Search Results

Many third-party risk management (TPRM) programs today have reached a level of operational maturity. They have defined processes, lifecycle coverage, and established workflows for intake, due diligence, and monitoring. But a critical question remains: Is your program actually improving—or just maintaining the status quo? In this episode of the TPRM Exchange Podcast , Hilary , Senior Membership & Education Coordinator at TPRA, speaks with Keith Frantz, Director of Vendor Management at Prosper Marketplace, to explore the difference between maturity and true progress, emphasizing that strong programs continuously evolve alongside changing risks, technologies, and business needs. “If it’s a check-the-box exercise, you have room for improvement.” From identifying signs of stagnation to adapting for emerging risks like AI, this conversation highlights practical ways practitioners can refine assessments, strengthen monitoring, and deliver more meaningful insights to the business. What You’ll Learn Why maturity doesn’t equal improvement Signs your TPRM program may be stagnant How to modernize risk assessments and evidence standards The growing impact of AI and emerging risk domains How better reporting and monitoring drive stronger decisions Why collaboration across procurement, legal, and the business is critical Key Takeaway “Collaboration, communication, and education—that’s what makes a program successful.” About the Guest Keith Frantz, Prosper Marketplace Graduate of Baylor University, worked in Financial Industry for over 20 years under numerous umbrellas. While in the mortgage industry, I worked primarily in default and risk management providing oversight for mortgage servicers. After moving to risk and vendor management, I have built and matured several programs at different companies and now oversee Procurement, Third Party Risk, and Internal Controls for Prosper Marketplace. Have a question or topic idea? Send us your suggestions at: pod@tprassociation.org

It's impossible to ignore what's happening in the world these days. Headlines are nonstop, commentary is everywhere, and every update appears urgent. Many news stories are meant to grab attention or push an agenda, but not all deserve equal focus. For third party risk management (TPRM) teams, the main challenge isn't just keeping up with the news. It's figuring out what actually matters. With so much information available, the important part is connecting outside events to your key third parties, suppliers, and services, and then deciding if you need to take action. Geopolitical issues do not always arrive as dramatic, obvious events, although sometimes they do. War breaks out. Military tensions escalate. Governments impose sudden restrictions. Just as often, the impact shows up through day-to-day operations. A third party can look perfectly fine in a due diligence review and still carry real exposure because of where it operates, what it relies on, and how those dependencies are structured Geography as a Starting Point, Not the Full Picture In many TPRM programs, geography is treated as a separate risk factor. Teams look at where a third party is based, where it operates, and which laws apply. Geography sets the foundation and shapes the legal, regulatory, and business environment for that third party .  Geopolitical risk changes how we think about geography . A place that once seemed stable can quickly become difficult to operate in if sanctions shift, governments add new rules, or broader instability starts to impact business. When Stability Shifts Without Warning  A region that seemed stable can change quickly. Conflict, political decisions, or new regulations can alter operating conditions with little notice. Third parties and key suppliers that looked safe yesterday might need attention today, even if the third party itself hasn't changed.  That's the challenge so many TPRM teams face right now.  The issue isn’t just that instability happens. It’s how fast it can impact critical third parties and their sub-servicers, even when you have strong due diligence and monitoring in place.  A third party in a country that has been stable in the past can still face problems because of its dependencies. Subcontractors, infrastructure providers, logistics networks, and supply chains can all bring risk. Changes in regulations and cross-border rules can also affect how services are delivered.  The impact doesn’t have to be local to be real . It often shows up as disruptions, delays, or changes in how services operate.  Programs that solely depend on periodic reassessment will feel those impacts first. By the time the next review comes around, the situation might already be affecting operations.  The Impacts of Geopolitical Events  When things change, the impact rarely stays in just one area. It usually affects several risk areas at once.  Operational disruption as service delivery slows or degrades  Compliance pressure as sanctions, restrictions, or regulatory expectations change  Dependency exposure as subcontractors and providers are affected  Concentration risk when multiple services rely on the same region or provider  Geography is only the starting point. The real impact comes from how it influences the rest of your third party ecosystem.  What Deserves your Attention  This is where context and nuance matter. The event that gets the most attention isn’t always the one with the biggest impact on your operations. A major event somewhere in the world might not affect your third parties, but a quieter regulatory or policy change could have immediate effects on your operations, data, supply chain, or service delivery.  The practical question is simple: Does this event connect to a specific third party, supplier, service, location, dependency, or requirement that matters right now? If you’re not sure, that’s where you should start looking.  Where the Real Exposure Sits  Organizations will often gather information about dependencies during due diligence, but that’s not the same as thoroughly assessing those dependencies. It also doesn’t mean the third party has examined its own third parties, providers, or sub-servicers as closely.  The question is not always whether the third party itself is in an unstable region. Sometimes the third party looks fine, its geography looks fine, and the real issue sits deeper in the chain. Sub-servicers, supply chains, and infrastructure can be affected long before the direct third party shows visible signs of strain.  Where Monitoring May Fall Short Many people use headline alerts, news aggregators, and general monitoring tools. These might help you stay informed, but more often create a lot of noise without much guidance.  They tell you what’s happening, but not whether it matters for your third party environment.  Where Risk Intelligence and Alert Services Add Value  Risk intelligence services are more effective because they are designed to connect outside events to your third party group.  Different services offer different capabilities. Some focus on company-level monitoring and alert you when a specific third party is affected. Others track geopolitical and regulatory developments across regions. Some provide visibility into supply chains and downstream dependencies, including subcontractors and infrastructure providers. Others focus on cyber or operational disruption tied to external events.  Most programs depend on a combination of these capabilities.  The real value comes from how well alerts are linked to your actual risks.   A useful alert doesn’t just report that something happened in a region. It shows how that event connects to specific third parties, services, or dependencies.  What This Looks Like in Practice  A geopolitical alert might show up as:  A sanctions update affecting a region where a critical supplier operates  A regulatory change affecting data transfer requirements where a third party processes data  A conflict disrupting a logistics route tied to a supplier  A government restriction affecting infrastructure used by a subcontractor  These alerts don’t need to be escalated right away on their own. They need context.  The first step is to check if the alert connects to a third party, service, or dependency that is important to your business.  If it does, the response can stay focused:  confirm whether the third party is directly affected  assess service continuity and contingency plans  check downstream providers and subcontractors  validate whether regulatory obligations have changed  document whether escalation or monitoring is needed  The goal isn’t to react to every alert. It’s to quickly figure out what matters and what steps to take next.  Making it Operational  Managing geopolitical risk in TPRM comes down to three things: knowing which events are relevant to your specific third parties and dependencies, monitoring with tools that connect external developments to your actual environment, and having a program that can move from information to action. These elements reinforce each other, and all three need to be in place.  Taking these actions can help.  Map exposure clearly.  Know where your critical third parties operate, what they depend on, and which services are most important  Be able to report quickly.  When something changes, you should be able to quickly identify affected third parties, including downstream dependencies.  Define triggers for action.  Decide what kinds of changes require outreach, reassessment, or escalation  Assign ownership.  Assign someone to review developments and decide on next steps  Keep responses proportionate.  Not every development needs action, but the next steps should be clear when action is required.  Conclusion   Geopolitical risk is not going away, and the amount of information around it will only continue to grow. Most of that information will be noise. The difference for TPRM teams is whether they can filter it quickly and focus on what actually affects their third party ecosystem.  That is the real work. Not tracking everything, but knowing what matters, when it matters, and what to do about it. When a TPRM program is built that way, it does not need to predict every disruption. It is already positioned to respond when it counts.  Author Bio Hilary Jewhurst Sr. Membership & Education Coordinator at TPRA Hilary Jewhurst  is a seasoned expert in third party risk and risk operations, with nearly two decades of experience across financial services, fintech, and the nonprofit sector. She has built and scaled third party risk programs from the ground up, designed enterprise-wide training initiatives, and developed widely respected content that helps organizations navigate regulatory complexity with clarity and confidence. Known for turning insight into action, Hilary’s thought leadership and educational work have become go-to resources for professionals looking to mature their TPRM programs. She regularly publishes articles, frameworks, and practical guides that break down complicated risk topics into meaningful, accessible strategies. Hilary recently joined the  Third Party Risk Association (TPRA)  as a staff member, supporting industry-wide education, peer learning, and advancing best practices. She is also the founder of  TPRM Success , a boutique consultancy that helps organizations strengthen their third party risk management capabilities through targeted training, tools, and strategic guidance.

In today’s third party risk landscape, the most significant incidents often don’t originate within your organization; they come from vendors, suppliers, and partners you depend on. When that happens, your team is left responding to an event you don’t control, with limited visibility and increasing pressure from leadership and regulators. In this episode of the TPRM Exchange Podcast , host Hilary Jewhurst sits down with Sagar Sudhir Behere , Enterprise (ERM) & Third Party Risk (TPRM) Oversight Senior Manager, to explore what effective incident response looks like in a third party context. Drawing from deep experience in resilience planning and complex outsourced environments, Sagar shares practical insights on how organizations can better coordinate, communicate, and respond when vendor incidents occur. “Early response is about decision-making under uncertainty—not perfect information.” Together, they discuss the key differences between internal and third party incidents, common misconceptions around vendor visibility, and why contractual protections alone aren’t enough. The conversation also dives into how to balance speed with accuracy, manage internal stakeholder tension, and build stronger recovery and resilience practices after an incident. “Move fast with awareness. Slow down with conclusions.” Whether you’re building or maturing your TPRM program, this episode offers actionable guidance to help you improve incident response coordination and strengthen your organization’s readiness. What You’ll Learn How third-party incidents differ from internal incidents—and why that matters What information is critical in the first hours of an incident Common blind spots, including fourth-party dependencies Why contracts don’t guarantee effective incident response How to balance speed, uncertainty, and communication What defines a truly successful recovery A practical exercise to improve vendor incident readiness “You’ll learn more in one hour of a vendor scenario than months of questionnaires.” About the Guest Sagar Sudhir Behere is a recognized thought leader in Third Party Risk Management (TPRM) and Enterprise Risk Management (ERM), with decades-long years of experience implementing innovative risk frameworks across Fortune 100s, Tech, FinTech, and FAANG organizations. As Head of TPRM at Circle Internet Financial, he has built Circle’s TPRM program from the ground up, achieving industry-leading efficiency and automation, including reducing vendor risk assessment processes by over 90%. His work integrates blockchain, AI, and automation to optimize compliance, risk oversight, and operational resilience. Sagar is an active contributor to industry standards and best practices, mentoring emerging leaders in risk management. He regularly shares his expertise at global conferences and the customer advisory board, influencing how organizations worldwide approach AI, automation, and blockchain integration in risk programs. His contributions are recognized for driving original, impactful solutions that redefine efficiency, governance, and innovation in global risk management. Have a question or topic idea? Send us your suggestions at: pod@tprassociation.org

Learn about and register for events outside of the TPRA that are applicable to TPRM. Vendor-Hosted Events The TPRA promotes the industry of third party risk, which includes events conducted by other third party risk-related groups and organizations. Check back here regularly to see our list of vendor-hosted events. If you would like to promote your next third party risk-specific event, please complete the form below . Disclaimer: TPRA does not endorse or sponsor the products/services of one particular organization; however, we do communicate training opportunities for the benefit of the community. Filter by Organization Select Organization Filter by Event Type Select Event Type Filter Download DRI International Webinar Fusion Risk Management Sponsored Webinar: Advancing Resilience Testing with AI: From Static Tabletop Exercises to Data-Driven Scenario Intelligence Tuesday, April 14, 2026 2:00 PM EDT Register Exiger Webinar Webinar Series: From Risk Awareness to Supply Chain Advantage Thursday, April 16, 2026 10:00 AM GMT Register Drata Inc. Webinar Aligning EU AI Act, ISO Standards & AI Governance for Scalable Compliance Thursday, April 23, 2026 2:00 PM BST Register Cloud Security Alliance (CSA) Virtual Conference Agentic AI Security Summit 2026 Wednesday, April 29, 2026 11:00 AM EDT Register Cloud Security Alliance (CSA) Virtual Conference Cloud Threats & Vulnerabilities Summit 2026 Wednesday, May 20, 2026 11:00 AM EDT Register Center for Financial Professionals (CeFPro) In-Person Conference Vendor & Third Party Risk Europe Wednesday, June 3, 2026 London, UK CeFPro’s 14th Annual Vendor & Third Party Risk Europe, taking place 3–4 June 2026 in the City of London, brings together senior risk leaders and industry experts to examine the evolving third-party risk landscape. The event will explore regulatory expectations, operational resilience, critical third-party oversight, and effective exit strategies, providing practical insight into how organisations are strengthening vendor risk frameworks in an increasingly complex environment. Register Center for Financial Professionals (CeFPro) In-Person Conference Vendor & Third Party Risk USA Tuesday, June 9, 2026 Ease, New York CeFPro’s Vendor & Third Party Risk USA, taking place 9–10 June 2026 at Ease, New York, convenes senior risk leaders and industry experts to explore the evolving third-party risk landscape in the U.S. market. The event will focus on regulatory expectations, operational resilience, oversight of critical third parties, and effective exit strategies, offering practical insight to strengthen vendor and third-party risk management frameworks. Register Cloud Security Alliance (CSA) Virtual Conference NHI & Identity Summit 2026 Wednesday, June 24, 2026 11:00 AM EDT Register Exiger Webinar Human Rights in The Supply Chain: From Obligation to Operational Discipline Thursday, July 16, 2026 London | 6:00 PM GMT Register Global Resilience Federation (GRF) In-Person Conference 9th Annual Summit on Security & Third-Party Risk Wednesday, October 21, 2026 Orlando, FL Networking and Education on Critical Third-Party and Cybersecurity Issues, for Mutual Resilience The conference features dozens of speakers on third-party risk management, cloud security, emerging cybersecurity threats, and AI/machine learning threat mitigation and management. Attendees will gain an understanding of how some of the largest and most sophisticated organizations in the world are managing risk, and leave the conference better armed to defend their company, regardless of its size or the status of its risk mitigation program. Register Submit an External Event TPRA Practitioner Members can submit upcoming events they'd like displayed on this page using the form below. Some events may also be shared via our monthly events emails and/or quarterly newsletter. TPRA does not post on-demand/recorded events to this page. TPRA Vendor Members can submit their upcoming events through the Vendor Member Submissions form . Submitter Information First name* Last name* Email* Event Information Event Title* Event Host* Event Type* Event Description* Event Date* Event Time (please include time zone)* Link to learn more and/or register for the event* Anything else we should know? Submit

Join the TPRM community at TPRA for expert resources, training, templates, and tools to strengthen your third party risk program and grow your network. Join the only not-for-profit, vendor-agnostic professional association uniting thousands of TPRM professionals worldwide. Furthering the profession of third party risk management through knowledge-sharing & networking. Learn More Join Now The all-in-one source for Third Party Risk Management (TPRM) tools, templates, training, networking, certifications & industry best practices. MEMBERSHIP CONNECT & DISCOVER Individuals & organizations working together to advance the industry. More > EDUCATION MEETINGS & TRAINING Certifications & training for risk professionals to advance their careers & enhance their programs. More > RESOURCES INFORMATION SHARING SITE White papers, templates, guidance & more to enhance your program. More > TOOLS & AUTOMATION EXPLORE & CONTACT Detailed profiles of trusted TPRM service provider organizations & their offerings. More > Advance Your Career in Risk Management: Learn About the Benefits of TPRA Membership > Practitioner Plans Standard: FREE Premium: $199/yr BENEFITS Member Meetings Interactive monthly calls to discuss a variety of third party risk topics decided upon by members. Conferences In-person and virtual conferences dedicated solely to third party risk topics. Networking Online interaction with your peers through membership forums and document databases. Industry-Specific Meetings Quarterly special interest calls based on your industry. Demos, Surveys, Webinars Access to third party risk management service provider demos, surveys, & webinars. Certifications TPRM professional certifications that establish credibility and demonstrate your commitment to mastering your skills and knowledge within the industry. Join Now Vendor Plans 4 available plans starting at $8,000/yr BENEFITS Priority & Discount Sponsorship Opportunities Be the first to sponsor conferences and receive discounted member rates, as well as priority positioning. Networking & Collaboration Attend monthly and quarterly meetings with TPRM practitioners and other service providers to network, collaborate, create resources, share insights, and more! Promotional Opportunities Work with the TPRA staff to communicate to Practitioner Members the your organization's webinars, surveys, demos, blog posts, and white papers. Advisory Councils Join our TPRM Service Provider Advisory Council, as well as other groups, dedicated to collaborating, sharing insights, and providing strategic guidance. Quarterly Updates Receive quarterly updates with industry innovators to collaborate on practitioner needs. Join Now Meetings Open to All Meetings Open to All Member Meetings & Events On-Demand Meetings Friday, April 10, 2026 1:00 – 5:00 PM CT SaaS Certificate Training Register > Monday, April 20, 2026 Various 2026 In-Person Conference Register > Tuesday, April 28, 2026 1:00 – 2:00 PM CT Women In TPRM Meeting Register > Wednesday, May 13, 2026 9:00 AM to 4:00 PM CT Q2 Demo Day Register > CONTACT US OUR INFORMATION Address: P.O. Box 824 Ankeny, Iowa 50021 USA Email: info@tprassociation.org For any general inquiries, please fill out the contact form. First name* Last name* Email* Subject Message* Yes, subscribe me to TPRA communications. Submit

Watch Women in TPRM recordings of past monthly meetings. Hear insights from women leaders and practitioners driving change in third party risk management. Meetings WNTPRM On-Demand Meetings Tuesday, March 17, 2026 1:00 – 2:00 PM CT Women In TPRM Meeting PowerPoint Watch Video Tuesday, February 17, 2026 1:00 – 2:00 PM CT Women In TPRM Meeting PowerPoint Watch Video Tuesday, January 20, 2026 1:00 – 2:00 PM CT Women In TPRM Meeting PowerPoint Watch Video Tuesday, December 16, 2025 1:00 - 2:00 PM CT Women In TPRM Meeting PowerPoint Watch Video Tuesday, November 18, 2025 1:00 - 2:00 PM CT Women In TPRM Meeting PowerPoint Watch Video Tuesday, September 16, 2025 1:00 - 2:00 PM CT Women In TPRM Meeting PowerPoint Watch Video LOAD MORE