The 2025 EY Global Third-Party Risk Management Survey reveals new approaches to managing risks from third parties in a more volatile environment.
- Risk leaders are using AI and centralization to fundamentally transform their third-party risk management functions for the future.
- Business uncertainty and cost pressures are driving efficiency imperatives for third-party risk management.
A confluence of trends has shaken up the external risk environment in recent years. Global supply chains have been buffeted by repeated shocks — precipitated by the pandemic, geopolitical conflicts and climate change — drawing greater attention to the resilience of suppliers and potential third-party impacts.
The rising number of cyberattacks — the IMF estimates that losses from cyberattacks have more than doubled since the pandemic and more than quadrupled since 2017 — has increased the potential for cyber risk via third-party relationships.
Heightened regulatory scrutiny and stakeholder pressures have brought increased focus on third-party practices related to a host of compliance risks, ranging from data privacy to environmental standards.
EY survey report:
- Operational risk is the most common concern when it comes to third-party risk management (TPRM), according to a recent EY survey of 500 executives at major companies. According to the study, today’s TPRM “is fundamentally misaligned with this new risk environment.”
- Financial, cybersecurity, privacy, and regulatory risks rounded out the top five concerns about third parties that executives cited.
- The data reflect growing corporate worries about the consequences of hiring subcontractors with negligent security or privacy practices.
- These worries have been heightened in the wake of many high-profile cyberattacks that involved supply chain or third-party compromises.
- The survey reveals that companies are changing the way they define a critical third party, an important consideration when mapping out dependencies.
- “While ‘financial impact’ remains the most important criterion used to define a critical third party (43%),” the report said, “this is closely followed by ‘criticality of the business process/function,’ at 39%.”
The report further says that operational and cybersecurity risks are growing while the number and complexity of third-party relationships increase.
Amy Gennarini, EY Global Risk Consulting Technology Leader, says:
Approaches are increasingly misaligned with today’s competing demands and complex risk environment. TPRM has never been more ripe for transformation.