2025 TPRM Trends
- Katarzyna Celińska

- Oct 20
- 2 min read
Supply chain security is becoming one of the most critical and complex challenges in security. Part of that ecosystem is third-party risk management (TPRM), an area that, in my experience, too often exists only on paper. Even after years of research, countless frameworks, and increased regulatory focus, it is clear that most organizations are assessing compliance rather than managing risk.
Findings
The 2025 TPRM ecosystem is under growing pressure — with more complexity, new regulations, and rising cyber threats — yet it remains under-resourced and fragmented.
1️⃣ Understaffed & Underprepared
Two-thirds of TPRM programs are understaffed, and teams actively manage only 40% of their vendors on average.
56% of organizations cite a lack of resources as the main barrier to program growth.
Only 25% describe their programs as highly coordinated across departments.
2️⃣ Regulatory Pressure
Regulatory oversight has intensified dramatically:
Compliance team involvement in TPRM surged from 42% in 2023 to 88% in 2025.
55% of organizations increased scrutiny of third parties due to new data protection and resilience regulations.
3️⃣ Cybersecurity
85% of TPRM programs track cybersecurity risk, but coverage is broadening to other risk domains:
79% monitor data privacy
70% compliance
64% business continuity
Yet 65% of organizations lack confidence in their incident response readiness.
4️⃣ Manual Methods
Despite rising complexity, many organizations still use spreadsheets and static questionnaires as their main TPRM tools; 41% still rely on spreadsheets for risk assessments.
Only 29% can assess risk across the full vendor lifecycle.
5️⃣ AI
65% of organizations are exploring AI use cases, but only 14% are using it actively.
Data security (32%) and bias or hallucination (19%) are the top AI concerns.
The share of companies without an AI strategy dropped from 49% to just 12%, a sign that adoption is coming, if cautiously.
Recommendations
1️⃣ Build cross-functional governance across Risk, Compliance, Procurement, and IT.
2️⃣ Operationalize AI carefully.
3️⃣ Use automation for the repetitive parts of the process.
4️⃣ Integrate compliance frameworks directly into due diligence workflows.
5️⃣ Adopt a multi-tiered risk assessment model.
As someone who works with multiple organizations, I have watched this story repeat for years, from the Ponemon Institute's "Cost of Third-Party Risk" study to today's Mitratech report. The message remains the same: we don't manage risk, we manage spreadsheets. TPRM is run as a compliance exercise, not a risk management process. Organizations collect policies and certificates but rarely verify a vendor's actual security maturity. Worse, they treat questionnaires as proof rather than as conversation starters.
Author: Sebastian Burgemejster