The ProcessUnity State of Third-Party Risk Assessments 2026 report, produced with the Ponemon Institute, analyzes a persistent "maturity gap" in global Third-Party Risk Management (TPRM).
Based on a survey of 1,465 practitioners, the data reveals that while many organizations believe their programs are mature, their operational outcomes tell a different story. Organizations report experiencing an average of 12 third-party breaches per year, indicating that third-party risk is a recurring operational reality. The problem is especially pronounced in Financial Services, where 90% of organizations suffered at least one third-party breach in the past 12 months.
Several bottlenecks contribute to this lack of effectiveness. Assessments are often too slow, with 64% of large organizations reporting that cycles take longer than four months. These processes are also labor-intensive, as 63% of assessments require more than 40 hours of internal team effort. A primary cause of these delays is a reliance on manual tools; two-thirds of organizations still use spreadsheets to manage assessments. Consequently, coverage remains limited, with organizations assessing only 36% of their total vendor population on average. Furthermore, remediation is frequently deferred to prioritize onboarding speed, as only 16% of organizations complete 90% or more of remediation activities before a vendor is officially brought into the environment.
The report also identifies fourth-party risk as a major blind spot, with 58% of organizations failing to assess subcontractor relationships entirely. To address these challenges, the study notes a growing interest in Artificial Intelligence, with 44% of organizations already adopting AI to improve efficiency and free staff for higher-value work. Ultimately, the report concludes that organizations must shift their focus from process completion to outcome-driven metrics—such as reduced breach frequency and faster remediation—to close the maturity gap and protect their business ecosystems.