Crowe 2025 TPRM Benchmark Study

People: Structure TPRM for success

• Centralized teams, expanding demands. Despite managing hundreds or thousands of third parties, most organizations continue to operate with relatively small, centralized TPRM teams. Only 38% of participants currently employ a staffing ratio of at least one dedicated TPRM resource to 100 actively managed third parties, which is commonly seen as a resourcing best practice. This percentage suggests that TPRM resourcing has largely plateaued, even as third-party populations, risk domains, and regulatory expectations continue to expand. Such an imbalance is increasingly forcing organizations to prioritize efficiency, automation, and outsourcing to maintain appropriate coverage.
• Internal collaboration. More than half of respondents identified collaboration between internal TPRM stakeholders and subject-matter experts (SMEs) as a significant pain point in third-party risk programs. While most organizations maintain dedicated TPRM resources, they also depend heavily on cross-functional teams, such as information security, finance, and compliance, to inform risk decisions. When roles, responsibilities, and escalation paths are not clearly defined, this collaborative model can introduce inconsistency in risk outcomes and result in duplicated effort as programs scale.
• Outsourcing practices. Roughly 38% of organizations surveyed reported outsourcing some form of TPRM activities. Of those that outsource, participants most heavily use external resources for assessments (56%), third-party oversight (56%), and ongoing monitoring (33%). These numbers reflect a growing reliance on external support to maintain assessment throughput and ongoing monitoring coverage without materially increasing internal headcount.

• Assessing AI risk within the third-party population. Organizations are beginning to formally incorporate AI-specific risk considerations into their TPRM processes. Approximately 63% of respondents reported that they assess third parties for AI or machine learning-related risks, either through dedicated questionnaire content, targeted follow-up questions, or other validation mechanisms. This trend points to an emerging shift toward treating AI as a distinct risk domain, which requires clear scoping, governance alignment, and integration into existing due diligence and ongoing monitoring processes.
• Assessment depth tailoring. Assessment length increases as third-party risk levels move from low to critical or high risk. Study results revealed that 84% of respondents use some form of risk-based assessment tailoring, which reflects growing maturity in balancing process efficiency with regulatory defensibility, particularly for low-risk vendors.
• Third-party risk tiering. The benchmark study showed that more organizations rely on third-party-level risk tiering rather than engagement-level tiering. Of the respondents, 67% tier third parties at the third-party level, compared to 30% that only tier at the engagement level, with several noting that they apply tiering to potentially both, depending on risk domain or tooling constraints. Methodologies were consistent across organizations with attributes such as scoring-based, weighted questionnaires or domain-level flags that aggregate into an overall inherent risk rating.

• AI enablement. Survey responses showed that AI adoption within TPRM programs remains limited; 71% of respondents indicated they have not yet adopted AI tools to directly support their TPRM function. This level of adoption lags broader AI use across industries, as financial services organizations tend to adopt emerging technologies more cautiously due to regulatory oversight, data governance requirements, and model risk considerations. Separately, 46% of organizations reported plans to introduce AI-enabled technologies or data feeds within the next three years, which reflects a growing interest in improving efficiency and strengthening risk identification and monitoring. Because AI tools and use cases have expanded rapidly since the survey period, subsequent discussions suggest this figure might understate current interest in near-term adoption.
• Data feeds. Respondents (88% of participants) reported negative news as the most commonly monitored risk domain of those organizations that use data feeds to educate their programs on a continual basis. This domain overtook 2024’s top two monitored domains of cybersecurity ratings and financial health, now used by 82% and 76% of organizations, respectively. This shift highlights growing emphasis on external risk intelligence that can surface emerging issues between formal reassessments.
• Technology investments. Respondents indicated that over the next 12 months, they expect new technology investments and the expansion of monitored risk domains to be the primary drivers of increased TPRM budgets. This expectation reinforces the role of technology – including emerging AI capabilities – as a force multiplier that supports scale and consistency rather than a standalone solution.