Third-party risk management company ProcessUnity today released its State of Third-Party Risk Assessments 2026 report in partnership with the Ponemon Institute. Based on responses from 1,465 third-party risk leaders and practitioners worldwide, the study reveals a widening gap between confidence in third-party risk management (TPRM) program effectiveness and real-world results.
While respondents claim a high degree of confidence in their assessment processes to reduce breach risk, they reported their organizations average of 12 third-party breaches or security incidents per year highlighting third-party risk as a persistent and material operational challenge.
Although many respondents report established assessment processes, policies, and frameworks, the data suggests that many equate the presence of a program with effective assessments. Despite this belief, most surveyed organizations apply no metrics to evaluate whether those programs actually reduce risk. Frequent breaches, prolonged assessment timelines, slow vendor responses, incomplete remediation, and limited visibility highlighted in this study indicate that effective TPRM maturity remains elusive. The disconnect is particularly pronounced in the financial services and technology/software sectors, where organizations report strong confidence in their TPRM programs while experiencing some of the longest assessment timelines and highest breach exposure (90% of financial services organizations and 85% of technology and software companies reported third-party breaches in 2025).
CCI Publisher Sarah Hadden interviews Scott West at ProcessUnity regarding the research study’s findings. Watch the full interview here.
The findings expose systemic weaknesses that continue to undermine third-party risk programs across organizations worldwide. The following highlights illustrate where programs break down in practice, with the full set of findings detailed in the complete report.
- Manual program execution remains the norm, slowing assessment cycles and requiring human resources. Nearly two-thirds of organizations still utilize spreadsheets and homegrown or IT-built tools as part of their assessment management and tracking.
- Delayed vendor responses slow down risk decisions. 60% of organizations report vendor response timelines range from four months to more than 12 months.
- Non-response remains a persistent barrier. 27% of vendors fail to respond to assessments at all, leaving critical gaps in portfolio visibility.
- AI adoption emerges as a major accelerator. 50% of organizations reported adopting AI to support third-party risk assessments, and 21% plan to adopt AI in the near future.
“This research shows that many third-party risk programs still lack maturity and fall short on outcomes. Organizations of all sizes invest in TPRM, but that effort doesn’t always translate into efficient, effective assessments or consistent risk reduction,” said Scott West, Vice President of Product Marketing at ProcessUnity. “We invite TPRM leaders and practitioners to use this research to benchmark their programs and build plans to improve measurement, speed, scalability, and visibility to manage third-party risk more effectively.”
The research translates these findings into a blueprint for scaling third-party risk assessments. Organizations can improve outcomes by evolving from periodic reviews to continuous oversight, applying inherent risk to prioritize vendors that introduce the greatest exposure, enforcing accountability for response and remediation, and extending visibility beyond direct vendors to include downstream dependencies and concentration risk. In addition, accelerating AI adoption now enables resource-constrained TPRM teams to reduce manual effort while increasing speed, consistency, and insight across the assessment lifecycle.
“Our research is dedicated to helping organizations improve oversight as third-party ecosystems expand,” said Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute. “These findings show why scalable execution and measurable outcomes are essential. We surveyed third-party risk leaders and practitioners globally to examine how organizations assess vendors in practice and where modernization is most needed.”
Detailed findings in the report explore assessment timelines, tooling reliance, budget ownership, fourth-party risk, industry and company-size breakouts, and more.
