Search Results

Blog Posts (102)

  • Coordinating Third Party Incidents Across the Extended Enterprise | TPRM Exchange Podcast Episode 1

    In today’s third party risk landscape, the most significant incidents often don’t originate within your organization; they come from vendors, suppliers, and partners you depend on. When that happens, your team is left responding to an event you don’t control, with limited visibility and increasing pressure from leadership and regulators.

    In this episode of the TPRM Exchange Podcast, host Hilary Jewhurst sits down with Sagar Sudhir Behere, Enterprise (ERM) & Third Party Risk (TPRM) Oversight Senior Manager, to explore what effective incident response looks like in a third party context. Drawing from deep experience in resilience planning and complex outsourced environments, Sagar shares practical insights on how organizations can better coordinate, communicate, and respond when vendor incidents occur.

    “Early response is about decision-making under uncertainty—not perfect information.”

    Together, they discuss the key differences between internal and third party incidents, common misconceptions around vendor visibility, and why contractual protections alone aren’t enough. The conversation also dives into how to balance speed with accuracy, manage internal stakeholder tension, and build stronger recovery and resilience practices after an incident.

    “Move fast with awareness. Slow down with conclusions.”

    Whether you’re building or maturing your TPRM program, this episode offers actionable guidance to help you improve incident response coordination and strengthen your organization’s readiness.

    What You’ll Learn
    - How third party incidents differ from internal incidents, and why that matters
    - What information is critical in the first hours of an incident
    - Common blind spots, including fourth-party dependencies
    - Why contracts don’t guarantee effective incident response
    - How to balance speed, uncertainty, and communication
    - What defines a truly successful recovery
    - A practical exercise to improve vendor incident readiness

    “You’ll learn more in one hour of a vendor scenario than months of questionnaires.”

    About the Guest

    Sagar Sudhir Behere is a recognized thought leader in Third Party Risk Management (TPRM) and Enterprise Risk Management (ERM), with decades of experience implementing innovative risk frameworks across Fortune 100, Tech, FinTech, and FAANG organizations. As Head of TPRM at Circle Internet Financial, he has built Circle’s TPRM program from the ground up, achieving industry-leading efficiency and automation, including reducing vendor risk assessment processes by over 90%. His work integrates blockchain, AI, and automation to optimize compliance, risk oversight, and operational resilience. Sagar is an active contributor to industry standards and best practices, mentoring emerging leaders in risk management. He regularly shares his expertise at global conferences and on the customer advisory board, influencing how organizations worldwide approach AI, automation, and blockchain integration in risk programs. His contributions are recognized for driving original, impactful solutions that redefine efficiency, governance, and innovation in global risk management.

    Have a question or topic idea? Send us your suggestions at: pod@tprassociation.org

  • From Risk Reality to Readiness: Practical Preparation for TPRM in 2026

    In TPRA’s December blog, “TPRM State of the Industry: The 2026 Risk Reality Check,” Heather Kadavy laid out what many practitioners are dealing with heading into 2026: deeper dependency chains, more AI use by third parties, higher expectations for ongoing oversight, and external pressures that land through suppliers.

    This blog discusses what to do with that reality in practice. The sections below focus on preparation and actions that can be put in place early and reused throughout the year, so programs are not rebuilding workflows every time a third party issue surfaces. What follows is practical guidance, not a maturity model or a checklist. The goal is usable steps that support consistent execution as issues surface.

    1) Third party visibility that supports decisions

    Third party issues often become harder to manage once the same questions circulate across functions: who is involved, what systems or data are affected, and which dependencies sit behind the third party. When that information is fragmented, early coordination slows.
    - Consolidate third party inventories across Procurement, IT, Cyber, Privacy, Finance, and Compliance.
    - Tag third parties with service, data they can access, criticality, connectivity, primary hosting region, and key sub-service providers.
    - Track unknowns, such as unclear data exposure or missing sub-service provider detail, and reduce them over time.
    Visibility supports alignment when decisions are needed.

    2) Tiering for effective and efficient risk management

    As third party populations grow, tiering becomes essential to keep program requirements proportional to inherent risk. The point is not only due diligence depth. Tiering and criticality help structure how the program addresses the most common risks and the biggest threats in a consistent way.
    - Define your risk tiers (high, moderate, and low) using inherent risk factors such as data sensitivity, access level, operational criticality, concentration risk, regulatory compliance, and geography.
    - Identify third parties that are essential to operations, interact directly with customers, or could reasonably drive regulatory scrutiny if they fail or experience an incident, and flag them as critical.
    - Assign every third party both a risk tier and a critical or not critical designation, so the program can clearly identify which vendors require the most scrutiny, due diligence, monitoring, and oversight.
    - Use the risk tier to set baseline program requirements, such as due diligence scope, evidence expectations, monitoring cadence, issue management timelines, and escalation triggers.
    - For critical third parties, set heightened requirements across contracts, business continuity and disaster recovery expectations, scenario testing, performance monitoring, and incident coordination.
    The intent is to structure program effort around where risk and impact concentrate.

    3) Practical Nth-party accountability

    Sub-service provider exposure often becomes visible after an issue has already arisen. At that point, teams are working to understand who else is involved and what leverage exists.
    - Require disclosure of material sub-service providers, hosting locations, and changes that affect data or service delivery.
    - Request sub-service provider data maps for critical third parties only, focused on dependencies that carry real impact.
    - Start with a small group of critical third parties and expand once the process is repeatable.
    Sub-service provider work tends to be most useful when it starts with the dependencies that affect service delivery or data exposure, then broadens over time.

    4) Monitoring with clear ownership, including performance

    Many organizations receive more third party risk information than they can act on. Without thresholds and ownership, monitoring loses operational value. Monitoring also needs to cover performance, not just risk events, because service degradation and missed deliverables often surface before a formal incident.
    - Define a short list of conditions that require attention, such as breach disclosures, ransomware activity, sanctions exposure, financial distress, critical vulnerability exposure, major control changes, or sustained service issues.
    - TPRM sets the cadence and requirements for monitoring based on risk tier and criticality, including what must be reviewed, how it is documented, and when escalation is required.
    - The business owner manages third party performance and is accountable for driving timely, complete remediation with the third party, including Service Level Agreement (SLA) review, corrective actions, and escalation when customer or operational impact is at stake.
    Ownership and accountability drive follow-through and better outcomes.

    5) Third party incident readiness and continuity coordination

    Third party incidents rarely affect just one function. They can raise legal questions, trigger privacy assessments, affect operations, or require triage from Information Security teams. When a critical provider is degraded or offline, business continuity and recovery planning becomes part of the same conversation.
    - Develop a third party incident and continuity playbook with cyber, legal, privacy, procurement, business owners, and business continuity and recovery stakeholders. Include notification and evidence requests, impact assessment, escalation paths, communications, recovery time and recovery point expectations, workaround options, and decision points for failover or alternate sourcing.
    - Run tabletop exercises that include both incident handling and service disruption scenarios, using at least one critical third party as the case study.
    - Confirm 24/7 contacts, notification SLAs, and continuity-related commitments for critical third parties, including recovery objectives and support expectations during disruptions.
    Preparedness here reduces confusion during incidents and shortens the path from impact to recovery.

    6) AI governance in intake and contracts

    AI use by third parties can affect data handling, security controls, and compliance obligations. Addressing expectations early helps reduce rework later.
    - Ask where AI is used, what data it touches, whether data is used to train models, retention practices, access controls, and incident handling.
    - Include contract language on data use, transparency, and notification when AI-related practices change.
    - Require third parties to identify material changes to AI-enabled features, underlying model providers, or data processing workflows that could affect confidentiality, integrity, availability, privacy, or regulatory obligations.
    The goal is oversight and defensible governance, not blocking adoption.

    7) Regional and geopolitical disruption

    External pressures often reach organizations through suppliers. Preparation means thinking through how disruption would affect service delivery and contractual obligations.
    - Identify single points of failure by region, facility, cloud zone, or logistics route.
    - Document substitution options and what can be paused if disruption occurs.
    - Run scenario exercises tied to regional or geopolitical disruption and update continuity assumptions.
    Scenario work surfaces dependencies that are otherwise easy to miss.

    8) Cross-functional integration

    Third party issues tend to escalate when relationship ownership, escalation paths, and decision authority are not clearly defined.
    - Name a business owner for each third party to own the relationship and drive risk remediation.
    - Document risk acceptance authority and escalation paths, typically an executive owner or committee.
    - Hold regular decision meetings for exceptions, remediation approvals, renewals, access changes, and exits.
    - Maintain an exceptions register with clear expiration dates.
    Regular coordination keeps decisions moving and reduces friction when issues span multiple functions.

    9) Develop a scorecard leadership will use

    A small, consistent scorecard helps leadership see where risk is concentrated and where follow-up is lagging. Track a limited set of measures:
    - Percent of critical third parties with current evidence-based validation
    - Percent with known material sub-service providers
    - Time to triage third party incidents
    - High-risk issues past agreed timelines
    - Concentration risk across core functions
    Metrics are most useful when they inform decisions and drive action.

    Closing thought

    None of these actions requires rebuilding a TPRM program. They require clarity on roles, a disciplined way to separate critical third parties from the broader population, and monitoring and escalation approaches that connect risk signals to real follow-up. The programs that hold up best tend to be steady on the fundamentals, especially when third party issues arrive alongside procurement deadlines, operational pressure, and leadership questions.

    Author Bio

    Hilary Jewhurst, Sr. Membership & Education Coordinator at TPRA

    Hilary Jewhurst is a seasoned expert in third party risk and risk operations, with nearly two decades of experience across financial services, fintech, and the nonprofit sector. She has built and scaled third party risk programs from the ground up, designed enterprise-wide training initiatives, and developed widely respected content that helps organizations navigate regulatory complexity with clarity and confidence. Known for turning insight into action, Hilary’s thought leadership and educational work have become go-to resources for professionals looking to mature their TPRM programs. She regularly publishes articles, frameworks, and practical guides that break down complicated risk topics into meaningful, accessible strategies. Hilary recently joined the Third Party Risk Association (TPRA) as a staff member, supporting industry-wide education, peer learning, and advancing best practices. She is also the founder of TPRM Success, a boutique consultancy that helps organizations strengthen their third party risk management capabilities through targeted training, tools, and strategic guidance.

  • Continuous Improvement in TPRM: When “Good Enough” Becomes a Problem

    Most third party risk management (TPRM) programs stall not from a lack of effort, but because teams get stuck in routine: assessments proceed, documents are exchanged, and dashboards look fine. It all appears effective until someone asks a tougher question: is the program really getting better, or is it just running as usual?

    Practitioners often recognize when nothing is broken, but the process feels stuck. The same issues repeat, third parties ask familiar questions, and teams rely on old workarounds to avoid disrupting the routine. At this point, the program may seem mature from the outside, but inside it has settled into maintenance mode. The team is focused on keeping things running rather than questioning whether the process still fits. This gradual shift is when continuous improvement matters most.

    The Risk of Operational Comfort

    Repetition in TPRM programs can signal maturity or simply routine. Templates have passed audits, questionnaires seem complete, and the team knows where manual fixes are needed because they’ve seen these problems before. Meanwhile, the organization is changing. Third parties may offer more products or assume larger roles. Cloud use grows, and data sharing is more complicated than when the program started. A third party that once handled a small task might now be responsible for a critical function. If the program runs as originally designed, it can lose touch with the environment and rely on outdated assumptions, even as risks change.

    Actions to Take: Once a year, bring together Security, Procurement, Legal, and business stakeholders for a practical discussion on how well the program reflects the risks of current operations. Ask which third parties are more critical today than they were a few years ago, which parts of the process cause the most friction, and which risks feel harder to evaluate than they used to. Those answers usually reveal where the program has fallen out of alignment.

    Continuous Improvement Is Not a Program Overhaul

    “Continuous improvement” can sound daunting, like a massive redesign or endless meetings. But small, steady steps are more practical and effective than big overhauls. Simple changes can help without overwhelming the team. In reality, improvement is often much simpler. It’s about noticing what the program is already showing you and using that to make changes.

    Most stalled programs don’t lack effort. They lack a way to learn from results. Lessons are recorded but rarely drive change. Onboarding problems persist, and third party incidents are treated as isolated events rather than as prompts for process improvement.

    Pro tip: Review last year's most common third party findings. Clearly identify whether they led to changes in the program, such as revised questionnaires, clarified evidence requirements, enhancements to contracts, or altered monitoring priorities. If you identify no resulting changes, the takeaway is that the program needs a stronger improvement loop, not more automation.

    The Feedback Loop Many Programs Overlook

    TPRM programs naturally generate assessments, test results, incident follow-ups, and alerts that reveal how well the process works. But most teams focus on completing tasks, rarely pausing to spot patterns. Continuous improvement begins when practitioners see this data as feedback. Some controls get vague answers from third parties. Certain requirements may tend to lead to frequent exceptions. Monitoring sometimes finds problems that assessments missed. These are not just third party actions; they show where the program needs to change. Programs that adapt to these patterns become more effective over time. Updating the process with new insights is key.

    Actions to Take: Once a quarter, review several completed assessments and ask a simple question: what did these reviews teach us about our process? Not only about the third parties, but about the program itself. To make these quarterly reflections easier, consider using questions like:
    - Which requirements caused the most confusion or pushback from third parties?
    - Did any part of our process slow down unnecessarily, and why?
    - Are there risks we failed to catch until after the assessment, and what signals did we overlook?
    These questions highlight where the program needs to change and encourage real discussion.

    Where Improvement Usually Starts

    Improvement usually begins in three areas: assessments, governance, and risk communication.

    Assessment questionnaires often grow over time as new questions are added but rarely removed. Eventually, they become hard to complete and review without adding value. Mature programs review assessments, remove redundancies, clarify evidence needs, and focus on meaningful risk controls.

    Pro tip: Identify the questions third parties struggle to answer most often. If responses are vague or copied from policy templates, the issue may not be the third parties. The question itself may need revision or a different validation approach.

    Governance models need regular review. Current third party tiering may be outdated, and review schedules can become unbalanced. Regular checks help restore focus where it matters most.

    Actions to Take: Review the third party inventory and ask a simple operational question: if this third party failed tomorrow, what would actually happen to the business? If the answer does not match the third party’s current risk tier or oversight level, the governance model likely needs adjustment.

    Risk communication often requires improvement. Detailed reports may obscure key decisions. Sometimes, making reports clearer and simpler is the most valuable change.

    Pro tip: In the next leadership report, replace one status slide with a single prompt: what third party risk decision requires attention this quarter? If that question is difficult to answer, the reporting model may need refinement.

    Identifying When Your Program Has Plateaued

    Teams rarely admit that a program has stalled, even when clear patterns appear: repeated findings, recurring exceptions, and reviews that have become routine. This plateau doesn’t mean failure. It just means it’s time to rethink improvement. Instead of just checking whether the process is followed, the team should ask whether it still aligns with reality. The key is that moving from maintaining to reflecting helps the program grow.

    Actions to Take: Choose one program component each year and deliberately revisit its design. It might be third party tiering, assessment scope, monitoring strategy, or reporting. Improvement rarely appears on its own. Someone has to decide that it is time to look again.

    Continuous Improvement as a Habit

    The best TPRM programs aren’t always the ones with the longest questionnaires or the most detailed governance charts. They are the ones where people stay curious about how their process works and work to make it better. They review their assumptions before they become outdated, learn from third party incidents instead of treating them as isolated events, and adjust oversight when business needs change. Continuous improvement is a habit, not a project. Regular reflection is essential to maintaining the value of third party risk management as a practice. When this habit becomes routine, maturity usually follows. It’s not because the framework is perfect, but because the program keeps learning.

    Author Bio

    Hilary Jewhurst, Sr. Membership & Education Coordinator at TPRA

    Hilary Jewhurst is a seasoned expert in third party risk and risk operations, with nearly two decades of experience across financial services, fintech, and the nonprofit sector. She has built and scaled third party risk programs from the ground up, designed enterprise-wide training initiatives, and developed widely respected content that helps organizations navigate regulatory complexity with clarity and confidence. Known for turning insight into action, Hilary’s thought leadership and educational work have become go-to resources for professionals looking to mature their TPRM programs. She regularly publishes articles, frameworks, and practical guides that break down complicated risk topics into meaningful, accessible strategies. Hilary recently joined the Third Party Risk Association (TPRA) as a staff member, supporting industry-wide education, peer learning, and advancing best practices. She is also the founder of TPRM Success, a boutique consultancy that helps organizations strengthen their third party risk management capabilities through targeted training, tools, and strategic guidance.

Other Pages (360)

  • Morgan Binder | Stripe

    Get to know Morgan Binder of Stripe, a member of TPRA's Board of Directors!

    Morgan Binder, Stripe, Chairman of the Board

    Morgan is currently part of the Third Party Risk team at Stripe and has spent the duration of her career in the risk and compliance space. Her belief in right-sized foundational governance based on benchmarks and best practices has enabled her to develop nimble enterprise, operational, and third party risk programs for financial firms. Tooling enablement has also been a major part of her experience, ranging from initial selection and implementation to ongoing administration. Morgan has an M.S. in Enterprise Risk from Boston University and a B.S. in Management from Bentley University. She is based in the greater Boston area.

  • Vincent Scales | CVSHealth

    Get to know Vincent Scales of CVSHealth, a member of TPRA's Board of Directors!

    Vincent Scales, CVSHealth, Board of Directors

    Vincent Scales is a third party security & risk management leader with 20 years of experience building, delivering, and operating shared services and third party security & risk management programs in large enterprises, both from the perspective of the outsourcer and that of the service provider. Currently, Vincent is Lead Director, Third Party Security at CVSHealth, leading a portfolio of third party security risk management activities. He holds a Bachelor’s in Business Administration from Northern Arizona University and a Master’s in Business Administration from Arizona State University. Vincent resides in Phoenix, AZ with his wife and their three labradoodles.

  • ABOUT | TPRA

    Learn all about the Third Party Risk Association (TPRA), our mission, vision, and key team members.

    Our Story

    The Third Party Risk Association (TPRA) was created out of a necessity to build a community of like-minded third party risk professionals to allow for the sharing of best practices, exchanging of ideas, and influencing of an industry. Our founders are practitioners who built their own third party risk programs within their respective organizations and were looking for a vendor-agnostic community that could help them elevate their programs. When they couldn't find one, they created one. What started as a roundtable between colleagues has turned into a community of thousands of practitioners and TPRM service providers worldwide, all working towards the same goal: sharing knowledge and furthering the industry of TPRM.

    What We Do

    Activities in support of this purpose include, but are not limited to:
    01 Promoting Value: Promoting the value that third party risk professionals and practitioners add to their organizations.
    02 Providing Guidance: Providing comprehensive professional, educational, and development opportunities, as well as standards and other professional practice guidance.
    03 Sharing Knowledge: Researching, disseminating, and promoting to practitioners and stakeholders knowledge concerning third party risk and its appropriate role in control, risk management, and governance.
    04 Educating: Educating practitioners and other relevant audiences on best practices in third party risk.
    05 Bringing People Together: Bringing together third party risk professionals and practitioners from all countries to share information, experiences, tools, and techniques.
    06 Advancing the Industry: Creating work groups and advisory councils dedicated to creating universal resources, offering advice, and supporting start-ups through mentorship and feedback.

    The organization was formed by Julie Gaiaschi and Jon Ehret on October 22, 2018 and is a 501(c)(6) not-for-profit, headquartered in Iowa.

    Meet the Team

    TPRA strives daily to promote the value that third party risk professionals and practitioners add to their organizations; educate community members and other relevant audiences on best practices in third party risk; research and disseminate information on third party risk tools and techniques; and build third party risk guidance as a community. But we couldn't do any of this without a great team, which is why we promote a collaborative, flexible, and inclusive work culture. We value innovation and enjoy exploring new ideas. We have self-starting, mission-driven team members who aren't afraid to bring creative ideas to the table and have the passion and energy to drive those ideas to fruition. With that said, we put people at the center of everything we do and love to celebrate milestones and wins! As we continue to grow, we are always on the lookout for creative and passionate professionals who are always learning and teaching, while understanding the bigger picture.

    - Julie Gaiaschi, CEO & Co-Founder (Officer)
    - Heather Kadavy, Director of Membership Success (Senior Staff)
    - Meghan Schrader, Marketing & Communications Manager (Senior Staff)
    - Kelsey Manigly-Haney, Marketing & Membership Coordinator (Staff)
    - Hilary Jewhurst, Senior Membership & Education Coordinator (Senior Staff)

    Board of Directors

    - Morgan Binder, Stripe (Chairman of the Board)
    - Vincent Scales, CVSHealth
    - Christopher Strazishar, Corebridge Financial
    - Courtney Turner, Deere & Co
    - Chris Phillips, Lendmark Financial Services
    - Verity Billson, Experian Ltd
    - Eric Rosendaul, Citizens Bank
