Search Results
Events (4)
- Peaks & Pitfalls: Charting the TPRM Terrain. Tickets: $51.25 - $1,435.00. April 20, 2026 | 10:00 PM. 3801 Quebec St, Denver, CO 80207
- December 10, 2025 | 6:00 PM
- December 10, 2025 | 2:00 PM
Blog Posts (57)
- Achieving Third-Party Risk Management Program Compliance With Vendor Collaboration
Maintaining a compliant third-party risk management (TPRM) program involves active collaboration between multiple stakeholders. Compliance isn’t just an objective but a shared responsibility throughout your organization, from senior management and the board of directors to the business lines and vendor owners. Vendors themselves also have a responsibility to comply with TPRM policies and regulations, so it’s crucial to develop a strategy that involves effective collaboration. In this blog, you’ll learn some tips on collaborating with your vendors to achieve compliance in your TPRM program. You’ll also learn some next steps to take when a vendor is creating challenges in your compliance efforts.

How to Achieve Third-Party Risk Management Compliance Through Vendor Collaboration

TPRM program compliance involves more than just reacting to specific laws and regulations. It's about being proactive and considering internal policies, rules, and industry best practices that are designed to maintain effective TPRM programs. Below are some proactive strategies to collaborate with your vendor and achieve TPRM program compliance across multiple expectations and standards:

  - Set a culture of compliance – In order to effectively set expectations for your vendors' compliance, it’s advisable to first establish your organization's values and practices for your TPRM program. Organizations should communicate priorities internally to foster a culture of compliance that’s clearly understood and endorsed by all stakeholders. Once this culture has been established, it can be more effectively conveyed to your vendors, leading to smoother collaboration and program compliance.
  - Follow up on due diligence – Compliance issues are usually identified during the due diligence process as you collect and review the vendor's documentation. Follow up on any issues that were found and ask for clarification or more information as needed. In some cases, the vendor may have additional documentation that can verify its compliance with your expectations.
  - Negotiate a compliant contract – Make sure to include contract provisions that require both parties to comply with applicable laws and regulations. These provisions could relate to areas such as data protection, privacy, and breach notification requirements. Contract provisions could also outline any internal compliance requirements set by your organization, such as following your corporate policies or industry standards.
  - Communicate early and often – Don’t assume that your vendor is staying updated on changing regulatory expectations and industry standards. New state privacy laws continue to emerge, and cybersecurity standards are revised to address new vulnerabilities, so it's essential to frequently communicate your expectations to ensure the vendor is aware of relevant changes and is updating their processes as needed. This ongoing communication is key to building a collaborative partnership.
  - Work together on remediation – Just like compliance should involve vendor collaboration, so should remediation plans. Whenever there are issues with compliance, work with the vendor to develop a remediation plan that’s actionable, effective, and time bound. Vendors may be more responsive to requests for improvement if they collaborate on the remediation plan and can identify any roadblocks to success.

Addressing Challenges With Vendor Compliance

It’s not uncommon to face compliance challenges with vendors who might have different strategic goals and priorities. Some vendors may choose to do the bare minimum in compliance and only meet applicable laws and regulations. Here are some suggestions for handling a vendor that isn’t collaborative in your compliance efforts:

  - Talk with the vendor – First, sit down and have a conversation with the vendor about any issues to better understand their perspective. There may be a misunderstanding about a certain requirement, or they may not have the resources to meet your expectations. These conversations can help clarify your compliance goals and determine if you and the vendor can work toward an improvement plan.
  - Document issues and progress – Make sure to document any compliance issues and improvement plans, along with a time frame for remediation. It’s important to track any progress made on the compliance issue and regularly follow up with the vendor for updates until the issue is resolved.
  - Increase monitoring – In addition to documenting the compliance issue, you may need to increase your ongoing monitoring activities with the vendor. Depending on the issue, this may include more frequent reviews of the vendor’s financial health, business continuity risk, security testing, or negative news.
  - Move forward with the exit strategy – If the vendor isn’t following the requirements to an extent that’s too severe and beyond your risk tolerance, you may need to think about ending the relationship. Evaluate your plan for ending the relationship and start talking to the right people to make sure your organization can end the vendor relationship securely. Following through with your plan to end the relationship might take more time and resources, but it could be a worthwhile effort to keep your TPRM program in compliance.

Collaborating with your vendors through due diligence, careful contract negotiations, and remediation plans can be an effective strategy for TPRM program compliance. When you build a culture of compliance that extends to your vendors, your organization’s TPRM program can achieve many benefits, such as satisfying regulators and following your internal standards.
- Ensuring Compliance & Protecting Your Business: Navigating Risk Management Guidance from OCC, CFPB, FDIC, FFIEC, & DORA
Written by Supply Wisdom

It's important to remember that the primary objective of these regulatory bodies is to ensure that you are effectively protecting your business and your customers from unnecessary third-party risks. This approach aligns closely with third-party risk management best practices.

Key Regulatory Bodies and Their Guidance

Office of the Comptroller of the Currency (OCC)

The OCC's 2013-29 Bulletin outlines essential principles for third-party risk management. Key areas of concern include:

  - Planning: Ensure you have a comprehensive plan to manage third-party relationships.
  - Due Diligence: Evaluate vendors against your organization’s risk tolerance before onboarding.
  - Contractual Expectations and Enforcement: Define and enforce your expectations to limit liability.
  - Ongoing Monitoring: Continuously monitor vendor performance and maintain accountability.
  - Roles and Responsibilities: Assign clear roles and responsibilities within a structured framework.
  - Reporting: Track and document third-party relationships for reporting and analysis.
  - Transitioning: Develop contingency plans for service disruptions and transitions.
  - Auditing: Utilize objective evaluations to assess your processes and tools.

Consumer Financial Protection Bureau (CFPB)

The CFPB emphasizes protecting consumer interests, with guidelines ensuring that financial institutions manage risks effectively to avoid consumer harm.

Federal Deposit Insurance Corporation (FDIC)

The FDIC's risk management guidance focuses on maintaining the stability of the financial system. It requires banks to implement robust third-party risk management practices.

Federal Financial Institutions Examination Council (FFIEC)

The FFIEC provides a framework for financial institutions to assess and manage third-party risks, ensuring compliance and safeguarding operations.

Joint EU Supervisory Authorities

The joint EU supervisory authorities, including the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority, oversee the operational resilience of the EU financial sector. Together, these authorities oversee the Digital Operational Resilience Act (DORA), which mandates that firms:

  - Maintain Strong IT Systems: Ensure systems are resilient against cyber threats.
  - Regular Testing: Conduct regular tests to assess the effectiveness of their IT security measures.
  - Incident Reporting: Implement procedures for reporting significant cyber incidents.
  - Third-Party Risk Management: Extend risk management practices to third-party Information and Communications Technology (ICT) service providers.

Implementing Effective Third-Party Risk Management

The scrutiny of the financial services industry, as well as many other industries, continues to increase. It's not enough to simply have a supplier monitoring tool; you must have an effective risk management process, framework, and reporting structure to manage third-party vendors throughout their lifecycle.

About Supply Wisdom: Supply Wisdom provides real-time alerts and insights to help companies track and mitigate supplier- and location-based risks. Our comprehensive solution supports TPRM processes, including streamlined compliance with regulatory requirements. Contact us for more information or to get started with a free trial. Let us help you develop robust strategies and plans for third-party oversight within your organization.
- How to Determine Residual Third-Party Risk and Next Steps
By Hilary Jewhurst, Head of Third-Party Risk Education & Advocacy at Venminder

For many, residual risk is a confusing third-party risk management (TPRM) concept, but it’s important to understand how and when residual risk is calculated and its proper utilization in your TPRM program. Residual risk is a vendor’s remaining risk after controls have been applied. Determining a residual risk rating is important for two reasons: First, it helps determine if you need more or different controls before beginning or continuing a vendor relationship. For example, you might require the vendor to conduct more systems testing or implement more frequent monitoring to mitigate identified issues. Second, it helps determine if the residual risk is acceptable. For example, your organization may be willing to accept high residual risks if the vendor is the sole provider of a product or service crucial to meeting your goals. However, if an existing vendor has high residual risk and, after several attempts, fails to provide evidence of sufficient controls, you may decide to discontinue the relationship.

The Residual Risk Rating Process on Vendors

Let’s explore the steps to determine and assign a vendor’s residual risk rating:

  - Determine inherent risk: There’s always some level of risk with third-party products, services, and relationships. The specific types and amounts of those risks are typically identified during an inherent risk assessment, which considers the vendor’s raw risk, or the level of risk before any controls are applied.
  - Conduct due diligence: This involves reviewing and assessing a vendor's risk management practices and controls to mitigate the identified risks and determine if they’re sufficient.
  - Review vendor controls: These are systems and measures implemented to detect, prevent, or rectify unwanted events. They’re meant to mitigate the risks in vendor relationships, products, and services and provide reassurance in the risk management process.
  - Assign a residual risk rating: The level of residual risk can only be determined after completing due diligence, when a subject matter expert (SME) concludes the review of the vendor's controls and offers a qualified opinion regarding their sufficiency in mitigating the risk. In other words, do the vendor’s controls lessen those risks' likelihood, occurrence, severity, or impact? Many organizations quantify residual risk with a rating or score, often using the same risk scale for determining inherent risk, such as low, moderate, or high.
  - Understand your risk appetite: This is the level of risk your organization is willing to accept to pursue its goals and objectives. After determining a vendor’s residual risk, your organization will need to decide if that risk is acceptable or if you need to move on from the relationship.

Controls can't eliminate a vendor’s risks altogether. Think of it like a seatbelt in a vehicle. Wearing a seatbelt can lessen the likelihood of severe injury or death in an accident. Still, it can't prevent an accident, so additional controls are necessary, such as driving the appropriate speed limit. Most individuals recognize the risks associated with driving but are willing to take those risks with proper controls in place. That’s the concept of residual risk in a nutshell – are the controls enough to make you comfortable with the remaining risks while pursuing your objectives?

Calculating a Vendor’s Residual Risk

You need to know how to calculate a vendor’s residual risk. As a high-level concept, residual risk can be expressed as: Inherent Risk + Controls = Residual Risk. To further refine that concept with a calculation, you might consider one of these formulas:

  - Residual Risk = Severity × Probability: For example, a vendor accesses, processes, transmits, or stores personally identifiable information (PII). This has a high inherent information security risk because of the potential severity and probability of a data breach. The vendor has strong encryption and data de-identification controls, so if there’s a network breach, hackers won't be able to utilize much of the data, reducing the potential severity of the breach. The vendor also has regular penetration testing and proactively monitors for security events, which can lessen the probability of a breach. Here, the inherent risk is high, but the residual risk is moderate.
  - Residual Risk = Threats × Vulnerability: Another vendor also accesses, processes, transmits, or stores PII, and customers can access account data through a vendor-provided mobile app. Data could be accessed through the vendor network and the customer's mobile device, expanding the attack surface and increasing the threat of a breach. A review of the controls shows the vendor doesn't utilize multi-factor authentication, which increases the vulnerability to data theft or cyberattacks. Here, the inherent risk is high and the residual risk is also high.

There are other formulas organizations use to calculate residual risk. No matter which method you choose, it’s important to document your methodology and use it consistently, so there’s continuity in the decisions made with regard to residual risk ratings.

Avoiding the Most Common Residual Risk Mistakes in Vendor Risk Management

The residual risk rating should seldom be used to determine the frequency and intensity of core risk management and monitoring activities. That’s determined by the inherent risk rating. How often risk is re-assessed, the scope and frequency of due diligence, required performance management activities and review cadence, business continuity reviews, and monitoring requirements should all be aligned to the inherent risk. This is because controls that are only reviewed at a specific point in time may be effective initially but can become less effective or fail over time. Vendor risks are constantly changing, and external events like industry changes, regulatory updates, geopolitical developments, new technologies, or consumer behaviors are factors that can’t be influenced by a vendor's controls. A high-risk vendor with sufficient controls may have a residual risk rating of moderate, but that should never result in a decreased frequency or intensity of core risk management activities; the risks are still high regardless of the control environment.

In conclusion, residual risk ratings are best used as post-due-diligence data points to determine if more or different controls are necessary before you can confidently move forward with the vendor engagement and if the remaining risks are within your organization’s risk appetite.
Other Pages (503)
- Q4 Demo Day
DEMO: Q4 Demo Day, Wednesday, October 21, 2026
Date & Time: Wednesday, October 21, 2026 at 2:00:00 PM UTC
Intended Audience: TPRM Practitioners
Duration: 6 hours
CPE Credits: 0
Fee: Free
Event Description: The Third Party Risk Association (TPRA) invites you to attend "Demo…
To learn about the organizations presenting on this day, please visit our Demo Days page at www.tprassociation.org/demo-days/.
About These Events: Join the Third Party Risk Association (TPRA) for "Demo Days," where leading TPRM Service Providers showcase their solutions through 25-minute product demos tailored for TPRM practitioners. Explore cutting-edge tools, engage with vendors, and enhance your risk management strategies.
Who Should Attend: All TPRM practitioners, including TPRA Practitioner Members and non-members, are invited to these events. Employees of TPRM service provider organizations are not permitted to attend product demos unless they are affiliated with the organization presenting.
Cancellations: In the event that this session would need to be canceled, you will be contacted and invited to register for the rescheduled event.
Questions & Concerns: For more information regarding administrative policies such as complaints, please contact us at info@tprassociation.org.
CPE Credit: No CPE credits are provided for this event type.
- Roundtable: Strengthening Risk Terms and Third Party Accountability
LIVE WEBINAR: Roundtable: Strengthening Risk Terms and Third Party Accountability, Thursday, October 8, 2026
Date & Time: Thursday, October 8, 2026 at 3:00:00 PM UTC
Intended Audience: All TPRM Professionals
Duration: 1 hr
CPE Credits: 1
Fee: Free
Event Description: Join us on October 8, 2026, from 10 to 11…
Facilitated by: Julie Gaiaschi, CEO & Co-Founder | Third Party Risk Association (TPRA)
Julie Gaiaschi, CISA, CISM, is the CEO & Co-Founder of the Third Party Risk Association (TPRA). She has over 15 years of technology and information security risk experience, with the last 10 years specializing in third party risk identification and mitigation techniques. In her role as CEO, she provides strategic direction for the non-profit, whose mission it is to further the third party risk profession through knowledge sharing and networking. She also has a passion for helping others enhance their own third party risk management programs. In 2021, Julie was awarded "CEO of the Year" by Women in Governance, Risk, and Compliance. Prior to co-founding the TPRA, Julie consulted on third party risk for a large bank. She also developed and led a large health payer organization’s Third Party Security program. There, she established and executed the third party risk assessment process, which included integration into the Procurement process. Prior to her role as the leader over Third Party Security, Julie was a Senior IT Auditor. Julie resides in Iowa with her husband and two girls. She enjoys traveling and cooking.
About These Meetings: Monthly Member Meetings are held every second Thursday of the month. Join us for relevant and informative roundtables, panels, and/or presentations on TPRM topics and pain points our members noted within the 2025 end-of-year survey.
Who Should Attend: All TPRM professionals are invited to these events, including TPRA Practitioner Members, TPRA Vendor Members, and Non-members.
Cancellations: In the event that this session would need to be canceled, you will be contacted and invited to register for the rescheduled event.
Questions & Concerns: For more information regarding administrative policies such as complaints, please contact us at info@tprassociation.org.
CPE Credit: TPRA Members are eligible to receive 0.5 CPE credits for every 30 minutes of the LIVE meeting that they attend. (Ex. Attend for 30 minutes = 0.5 CPE credits. Attend for 1 hour = 1 CPE credit.) CPE Credit will be issued upon completion of the post-event survey. Please allow at least one week following the event to receive your CPE certificate.
- Q2 Demo Day
DEMO: Q2 Demo Day, Wednesday, May 13, 2026
Date & Time: Wednesday, May 13, 2026 at 2:00:00 PM UTC
Intended Audience: TPRM Practitioners
Duration: 6 hours
CPE Credits: 0
Fee: Free
Event Description: The Third Party Risk Association (TPRA) invites you to attend "Demo…
To learn about the organizations presenting on this day, please visit our Demo Days page at www.tprassociation.org/demo-days/.
About These Events: Join the Third Party Risk Association (TPRA) for "Demo Days," where leading TPRM Service Providers showcase their solutions through 25-minute product demos tailored for TPRM practitioners. Explore cutting-edge tools, engage with vendors, and enhance your risk management strategies.
Who Should Attend: All TPRM practitioners, including TPRA Practitioner Members and non-members, are invited to these events. Employees of TPRM service provider organizations are not permitted to attend product demos unless they are affiliated with the organization presenting.
Cancellations: In the event that this session would need to be canceled, you will be contacted and invited to register for the rescheduled event.
Questions & Concerns: For more information regarding administrative policies such as complaints, please contact us at info@tprassociation.org.
CPE Credit: No CPE credits are provided for this event type.