Search Results

In TPRA’s December blog, “TPRM State of the Industry: The 2026 Risk Reality Check,” Heather Kadavy laid out what many practitioners are dealing with heading into 2026, deeper dependency chains, more AI use by third parties, higher expectations for ongoing oversight, and external pressures that land through suppliers.    This blog will discuss what to do with that reality in practice. The sections below focus on preparation and actions that can be put in place early and reused throughout the year, so programs are not rebuilding workflows every time a third party issue surfaces.    What follows is practical guidance, not a maturity model or a checklist. The goal is usable steps that support consistent execution as issues surface.     1) Third Party visibility that supports decisions  Third Party issues often become harder to manage once the same questions circulate across functions. Questions such as who is involved, what systems or data are affected, and which dependencies sit behind the third party. When that information is fragmented, early coordination slows.  Consolidate third party inventories across Procurement, IT, Cyber, Privacy, Finance, and Compliance.  Tag third parties with service, data they can access, criticality, connectivity, primary hosting region, and key sub-service providers.  Track unknowns, such as unclear data exposure or missing sub-service provider detail, and reduce them over time.  Visibility supports alignment when decisions are needed.  2) Tiering for effective and efficient risk management  As third party populations grow, tiering becomes essential to keep program requirements proportional to inherent risk. The point is not only due diligence depth. Tiering and criticality help structure how the program addresses the most common risks and the biggest threats in a consistent way.  Define your risk tiers ( high, moderate, and low) using inherent risk factors such as data sensitivity, access level, operational criticality, concentration risk, regulatory compliance and geography.  Identify third parties that are essential to operations , interact directly with customers , or could reasonably drive regulatory scrutiny if they fail or experience an incident, and flag them as critical .  Assign every third party both a risk tier and a critical or not critical designation, so the program can clearly identify which vendors require the most scrutiny, due diligence, monitoring, and oversight.  Use the risk tier to set baseline program requirements, such as due diligence scope, evidence expectations, monitoring cadence, issue management timelines, and escalation triggers.  For critical third parties , set heightened requirements across contracts, business continuity and disaster recovery expectations, scenario testing, performance monitoring, and incident coordination.  The intent is to structure program effort around where risk and impact concentrate.  3) Practical Nth-party accountability  Sub-service provider exposure often becomes visible after an issue has already arisen. At that point, teams are working to understand who else is involved and what leverage exists.  Require disclosure of material sub-service providers, hosting locations, and changes that affect data or service delivery.  Request sub-service provider data maps for critical third parties only, focused on dependencies that carry real impact.  Start with a small group of critical third parties and expand once the process is repeatable.  Sub-service provider work tends to be most useful when it starts with the dependencies that affect service delivery or data exposure, then broadens over time.  4) Monitoring with clear ownership, including performance  Many organizations receive more third party risk information than they can act on. Without thresholds and ownership, monitoring loses operational value. Monitoring also needs to cover performance, not just risk events, because service degradation and missed deliverables often surface before a formal incident.  Define a short list of conditions that require attention, such as breach disclosures, ransomware activity, sanctions exposure, financial distress, critical vulnerability exposure, major control changes, or sustained service issues.  TPRM sets the cadence and requirements for monitoring based on risk tier and criticality, including what must be reviewed, how it is documented, and when escalation is required.  The business owner manages third party performance and is accountable for driving timely, complete remediation with the third party, including Service Level Agreement (SLA) review, corrective actions, and escalation when customer or operational impact is at stake.  Ownership and accountability drive follow-through and better outcomes.  5) Third party incident readiness and continuity coordination  Third Party incidents rarely affect just one function. They can raise legal questions, trigger privacy assessments, affect operations, or require triage from Information Security teams. When a critical provider is degraded or offline, business continuity and recovery planning becomes part of the same conversation.  Develop a third party incident and continuity playbook with cyber, legal, privacy, procurement, business owners, and business continuity and recovery stakeholders. Include notification and evidence requests, impact assessment, escalation paths, communications, recovery time and recovery point expectations, workaround options, and decision points for failover or alternate sourcing.  Run tabletop exercises that include both incident handling and service disruption scenarios, using at least one critical third party as the case study.  Confirm 24/7 contacts, notification SLAs, and continuity-related commitments for critical third parties, including recovery objectives and support expectations during disruptions.  Preparedness here reduces confusion during incidents and shortens the path from impact to recovery.  6) AI governance in intake and contracts  AI use by third parties can affect data handling, security controls, and compliance obligations. Addressing expectations early helps reduce rework later.  Ask where AI is used, what data it touches, if data is used to train models, retention practices, access controls, and incident handling.  Include contract language on data use, transparency, and notification when AI-related practices change.  Require third parties to identify material changes to AI-enabled features, underlying model providers, or data processing workflows that could affect confidentiality, integrity, availability, privacy, or regulatory obligations.  The goal is oversight and defensible governance, not blocking adoption.  7) Regional and geopolitical disruption  External pressures often reach organizations through suppliers. Preparation means thinking through how disruption would affect service delivery and contractual obligations.  Identify single points of failure by region, facility, cloud zone, or logistics route.  Document substitution options and what can be paused if disruption occurs.  Run scenario exercises tied to regional or geopolitical disruption and update continuity assumptions.  Scenario work surfaces dependencies that are otherwise easy to miss.  8) Cross-functional integration  Third party issues tend to escalate when relationship ownership, escalation paths, and decision authority are not clearly defined.  Name a business owner for each third party to own the relationship and drive risk remediation. Document risk acceptance authority and escalation paths, typically an executive owner or committee.   Hold regular decision meetings for exceptions, remediation approvals, renewals, access changes, and exits.  Maintain an exceptions register with clear expiration dates.  Regular coordination keeps decisions moving and reduces friction when issues span multiple functions.  9) Develop a scorecard leadership will use  A small, consistent scorecard helps leadership see where risk is concentrated and where follow-up is lagging.  Track a limited set of measures:  Percent of critical third parties with current evidence-based validation  Percent with known material sub-service providers  Time to triage third party incidents  High-risk issues past agreed timelines  Concentration risk across core functions  Metrics are most useful when they inform decisions and drive action.  Closing thought  None of these actions require rebuilding a TPRM program. They require clarity on roles, a disciplined way to separate critical third parties from the broader population, and monitoring and escalation approaches that connect risk signals to real follow-up. The programs that hold up best tend to be steady on the fundamentals, especially when third party issues arrive alongside procurement deadlines, operational pressure, and leadership questions.  Author Bio Hilary Jewhurst Sr. Membership & Education Coordinator at TPRA Hilary Jewhurst  is a seasoned expert in third party risk and risk operations, with nearly two decades of experience across financial services, fintech, and the nonprofit sector. She has built and scaled third party risk programs from the ground up, designed enterprise-wide training initiatives, and developed widely respected content that helps organizations navigate regulatory complexity with clarity and confidence. Known for turning insight into action, Hilary’s thought leadership and educational work have become go-to resources for professionals looking to mature their TPRM programs. She regularly publishes articles, frameworks, and practical guides that break down complicated risk topics into meaningful, accessible strategies. Hilary recently joined the  Third Party Risk Association (TPRA)  as a staff member, supporting industry-wide education, peer learning, and advancing best practices. She is also the founder of  TPRM Success , a boutique consultancy that helps organizations strengthen their third party risk management capabilities through targeted training, tools, and strategic guidance.

Navigating Ownership, Oversight, and Expertise in the Age of Artificial Intelligence  As artificial intelligence (AI) adoption accelerates across industries, organizations are grappling with a new challenge: where should AI risk management, and specifically AI-related Third Party Risk Management (TPRM), live within the enterprise?  While some organizations assign ownership to existing structures like IT, model risk management, or cybersecurity, others manage AI/TPRM through risk committees or distributed governance models.  However, as AI becomes embedded in everything from third party software to operational decision making, defining accountability and expertise is more critical than ever.  This blog explores the current state of organizational ownership of AI/TPRM, the challenges of fragmented accountability, and the evolving landscape of AI risk governance.  The Current Reality: Distributed Ownership, Fragmented Accountability  Most organizations are still in the early stages of formalizing how AI and third party risk intersect. The result is a patchwork of ownership that reflects historical structures rather than emerging needs.  Common Models of AI/TPRM Ownership:  Model Typical Owner Strengths Challenges IT Ownership CIO or Head of IT Deep technical knowledge; integration visibility Focused on enablement over risk; limited governance scope Cybersecurity Ownership CISO or Security Team Expertise in data protection, privacy and threat management May overlook model bias, ethics and performance risk Model Risk Management (MRM) CRO, Enterprise Risk or Finance Familiar with validation frameworks and model governance Not all AI tools qualify as “models”; hard to scale across third parties. Enterprise Risk Management Chief Risk Officer Holistic view of risk across functions May lack the technical fluency needed to assess AI-specific risks Governance Committee or AI Council Cross Functional Groups Encourages shared accountability Decision-making can be slow; unclear escalation or ownership paths In practice, AI/TPRM often lives everywhere and nowhere at all.   This distributed reality makes it difficult to establish clear accountability, consistent controls, or effective monitoring.   The Expertise Dilemma: Interest, Enthusiasm, and Illusion  AI governance has quickly attracted attention across business functions.  Within most organizations, there are three groups emerging:  The Interested:  Professional who wants to understand AI’s risk and opportunities but lack hands-on experience.  The Aspiring Expert:  Individual who follows AI trends and participates in governance conversations but may not yet grasp the nuances of model architecture or data provenance.  The Actual Experts:  Technologist, data scientist, and risk professionals who understand both the technical and ethical implications of AI.  The challenge is not a shortage of passion, it's a shortage of true multidisciplinary expertise.  AI/TPRM sits at the intersection of technology, ethics, and compliance, few individuals or departments are fluent in all three.  To close this gap, organizations must create intentional learning pathways and collaborative governance structures that balance subject matter expertise with enterprise risk accountability. Governance in Practice: Moving Towards a Federated Model  A leading practice emerging across industries is a federated governance model for AI and TPRM. This structure combines distributed ownership with centralized oversight.  Key Features of a Federated Model  Central Oversight Body  – An AI Risk or Governance Committee that sets policy standards, and reporting expectations.   Functional Ownership – Each business or function (e.g., IT, Cyber, Risk, Legal, Procurement, etc.) owns execution of AI/TPRM controls relevant to their domain.  Integration with TPRM – Third party due diligence processes are expanded to include AI-specific assessment covering model transparency, ethical design, data sourcing, and bias testing.  Continuous Monitoring – Establish ongoing oversight for AI-enabled third party tools, especially for evolving and retraining models.  This model encourages shared responsibility while ensuring decisions align with enterprise-level risk appetite and ethical standards.   A Practical Path Forward  Organizations can begin clarifying AI/TPRM ownership with the following steps:  Map Current Ownership – Identify where AI activities and risk currently reside(within IT, Cyber, Risk or elsewhere).  Establish an AI Governance Charter – Define roles, responsibilities, and decision rights for all AI-related risk activities, including third party AI vendors.  Integration of AI Risk into TPRM Frameworks – Update third party due diligence questionnaires/assessments and monitoring processes to include AI use, transparency, and data ethics.  Create a Skills Development Roadmap – Offer training that bridges the technical, operational and ethical dimension of AI risk.  Promote Transparency and Communication – Encourage open dialogue between those who “build”, those who “buy”, and those who “govern” AI.  Where AI/TPRM “lives” is not a static question, it's a reflection of how mature an organization is in managing emerging risk. Ownership will likely evolve over time, shifting from isolated functions to integrated governance models.   Ultimately, the goal isn’t to decide whether IT, Cyber, or Risk “owns” AI. It's to ensure that someone is accountable,  that the process is transparent, and decisions are made responsibly.  AI will continue to reshape third party risk management. Those who establish clarity of ownership today will be better equipped to manage the risks and seize the opportunities of tomorrow.  Author Bio Heather Kadavy Senior Membership Success Coordinator Heather Kadavy  joined the Third Party Risk Association (TPRA) in 2023 as the Senior Membership Success Coordinator. In recent year(s) Heather has been providing freelance TPRM consulting work to various organizations after retiring from a Nebraska financial institution after nearly 35 years where she oversaw and managed critical programs of the organization including Third Party Risk Management, Information Security, Physical Security, Safety, Business Recovery, Financial Crimes, Model Risk Management, and Enterprise Risk Management.  In her TPRM role she had oversight of over a thousand third party relationships, systems, due diligence reviews and contract management activities.  She developed, facilitated, and implemented training programs for thousands of employees over the years. Heather is a natural born connector of people and values relationship building at the cornerstone of her career.  She encourages you to connect with TPRA and herself via LinkedIn to join in the "TPRM Global Conversation".

In many Third Party Risk Management (TPRM) programs, contracts and service-level agreements (SLAs) are signed, filed, and then forgotten. That is, until a renewal deadline sneaks up, or a vendor fails to meet a critical performance standard, whereby no one can prove whether the vendor was or wasn’t held accountable.  If that sounds familiar, you’re not alone.  Contract and SLA management are two of the most underrated yet high-impact areas for TPRM automation. And the good news? You don’t need a massive system overhaul to start reaping the benefits.  Why Contract & SLA Monitoring Matters in TPRM  Contracts contain the DNA of your third party relationships. They note:  What services are being delivered  What controls are expected  When the agreement expires or renews  What happens if something goes wrong  If this information lives in static PDFs or folders, and relies on someone to remember key dates or terms, you’re exposing your organization to real risk. Such risks include, but are not limited to:  Missed renewals that may auto-renew unfavorable terms  SLA violations that go undetected and un-remediated  Unenforced obligations that weaken your risk posture  Automation can help solve this problem. And it doesn’t have to be complex.  What You Can Automate  Here are several key elements of contract and SLA management you can automate today:    1. Key Date Reminders  Renewal and termination notice deadlines  Compliance documentation expiry (e.g., updated SOC 2 required every 12 months)  Review cycles (e.g., quarterly performance check-ins)  Automation example:  Auto-alerts at 90/60/30 days before renewal, with owner assignment and status tracking.     2. Obligation Tracking  Ensure third parties deliver required evidence (e.g., updated pen test results)  Auto-track performance standards (e.g., response times, uptime, ticket resolution)  Flag when obligations aren’t met  Automation example:  Use automated tools to extract obligations from contracts and load them into a tracker that flags upcoming deliverables.     3. SLA Monitoring Integration  Link with operational data (e.g., help desk platforms, uptime monitors) to auto-validate whether SLA commitments are being met.  Set automated thresholds for escalation if a third party exceeds a defined limit (e.g., >3 late response tickets in a month).  Automation example:  When help desk tickets tied to a third party cross a certain age threshold, an alert is triggered to the TPRM team.  Real-World Example: Automating Renewal Notifications in a Mid-Sized Bank  A regional U.S. bank had thousands of third parties with contracts stored across multiple departments. Renewal dates were tracked in spreadsheets, and deadlines were frequently missed, resulting in automatic renewals that locked the organization into poor terms.  “We didn’t realize how often we were defaulting to auto-renewal until we missed our shot at renegotiating a major payment vendor,” the TPRM manager shared.   The team implemented a contract tracker tied to their TPRM tool that extracted and logged:  Contract expiration dates  Required notice periods  Assigned contract owners  Automated alerts were triggered on 90, 60, and 30 days before key dates, with color-coded status dashboards.  Impact:   100% of critical third party renewals reviewed on time  Saved ~$300K through renegotiated terms in Year 1  Improved coordination with Legal and Procurement  Getting Started: Tools You Can Use  You don’t need a custom platform to get going. Some automation options include:  GRC/TPRM platforms  with contract modules   Contract lifecycle tools  (e.g., Ironclad, LinkSquares, DocuSign CLM)  Workflows in MS365 or Google Workspace  using reminders and task lists  Low-code platforms like Airtable or Monday.com for custom trackers    Key Takeaways:  Contracts are a goldmine of risk and performance data. Don't let them sit untouched.  Automating reminders and tracking obligations keep your third parties accountable and your TPRM program compliant.  Start small: even a shared tracker with auto-reminders can reduce missed deadlines and drive savings.  Author Bio Heather Kadavy Senior Membership Success Coordinator Heather Kadavy  joined the Third Party Risk Association (TPRA) in 2023 as the Senior Membership Success Coordinator. In recent year(s) Heather has been providing freelance TPRM consulting work to various organizations after retiring from a Nebraska financial institution after nearly 35 years where she oversaw and managed critical programs of the organization including Third Party Risk Management, Information Security, Physical Security, Safety, Business Recovery, Financial Crimes, Model Risk Management, and Enterprise Risk Management.  In her TPRM role she had oversight of over a thousand third party relationships, systems, due diligence reviews and contract management activities.  She developed, facilitated, and implemented training programs for thousands of employees over the years. Heather is a natural born connector of people and values relationship building at the cornerstone of her career.  She encourages you to connect with TPRA and herself via LinkedIn to join in the "TPRM Global Conversation".

Safe Security has redefined cyber risk measurement and management with its real-time, data-driven approach that empowers enterprise leaders, regulators, and cyber insurance carriers to understand cyber risk in an aggregated yet granular manner. < Back Safe Security Wednesday, February 18, 2026 1:00 - 1:25 PM CT TPRM Platform Globe Mail Search Search Search SAFE TPRM is the industry’s only AI-powered third-party risk management solution designed to address the growing challenges of managing third-party risks. It provides businesses with advanced capabilities, including outside-in security ratings, questionnaire-based assessments, zero-trust principles, and inside-out scans. Through SAFE One’s unified platform, enterprises can achieve a holistic and dynamic understanding of their supply chain risk posture. This platform delivers actionable, dollar-driven insights that help organizations prioritize and mitigate risks effectively while scaling their TPRM programs seamlessly. Presenter(s) Ram Vemula Head of Partnerships Product Management leader with extensive experience in delivering strong business growth through disruptive product innovations, innovative go-to-market strategies and building strong ecosystem partnerships. Ram Vemula is currently leading product development of Third-Party Risk Management capabilities and establishing technology partnerships with various partners in the risk management and cybersecurity domains. Experienced across all aspects of product management and business development: market-driven requirements and competitive analysis with focus on commercial structure, pre-sales,… Show More Previous Next

Join us for "Demo Days," where leading TPRM Service Providers showcase their solutions through 25-minute product demos tailored for TPRM practitioners. TPRM Tool Demo Days The Third Party Risk Association (TPRA) invites you to attend our quarterly "Demo Days, " an exclusive opportunity for TPRM practitioners to explore innovative solutions from leading TPRM Service Providers. During these interactive sessions, vendors will deliver 25-minute product demos , showcasing their tools, technologies, and services designed to address the complex challenges of third party risk management programs. These virtual events allow practitioners to: Gain insights into the latest TPRM innovations. Connect directly with service providers to ask questions. Compare tools and platforms to determine the best fit for their organization. Don't miss this opportunity to stay ahead in the evolving landscape of third party risk management. New service providers demo each quarter, so we encourage you to register for as many Demo Days as you're able! Tool Types Below you can find brief descriptions of the TPRM tools that will be showcased during these events. TPRM Platform A software system designed to manage Third-Party Risk Management (TPRM) programs, which involves identifying, assessing, mitigating, and monitoring risks associated with external companies that an organization works with. Risk Ratings/Intelligence Tool A system or software application used to evaluate and quantify the potential likelihood and severity of risks associated with a particular incident or investment, typically assigning a numerical rating to each risk to facilitate prioritization and decision-making within risk management processes. GRC Platform A software tool that tracks, monitors, and manages governance, risk, and compliance activities at the enterprise level. This tool usually encompasses more than one risk-related department and encourages risk management at the highest level for an organization. TPRM Services An organization that assists with the implementation of TPRM programs and/or the completion of due diligence activities. TPRM Service providers can determine the maturity of your program and enhance operational capabilities. Register for Upcoming Demo Days New service providers demo each quarter, so we encourage you to register for as many Demo Days as you're able! Wednesday, February 18, 2026 at 3:00:00 PM UTC 6 hours Q1 Demo Day Read All Wednesday, May 13, 2026 at 2:00:00 PM UTC 6 hours Q2 Demo Day Read All Wednesday, August 19, 2026 at 2:00:00 PM UTC 6 hours Q3 Demo Day Read All Wednesday, October 21, 2026 at 2:00:00 PM UTC 6 hours Q4 Demo Day Read All NOTE: TPRM Service Providers and their employees, affiliates, parent companies, etc. NOT participating in a demo are not allowed to register based on conflict of interest. Demo Day Agenda Please note that the below may feature presenters for multiple Demo Days. Demo Day times are subject to change depending on the number of demos per day. All scheduled times are in Central Time. Filter by Quarter Select Quarter Filter by Tool Type Select Tool Type Date: Wednesday, February 18, 2026 Time: 9:00 - 9:25 AM CT TPRM Platform Certa’s Third Party OS is the digital backbone for managing your third party relationships across all risk domains and lifecycle stages. Read More Date: Wednesday, February 18, 2026 Time: 9:30 - 9:55 AM CT TPRM Platform Sayari is the transparency company built to provide immediate worldwide visibility into the relationships between businesses and individuals. Read More Date: Wednesday, February 18, 2026 Time: 10:00 - 10:25 AM CT TPRM Platform Coverbase automates 90% of third-party risk management using AI. Read More Date: Wednesday, February 18, 2026 Time: 10:30 - 10:55 AM CT TPRM Platform Bitsight Third Party Risk Management is an end-to-end solution that includes continuous, data-driven, validated cyber risk insights and automated vendor assessment capabilities. Read More Date: Wednesday, February 18, 2026 Time: 11:00 - 11:25 AM CT TPRM Platform ProcessUnity Third-Party Risk Management protects companies and their brands by reducing risk from third parties, vendors and suppliers. Read More Date: Wednesday, February 18, 2026 Time: 11:30 - 11:55 AM CT Risk Ratings/Intelligence Supply Wisdom provides real-time, continuous risk intelligence across third parties and locations to help enterprises proactively manage operational, compliance, financial, cyber, location, ESG and Nth party risks. Read More Date: Wednesday, February 18, 2026 Time: 12:00 - 12:55 PM CT Lunch Read More Date: Wednesday, February 18, 2026 Time: 1:00 - 1:25 PM CT TPRM Platform Safe Security has redefined cyber risk measurement and management with its real-time, data-driven approach that empowers enterprise leaders, regulators, and cyber insurance carriers to understand cyber risk in an aggregated yet granular manner. Read More Date: Wednesday, February 18, 2026 Time: 1:30 - 1:55 PM CT TPRM Platform DocuBark is an AI enabled TPRM due diligence platform that parses through vendor documents and scores a vendor's security posture. Read More Date: Wednesday, February 18, 2026 Time: 3:00 - 3:25 PM CT TPRM Platform Read More Date: Wednesday, February 18, 2026 Time: 3:30 - 3:55 PM CT TPRM Platform Read More LOAD MORE Lookbooks Interested in presenting a product demo? Please complete our Sponsor Information Form to start the process or contact Heather Kadavy, TPRA's Senior Membership Success Coordinator, at heather.kadavy@tprassociation.org to learn how to get involved!

Certa’s Third Party OS is the digital backbone for managing your third party relationships across all risk domains and lifecycle stages. < Back Certa Wednesday, February 18, 2026 9:00 - 9:25 AM CT TPRM Platform Globe Mail Search Search Search Certa is the leading Third Party Risk Management (TPRM) solution. With our comprehensive Third Party Operating System (Third Party OS), Certa lets you manage risk across all third party types, all risk domains, all in one OS. Certa leverages AI across the third party lifecycle—automating onboarding, risk analysis, compliance, and monitoring. Our no-code workflows, AI-driven decisioning, and real-time data integrations help you adapt to evolving regulations and business needs. With full-spectrum risk coverage, Certa delivers due diligence 80% faster, driving smarter and more efficient third party management for global enterprises. Certa leverages AI across the third party lifecycle—automating onboarding, risk analysis, compliance, and monitoring. With Certa, enterprises can manage risk across all third party types, all risk domains, all in one OS. Presenter(s) Previous Next