New Survey Reveals That 73% Of Institutions Have Two Or Fewer FTEs Managing Vendor Risk

Ncontracts released findings from its 2025 Third-Party Risk Management Survey, revealing the biggest trends, risks, and strategies shaping third-party risk management (TPRM).

Ncontracts’ latest report is a go-to resource for understanding where banks, credit unions, and mortgage companies stand — and how their institutions compare with their peers. Conducted between November 2024 and January 2025, more than 170 banks, credit unions, and mortgage companies across a range of asset sizes participated.

One notable finding is that most financial institutions continue to operate with a lean team. Nearly three-quarters of respondents (73%) have two or fewer full-time employees managing vendor risk, even though more than half oversee more than 300 vendors. Amid staffing challenges, two-thirds of institutions (66%) report feeling pressure to enhance their TPRM programs, with nearly half citing auditors and regulators as primary drivers.

Other key findings include:

  *   Significant Cyber Risk Exposure: 49% of financial institutions experienced a vendor-related cyber incident in the past year, with recovery times ranging from under 60 days (66%) to more than 90 days (8%).

  *   Growing AI Risk Concerns: Artificial intelligence ranks as the second-biggest TPRM risk heading into 2025, with institutions increasingly adding AI usage language to contracts and implementing specific due diligence measures.

  *   Due Diligence Remains a Challenge: Collecting and analyzing vendor documents is a top bottleneck.

  *   Strong ROI Recognition: 85% of financial institutions report moderate to high value from their TPRM programs, with benefits ranging from improved cybersecurity to enhanced vendor performance and cost control.

The survey also highlights a significant use of hybrid TPRM operating models, especially among larger institutions, where dedicated TPRM teams oversee the framework while vendor owners manage day-to-day risk and performance. This approach helps balance consistency with flexibility as vendor portfolios grow more complex.

“Financial institutions are caught in a perfect storm—managing more vendors with fewer resources while facing heightened cyber threats and regulatory scrutiny,” said Michael Berman, founder and CEO of Ncontracts. “The surge in hybrid TPRM models and dedicated risk management software adoption shows that forward-thinking institutions are responding strategically.”

Berman continued, “What’s particularly encouraging is that 85% of respondents see tangible ROI from their TPRM investments. This isn’t just about compliance anymore—robust vendor management is becoming a competitive differentiator that enhances operational resilience, strengthens cybersecurity posture, and drives cost efficiencies. As vendor AI usage accelerates and cyber incidents continue to impact nearly half of institutions, those who modernize their approach will be best positioned to mitigate risks while turning vendor relationships into strategic advantages.”

Financial institutions seeking to enhance their TPRM programs should consider several key areas, including refining their TPRM operating model for scalability. Aligning oversight frequency with actual risk, implementing specific measures for emerging risks like AI, and leveraging technology to manage growing vendor portfolios are also key.