With the new year fast approaching, organizations are beginning to plan for 2025 and draft budgets to help these plans come to fruition. Managing risk was central last year in both planning and budgeting – and there is no sign that that trend is slowing down. Because of new laws, managing an organization’s risk increasingly means mitigating the risks of doing business with other organizations. If you operate a business, a weak point in a vendor’s or partner’s security posture might as well be a weakness in your security. Your partners’ security and transparency problems are now yours, thanks to new regulations. Concerns about geopolitics and its effect on supply chains also mean risk management may be an even bigger consideration next year.
For these reasons, the way organizations practice third-party risk management (TPRM) is rapidly evolving. Last year was a big one when it came to managing third-party risks. Still, organizations will likely find that 2025 will require the same laser focus on business resilience, sustainability, and transparency.
With this in mind, here are seven predictions for how third-party risk management will evolve and change in 2025:
1. Predictive and Comparative Reporting and Accelerated Assessment and Documentation Workflows Will Become Possible Thanks to AI
AI made its presence felt in TPRM last year, and there is every reason to believe it will play a critical role in 2025 and beyond as organizations better understand their AI deployment over time and use the technology to automate risk assessments, improve their decision-making, and spot any problems faster.
Large Language Models (LLMs) and other AI-driven systems are poised to help businesses monitor third-party risk in real-time by analyzing large datasets and identifying patterns that could signal emerging risks. These technologies will also give organizations new capabilities to examine supporting evidence and find any contradictions between assessment responses and documentation.
However, AI will only prove successful if it is underpinned by strong data security, transparency, and governance policies. Its deployment will be held back if these are lacking. Last year, for example, only 5% of companies said they actively used AI in their TPRM programs because of a lack of governance. However, these numbers are likely to change significantly in 2025 as businesses adapt and grow comfortable using AI to automate tasks and reporting.
2. New Regulations Will Coordinate Requirements and Drive Elevated Due Diligence
Around the world, governments and regulators are expected to strengthen third-party risk management requirements, especially around data privacy, ESG (environmental, social, and governance), and business resilience. Cross-border businesses will face more complex compliance challenges, which may be partially alleviated by efforts to harmonize and streamline global rules to simplify compliance.
Companies must more rigorously assess third-party suppliers and other partners, focusing on resilience and environmental impact. In America, DORA (Digital Operational Resilience Act) may serve as a model in the development of operational resilience standards in the financial sector, aligning with the efforts of the Office of the Comptroller of the Currency. The rise of ESG mandates like the EU CSRD and CSDDD will require businesses to closely evaluate their partners’ sustainability practices, such as carbon emissions, labor practices, and ethical sourcing.
3. Geopolitics Will Prompt Organizations to Assess Concentration and Resilience Risks
Political instability in the Middle East, East Africa, the South China Sea, and Ukraine is driving companies to monitor their extended ecosystems more closely. Organizations are intensifying their analysis of ultimate business owners (UBOs) and key individuals to better anticipate disruptions and avoid the risk of sanctions. Additionally, they are expanding vendor firmographic data to gain insight into regional and technological concentration risks, aiming to minimize potential downtime.
4. Third-Party Risk Ownership Becomes Embedded into Business Culture
Historically, IT security teams led TPRM programs because of the focus on IT infrastructure risks. However, as cyber threats grow and new risks emerge, TPRM must shift toward a more collaborative, enterprise-wide approach. TPRM will likely become the purview of enterprise risk teams to better integrate it with broader business processes. Procurement teams will also play a larger role, as sourcing, due diligence, and vendor offboarding are increasingly critical to managing risk effectively across the organization. This represents a major change to the way risk is mitigated today.
5. A Consolidated Board Perspective Will Require Centralized GRC and TPRM Risk Reporting
As third-party risk management (TPRM) becomes more deeply integrated with enterprise risk management, it will expand into broader governance, risk management, and compliance (GRC) functions. Boards and senior management will increasingly demand consolidated, business-impact-focused views of internal or external risks. To prepare, organizations should develop and report on unified key risk indicators accessible to both business and non-technical stakeholders, allowing for clearer insights into risk exposure and impact across the enterprise.
6. Risk Aggregation Improves Focus on Business Resilience
As third-party cybersecurity incidents remain widespread—and are likely to keep proliferating–businesses need to evaluate the collective risk posed by their entire third-party ecosystem. Recognizing how interconnected risks can affect multiple suppliers will be essential for keeping supply chains resilient.
Organizations can address this issue by adopting continuous, aggregate monitoring across risk domains—such as cyber, operational, reputational, ESG, and financial— —to quickly detect shifts in third-party risk profiles. Real-time data will enable faster, more effective responses to threats, enhancing overall business resilience.
7. The Inflection Point for Third-Party Data Breaches
In the past several years, the number of third-party cybersecurity incidents has grown significantly, jumping from 21% of companies reporting such an incident in 2021 to more than 60% reporting the same in 2024. The breaches have also increased in severity, with millions of people affected. We can expect cybercriminals to double down on these efforts in 2025, targeting third parties that support high-profile and sensitive industries such as healthcare providers, financial services companies, educational institutions, state governments, and manufacturers.
Looking to the Future
The pace of change in how organizations manage third-party risk is speeding up. The heightened focus on business resilience, the rollout of new AI programs, and new regulations will make TPRM programs more dynamic and effective.
By embracing innovations and staying in front of fast-changing trends, organizations can manage third-party risks effectively — even in a shifting landscape of business partnerships and regulatory requirements.
