
Is Your FI Behind on TPRM? Benchmark Your Program Against Peers

7 min read
Apr 17, 2025

Financial institutions (FIs) are facing growing vendor risk challenges, from managing hundreds of third parties with limited resources to keeping up with evolving cyber and AI risks.  

Those are just some of the findings from The Ncontracts 2025 Third-Party Risk Management Survey. The report features insights from banks, credit unions, and mortgage companies with assets from under $1 billion to $10 billion-plus.  

Whether you are involved in risk compliance, vendor management, or operations, and regardless of whether you work at a bank, credit union, fintech, or mortgage company, the insights shared will help you benchmark your practices, learn from peers, and evolve your TPRM program.  

Here are some of the key highlights from the survey. 

On-Demand Webinar: Survey Insights: How Financial Institutions Are Navigating Vendor Management  

Vendor sprawl is real 

Institutions of all sizes manage many vendors. Over one-third of FIs with assets over $10 billion have more than 1,000 vendors, while another third manage between 500 and 1,000. Nearly half of smaller institutions (under $1 billion in assets) oversee 100 to 300 vendors, and about 20% track fewer than 100. Additionally, 63% of institutions with $1 billion to $10 billion in assets manage 100 to 500 vendors. 

How many total vendors are included in your TPRM program?

While fewer vendors may seem more manageable, a handful of critical vendors can generate a year’s worth of work and due diligence. This is especially true as the definition of “vendor” expands to include fintechs and other partnerships that allow for a flexible plug-and-play approach. 

As FIs increasingly depend on external services — including fourth, fifth, and nth parties — their vendor oversight must also increase. 

Actionable Insight: Once you reach 300-plus vendors, your risks and workload will scale quickly. Review your processes and tools to ensure quality vendor management as you grow. 

Watch On Demand: Mastering Vendor Tiering Webinar  

Most FIs have lean TPRM teams 

The data underscored what many FIs already know: TPRM programs are running lean.  

Fifty-six percent of FIs under $1 billion in assets have only one or two people managing their TPRM programs, while nearly a third say they don’t have a full-time employee (FTE) to manage it. In other words, TPRM is often a part-time job layered onto someone’s — or multiple team members’ — already-full plates.  

The trend also applies to mid-sized institutions, with 72% relying on only one or two FTEs to manage hundreds of vendor contracts, System and Organizational Controls (SOC) reports, risk assessments, renewals, terminations, and other tasks.  

How many full-time employees are dedicated to your TPRM program?

Actionable Insight: FIs manage a complex web of operational, cyber, and compliance risks with limited team resources. Implement automated tools to streamline processes, making it easier to handle the workload. The good news is that 85% of FIs use a dedicated TPRM software platform or a module inside an enterprise risk management (ERM) platform to manage third-party risk.  

Additionally, ensure your team is on board and understands the importance of TPRM. A clear tone from the top helps allocate necessary resources. Housing TPRM in your institution’s risk management department also helps to bridge communication and collaboration between frontline operations and the board. One credit union noted, “The better I do at uncovering/reporting vendor concerns, the more attention TPRM gets.”  

Related: Creating a Vendor Board Package 

TPRM programs are maturing, but there’s room for improvement

There is no one-size-fits-all approach to TPRM, but where your FI’s operating model sits on the spectrum (centralized, decentralized, hybrid, or outsourced) reveals your risk culture, resources, and maturity level.  

Hybrid, Centralized, Decentralized, and Outsourced Operating Models

Operating model types include:  

  • Centralized: One team handles all aspects of vendor management, including due diligence and ongoing monitoring. It offers a streamlined process but can create bottlenecks if the team is under-resourced or key personnel are unavailable. 
  • Decentralized: No single team is responsible for vendor management; risks are scattered across various departments. It can be flexible and responsive initially but often leads to confusion and a lack of accountability, especially during crises. 
  • Hybrid: This model combines elements of centralized and decentralized models and balances scalability with accountability. It allows for greater efficiency without losing control over vendor management. 

Hybrid and centralized models predominate across institutions of all sizes. Sixty-seven percent of large institutions use a hybrid model, while 58% of small institutions use centralized models. As FIs continue to grow and scale their TPRM programs, the hybrid model is the gold standard, as it lets a central team handle governance while individual departments manage vendor performance.   

Centralized, Hybrid, and Decentralized operating models at financial institutions

While 90% of FIs have established TPRM programs, the maturity levels vary.  

Only about one-fourth of all institutions have fully integrated TPRM into their broader risk management framework with continuous monitoring and updates. Another 23% have “managed” programs, which are fully established but not optimized. Most FIs see their program as “implemented” but needing improvement. 

What stage of development is your TPRM program in?

While most FIs admit they need work, there is an optimistic trend among FIs with less than $1 billion in assets. They focus on vendor risk management, with 40% of their TPRM programs implemented and another 30% managed. Despite having smaller teams and fewer resources, small institutions are making progress. 

Another focus area is metrics, which measure a program’s health, stability, and effectiveness. Only 26% of FIs say their metrics are fully defined and operational, suggesting they either lack solid metrics or are still working to define them.  

Building effective metrics is challenging; it goes beyond counting vendors or reports and requires tracking performance trends and overall value. Meanwhile, 30% of institutions either have no metrics or are still unsure how to define them, creating a gap that leads to a lack of visibility.  

Actionable Insight: Simply having a TPRM program is not enough—optimization is crucial. Start by reevaluating the risk management lifecycle and identifying where your FI can improve, such as critical vendor risk ratings, vendor risk assessments, roles and responsibilities, or employee training programs. 

When it comes to metrics, awareness is the first step toward improvement. Start with small, meaningful key performance indicators (KPIs) to measure and track progress over time. 

Related: Learn all the key aspects of vendor management with the Nstitute Certified Vendor Management Professional Training (NCVMP) program 

Dynamic risk calls for more due diligence

Due diligence is a critical but time-consuming part of the TPRM process. Getting the proper documents from vendors and analyzing vendor reports are among the top challenges FIs face. Tailoring due diligence documents for each vendor is also mentioned, underscoring the importance of automation and process improvements.  

Nearly half of all institutions’ vendor risk assessment schedules depend on the risk type, suggesting they use dynamic risk management (DRM). This proactive, flexible approach enables FIs to identify, assess, and mitigate risks in real time.  

However, more than a third of all FIs reevaluate annually. While this traditional risk management approach is ideal for low-risk areas or FIs with limited resources, DRM enables FIs to reduce their risk exposure proactively.  

How often are you reviewing vendor risk profiles and documentation?

Actionable Insight: The larger your vendor portfolio, the more often due diligence should occur. With limited time and resources, teams frequently get buried in paperwork, chase down documents, and rely on surface-level reviews that miss key risks.  

Ncontracts’ TPRM Control Assessments combine AI-powered evaluation with expert human review to help your FI gain deeper insights, strengthen oversight, and efficiently reduce risk exposure.  

Cybersecurity and AI risks continue

Fifty percent of FIs cited cyber threats as their primary TPRM concern, which isn’t surprising given that nearly half (49%) of surveyed FIs experienced a low or moderate-impact third-party cyber incident in the past year. These incidents resulted in delayed loan closings, operational workarounds, civil suits, service delays, and time away from strategic work.  

Over the past 12 months, has your organization experienced a third-party cyber incident?

Vendor AI usage is also a significant concern. Most FIs monitor vendor AI usage – only 34% of institutions under $1 billion and 15% of those above $10 billion in assets report no monitoring efforts.  

How is your organization currently or planning to assess vendor usage of artificial intelligence?

FIs mainly rely on two key methods for managing vendor AI risks: adding AI usage language to the contract and collecting vendor documentation, both of which are strong risk controls. 

Actionable Insight: Cyber and AI will remain among regulators’ top concerns in 2025 and beyond. To maximize your TPRM program, ensure your operating model is scalable and your oversight is aligned with actual risks. Leveraging technology to manage vendor growth and gain a strategic edge is also key.  

Related: A Guide to Emerging Risks in Banking for 2025 
