A major global survey released this week on 17 March 2026 has exposed a startling reality for the financial services sector. Despite years of preparation for DORA and other digital resilience mandates a vast majority of firms are still struggling with the basics of Third Party Risk Management TPRM.

The 2026 Global TPRM Survey which gathered insights from over 850 risk professionals reveals that while the volume of third party relationships is exploding the internal capacity to manage them has stalled.

The Spreadsheet Tax

One of the most damning findings from the past seven days is the continued reliance on manual tools. The data shows that 63 percent of TPRM programmes are still being managed by teams of only one or two people. More importantly firms still using spreadsheets for their vendor risk are 82 percent more likely to receive negative findings during regulatory examinations than those using dedicated software.

This is being described by industry analysts as the Spreadsheet Tax. It is no longer just an efficiency issue it is a direct regulatory liability.

From Risk to Dependency

The survey highlights a critical shift in how we define a third party. In 2026 leading organisations are moving away from simple risk assessments and toward Enterprise Dependency Mapping.

This means looking beyond the direct vendor to understand the Nth party ecosystem. Only 18 percent of programmes are currently fully integrated with Enterprise Risk Management ERM which means for most companies the left hand does not know what the right hand is paying for. This lack of integration creates a massive blind spot when a sub processor further down the chain experiences a service outage or a data breach.

The Confidence Crisis in Data

Perhaps the most worrying statistic from the last week is that only 15 percent of risk leaders express high confidence in the data underpinning their TPRM programmes. With the European Banking Authority now deploying automated scripts to check the quality of regulatory filings having low confidence in your data is a high stakes gamble.

The Brooklyn Edge

For companies like Brooklyn Solutions this news is a double edged sword. It proves that the market for automated intelligent vendor management is larger than ever but it also shows that the competition is no longer just other software companies it is the status quo of manual processes.

The winners in 2026 will not be the firms that simply collect more data but the ones that can turn that data into what the report calls actionable resilience. This involves moving from periodic check box audits to continuous monitoring of vendor obligations and performance.

The Message for the Board 2026 is the year that TPRM moved from the back office to the boardroom. If your risk strategy cannot scale with your vendor list you are not just inefficient you are vulnerable.