Search Results

470 results found with an empty search

Events (4)


Blog Posts (104)

  • Is Your TPRM Program Actually Improving? | TPRM Exchange Podcast Episode 2

    Many third-party risk management (TPRM) programs today have reached a level of operational maturity. They have defined processes, lifecycle coverage, and established workflows for intake, due diligence, and monitoring. But a critical question remains: Is your program actually improving—or just maintaining the status quo?

    In this episode of the TPRM Exchange Podcast, Hilary, Senior Membership & Education Coordinator at TPRA, speaks with Keith Frantz, Director of Vendor Management at Prosper Marketplace, to explore the difference between maturity and true progress, emphasizing that strong programs continuously evolve alongside changing risks, technologies, and business needs.

    “If it’s a check-the-box exercise, you have room for improvement.”

    From identifying signs of stagnation to adapting for emerging risks like AI, this conversation highlights practical ways practitioners can refine assessments, strengthen monitoring, and deliver more meaningful insights to the business.

    What You’ll Learn

      • Why maturity doesn’t equal improvement
      • Signs your TPRM program may be stagnant
      • How to modernize risk assessments and evidence standards
      • The growing impact of AI and emerging risk domains
      • How better reporting and monitoring drive stronger decisions
      • Why collaboration across procurement, legal, and the business is critical

    Key Takeaway

    “Collaboration, communication, and education—that’s what makes a program successful.”

    About the Guest

    Keith Frantz, Prosper Marketplace

    Graduate of Baylor University, worked in Financial Industry for over 20 years under numerous umbrellas. While in the mortgage industry, I worked primarily in default and risk management providing oversight for mortgage servicers. After moving to risk and vendor management, I have built and matured several programs at different companies and now oversee Procurement, Third Party Risk, and Internal Controls for Prosper Marketplace.

    Have a question or topic idea? Send us your suggestions at: pod@tprassociation.org

  • Separating Noise from Nuance: What Geopolitical Instability Means for TPRM

    It's impossible to ignore what's happening in the world these days. Headlines are nonstop, commentary is everywhere, and every update appears urgent. Many news stories are meant to grab attention or push an agenda, but not all deserve equal focus.

    For third party risk management (TPRM) teams, the main challenge isn't just keeping up with the news. It's figuring out what actually matters. With so much information available, the important part is connecting outside events to your key third parties, suppliers, and services, and then deciding if you need to take action.

    Geopolitical issues do not always arrive as dramatic, obvious events, although sometimes they do. War breaks out. Military tensions escalate. Governments impose sudden restrictions. Just as often, the impact shows up through day-to-day operations. A third party can look perfectly fine in a due diligence review and still carry real exposure because of where it operates, what it relies on, and how those dependencies are structured.

    Geography as a Starting Point, Not the Full Picture

    In many TPRM programs, geography is treated as a separate risk factor. Teams look at where a third party is based, where it operates, and which laws apply. Geography sets the foundation and shapes the legal, regulatory, and business environment for that third party.

    Geopolitical risk changes how we think about geography. A place that once seemed stable can quickly become difficult to operate in if sanctions shift, governments add new rules, or broader instability starts to impact business.

    When Stability Shifts Without Warning

    A region that seemed stable can change quickly. Conflict, political decisions, or new regulations can alter operating conditions with little notice. Third parties and key suppliers that looked safe yesterday might need attention today, even if the third party itself hasn't changed.

    That's the challenge so many TPRM teams face right now.

    The issue isn’t just that instability happens. It’s how fast it can impact critical third parties and their sub-servicers, even when you have strong due diligence and monitoring in place.

    A third party in a country that has been stable in the past can still face problems because of its dependencies. Subcontractors, infrastructure providers, logistics networks, and supply chains can all bring risk. Changes in regulations and cross-border rules can also affect how services are delivered.

    The impact doesn’t have to be local to be real. It often shows up as disruptions, delays, or changes in how services operate.

    Programs that solely depend on periodic reassessment will feel those impacts first. By the time the next review comes around, the situation might already be affecting operations.

    The Impacts of Geopolitical Events

    When things change, the impact rarely stays in just one area. It usually affects several risk areas at once.

      • Operational disruption as service delivery slows or degrades
      • Compliance pressure as sanctions, restrictions, or regulatory expectations change
      • Dependency exposure as subcontractors and providers are affected
      • Concentration risk when multiple services rely on the same region or provider

    Geography is only the starting point. The real impact comes from how it influences the rest of your third party ecosystem.

    What Deserves Your Attention

    This is where context and nuance matter. The event that gets the most attention isn’t always the one with the biggest impact on your operations. A major event somewhere in the world might not affect your third parties, but a quieter regulatory or policy change could have immediate effects on your operations, data, supply chain, or service delivery.

    The practical question is simple: Does this event connect to a specific third party, supplier, service, location, dependency, or requirement that matters right now? If you’re not sure, that’s where you should start looking.

    Where the Real Exposure Sits

    Organizations will often gather information about dependencies during due diligence, but that’s not the same as thoroughly assessing those dependencies. It also doesn’t mean the third party has examined its own third parties, providers, or sub-servicers as closely.

    The question is not always whether the third party itself is in an unstable region. Sometimes the third party looks fine, its geography looks fine, and the real issue sits deeper in the chain. Sub-servicers, supply chains, and infrastructure can be affected long before the direct third party shows visible signs of strain.

    Where Monitoring May Fall Short

    Many people use headline alerts, news aggregators, and general monitoring tools. These might help you stay informed, but more often create a lot of noise without much guidance.

    They tell you what’s happening, but not whether it matters for your third party environment.

    Where Risk Intelligence and Alert Services Add Value

    Risk intelligence services are more effective because they are designed to connect outside events to your third party group.

    Different services offer different capabilities. Some focus on company-level monitoring and alert you when a specific third party is affected. Others track geopolitical and regulatory developments across regions. Some provide visibility into supply chains and downstream dependencies, including subcontractors and infrastructure providers. Others focus on cyber or operational disruption tied to external events.

    Most programs depend on a combination of these capabilities.

    The real value comes from how well alerts are linked to your actual risks.

    A useful alert doesn’t just report that something happened in a region. It shows how that event connects to specific third parties, services, or dependencies.

    What This Looks Like in Practice

    A geopolitical alert might show up as:

      • A sanctions update affecting a region where a critical supplier operates
      • A regulatory change affecting data transfer requirements where a third party processes data
      • A conflict disrupting a logistics route tied to a supplier
      • A government restriction affecting infrastructure used by a subcontractor

    These alerts don’t need to be escalated right away on their own. They need context.

    The first step is to check if the alert connects to a third party, service, or dependency that is important to your business.

    If it does, the response can stay focused:

      • confirm whether the third party is directly affected
      • assess service continuity and contingency plans
      • check downstream providers and subcontractors
      • validate whether regulatory obligations have changed
      • document whether escalation or monitoring is needed

    The goal isn’t to react to every alert. It’s to quickly figure out what matters and what steps to take next.

    Making it Operational

    Managing geopolitical risk in TPRM comes down to three things: knowing which events are relevant to your specific third parties and dependencies, monitoring with tools that connect external developments to your actual environment, and having a program that can move from information to action. These elements reinforce each other, and all three need to be in place.

    Taking these actions can help.

      • Map exposure clearly. Know where your critical third parties operate, what they depend on, and which services are most important
      • Be able to report quickly. When something changes, you should be able to quickly identify affected third parties, including downstream dependencies.
      • Define triggers for action. Decide what kinds of changes require outreach, reassessment, or escalation
      • Assign ownership. Assign someone to review developments and decide on next steps
      • Keep responses proportionate. Not every development needs action, but the next steps should be clear when action is required.

    Conclusion

    Geopolitical risk is not going away, and the amount of information around it will only continue to grow. Most of that information will be noise. The difference for TPRM teams is whether they can filter it quickly and focus on what actually affects their third party ecosystem.

    That is the real work. Not tracking everything, but knowing what matters, when it matters, and what to do about it. When a TPRM program is built that way, it does not need to predict every disruption. It is already positioned to respond when it counts.

    Author Bio

    Hilary Jewhurst, Sr. Membership & Education Coordinator at TPRA

    Hilary Jewhurst is a seasoned expert in third party risk and risk operations, with nearly two decades of experience across financial services, fintech, and the nonprofit sector. She has built and scaled third party risk programs from the ground up, designed enterprise-wide training initiatives, and developed widely respected content that helps organizations navigate regulatory complexity with clarity and confidence.

    Known for turning insight into action, Hilary’s thought leadership and educational work have become go-to resources for professionals looking to mature their TPRM programs. She regularly publishes articles, frameworks, and practical guides that break down complicated risk topics into meaningful, accessible strategies.

    Hilary recently joined the Third Party Risk Association (TPRA) as a staff member, supporting industry-wide education, peer learning, and advancing best practices. She is also the founder of TPRM Success, a boutique consultancy that helps organizations strengthen their third party risk management capabilities through targeted training, tools, and strategic guidance.

  • Coordinating Third Party Incidents Across the Extended Enterprise | TPRM Exchange Podcast Episode 1

    In today’s third party risk landscape, the most significant incidents often don’t originate within your organization; they come from vendors, suppliers, and partners you depend on. When that happens, your team is left responding to an event you don’t control, with limited visibility and increasing pressure from leadership and regulators.

    In this episode of the TPRM Exchange Podcast, host Hilary Jewhurst sits down with Sagar Sudhir Behere, Enterprise (ERM) & Third Party Risk (TPRM) Oversight Senior Manager, to explore what effective incident response looks like in a third party context. Drawing from deep experience in resilience planning and complex outsourced environments, Sagar shares practical insights on how organizations can better coordinate, communicate, and respond when vendor incidents occur.

    “Early response is about decision-making under uncertainty—not perfect information.”

    Together, they discuss the key differences between internal and third party incidents, common misconceptions around vendor visibility, and why contractual protections alone aren’t enough. The conversation also dives into how to balance speed with accuracy, manage internal stakeholder tension, and build stronger recovery and resilience practices after an incident.

    “Move fast with awareness. Slow down with conclusions.”

    Whether you’re building or maturing your TPRM program, this episode offers actionable guidance to help you improve incident response coordination and strengthen your organization’s readiness.

    What You’ll Learn

      • How third-party incidents differ from internal incidents—and why that matters
      • What information is critical in the first hours of an incident
      • Common blind spots, including fourth-party dependencies
      • Why contracts don’t guarantee effective incident response
      • How to balance speed, uncertainty, and communication
      • What defines a truly successful recovery
      • A practical exercise to improve vendor incident readiness

    “You’ll learn more in one hour of a vendor scenario than months of questionnaires.”

    About the Guest

    Sagar Sudhir Behere is a recognized thought leader in Third Party Risk Management (TPRM) and Enterprise Risk Management (ERM), with decades of experience implementing innovative risk frameworks across Fortune 100s, Tech, FinTech, and FAANG organizations. As Head of TPRM at Circle Internet Financial, he has built Circle’s TPRM program from the ground up, achieving industry-leading efficiency and automation, including reducing vendor risk assessment processes by over 90%. His work integrates blockchain, AI, and automation to optimize compliance, risk oversight, and operational resilience.

    Sagar is an active contributor to industry standards and best practices, mentoring emerging leaders in risk management. He regularly shares his expertise at global conferences and the customer advisory board, influencing how organizations worldwide approach AI, automation, and blockchain integration in risk programs. His contributions are recognized for driving original, impactful solutions that redefine efficiency, governance, and innovation in global risk management.

    Have a question or topic idea? Send us your suggestions at: pod@tprassociation.org


Other Pages (362)

  • OneTrust | Vendor Member Profile

    Learn more about OneTrust, a TPRA Partner Member, through this comprehensive profile, including a bio, product functionality, contact info, and more.

    OneTrust TPRM Platform Partner Member

    CONTACT INFORMATION

    sales@onetrust.com

    Want to learn more? Watch this online demo!

    OneTrust empowers you to collect, govern, and use data with complete visibility and control. We help you streamline risk management, enforce compliance, and optimize data strategies for innovation — all while meeting regulatory and customer demands. Learn more at OneTrust.com.

    TOP PRODUCT FUNCTIONALITY CATEGORIES

      • Consent and Preferences
      • Privacy Automation
      • Third-party Management
      • Tech Risk and Compliance
      • Data Governance
      • AI Governance

    RESOURCES FROM THIS VENDOR MEMBER

      • Are you ready for DORA compliance? VENDOR MEMBER RESOURCE | March 18, 2025
      • Understanding and implementing APRA's CPS 230 Standard VENDOR MEMBER RESOURCE | March 18, 2025
      • Rise above risk: Third-party management in technology VENDOR MEMBER RESOURCE | March 18, 2025

  • Women Lead | Kelsey Theroux

    Learn about Kelsey Theroux, Third Party Risk Analyst for , and TPRA's WNTPRM June 2025 Leader Spotlight.

    Kelsey Theroux, Third Party Risk Analyst

    Biography

    Kelsey Theroux is a third-party risk professional with a strong background in compliance, due diligence, and operational resilience. She began her career in member-facing roles within the banking industry, where she developed a deep appreciation for the systems that uphold trust, accountability, and regulatory integrity. Her early experience in frontline operations naturally progressed into roles focused on backline operations and quality assurance. This foundation eventually led her into risk management, where she has led comprehensive third-party assessments and contributed to building scalable, centralized third-party risk programs.

    Currently between roles, Kelsey is taking this time to intentionally deepen her expertise in third-party risk, staying engaged with evolving frameworks, tools, and best practices. She believes effective risk management is not just about meeting regulatory requirements, it’s about fostering trust, supporting business continuity, and driving smarter, more resilient partnerships.

    Beyond her professional work, Kelsey is an active advocate for public health and community causes. She brings that same sense of purpose and dedication to everything she does, whether she’s strengthening an organization’s risk posture or helping drive change in her community.

    Leadership Characteristics

    Initiative-Driven, Collaborative, Detail-Oriented, Process Improvement, Strategic Thinker, Resilient, Adaptable, Educator and Mentor, Mission-Oriented.

    Leadership Challenges

    "When I stepped into third-party risk management, I faced the challenge of inheriting a program that was outdated and ineffective, all while having limited prior experience in the field. Drawing on my expertise in operations and operational efficiency, I approached the situation with confidence, focusing on streamlining processes and implementing effective strategies. By taking the time to learn the intricacies of third-party risk, I was able to apply my leadership skills to modernize the program, bringing it back up to date and making it more efficient. Through dedication and strategic improvements, I transformed the program into a functional, well-structured framework that aligns with current standards and the organization’s operational needs."

    Key Takeaways

    "One of the aspects I appreciate most about third-party risk management is the opportunity to dissect processes and uncover gaps. By pulling apart the due diligence of a third party, I can identify areas where vulnerabilities exist, not just within the vendor relationship but across the broader organization. This analytical approach strengthens risk management and presents opportunities to enhance efficiency in other operational areas. Addressing these gaps leads to a more resilient and well-structured framework."

    Fun Fact

    "I have been dancing since I was two years old, and it has been an incredible journey. From attending a performing and visual arts high school to competing in dance competitions, every step led to an exciting opportunity to earn a bronze medal as an Olympian in Modern and Jazz Dance. Competing for a spot on the USA dance team was a thrilling experience, and dance has always been a source of joy, discipline, and creativity in my life."

  • Aprovall | Vendor Member Profile

    Learn more about Aprovall, a TPRA Advocate, through this comprehensive profile, including a bio, product functionality, contact info, and more.

    Aprovall TPRM Platform Advocate

    CONTACT INFORMATION

    https://www.aprovall.com/en/book-a-demo/

    Aprovall is a European TPRM platform that centralizes third-party governance, risk, and compliance (TPGRC) across the full third-party lifecycle. From evaluation and onboarding to ongoing monitoring and offboarding, Aprovall gives procurement, compliance, legal, and risk teams a single system of record for managing third-party relationships. Trusted by 1,800+ public sector organizations and leading private companies across Europe. Recognized by Gartner in the 2025 Market Guide for Third-Party Management Technology. Organizations using Aprovall reduce administrative time by 25%, save 9 days monthly on third-party processing, and improve supplier response rates by 30%.

    TOP PRODUCT FUNCTIONALITY CATEGORIES

      • Centralized Third-Party Database (Single System of Record)
      • Third-Party Onboarding & Lifecycle Management
      • Risk Assessment & Tiering
      • Compliance & Regulatory Requirement Tracking
      • Cross-Functional Workflow Automation
      • Supplier Portal & Self-Service
      • Continuous Monitoring & Risk Intelligence
      • Audit Trail & Reporting
      • Document Collection & Management
      • ESG & CSR Due Diligence

    RESOURCES FROM THIS VENDOR MEMBER

      • TPRM Organizational Silos: How to Break Down Barriers VENDOR MEMBER RESOURCE | March 6, 2026
