
Blog Posts (33)

  • How to Determine Residual Third-Party Risk and Next Steps 

    By Hilary Jewhurst, Head of Third-Party Risk Education & Advocacy at Venminder

    For many, residual risk is a confusing third-party risk management (TPRM) concept, but it’s important to understand how and when residual risk is calculated and its proper utilization in your TPRM program. Residual risk is a vendor’s remaining risk after controls have been applied.

    Determining a residual risk rating is important for two reasons:

    1. First, it helps determine if you need more or different controls before beginning or continuing a vendor relationship. For example, you might require the vendor to conduct more systems testing or implement more frequent monitoring to mitigate identified issues.
    2. Second, it helps determine if the residual risk is acceptable. For example, your organization may be willing to accept high residual risks if the vendor is the sole provider of a product or service crucial to meeting your goals. However, if an existing vendor has high residual risk and, after several attempts, fails to provide evidence of sufficient controls, you may decide to discontinue the relationship.

    The Residual Risk Rating Process on Vendors

    Let’s explore the steps to determine and assign a vendor’s residual risk rating:

    1. Determine inherent risk: There’s always some level of risk with third-party products, services, and relationships. The specific types and amounts of those risks are typically identified during an inherent risk assessment, which considers the vendor’s raw risk, or the level of risk before any controls are applied.
    2. Conduct due diligence: This involves reviewing and assessing a vendor's risk management practices and controls to mitigate the identified risks and determine if they’re sufficient.
    3. Review vendor controls: These are systems and measures implemented to detect, prevent, or rectify unwanted events. They’re meant to mitigate the risks in vendor relationships, products, and services and provide reassurance in the risk management process.
    4. Assign a residual risk rating: The level of residual risk can only be determined after completing due diligence, when a subject matter expert (SME) concludes the review of the vendor's controls and offers a qualified opinion regarding their sufficiency in mitigating the risk. In other words, do the vendor’s controls lessen those risks' likelihood, occurrence, severity, or impact? Many organizations quantify residual risk with a rating or score, often using the same risk scale for determining inherent risk, such as low, moderate, or high.
    5. Understand your risk appetite: This is the level of risk your organization is willing to accept to pursue its goals and objectives. After determining a vendor’s residual risk, your organization will need to decide if that risk is acceptable or if you need to move on from the relationship.

    Controls can't eliminate a vendor’s risks altogether. Think of it like a seatbelt in a vehicle. Wearing a seatbelt can lessen the likelihood of severe injury or death in an accident. Still, it can't prevent an accident, so additional controls are necessary, such as driving the appropriate speed limit. Most individuals recognize the risks associated with driving but are willing to take those risks with proper controls in place. That’s the concept of residual risk in a nutshell – are the controls enough to make you comfortable with the remaining risks while pursuing your objectives?

    Calculating a Vendor’s Residual Risk

    You need to know how to calculate a vendor’s residual risk. As a high-level concept, residual risk can be expressed as:

    Inherent Risk + Controls = Residual Risk

    To further refine that concept with a calculation, you might consider one of these formulas:

    Residual Risk = Severity × Probability: For example, a vendor accesses, processes, transmits, or stores personally identifiable information (PII). This has a high inherent information security risk because of the potential severity and probability of a data breach. The vendor has strong encryption and data de-identification controls, so if there’s a network breach, hackers won't be able to utilize much of the data, reducing the potential severity of the breach. The vendor also has regular penetration testing and proactively monitors for security events, which can lessen the probability of a breach. Here, the inherent risk is high, but the residual risk is moderate.

    Residual Risk = Threats × Vulnerability: Another vendor also accesses, processes, transmits, or stores PII, and customers can access account data through a vendor-provided mobile app. Data could be accessed through the vendor network and the customer's mobile device, expanding the attack surface and increasing the threat of a breach. A review of the controls shows the vendor doesn't utilize multi-factor authentication, which increases the vulnerability to data theft or cyberattacks. Here, the inherent risk is high and the residual risk is also high.

    There are other formulas organizations use to calculate residual risk. No matter which method you choose, it’s important to document your methodology and use it consistently, so there’s continuity in the decisions made with regards to residual risk ratings.

    Avoiding the Most Common Residual Risk Mistakes in Vendor Risk Management

    The residual risk rating should seldom be used to determine the frequency and intensity of core risk management and monitoring activities. That’s determined by the inherent risk rating. How often risk is re-assessed, the scope and frequency of due diligence, required performance management activities and review cadence, business continuity reviews, and monitoring requirements should all be aligned to the inherent risk.

    This is because controls that are only reviewed at a specific point in time may be effective initially but can become less effective or fail over time. Vendor risks are constantly changing, and external events like industry changes, regulatory updates, geopolitical developments, new technologies, or consumer behaviors are factors that can’t be influenced by a vendor's controls. A high-risk vendor with sufficient controls may have a residual risk rating of moderate, but that should never result in a decreased frequency or intensity of core risk management activities; the risks are still high regardless of the control environment.

    In conclusion, residual risk ratings are best used as post due diligence data points to determine if more or different controls are necessary before you can confidently move forward with the vendor engagement and if the remaining risks are within your organization’s risk appetite.

  • TPRA Leadership Ladders: The Benefits of Understanding & Utilizing Leadership Ladders in Career Progression

    “Emily was a mid-level manager in the risk management department of a major financial institution. One day, the company faced a significant challenge: a critical vendor experienced a data breach, exposing sensitive client information. The CEO tasked Emily with leading the Third Party Risk Management (TPRM) response team to address the crisis. Emily had handled vendor assessments before, but this situation required swift and decisive action. She quickly assembled a cross-functional team, including IT, legal, compliance, and communications experts. Emily knew that transparent communication and coordinated efforts were essential. She initiated daily briefings to keep everyone informed and aligned on the response strategy. Emily also reached out to the vendor, establishing an open line of communication to understand the breach's scope and implement immediate risk mitigation measures. Recognizing the need for long-term solutions, Emily led a thorough review of the company's TPRM framework. She identified gaps and proposed enhancements, such as more stringent vendor vetting processes and continuous monitoring systems. Her proactive approach not only mitigated the immediate risk but also strengthened the organization's overall TPRM program. The successful handling of the crisis and the subsequent improvements earned Emily high praise from senior leadership. Her ability to lead under pressure and implement effective risk management strategies led to her promotion to head of the TPRM division.”

    This anecdote highlights how taking charge in a TPRM crisis, fostering collaboration, and driving systemic improvements can propel career growth and demonstrate essential leadership qualities.

    TPRA’S LEADERSHIP LADDERS

    Originally developed by TPRA's Women in TPRM "Lead" work group, “Leadership Ladders” is a training activity designed for all current and aspiring leaders within the Third Party Risk Management (TPRM) industry. Each box on the slides and ladders-style game board is linked to a valuable resource–including customized guides, blogs, videos, quizzes, and more–with the goal of enhancing your leadership potential through buildable skills and expert insights. Any professional, regardless of what stage they're at in their career, can find value in this activity.

    “Leadership Ladders” involves focusing on the progression of leadership skills, traits, and responsibilities at different levels within an organization. It is a transformative experience that challenges you to evolve and grow.

    DIFFERENT LEADERSHIP LEVELS

    - Entry-Level Leadership: Focuses on the initial stage, key responsibilities, and essential skills (e.g., team leadership, basic project management).
    - Mid-Level Leadership: Covers the next stage, focusing on more complex responsibilities (e.g., departmental management, strategic planning).
    - Senior Leadership: Involves the traits and skills needed at the senior level (e.g., executive decision-making, vision setting).
    - Executive Leadership: Focuses on the top-tier leadership level, emphasizing overall organizational leadership and high-stakes decision-making.

    Each of these levels requires a new set of skills and understanding to meet its challenges, focusing on specific responsibilities and collaborative efforts. TPRA’s “Leadership Ladders” can assist with developing those skills no matter what level of leadership you are working towards.

    KEY CATEGORIES UNDER THE TPRA LEADERSHIP LADDERS

    - Core Competencies (Communication, Collaboration, Confidence, Cultivating Relationships, Coaching)
    - TPRM Lifecycle
    - Budgeting
    - HR Process Boundaries
    - Driving Strategy & Influencing Change
    - Navigating Executive Leadership Discussions
    - Crucial Conversations
    - Mentorship
    - Public Speaking & Getting Published

    LEADERSHIP LADDERS PLAY A CRUCIAL ROLE IN CAREER DEVELOPMENT FOR SEVERAL REASONS

    Structured Progression
    - Clear Pathways: Leadership Ladders provide a clear roadmap for career advancement, helping individuals understand the steps required to move up within an organization.
    - Goal Setting: They enable employees to set specific, achievable goals for their career progression, making it easier to track and measure success.

    Skill Development
    - Targeted Learning: Different levels on the Leadership Ladders require different skills. By understanding these levels, individuals can focus on developing the necessary skills for their current and next roles.
    - Continuous Improvement: Leadership Ladders encourage a mindset of continuous learning and improvement, essential for personal and professional growth.

    Increased Engagement and Retention
    - Motivation: Clear pathways for advancement can increase motivation and job satisfaction, as employees see tangible opportunities for growth.
    - Retention: Organizations with well-defined pathways to leadership often experience lower turnover rates, as employees are more likely to stay when they see potential for career advancement.

    Effective Succession Planning
    - Preparation for Leadership: Leadership Ladders help organizations identify and prepare future leaders, ensuring a smooth transition when current leaders retire or move on.
    - Consistency: They help maintain organizational continuity by ensuring that new leaders are well-prepared and aligned with the company's culture and values.

    Enhanced Organizational Performance
    - Better Leadership: As employees move up the ladder, they bring enhanced skills and experience to their roles, leading to more effective leadership and improved team performance.
    - Strategic Alignment: Leadership Ladders ensure that individuals at all levels understand and align with the organization's strategic goals, leading to more cohesive and focused efforts.

    Personal Growth and Fulfillment
    - Self-Awareness: Working through the Leadership Ladders activity requires self-assessment and reflection, helping individuals understand their strengths and areas for improvement.
    - Achievement: Successfully progressing through the Leadership Ladders activity provides a sense of accomplishment and personal fulfillment, contributing to overall well-being.

    Competitive Advantage
    - Attracting Talent: Organizations known for their strong leadership development programs are more attractive to top talent.
    - Market Positioning: Effective leadership at all levels enhances an organization's reputation and competitive positioning in the market.

    In summary, Leadership Ladders is great for both individuals and organizations. It provides a structured approach to career development, promoting skill growth, increased engagement, and retention. It also can assist with facilitating effective succession planning, enhance overall performance, and contribute to personal fulfillment. For organizations, they are a key tool in building a robust leadership pipeline and maintaining a competitive edge.

    CHECK IT OUT

    We encourage you to assess your current leadership level and work towards the next. Have fun and expand your knowledge: https://www.tprassociation.org/leadership-ladders – play TPRA’s thought-provoking Leadership Ladders game enriched with additional resources such as videos, interviews & quizzes, and whitepapers.

  • Challenges in Managing Fourth- and Nth-Party Risks and Solutions

    Managing third-party risks can be a complex task. With a changing regulatory and technological landscape, even experienced professionals find it challenging to stay on top of evolving risks. In addition to these difficulties, there are also risks associated with fourth parties – the vendors of your vendors. These additional parties can add another layer of complexity to third-party risk management (TPRM). Managing fourth and nth parties isn’t the easiest skill to master, but one that’s necessary to gain a broader understanding of your organization’s risk landscape. The good news is that there are a few best practices that can help. Once you know how to identify, assess, and manage your fourth and nth parties, your overall TPRM program will be much more effective.

    Challenges in Managing Fourth- and Nth-Party Risks

    Fourth parties are the vendors that have a direct contract with your third parties, while nth parties are essentially all the vendors of your fourth parties and beyond. As you can imagine, these degrees of separation can create many challenges when it comes to managing risk, such as:

    Solutions to Managing Fourth- and Nth-Party Risks

    When your organization has no direct relationship and no leverage to perform risk management activities, it can seem almost impossible to manage fourth- and nth-party risks. However, there are still practices to implement to mitigate the risks. The most effective strategy is to manage risk through your third parties, with whom you do have leverage. Here are five solutions to manage your fourth and nth parties:

    Managing fourth- and nth-party risk can be complex. While you may not have a direct relationship or contract with fourth parties, it’s crucial to ensure your third parties are transparent about their third-party relationships and have robust third-party risk management practices. Your organization needs documented evidence from your third parties of fourth-party risk assessments, due diligence, and monitoring to ensure your third parties are managing their vendors safely. This visibility will give your organization confidence in the appropriate management of fourth-party vendors.


Other Pages (418)

  • Building Effective Partnerships with Third Parties & the Business: Why Current TPRM Approaches Are Failing & What Can We Do About It

    Start Time: 3:00 PM, End Time: 3:50 PM. Track 1: Cultivating Sustainable Partnerships

    SESSION DESCRIPTION

    The way TPRM programs are being managed now has not changed in the past 10 years. There is a wide consensus that current practices are mainly about compliance versus actual risk management and that they are failing to provide actionable insights for the business and the third parties to act on. This leaves organizations unprepared to effectively address third party risk. In this session we will make the case for fundamentally changing TPRM with the goal of having a shot at actually managing third party risk.

    SPEAKER(S)

    Nick Sanna, President and Founder | FAIR Institute

    Nick is the President and Founder of the FAIR Institute, a research-driven not-for-profit organization dedicated to advancing the discipline of cyber and operational risk management through education, standards and collaboration. The FAIR Institute counts 16,000 members, with representation from 50% of the Fortune 1000. The Institute has been recognized by SC Media as one of the 3 most influential industry organizations of the last 30 years.

  • 2024 Virtual Conference

    TPRA 2024 Virtual Conference
    Beyond Compliance: Cultivating Sustainable Partnerships for Resilient Growth
    September 18, 2024 from 9 AM to 4 PM CT
    FREE TO ALL

    Join us for a transformative virtual conference designed for Third Party Risk Management (TPRM) professionals, hosted by the Third Party Risk Association (TPRA). "Beyond Compliance: Cultivating Sustainable Partnerships for Resilient Growth" is an essential event for industry leaders, practitioners, and stakeholders who are dedicated to advancing their TPRM strategies beyond mere compliance.

    WHY ATTEND

    In today’s dynamic business landscape, managing third-party risks is more crucial than ever. This conference will delve into innovative approaches to TPRM that not only ensure compliance but also foster sustainable and resilient partnerships. By attending, you will gain insights into best practices, emerging trends, and strategic frameworks that drive growth and resilience in your organization.

    KEY HIGHLIGHTS

    - Expert-Led Sessions: Engage with thought leaders and industry experts through presentations, panel discussions, and interactive sessions. Learn from their experiences and gain actionable insights.
    - Innovative Topics: Explore cutting-edge topics such as sustainable TPRM practices, integrating ESG (Environmental, Social, and Governance) criteria into risk management, and leveraging technology for more robust risk assessments.
    - Interactive Q&A: Send questions during presentations via the chat function to get insight straight from our expert speakers! Connect & engage with fellow TPRM professionals from around the globe.
    - Raffle Prizes: Opt-in to providing sponsors with your contact information for the chance to win awesome raffle prizes!

    WHO SHOULD ATTEND

    This conference is ideal for TPRM professionals, risk managers, compliance officers, procurement specialists, security professionals, auditors, and anyone involved in managing third-party risks. Whether you are looking to deepen your knowledge, stay ahead of industry trends, or network with peers, this event offers valuable opportunities for professional growth.

    REGISTRATION INFORMATION

    Join us on September 18, 2024, from 9 AM to 4 PM CT, and take your TPRM strategies beyond compliance to cultivate sustainable partnerships and drive resilient growth! Registration is FREE to ALL. Secure your spot today and be part of this pivotal event by visiting our registration page! We look forward to welcoming you to a day of learning, networking, and innovation! See below for more details on the agenda, speakers, and session topics.

    CONFERENCE SPEAKERS

    - Nick Sanna, President and Founder | FAIR Institute
    - Jacqueline Cooper, Senior Manager | Wipfli, LLP
    - Jonathan Ehret, Vice President, Business Enablement | Mastercard
    - John Finizio, VP, Security, Risk and Compliance | Whistic
    - Loren Johnson, Senior Director, Product Marketing | Aravo
    - Adelani Adesida, Senior Sales Director | Aravo
    - Paul Kurtz, Sr. Manager, Third Party Risk Management | First Century Bank
    - Roxane Romulus, Founding Partner, The TPRM Experts | The TPRM Experts
    - Vincent Scales, Sr. Director, Third Party Risk Management | Verizon
    - Paul Valente, CEO & Co-founder | VISO TRUST
    - Andy Fiumefreddo, Sr Manager, Third-Party Cyber Risk | American Family Insurance
    - Aaron Kirkpatrick, Chief Information Security Officer | Venminder, Inc.

    AGENDA

    All sessions are included in registration. This agenda is subject to change. Session times are in Central Time.

    - 8:55 AM to 9:00 AM, General Session: Welcome & Kick-Off. Julie Gaiaschi, CEO & Co-Founder of the Third Party Risk Association (TPRA)
    - 9:00 AM to 9:50 AM, Track 1: Cultivating Sustainable Partnerships: Mastering Resiliency with Third-Party Partners. Andy Fiumefreddo, Sr Manager, Third-Party Cyber Risk of American Family Insurance
    - 9:00 AM to 9:50 AM, Track 2: Ensuring Compliant Partnerships: 2024 TPRM Regulatory Roundup. Adelani Adesida & Loren Johnson of Aravo
    - 10:00 AM to 10:50 AM, Track 1: Cultivating Sustainable Partnerships: Up In The Air: How Other Areas of Non-Cyber Risk Can Impact Your Supply Chain. Jonathan Ehret, Vice President, Business Enablement for Mastercard
    - 10:00 AM to 10:50 AM, Track 2: Ensuring Compliant Partnerships: Using Regulatory Guidance as the Blueprint For Your TPRM Program. Paul Kurtz, Sr. Manager, Third Party Risk Management of First Century Bank
    - 11:00 AM to 11:50 AM, Track 1: Cultivating Sustainable Partnerships: Creating Safe and Secure Third-Party Partnerships. Aaron Kirkpatrick, Chief Information Security Officer of Venminder, Inc.
    - 11:00 AM to 11:50 AM, Track 2: Ensuring Compliant Partnerships: Managing Complexities in Types of Third Party Relationships. Roxane Romulus, Founding Partner of The TPRM Experts
    - 12:00 PM to 1:00 PM, General Session: Lunch Break
    - 1:00 PM to 1:50 PM, Track 1: Cultivating Sustainable Partnerships: Beyond Questionnaires: Strategies that create lasting Partnerships. John Finizio, VP, Security, Risk and Compliance for Whistic
    - 1:00 PM to 1:50 PM, Track 2: Ensuring Compliant Partnerships: Leading from the Front: Positioning Your TPRM Business Partners For Success. Vincent Scales, Sr. Director, Third Party Risk Management for Verizon
    - 2:00 PM to 2:50 PM, Track 1: Cultivating Sustainable Partnerships: Discover the Secret to Comprehensive Third-Party Oversight. Paul Valente, CEO & Co-founder of VISO TRUST
    - 2:00 PM to 2:50 PM, Track 2: Ensuring Compliant Partnerships: Best Practices for Threat and Vulnerability Response & Emergency Assessments. Ed Thomas, Senior VP of ProcessUnity
    - 3:00 PM to 3:50 PM, Track 1: Cultivating Sustainable Partnerships: Building Effective Partnerships with Third Parties & the Business: Why Current TPRM Approaches Are Failing & What Can We Do About It. Nick Sanna, President and Founder of FAIR Institute
    - 3:00 PM to 3:50 PM, Track 2: Ensuring Compliant Partnerships: Securing Your Future: Mastering Third-Party Frameworks. Jacqueline Cooper, Senior Manager of Wipfli, LLP
    - 3:50 PM to 4:00 PM, General Session: Closing. Speaker information coming soon!

  • CERTIFICATION RENEWAL | TPRA

    TPRA Certification Renewal

    In order to maintain certification status, earners will be required to renew their certification ($100 for Standard, Vendor, and Non-members; $85 for Premium Members), and to submit evidence of at least 20 Continuing Professional Education (CPE) credits on an annual basis. Using the form below, you can submit payment for your Certification Renewal.

    Submit Payment

    Please complete the form to submit payment for your Certification Renewal. Please note: Failure to provide the payment amount accurately associated with your Membership Status may result in your Certification Status being revoked, and put your eligibility for future TPRA certifications under consideration by TPRA Staff, Certification Program Personnel, and the TPRA Board of Directors. All information in the form will be reviewed and validated by TPRA Staff. Any discrepancies may delay your Certification Renewal. TPRA reserves the right to revoke Certification Status from any person, at any time, and for any reason.

    The form asks which certification you are renewing and for your membership status (this will be validated prior to receiving your renewal approval), along with your first name, last name, email, title/role, and organization. Payment options: Standard, Vendor, & Non-Member - $100; Premium Member - $85.

    By completing and submitting this form, you attest that your answers are truthful to the extent of your ability and knowledge. Failure to provide accurate information will result in your certification status being revoked and put your eligibility for future TPRA certifications under consideration by TPRA Staff, Certification Program Personnel, and the TPRA Board of Directors. Please check the box to confirm your understanding & agreement of the above statements.

    After submitting payment for your Certification Renewal, you will be notified upon review & approval. Once approved, your Credly Badge will be reissued. Please ensure you have submitted at least 20 hours of Continuing Professional Education (CPE) credits using the form below in order to be approved for renewal.

    Continuing Professional Education (CPE) Credits

    Using the form below, please submit evidence of your receipt of CPE credits for the current year. You must complete the form separately for every event/training/education or other instance of receiving CPE credits. All TPRA Certifications require 20 hours of evidence per year.

    Please note: It is necessary that you have a Site Member Account in order to submit materials to this form and track hours. If you are already a TPRA Member, you already have a Site Member Account. If you are not a TPRA Member, please create an account by selecting "Member Log In" above. You do not need to become a TPRA Member in order to create a Site Member Account.

    The CPE form asks for your first name, last name, email, the title of the event/training/education, the name of the organization that hosted the event, whether the event was in-person or virtual, the start date of the event, the CPE credits earned, a brief description of the training/event, and an uploaded file as evidence of the CPE credit(s) earned.
