2024 in Review: Navigating the Complexities of Third Party Risk Management - And Looking Ahead to 2025

As we hurtle towards the end of 2024, one thing is clear: Third Party Risk Management has never been more critical, or more complicated. From AI innovations to escalating cyber threats and ever-tightening regulations, organisations are under increasing pressure to keep pace with a landscape that feels like it’s constantly shifting beneath their feet. But how are we managing the risks, and where are we heading?

Let’s take a look back at the key developments in 2024 and peek into what’s on the horizon for 2025.

2024 Year in Review: Key Developments in TPRM

AI: The Promise, The Perils and The Pitfalls

What’s New?

  • Explosion of AI Tools: The marketplace is flooded with AI-driven tools claiming to revolutionise Third-Party Risk Management (TPRM). But are these tools the magic bullet we’ve been waiting for, or just another shiny object in a crowded tech space?
  • Evolving Regulations: As nations race to govern AI, the regulatory landscape is getting more complex. The EU AI Act is a prime example of how authorities are trying to keep up with the technology’s rapid evolution.
  • New Risks with AI: While AI has enormous potential, it's also introducing new types of risk - especially in cybersecurity. AI is being weaponised by cybercriminals, and unsophisticated threat actors are using it as an easy on-ramp to launching attacks.

Reflections:

  • AI’s application in TPRM is still immature. While the buzz is real, the tools are not yet robust enough to significantly enhance TPRM programs.
  • The EU AI Act provides a useful regulatory framework that will likely influence how AI is governed worldwide, but we’re not quite there yet.


Cyber & Resilience: A Growing Concern

What’s New?

  • Increased Investment: Organisations are pouring more resources into assessing and managing cyber and resilience risks.
  • Scope Expansion: More firms are including third-party risks in their cyber resilience frameworks.
  • Cyber Attacks on the Rise: Cybersecurity incidents continue to rise, and organisations across various sectors are feeling the heat.

Reflections:

  • Cyber TPRM has stagnated in 2024. There’s been limited innovation in this space, and many organisations are still focused more on compliance than on actual risk management.
  • A major blind spot: Incident response and contingency planning. These need more attention if we’re going to be ready for the next cyber attack.


Regulatory Landscape: Keeping Pace (or Not)

What’s New?

  • Financial Services: Regulations like the EU DORA and NIS2 are demanding more stringent third-party risk assessments.
  • Telecoms: The Telecom Security Act is stepping up the pressure on telecom providers.
  • Cross-sector: Regulations such as CSRD, ESRS, CSDDD, and the EU AI Act are extending their reach across industries.

Reflections:

  • There’s no escaping the regulatory pressure. It’s all about accurate risk assessment, and most regulations rely on foundational activities like onboarding due diligence, contracts, periodic risk assessments and ongoing oversight.
  • Compliance is a journey, not a destination. It requires long-term investment, both in resources and people. Organisations with a mature TPRM approach demonstrate resilience by proactively adapting to changing demands, whereas reactive organisations often find themselves struggling to keep up.


Operating Models: Complexity Meets Budgetary Pressure

What’s New?

  • Growing Complexity, Shrinking Resources: TPRM is becoming more complicated, but the pressure to do more with less remains.
  • Leveraging External Resources: Organisations are increasingly tapping into the marketplace for talent, technology, and insights.
  • Limited Talent Pool: TPRM remains a niche domain and finding the right people is a growing challenge.

Reflections:

  • Siloed Activities: Even in mature organisations, activities are often duplicated and siloed. It’s time to consolidate.
  • Market Resources: There’s a real opportunity here to leverage external resources to enhance your TPRM program without reinventing the wheel.

But - what's next? Read on for our 2025 predictions...

Predictions for 2025: What’s Next for TPRM?

As we look toward 2025, the pressure isn’t going away - if anything, it’s ramping up. Here’s what we expect to see:

AI: Growth, Governance, and Risk

Predictions:

  • Expansion of AI in Supply Chains: Expect to see even more widespread adoption of AI in supply chain management. But with that growth comes increased scrutiny.
  • The EU AI Act’s Influence: The EU AI Act, which comes into effect in May 2026, will set a regulatory baseline that’s likely to influence other countries’ approaches to AI governance.

What Does This Mean for You?

  • Do you know who owns AI risk in your organisation?
  • Do you have an AI policy or framework that includes third-party AI usage?
  • Are you aware of which third parties in your ecosystem use AI and do you have an inventory of those relationships?
  • How do you manage the AI risk that originates outside of your organisation?


Cyber & Resilience: Efficiency, Not Revolution

Predictions:

  • No Major Leap in Cyber TPRM: While the cyber threat landscape will continue to evolve, operating models will likely focus on efficiency rather than groundbreaking innovation.
  • Geopolitical Instability: Expect more cyber incidents tied to geopolitical events, with the potential to disrupt your supply chain.
  • Growing Focus on Cyber Resilience: Cyber resilience will become a higher priority, but it will still be viewed through the lens of compliance rather than risk management.

What Does This Mean for You?

  • Align your SOC teams, incident responders, and TPRM teams for a more cohesive approach to cyber resilience.
  • Leverage threat intelligence sources to improve contextual awareness of evolving risks.
  • Conduct tabletop exercises to test your incident response protocols and improve preparedness.
  • Consider how AI impacts your cyber risk and adapt your operating model accordingly.


Regulations: Expect More, and Sooner

Predictions:

  • Regulatory pressure will continue to expand across sectors - and the deadlines are closing in.
  • By 2025, you’ll face multiple regulatory deadlines, including DORA (Financial Services) and the PRA Operational Resilience Framework (UK).

What Does This Mean for You?

  • Do you have the right teams in place to navigate these regulations? Do they have the necessary skills to meet the evolving demands?
  • With DORA (January 2025) and the PRA deadline for operational resilience (March 2025) on the horizon, it’s time to get serious about compliance. Are you ready?


Operating Models: Collaboration & AI Disruption

Predictions:

  • Expect more collaboration between Resilience and TPRM teams. We’re already seeing this trend, and it’s likely to intensify.
  • Outsourcing Operational TPRM: Tactical and high-volume TPRM tasks will increasingly be outsourced, allowing internal teams to focus on managing the outputs.
  • AI Disruption: AI will continue to disrupt how TPRM operating models function. Are you ready for this change?

What Does This Mean for You?

  • Have you assessed your operating model to identify gaps or inefficiencies? If not, now is the time.
  • Consider leveraging external resources to fill the gaps in your TPRM program.

The Future of TPRM Is Complex, But Manageable

The world of Third-Party Risk Management is evolving at breakneck speed. While challenges abound - whether it’s the growing complexity of AI, the rising tide of cyber threats, or the ever-expanding regulatory landscape - organisations that stay proactive, innovative, and resourceful will be best positioned to navigate these risks.

The key is agility - being able to adapt to emerging risks, technologies, and regulations without losing sight of the core principles that have always underpinned effective risk management. As we look to 2025 and beyond, the best TPRM programs will be those that integrate, collaborate, and innovate - and are ready for whatever the future holds.

If you would like some support with your 2025 projects or TPRM requirements, get in touch with one of the team!
