions. The study was completed in January 2024.

Disclaimers

Although great care has been taken to ensure the accuracy and completeness of this assessment, RiskRecon and Forrester are unable to accept any legal responsibility for any actions taken on the basis of the information contained herein.

Accept Cookies

Decline

Close

This website uses cookies to deliver functionality and enhance your experience. Please accept the use of cookies or review your cookie settings now.

A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions (data inputs, website navigation), so you don’t have to re-enter data when you come back to the site or browse from one page to another.

Behavioral information collected by our web analytics vendor is used to analyze data pertaining to visitor trends, plan website enhancements, and measure overall website effectiveness. We may also use cookies or web beacons to help us offer you products, programs, or services that may be of interest to you and to deliver relevant advertising. We may use third-party advertising companies to help tailor website content to users or to serve ads on our behalf. These companies may also employ cookies and web beacons to measure advertising effectiveness.

Please accept cookies and the collection of behavioral information to receive full functionality and enhance your experience. If you decline cookies, some features of the website may not function normally.

Please see our Privacy Policy for more information.