Setting The Record Straight On The Third-Party Risk Management Market

Third-party risk management (TPRM) is high on the list of business and risk management priorities, and that’s a good thing. Despite predictions in the early days of the pandemic that firms would rein in their outsourcing strategies, the third-party ecosystem continues to grow, smaller vendors and suppliers remain cybersecurity targets, the global regulatory machine continues to churn out new requirements, and disruption in the value chain has become a regular occurrence. For TPRM vendors, that’s great news because, unlike in the years following the Great Recession, firms aren’t pulling back on security and risk investment.

What’s In A Name? Is It TPRM Or IT VRM?

To-may-to, to-mah-to, right? Not exactly. Here’s some context on third-party risk nomenclature. Financial services use “third parties” to align with OCC (Office of the Comptroller of the Currency) language, healthcare references “business associates” to align with HIPAA, and manufacturing commonly uses “supplier.” Everyone else gravitates to the term “vendor,” because much of what we now call third-party risk management started out with (and, in some cases, is still mostly focused on) software vendors and IT services providers, where the primary concern is about complying with the IT control frameworks/standards.

Forrester uses “third party” to refer to these entities, plus nontraditional third parties such as foreign affiliates, external legal counsel, PR firms, contingent or gig workers, and even your board of directors. If it’s not an employee, then it’s a third party.

The TPRM Market Is Not “One Size Fits All”

There are several types of vendors that support the TPRM market, each specializing in one or more risk domains, industries, or levels of customer maturity. For us, third-party risk is more than a cybersecurity rating or a due diligence tool. Forrester defines this category as:

Platforms that identify, assess, score, monitor, and report on risks to the organization stemming from its third-party relationships. They support analysis, treatment, and workflow for risk mitigation at every stage of the third-party lifecycle, including: 1) sourcing/procurement, 2) due diligence, 3) selection, 4) onboarding, 5) ongoing risk monitoring, and 6) termination/offboarding.

When it comes to managing risk and compliance of third-party entities, there’s no shortage of options. The new report, Now Tech: Third-Party Risk Management Platforms, Q1 2022, categorizes 22 of the top TPRM technologies into four segments based on their capabilities:

  1. Dedicated technologies. These provide robust capabilities throughout the third-party risk management lifecycle. They offer a combination of domain expertise and breadth of functionality to support all levels of TPRM maturity.
  2. GRC platforms. Governance, risk, and compliance (GRC) platforms offer robust support for a wide range of risk and compliance use cases in addition to TPRM.
  3. Exchange sponsors. Exchange sponsors offer access to prepopulated and validated assessment results, multiple types of documentation and evidence, and analytics.
  4. Vertical-focused vendors. These providers have the depth of expertise of dedicated technologies, the range of capabilities of GRC platforms, and often provide supporting services but are singularly focused on industries with complex third-party compliance requirements.

Each segment contains vendors that will be a good fit for different types of buyers.

Read the full Now Tech report for a closer look at the four functionality segments and deeper insight into the TPRM platform market. And look out for a more detailed evaluation of vendors in this space in the upcoming The Forrester Wave™: Third-Party Risk Management Platforms, Q2 2022.

(written with Isabelle Raposo, research associate)
