
  • Taking a Risk-Based Approach to Procurement: The Importance of Executive Buy-In

    It’s time for executives to rethink the role procurement professionals hold in organizations, and this shift is critical to reducing organizational risk, boosting resilience, and increasing return on investment (ROI). While the traditional approach to procurement centered on margin impact and managing suppliers from an operational perspective, there is an evolution taking place requiring forward-thinking organizations to focus on the long-term strategy and impacts that the role is playing in today's world. This increased recognition of the vital position of procurement is seen across all industries, and according to Deloitte Insights, “CPOs are successfully navigating… complexities while delivering across a greater breadth of KPIs. Although they are still heavily focused on costs, they have expanded their value propositions to influence demand, drive innovation, and work closely with strategic suppliers and partners to foster commercial compliance, increase speed to market, accelerate M&A integration/divestiture programs, and drive continuous improvement.” (Deloitte Insights)

    There are high-stakes risks that necessitate procurement’s shift to a more holistic strategy. However, without the buy-in and support of executives, these initiatives can lose momentum and support.

    Why a Risk-Based Approach to Procurement?

    No longer can procurement departments solely serve cost-savings functions. They must also be aware of risks introduced by key suppliers and be provided with the appropriate tools and technology to proactively manage them before major losses or breaches occur. Heightened risk areas that are leading this necessary shift in procurement’s functions include:

    - Isolated or siloed procurement functions: Traditional procurement departments were de-centralized from the larger organization and focused on transactional, short-term initiatives. Organizations that still exemplify these silos face challenges when it comes to managing risks from all angles. Driving collaboration and strategic initiatives between departments from the top down is a best practice for eliminating these silos, while still managing a daily workload of financial responsibilities.
    - Elevated third-party risks: Third-party risks are rising, and can take the forms of cyber-attacks, supply chain delays, component shortages, sustainability challenges, and more. While the incidence of these events rises, organizations are increasingly being held accountable, and procurement plays a critical role in managing vendor relationships.
    - A multitude of unorganized, decentralized data points: Procurement professionals deal with a huge amount of data related to personnel, financial, operational, regulatory, contractual, and more. When this type of information is stored on different platforms, inconsistent, incomplete, or managed by different teams, procurement cannot gain proper insight into potential external risks facing the organization.

    Transforming Chaos into Clarity

    As the role of procurement has evolved, procurement professionals are moving from transactional managers to strategic relationship managers, focusing on developing and managing a wide variety of data points across all aspects of their supplier relationships. In order to understand the riskiness of suppliers and third parties, procurement professionals need to wade through all of this information with efficiency and ensure alignment with both company strategies and global regulatory mandates. To do this, third-party risk management software needs to be available that provides centralization of data, full visibility, and documentation for audit trails. Procurement needs to play a key role in managing and utilizing this software in order to monitor vendor relationships and performance.

    In addition, it is imperative that procurement maintains healthy, collaborative internal relationships to ensure that organizational teams like IT, compliance, finance, sustainability, and others are well informed, with real-time visibility to potential risks, and are able to sustain positive working relationships with suppliers.

    Areas Where Executives Can Assist Procurement

    Without the buy-in and support from executives and key stakeholders, procurement teams will not be able to make holistic risk management improvements. While not everything will be implemented immediately, there are general aspects of agility that should be on procurement and executives’ agendas, including:

    - Empowerment and a culture shift: Perhaps the most important area to undertake is to embrace the power that procurement holds within an organization. During the years since the pandemic, CPOs and their teams protected their organizations, and executives should continue to take notice of these critical functions. Procurement should be empowered to include themselves in company strategy and products that matter, build teams to better combat emerging risks, and find ways to drive positive change.
    - Thinking holistically: To take TPRM beyond a single function and into holistic areas for acceleration, CPOs should be empowered to focus on their collaboration and influence across job functions, not just as a spend relationship. Being involved in the entire third-party/supplier relationship management process ensures agility. This allows prioritization of suppliers who may pose a higher risk to an organization, rather than relying on a one-size-fits-all procurement strategy that may allow risks to fall through the cracks.
    - Company strategy: By shifting a primary focus to long-term initiatives and goals, procurement professionals can gain a greater foothold in wider organizational strategy. This includes determining risk management priorities, and working with risk, legal, executive, and other teams to better manage supplier onboarding, relationships, and risks. By being in tune with company strategy and thinking of procurement activities from a risk-based approach, procurement teams step out of the shadows and into more collaborative roles.
    - Digital transformation: A key step to take is to build scalable practices rather than one-off pilot programs. By prioritizing data cleanup and investment in TPRM tools that can build centralization and efficiency, CPOs can work with executives to see positive impacts across the organization that support overall risk management. If there are challenges with incorporating digital procurement technology into an organization, gaining executive sponsorship is a critical way to garner support and investment in the tools that will assist in procurement and supplier data. Emphasizing both short- and long-term goals and wins, and how these technologies will drive organizational resiliency and agility, can be critical when approaching executives.
    - Environmental, Social, Governance (ESG) urgency: The magnitude of environmental, social, governance (ESG) regulations and compliance is reshaping how organizations manage suppliers, affecting not only procurement, but legal, compliance, risk functions, executives, and more. With concerns such as climate change, eliminating human trafficking and modern slavery from supply chains, identifying and eliminating corruption, etc., procurement must work with executives to take a driving role in ensuring that third-party vendor relationships are compliant and ethical.

    Shifting Company Culture for Procurement Success

    Maintaining healthy supplier relationships is not just about onboarding; it also must include managing risk, quality, and performance of suppliers, assuring compliance where needed, while still owning the transactional responsibilities that are at the foundation of this role.

    The procurement team is the bridge between the enterprise and the extended enterprise: the organization and its suppliers. No one knows suppliers as intimately as procurement. They, like no other function, can make predictive connections between their suppliers and the risks they may pose to the enterprise. In addition to mitigating risk, procurement has the unique opportunity to drive innovation for the enterprise by partnering with suppliers to identify new products, materials, capabilities, and offerings.

    In order to manage these responsibilities, drive efficiency, and take a risk-based approach to procurement, executives within a company need to recognize procurement’s strategic value to the organization. They must step up to establish an organization-wide culture that empowers procurement to be a driver in managing the full lifecycle of their organization’s supplier and third-party relationships.

    Aravo provides centralized, automated TPRM solutions to help procurement and other risk teams proactively manage risks and build resilience throughout their organizations. To learn more, speak with one of Aravo’s experts today.

    Author Info: Hannah Tichansky is the Senior Content Marketing Manager at Aravo Solutions, the market’s smartest third-party risk and resilience solutions, powered by intelligent automation. At Aravo, she manages all content and thought leadership produced for products and campaigns and contributes as an author for articles and blog posts. Hannah holds over 13 years of writing and marketing experience, with 7 years of specialization in the risk management, supply chain, and ESG industries. Hannah holds an MA from Monmouth University and a Certificate in Product Marketing from Cornell University.

  • How Third-Party Risk Management Helps Combat Vendor AI Risk: Mitigating New Risks With Established Processes

    Artificial intelligence (AI) is everywhere, and it’s transforming the way we live and work. It’s rapidly revolutionizing industries with its potential to solve complex problems, enhance decision-making, and improve efficiency. As such, the integration of AI into many products and services offered by third-party vendors to organizations is also becoming more widespread, many times without the organization’s awareness.

    Understanding the Risks of Third-Party AI

    AI is an impressive technology, but it also comes with significant risks, especially when it’s integrated into vendor products or services. Let’s examine two of the most common risks of third-party AI usage:

    - Data security and privacy – AI systems need a significant amount of data to function efficiently. Therefore, it’s essential to protect the data from theft and misuse. AI systems may access different types of data such as:
      - Customer/consumer information and personally identifiable information (PII): This includes addresses, driver's licenses, passports, family members, financial or health information, social media or web use data, shopping behaviors, and more.
      - Sensitive company data: This includes employee records, financial information, customer data, legal and compliance information, supply chain inventory, logistics, forecasting, and all types of intellectual property.
    - Compliance and legal – It’s vital to understand there are significant legal and compliance concerns related to the use of data and other assets when they’re accessed and processed with AI. The use of AI in data processing may be subject to numerous laws and regulations, including:
      - Health Insurance Portability and Accountability Act (HIPAA)
      - Children's Online Privacy Protection Act (COPPA)
      - Gramm-Leach-Bliley Act (GLBA)
      - Electronic Communications Privacy Act (ECPA)
      - California Consumer Privacy Act (CCPA)
      - Numerous state privacy laws
      Additionally, there’s a risk of violating permissible use requirements preventing out-of-context, unrelated, or unfair use of data.

    While these are two significant risks associated with AI, they’re not the only ones. Ethical risks, including bias and fairness, require attention, as do algorithm transparency, financial risk, and intellectual property risks. As AI technology becomes more widespread, the risks associated with it are also expanding.

    Identifying AI Risk in Your Third-Party Vendor Portfolio

    You likely have third parties who are currently using AI in their products and services. If you haven't done so already, it’s important to identify these third-party vendors and assess the specific AI risks they pose to your organization and customers. It's crucial to update your third-party risk management (TPRM) framework and tools to include AI risks. However, many TPRM programs haven’t incorporated AI risks, and it’s important to address this issue now. A practical, two-prong approach can ensure you’re identifying existing third-party AI risks and building the infrastructure to properly assess and mitigate them:

    Getting started – Develop a short questionnaire to help identify the products and services utilizing AI. Here are three suggested questions that can provide a wealth of information:

    1. Has AI technology been used in the research, development, or production of any of your products or services? It's worth noting that different types of AI carry different levels of risk. For instance, a vendor might use image recognition for research purposes, generative AI to create a system that interacts with customers directly, such as a chatbot, or machine learning to identify fraud across a series of transactions.
    2. Are there any plans to incorporate AI in your products, services, or operations? It's crucial to consider that your third-party vendor's adoption of AI can significantly impact your organization, even if they aren't currently using it today.
    3. Do you have any policies on employee use of AI? Inquire whether your third-party vendor has any limitations or prohibitions regarding the workers' usage of AI for work-related assignments. With the increasing popularity of generative AI systems such as ChatGPT, it’s essential to understand how your vendor is supervising the utilization of such technologies among their employees, especially if the AI-based service uses the data input to train its model.

    Begin with your critical and high-risk vendors and work your way down the list. This simple approach can help you determine where additional due diligence and risk reviews are needed.

    Updating your TPRM framework – It's not enough to identify third-party vendors with AI; you’ll also need proper tools and processes to ensure they have adequate AI risk management practices and controls, and that risks are well-managed and monitored throughout the contract. This means incorporating AI risk across your entire TPRM framework. Here are key areas to review and update:

    - Incorporate AI-related questions in the inherent risk assessment
    - Update vendor questionnaires to include AI-related questions
    - Identify the types of due diligence documentation you’ll request as evidence of AI controls
    - Review and update standard contract language to address AI risks
    - Consider how AI will be factored into third-party performance monitoring and management
    - Consider how AI will be factored into third-party risk monitoring
    - Update governance documentation
    - Evaluate stakeholder education and collaboration

    Note: Don’t overlook this important consideration! It’s crucial to update your TPRM processes and tools with a sense of urgency. However, it should be noted that AI isn’t yet as well understood as other established risk domains. Even experienced TPRM professionals may face unique challenges when dealing with AI, which could lead to delays, rework or, in the worst case, ineffective risk identification, assessment, and management. To help prevent these AI challenges and issues, your organization should find and work with a qualified AI subject matter expert who can guide you through the process of updating the TPRM framework. This expert can help determine the right questions to ask on a vendor risk questionnaire, identify the appropriate due diligence documents, and provide ongoing support for vendor risk reviews. If you don't have access to this expertise within your organization, you may need to engage external resources or consultants.

    By taking this simple approach, your organization can begin to identify vendor AI usage within your organization and start taking steps to mitigate the risks. This will leave your organization in a safer, more prepared position.

  • Unveiling the Power of Conferences: The Impact of Conferences on Industry Insights and Innovation

    With our 2024 in-person conference just around the corner, Third Party Risk Association (TPRA) would like to share the wide array of benefits which come from attending an industry-specific conference. In the ever-evolving landscape of professional development and networking, conferences stand out as vibrant hubs for knowledge exchange, innovation, and collaboration. Throughout this five-part blog series, we will delve into the multifaceted advantages that conferences offer. Each installment will explore a different facet of how conferences empower individuals and organizations alike.

    Today’s blog focuses on the Impact of Conferences on Industry Insight & Innovation. It highlights how these events provide a platform for professionals to engage with peers and leaders in the exchanging of research, trends, and innovative ideas. Attendees benefit from interactive sessions, panel discussions, and networking events, gaining insights that fuel forward-thinking strategies. This blog will explore how attendees can maximize these opportunities for staying updated, engaging with industry leaders, and contributing to their respective fields' growth.

    Embracing Technology, Trends, & Research

    Conferences are a conduit for collaboration on emerging risks, solving for TPRM challenges, and working together on new and innovative approaches to mitigate third party risk. These interactions not only deepen individual knowledge, but also contribute to industry growth and development by promoting innovation and shaping future techniques. Attending the Third Party Risk Madness conference will help you stay updated on the latest advancements in technology and industry trends. With 56 total sessions spread over 4 days, including three keynote speakers, 12 roundtables, and four demo sessions, you can gain insights from knowledgeable industry professionals. Participate in sessions on technology and emerging risks, engage with industry leaders during networking events and roundtable sessions, and follow up with speakers and attendees post-conference for further discussions and insights.

    View the full agenda >

    Following a conference, thank speakers and attendees for their insights, follow up through email or social media, share thoughts on their presentations, ask about resources available, and offer to connect via coffee meetups, virtual discussions, or collaborative projects to strengthen relationships and foster knowledge sharing. This ensures that conversations don’t stop with the conference, and that you, as a practitioner, can further develop ideas discussed at the event and work to implement new TPRM strategies.

    Conference materials can be a great resource for deepening your understanding of the topics covered. They allow you to not re-create the wheel and implement strategies and processes that have worked for others. They can also validate mature processes your organization has in place, thereby adding credibility to your program.

    Before attending a conference, conduct thorough research to understand the latest research findings and emerging trends that the conference may be addressing. Explore publications, industry reports, and articles to understand the current landscape and find key topics, challenges, and innovations to discuss. Bring those thoughts, ideas, and questions to the conference and actively participate in conversations during presentations and roundtables. Also come with pain points and questions from your own program to benchmark off fellow peers in similar situations.

    Professional Development

    Conferences offer professional development opportunities to enhance attendees' skills, knowledge, and capabilities. Workshops and training sessions cover emerging technologies, best practices, and industry-specific regulations. Networking opportunities promote mentorship, knowledge sharing, and learning, allowing attendees to broaden their perspectives and gain insight from experienced professionals.

    Take notes during sessions to capture key insights, ideas, and strategies shared by speakers and panelists that you do not want to forget. Use these notes to transform concepts into plans, driving change within your organization, and start discussions about innovative TPRM approaches. Oftentimes, an idea from a conference can influence your perspective on processes and activities within your organization.

    Use networking breaks and social events to set up connections with industry peers, potential mentors, and collaborators. As we discussed in our last blog, networking is the best way to connect with fellow attendees and collaborate with industry peers. Make sure to take advantage of opportunities such as networking events and lunchtime meetups to foster conversations that could lead to future partnerships.

    Conclusion

    Attending conferences like our very own Third Party Risk Madness provides opportunities for professional growth and networking. Attendees can stay updated on technological advancements and engage in discussions with industry leaders. Post-conference follow-ups allow for collaborations. Conference materials promote understanding, particularly in Third Party Risk Management, pushing for deeper exploration. Networking breaks allow connections with professionals, mentors, and potential collaborators, paving the way for future partnerships. Prior to attending the conference, research emerging trends to ensure active participation and meaningful contributions.

    Join us at Third Party Risk Madness – where basketball, business, and TPRM unite for an epic showdown of innovation and success. Dribble your way to victory in Phoenix, Arizona, on April 9-12, 2024! Secure your court-side seat and take advantage of exclusive offers here. Hurry, space is limited, and you won't want to be left on the bench for this thrilling event.

  • Unveiling the Power of Conferences: How Networking at Conferences Propel Professional Relationships

    With our 2024 in-person conference just around the corner, TPRA would like to share the wide array of benefits which come from attending an industry-specific conference. In the ever-evolving landscape of professional development and networking, conferences stand out as vibrant hubs for knowledge exchange, innovation, and collaboration. Throughout this five-part blog series, we will delve into the multifaceted advantages that conferences offer. Each installment will explore a different facet of how conferences empower individuals and organizations alike.

    Today’s blog will highlight the notable benefit of NETWORKING in conference settings, including sharing industry insights & trends, building connections, and participating in collaborative forums, as well as some tips for enhancing your networking skills at conferences.

    Learn from industry experts:

    Within a networking environment like a conference, you can discuss a wide variety of topics with industry experts and peers. This allows you to gain a deeper understanding of your particular area of interest. It can also expand your horizons with new conversation topics by interacting with established and seasoned industry professionals within, or even outside of, your field. Attending conferences provides a special chance to network with peers and fellow industry professionals within an in-person setting. Engaging and participating in activities offered such as panels, roundtables, and in-house networking events provides you with valuable knowledge and understanding not regularly gained from an online setting. By simply talking to other seasoned professionals and tapping into their knowledge and expertise, you are able to gain a more in-depth understanding of new technological innovations, industry trends, and best practices. Through these interactions, you can evaluate ideas, deepen your knowledge base, and get access to expertise and information that is not typically available through conventional channels.

    Building meaningful connections:

    Professionals from various organizations, backgrounds, and positions come together at conferences, which results in the perfect setting for building deep connections. Whether it is during a special networking event, a roundtable, or even just a coffee break, conferences offer a plethora of networking opportunities. During these opportunities, you are able to build potential connections, partnerships, and collaborations by striking up conversations and exchanging contact details. These relationships grow your professional network and offer a helping hand in overcoming current challenges, as chances are that someone else has already gone through what you are going through.

    “Networking is so important for any professional and is how TPRA was founded,” Julie Gaiaschi, CEO & Co-Founder of the Third Party Risk Association, said. “I met my former partner at a TPRM-related conference. He was a speaker and after his presentation, I went up to him to ask him questions as it relates to developing a new TPRM program. The discussion turned into benchmarking sessions over Zoom. I then said if we have these questions, others do as well. Thus started a roundtable that turned into TPRA. At the time, I had no idea what that conversation would lead to. So often I hear from others how networking has led to a career opportunity, a program enhancement, or a personal opportunity.”

    Conference networking makes it possible to create lasting relationships that go beyond the mere exchange of business cards and LinkedIn connections. These relationships act as a basis of support, providing motivation, guidance, and useful knowledge that promotes both professional and personal development. By dedicating time and energy to developing these connections, conference goers create the basis for collaborative projects, shared knowledge, and ongoing relationships that strengthen their careers and personal lives.

    Exploring Collaborative Opportunities

    Among the main advantages of networking at conferences is the chance to explore collaborative efforts with peers and business associates. Conferences serve as a nurturing environment for creativity and cooperation, creating settings in which concepts can be exchanged, improved upon, and cooperatively carried out. You might find opportunities for collaboration on joint research projects or business ventures with other practitioners through discussions, brainstorming sessions, and informal interactions. Conference discussions have the power to push innovation, advance your industry, and leave a lasting impression.

    Keeping Up With Industry Trends

    Keeping up with industry trends and developments is crucial for professional development and organizational success in today's rapidly shifting business landscape. Attending conferences offers networking opportunities that give you a firsthand look at the newest developments in technology, industry trends, and changes in laws and regulations. Through talks with key individuals, attending keynote discussions, and taking part in sessions specific to your industry, you can learn a great deal about the opportunities and problems that are new to your field. You can use this knowledge to position your organization and yourself for future success by preparing for changes in the market and adjusting your strategies accordingly.

    Here are some additional tips for enhancing your networking skills:

    - Set Objectives: Establish your networking objectives before you go to the conference. Think through your goals, whether they involve expanding your professional network, looking for collaborative opportunities, or learning about the latest market developments.
    - Do Your Research: Prior to the conference, spend some time learning about the panelists, speakers, and other attendees. Learn about their professional backgrounds, accomplishments, and areas of specialization to find common ground and possible conversation starters.
    - Don't Be Afraid To Initiate The Conversation: Instead of waiting for a professional to approach you, strike up a conversation with other attendees. During meals, breaks, or networking events, approach people and introduce yourself with confidence. Utilize networking games and activities provided by the hosting organization as a jumping-off point for striking up conversations. These games are designed to encourage discussion and create a platform for attendees to interact with each other in meaningful ways, so take advantage of them.
    - Attend The In-House Networking Events: Take advantage of the social events, receptions, and networking opportunities that are planned as part of the conference schedule. Our upcoming conference features two all-attendee networking events, plus additional invite-only events for select attendees! These casual settings offer incredible opportunities to establish stronger connections, share contact details, and engage with peers.
    - Use Social Media: Make use of social media sites like Instagram, X (formerly known as Twitter), and LinkedIn to expand your professional network outside of the conference room. Engage online with other attendees and share thoughts, pictures, and highlights from the conference.
    - Follow Up: Follow up with people you met at the conference to stay in touch and keep the conversation going even after the event ends. Send personalized emails thanking the recipient for their time while giving ideas for future collaboration or interactions.

    Attending conferences provides plenty of networking opportunities, such as access to industry knowledge, opportunities to form close relationships, a look into collaboration possibilities, and staying up to date on industry developments. Participating in networking activities during conferences can help you build a larger professional network, acquire valuable insight, and establish yourself as an expert in your field. As you prepare for your next conference, take advantage of the opportunities for networking and collaboration, and don't pass up the chance to grow both yourself professionally and your company's success.

    And where better to use your new networking skills than at TPRA’s very own Third Party Risk Madness conference! Join us at Third Party Risk Madness – where basketball, business, and TPRM unite for an epic showdown of innovation and success. Dribble your way to victory in Phoenix, Arizona, on April 9-12, 2024! Secure your court-side seat and take advantage of exclusive offers. Hurry, space is limited, and you won't want to be left on the bench for this thrilling event. [Register Here] Our discounted hotel room block ends on March 11th.

  • Navigating Third Party Risk Management: A Comprehensive Guidebook Overview

    This blog was inspired by the January 2024 TPRA Practitioner Member roundtable facilitated by TPRA CEO Julie Gaiaschi. (To watch the full presentation, TPRA Members can visit our On-Demand meetings and navigate to the January 2024 meeting recording.)

    The management of third party risks has become a major priority and area of focus for companies across a variety of industries because of the constantly changing nature of business operations. Recognizing the nuances and challenges that come with this field, the Third Party Risk Association (TPRA), along with a dedicated team of TPRM practitioners and service provider organizations, worked towards creating a comprehensive guidebook that assists in navigating the creation and implementation of a comprehensive Third Party Risk Management (TPRM) program.

    The Development of the Guidebook

    TPRA’s “Third Party Risk Management 101 Guidebook” was created not as a standalone project but as a collaborative effort that included feedback from an extensive group of TPRM professionals and service providers from a diverse range of industries. Over monthly meetings spanning three years, this group discussed various subjects related to TPRM tools, topics, and trends. Each aspect of a strong TPRM program was carefully examined and discussed by TPRA’s focus group members, from clarifying best practices to anticipating emerging risks and aligning with regulatory guidelines. This comprehensive process of discussion, analysis, and synthesis is where the guidebook originated. With input from numerous stakeholders, the guidebook gradually took shape, undergoing a year-long editing process to condense the vast amount of material into a user-friendly format enhanced with graphics, insights, and real-world examples.

    Unveiling the Guidebook: A Deep Dive

    Building a TPRM program is not unlike building a house. The first step is always to make sure it’s built on a solid foundation so that it may withstand the inevitable storms to come. The TPRA guidebook gives you the tools and materials needed to begin building a successful and productive TPRM program brick by brick. The TPRM guidebook's foundation is a lifecycle approach, outlining a strategy and framework that encompasses the entire spectrum of TPRM. Let’s dive into its key phases:

    Navigating the Guidebook

    Navigating the TPRM guidebook is easy due to its informative graphics, detailed definitions, intuitive sections, and helpful resources. The implementation of this guidebook will vary depending on your organization’s size, industry, and types of third party relationships. While the guidebook provides you with standards from which to begin crafting your TPRM program, careful consideration must be paid to your organization's established risk appetite when determining how to implement those standards. Your program should be rigid enough to have established criteria for the review and mitigation of third party risk, but also flexible enough to consider the variability of third party relationships, regulations, geographic locations, and emerging risks.

    Accessing the Guidebook

    TPRA’s first draft of our Third Party Risk Management 101 Guidebook is currently available as a free, downloadable eBook to all TPRM professionals. Visit the TPRA website and complete a short form to access this body of knowledge. By downloading the guidebook, stakeholders can effortlessly delve into its contents, leveraging its insights to fortify their TPRM endeavors.

    Conclusion: Charting the Course Ahead

    The TPRM 101 Guidebook provides organizations with comprehensive guidance, tools, and resources as they navigate the complex terrain of third party risks. It enables stakeholders to navigate relationship complexities, mitigate risks, and foster resilience in a dynamic environment. The guidebook is considered the gold standard for the Third Party Risk Management industry and ignites a culture of vigilance, adaptability, and continuous improvement. In the dynamic realm of business operations, where risks lurk at every turn, the TPRM guidebook emerges as a steadfast companion, illuminating the path to success amidst uncertainty and complexity. The journey of TPRM is not merely a destination but a perpetual odyssey of discovery, resilience, and excellence, and the guidebook serves as a trusted compass, guiding stakeholders towards the shores of resilience in an ever-changing sea of risks.

    But the journey doesn’t end here. TPRM Practitioners are welcome to join the TPRA for free to continue their learning journey by benchmarking against their fellow peers, participating in engaging webinars and conferences, and contributing thought leadership to roundtables and future published guidance. To join, please visit www.tprassociation.org/join.

  • Significant Third-Party Risk Events and Lessons for 2024

    By Hilary Jewhurst, Head of Third-Party Risk Education & Advocacy at Venminder

    This past year was an eventful one for the third-party risk management (TPRM) industry. New headlines seemed to appear each month that brought attention to third-party risk, whether it was a significant cybersecurity event, like the MOVEit data breach, or the ongoing discussion of the potential risks and rewards of artificial intelligence (AI). The mid-year release of the Interagency Guidance on Third-Party Relationships: Risk Management was perhaps the most obvious reminder of the increased regulatory focus on TPRM. We’re going to review some of the lessons learned from the past year’s events and look forward to some best practices for 2024.

    Significant TPRM Events of 2023 and Lessons for 2024

    The following list of events highlights a few TPRM trends that are worth exploring in greater detail. Although we can’t predict what 2024 will bring, TPRM leaders can stay informed of these trends and determine how to implement these best practices into their programs.

    Release of Interagency Guidance on Third-Party Relationships: Risk Management – The OCC, FDIC, and Federal Reserve released the final guidance in June, which brought a unified approach to TPRM best practices. The guidance offers a clear framework for how an organization should manage its third-party relationships, such as identifying critical and high-risk vendors and having awareness of subcontractors that can elevate risk.

    MOVEit Data Breach – Thousands of organizations in the U.S. and abroad were impacted by the MOVEit data breach, either from using the software directly or being indirectly exposed to it through a third- or fourth-party vendor. The situation unfolded in June, but victims are still coming forward months later, indicating that this incident may not be resolved anytime soon.

    Emerging Risks of AI – As AI continues to evolve with new possibilities, many experts are reminding business leaders to acknowledge the potential risks such as data manipulation and hard-to-detect automated cyberattacks. Because AI is changing so quickly, the Biden administration even released an executive order to promote new standards for the safe and secure use of this technology.

    TPRM continues to be a growing topic, and 2024 will no doubt bring new regulatory expectations that will influence best practices across all industries. Third-party cyberattacks and data breaches will likely continue to grow in complexity and occurrence, so it’s important to have a strategy in place to respond and limit their impact to your organization. Staying aware of new risks and industry trends will help protect your organization as we head into a new year.

  • SPARK Matrix Notes Several TPRA Vendor Members on their 2023 VRM List

    By: Heather Kadavy, Sr. Membership Success Coordinator for TPRA

    In the ever-evolving landscape of Third Party Risk Management (TPRM), sometimes called Vendor Risk Management (VRM), staying ahead of the game is crucial. One tool that has gained recognition and attention in recent times is the SPARK Matrix™, an assessment and ranking framework.

    About the SPARK Matrix™

    The benefits of the SPARK Matrix™ include, but are not limited to:

    1. Informed Decision-Making: One of the primary benefits of the SPARK Matrix™ is its ability to provide organizations with a benchmark for selecting VRM solutions. With the complexities of vendor-related risks growing, it is crucial to have a standardized framework for evaluating the available options. The SPARK Matrix™ facilitates informed decision-making by comparing capabilities, features, and performance across different solutions.
    2. Risk Mitigation: Effective VRM is all about identifying and mitigating risks associated with third party vendors. The SPARK Matrix™ helps organizations to understand the landscape of VRM solutions and their capabilities, allowing them to tailor their risk mitigation strategies effectively. It can be a valuable tool for staying proactive in the face of evolving risks.
    3. Regulatory Alignment: As regulations around data protection and privacy evolve, it is essential for VRM solutions to stay aligned with these changing requirements. The SPARK Matrix™ assesses the level of alignment with regulations, reducing the risk of non-compliance and associated penalties. This is particularly crucial for organizations handling sensitive data.

    Congratulations to Our TPRM Vendor Members Noted on the Matrix

    We would like to extend our warmest congratulations to TPRA's current Vendor Members who were recognized in the SPARK Matrix™: Vendor Risk Management (VRM), 2023. These companies (listed below in alphabetical order) have demonstrated their commitment to excellence and innovation in the TPRM space:

    Aravo Solutions: has consistently been at the forefront of TPRM innovation, offering robust solutions to manage third-party risks effectively.
    Ncontracts: has been a valuable partner in helping organizations streamline their vendor management processes and mitigate risks.
    OneTrust: is known for its comprehensive privacy, security, and third-party risk management solutions, which align with the evolving regulatory landscape.
    ProcessUnity: its integrated risk and compliance management solutions continue to empower organizations to proactively manage vendor risks.
    Venminder: its dedication to third party risk management has been unwavering, providing organizations with tools and expertise to enhance their TPRM programs.

    What Sets VRM Groups Apart?

    The SPARK Matrix™ is an assessment and ranking framework designed to evaluate and rank Vendor Risk Management (VRM) solutions based on numerous factors, including capabilities, features, and performance. It aims to provide organizations with a benchmark for selecting the most suitable VRM solution for their unique requirements. While the SPARK Matrix™ is a valuable resource, we want to emphasize that it does not represent a comprehensive list of all TPRM vendors in the market. Instead, it reflects those vendors who participated in the evaluation process. The TPRM landscape is diverse and continually evolving, with numerous vendors offering specialized solutions to meet the unique needs of different organizations. Therefore, it is crucial that TPRM teams look for competitive factors and differentiators when evaluating potential technology partnerships:

    1. Tailored Solutions: Exceptional VRM groups recognize that one size does not fit all. They offer tailored solutions that align with the specific needs and risk profiles of their clients. Customization and flexibility are key.
       End to End Vendor Lifecycle Management: to enable cost optimization, operational excellence, and growth through vendor selection, contract negotiation, vendor onboarding, and continuous monitoring of vendor performance and risk.
       Issue & Incident Management: to enable event identification, assessment, and resolution of issues or incidents with third party vendors to maintain the security, compliance, and reliability of the vendor relationships.
       Compliance with Laws & Regulations: to keep organizations aligned with changing regulations and ensure that vendors comply with applicable laws and industry standards. [e.g., cloud computing, APIs (Application Programming Interface), RPA (robotic process automation), cognitive automation, big data analytics, blockchains, etc.]
       Reporting, Dashboarding & Analytics: to provide comprehensive reporting, visualization, and analytics capabilities to business owners, risk committees, executive management, and/or an organization’s board of directors. These powerful visualizations are derived from deep insights and assist leadership in making informed business decisions.
    2. Continuous Innovation: Stagnation is the enemy of progress. The best VRM groups are constantly innovating, integrating automation, AI (artificial intelligence), and emerging technologies to improve the efficiency and effectiveness of their solutions.
    3. Proactive Risk Monitoring: The ability to proactively identify and mitigate risks is a significant differentiator. VRM groups that offer real-time monitoring and alerts are better equipped to tackle the dynamic nature of vendor-related risks.
    4. Scalability and Adaptability: The ability to scale and adapt to an organization's evolving needs is another distinguishing factor. VRM groups that offer scalability and flexibility ensure that their solutions grow with the businesses they serve.

    TPRM Teams should take note of the Technology Excellence and Customer Impact factors that each market participant was analyzed against when designing their own TPRM Service Provider analysis components:

    Technology Excellence:
    Vendor Lifecycle Management: Ability to handle the end-to-end vendor lifecycle management process.
    Risk-Scoring and Assessment: Evaluate and quantify potential risks associated with vendors.
    Usability: Quality of a product or system in terms of how easy it is to use, learn, and navigate.
    Continuous Monitoring and Remediation: Actively monitor and respond to events and issues as they occur.
    SLA (Service Level Agreements) & Performance Monitoring: Outlines the level of service expected, the metrics used to measure performance, and the consequences for not meeting the agreed-upon standards.
    Configurability and Scalability: Ability of a system or software to be easily customized or configured, and to scale to meet specific requirements without requiring extensive changes.
    Dashboarding, Reporting and Analytics: Insights into various aspects of the business, customer behavior, and performance.
    Workflow and Process Automation: Automate and streamline manual tasks and processes.
    Integration & Interoperability: Ease of integration with other internal modules and API-based integration with third-party data providers and partners; extent of operability with third party partners.
    Competition Differentiation: What sets the product apart from its competitors and gives it a competitive advantage in the marketplace.
    Vision & Roadmap: To what extent does the product vision align with its buyers’ needs in terms of acquiring, satisfying, and retaining customers? Does the vision promote a strong focus on the customer and a positive customer experience? How well does the vision align with current and future customer preferences? Does the company have a clear plan in place for implementing its vision through product improvements, innovation, and partnerships within the next year? Does the company possess the necessary resources and abilities to accomplish its planned roadmap?

    Customer Impact:
    Product Strategy & Performance: Evaluation of multiple aspects of product strategy and performance in terms of product availability, price-to-performance ratio, excellence in GTM strategy, and other product-specific parameters.
    Market Presence: The ability to demonstrate revenue, client base, and market growth, along with a presence in various geographical regions and industry verticals.
    Proven Record: Evaluation of the existing client base from the SMB, mid-market, and large enterprise segments, growth rate, and analysis of the customer case studies.
    Ease of Deployment & Use: The ability to provide a superior deployment experience to clients, supporting flexible deployment, or to demonstrate a superior purchase, implementation, and usage experience. Additionally, vendors’ products are analyzed for a user-friendly UI and ownership experience.
    Customer Service Excellence: The ability to demonstrate the vendor's capability to provide a range of professional services, from consulting to training and support. Additionally, the company’s service partner strategy or system integration capability across geographical regions is also considered.
    Unique Value Proposition: The ability to demonstrate unique differentiators driven by ongoing industry trends, industry convergence, technology innovation, and the like.

    Trust the Data, Verify the Path Forward

    In an era where data reigns supreme, the SPARK Matrix™ provides TPRM practitioners with a compass for navigating the intricate vendor landscape. The insights derived from this research empower practitioners to make informed decisions, ensuring that the partnerships they forge are not just built on trust but are also fortified by a robust verification process. Empowered by this, the practitioner is now responsible for practicing their Risk Management skills when leading their organizations forward.

    Resources:
    TPRA’s TPRM Tools List: https://www.tprassociation.org/tprm-vendor-list
    TPRA’s Service Provider Profiles: https://www.tprassociation.org/service-provider-profile
    SPARK Matrix™ Domain Link: https://quadrant-solutions.com/
    SPARK Matrix™ Link to the Report (Payment Required): https://quadrant-solutions.com/market-research/spark-matrix-vendor-risk-management-vrm-q4-2023-2990

    Note: SPARK Matrix™ is NOT sponsored by TPRA.

  • How Continuous Vendor Monitoring Benefits Organizations

    By Hilary Jewhurst, Head of Third-Party Risk Education & Advocacy at Venminder

    Most third-party risk professionals understand the importance of conducting thorough due diligence. After all, it’s essential to ensure that your potential vendors have the appropriate practices and controls to address the risks of the products and services they’ll provide to your organization. However, it’s important to remember that performing initial due diligence and signing a contract doesn't eliminate vendor risks. Due diligence only captures a snapshot in time. Vendor risks, controls, quality, and service fluctuate. To lessen the impact and severity of vendor risks on your organization, it's crucial to practice continuous monitoring – also known as ongoing monitoring. This ensures that your vendors remain in compliance with applicable laws and regulations, provide quality products and services, and address any issues effectively and promptly.

    What Does Continuous Monitoring on Vendors Mean?

    Continuous monitoring is the practice of constantly and consistently keeping your eye on your vendors and their risk and performance. You’ll need to periodically reassess their risks and validate controls throughout the contract term to verify that vendor performance aligns with contractual requirements and industry standards. It's important to keep continuous monitoring risk based. This means that the frequency and rigor of monitoring is proportionate to the vendor's (and their products’ and services’) risk. A rule of thumb for reviews is annually for all critical and high-risk vendors, every 18-24 months for moderate-risk vendors, and every two to three years for low-risk vendors.

    Four Benefits of Vendor Continuous Monitoring

    Not only is continuous monitoring a best practice, but for many industries, it's a regulatory requirement. This may be your organization’s only incentive for performing continuous monitoring, but it has other important benefits, including:

    Decisions based on real-time data – As vendor risk is subject to change, it’s essential to gather multiple forms of data to compare and analyze. Initial due diligence can help you quickly compare two vendors, but continuous monitoring tracks changes over time in a specific vendor's risk. It offers the most comprehensive understanding of your vendors' risks and enables better organizational decision-making.

    Maximized productivity – To use your limited resources effectively, it’s important to clearly understand which vendors need the most attention. By identifying which vendors are a priority, you can allocate your time and resources so that pressing issues are addressed on time.

    Confirmed vendor value – Continuous monitoring keeps your vendor relationships productive and beneficial for your organization. This enables you to evaluate whether your vendors fulfill contractual expectations. You can then make the necessary adjustments to improve the partnership.

    Avoided expensive surprises – With continuous monitoring, you can identify and address potentially costly situations, including regulatory violations, data breaches, and vendor instability. A proactive approach ensures your operations are efficient and mitigates the risk and expense of potential issues.

    How Vendor Continuous Monitoring Safeguards Your Organization

    It's crucial to have a clear understanding of how your organization should handle any issues that arise during vendor monitoring. It's not enough to simply recognize that a problem exists; you have to take action. Here are three significant outcomes of continuous monitoring:

    Identifying problems and issue management: Identified problems should be added to a formal issues log. The log should include a full description of the issue, root causes, ownership, remediation steps, and timing. Issues must be tracked and monitored until closed. Issues at risk or past due should be escalated to management to ensure proper closure.

    Identifying emerging risks: It's important to keep an eye on emerging risks that could affect your vendor relationship. Changes in vendor management or ownership, regulatory requirements, or even declining financial health are all examples of emerging risks. You should discuss any emerging risks with your vendor and gather additional documentation or remediation plans as needed. You may also need to perform vendor control assessments or other risk reviews. Don’t hesitate to sign up for vendor risk monitoring and alerts, such as Google Alerts, or seek help from outside risk intelligence firms that specialize in this. By taking these steps, you can ensure that emerging risks are kept in check.

    More frequent monitoring: If vendors have any issues or emerging risks, it's important to monitor them more frequently and rigorously. This is because problems rarely occur in isolation and can signal the presence of other potential issues or emerging risks. By keeping a close eye on problem areas, you can identify and address any problems before they become more significant or difficult to manage.

    Vendor risk is always changing, and continuous monitoring is an essential activity to minimize vendor risks and their potential impact on your organization and customers. By implementing a risk-based approach to continuous monitoring, your organization can identify and address issues early on, before they become unmanageable. Although it may seem like a daunting task, don't view monitoring as a chore. Instead, embrace it as a valuable tool for successful third-party risk management.

  • Third Party Risk Management Framework

    TPRA recently released its Third Party Risk Management (TPRM) 101 Guidebook, a document that details the TPRM framework that all mature programs should have in place. It walks readers through all phases of the TPRM lifecycle and provides them with practical tools, tips, and examples for its implementation. It was developed over the course of three years from the input of numerous TPRM Practitioners, subject matter experts, and TPRM Service Provider organizations (i.e., the Third Party Risk Management Community). This Guidebook is the first of its kind, with close to 150 pages of in-depth details on the TPRM Program Lifecycle, with each section breaking down one of the six lifecycle phases. It comes complete with definitions, notes, examples, charts, diagrams, relevant resources, and best practices, all designed with the goal of ensuring successful implementation and/or enhancement of your current TPRM program.

    The TPRM lifecycle outlined within the guidebook includes six phases:

    Planning and Oversight - Provides an organization with the foundation to build upon and properly support their overall program.
    Pre-Contract Due Diligence - Ensures the organization performs due diligence, commensurate with the level of inherent risk, to determine if the organization should proceed with a specific third party relationship and prior to signing a contract. This phase assists with determining if a third party meets business needs in relation to the risk presented.
    Contract Review - Ensures the organization documents relationship expectations in an agreement that can be upheld in a court of law. It also ensures risks noted within the due diligence process can be addressed within contractual clauses.
    Continuous Monitoring - Requires the organization to assess third party risk on a continual basis to ensure contract terms, business obligations, legal and regulatory requirements, and performance expectations are met.
    Disengagement - Ensures the organization is able to transition away from a third party with minimal impact should the relationship end due to contract expiration or when adverse/unplanned conditions are met.
    Continuous Improvement - An ongoing activity which seeks to enhance the organization’s TPRM program as third party risk management guidance, trends, and techniques are realized.

    The guidebook is currently available to TPRA members only. TPRA Members are able to get their FREE copy by clicking the link below. As this is the first edition draft of the Guidebook, TPRA members can also submit relevant comments, suggested edits, proposed additions, and/or critiques for the Guidebook, using the link below. The comment period will run through Friday, October 13th. Once comments are reviewed and edits are made, the guidebook will be available for free to the entire TPRM community. The guidebook will also be the foundation for TPRA's next certification, the Third Party Risk Management Practitioner (TPRMP). This certification will be available for pre-order in Fall of 2023 and launch in early 2024.

    To provide readers with a taste of what is included in the Guidebook, see below a small excerpt from the "Contract Review" section.

    "It is important for TPRM practitioners to have a seat at the table (or be involved) when REVIEWING CONTRACTS. Third party contracts typically involve clauses related to cybersecurity, data protection, regulatory compliance, and other risk areas that are critical to protecting the organization. By having a seat at the table, practitioners can provide valuable insight and guidance as subject matter experts on these topics. TPRM practitioners are responsible for proactively identifying and mitigating risks associated with their organization's third parties. Therefore, by reviewing contract clauses, practitioners can identify potential risks in cybersecurity-related contract clauses before they impact the organization, as well as work towards mitigating identified risks.

    TPRM Practitioners should work closely with their Legal and Procurement teams to ensure contracts align closely with their organization’s risk management strategy. Templates for cybersecurity requirements should be drafted to ensure they provide sufficient coverage of key controls, define expectations for participating in compliance monitoring activities (i.e., due diligence assessments) as well as for providing evidence items upon request, and detail appropriate remedies in the event that the third party fails to meet its obligations under the agreement. See the “CR 2 – Contract Clauses & Template Agreements” subsection for a detailed list of specific contract clauses you may want to include within your contracts, specifically for third parties with inherently high risks.

    TPRM Practitioners may also want to review redlines within specific clauses that relate to cybersecurity terms, as well as terms that would allow a practitioner to perform his/her duties (such as a “Right to Audit or Review” and/or “Termination” clause). This will ensure any changes made to these clauses remain in line with the organization’s risk appetite and control expectations. Practitioners can also ensure any high-risk findings noted during the due diligence process are noted within contractual terms. TPRM practitioners should work closely with legal counsel to ensure that the contractual language is clear, specific, and enforceable.

    It is important to perform due diligence activities before a contract is signed. In doing so, companies can identify potential risks related to the third party’s financial stability, legal and regulatory compliance, reputation, cybersecurity intelligence, and other relevant factors. This can help companies make informed decisions about whether to enter into a contract with the third party and what contractual terms and conditions should be included to mitigate risks.

    Contracts should be reviewed on a regular cadence to confirm they remain in line with your organization’s risk appetite, as well as reflect any emerging risks that have been identified. If changes need to be made to bring contracts in line with current standards, then an amendment should be considered. Contract changes could also be made during the renewal process. It is important to have a clear and comprehensive contract in place at the beginning of the relationship to avoid misunderstandings and disputes later on. However, if changes need to be made to the contract, they should be made in a timely and transparent manner. The contract should include provisions for how changes will be made and how they will be communicated to all parties involved. The parties should negotiate the changes in good faith and reach an agreement that is fair and reasonable to all parties.

    BEST PRACTICE: TPRM practitioners should assist with the creation and review of contract clauses that relate to cybersecurity terms, as well as terms that will allow a practitioner to perform his/her duties, to ensure that the organization is protected from cybersecurity and other risks associated with third parties."

    TPRA also recently created a video on the Contract Review process. Click the link below to view the video and subscribe to Third Party Risk Association's YouTube channel.

  • TPRM Risk Appetite & Risk Tolerance

    Author: Heather Kadavy, TPRA's Sr. Membership Success Coordinator

    Whether you are a board member, shareholder, or executive manager assigned to review and provide credible challenge to a report on Third Party Risk Management (TPRM) effectiveness; a TPRM Leader or member of the TPRM team conducting oversight and reporting; or a business unit that owns the risk of its outsourced relationship(s), it is important that everyone understands your organization’s risk appetite and risk tolerance. This will help ensure the effectiveness of a TPRM Program and align the program to the overall Enterprise Risk Management (ERM) program.

    Risk Appetite is the threshold of risk that an organization is willing to assume in order to achieve a desired result or its objectives. Risk Tolerance is the acceptable deviation from the organization’s risk appetite.

    1. Understand Your Organization’s Enterprise Risks. Starting at the top, executive management under the direction of the Board of Directors typically identifies key risks and emerging factors facing their organizations. While the list may vary organization by organization, typically such risks will include but not be limited to compliance risk, credit risk, environmental risk, fiduciary risk, financial risk (e.g. interest rate risk, liquidity risk), legal risk, operational risk (e.g. transactional risk, fraud risk, information security risk), third party and supply-chain risk, Environmental Social Governance (ESG) risk, reputational risk, and strategic risk.

    2. Understand Your Organization’s Risk Appetite & Risk Tolerance. Typically, for each risk category, key performance indicators (KPIs) and key risk indicators (KRIs) are outlined along with a risk target. On a periodic basis (typically quarterly), each business unit provides metrics for each risk category and, through analysis, the organization is able to assess if its operations are aligned to its risk appetite and tolerance thresholds, as well as analyze inherent and residual risks that impact the organization. Any outliers are typically discussed and managed (either via remediation plans, risk acceptances, and/or via other avenues).

    3. Understand How TPRM Risk Appetite & Risk Tolerance Align to ERM. Similarly, a TPRM Program will typically base its risk appetite and tolerance metrics on those of the ERM program. This ensures all departments are speaking the same language with regards to risk and that very high-risk issues are escalated to the appropriate stakeholders. This also ensures TPRM activities are and remain risk based. To ensure your TPRM program is aligned with your ERM program, TPRM leaders should ensure:
    a. The overall TPRM program considers the full threat landscape that each outsourced relationship faces. Different third parties pose different threats that typically roll up under one of the ERM umbrella risk categories.
    b. Risk appetite and tolerance are known, understood, and reviewed on a regular basis. Risk appetite and tolerance may be influenced by legal and regulatory requirements, industry, corporate expectations, geography, and technology.
    c. The total risk associated with an outsourced party is considered, as a third party may provide your organization with several products and/or services.

    4. Establish TPRM Risk Metrics for managing and monitoring outsourced relationships to ensure risks are mitigated in a timely manner. Some of the more common metrics linked to a TPRM Program can include, but are not limited to:
    Third parties in total, by risk tier, by classification, by geographic region/location, and by risk category
    Third parties by division, department/business unit, and TPRM member
    Assessments past their due date
    Risk acceptances and/or escalations
    Active continuous monitoring alerts
    Service level agreements not being met
    Service level agreements which do not meet corporate thresholds (e.g. RTO/RPO timelines, incident or event notification timeline requirements that do not meet corporate, legal, or regulatory expectations)
    Contracts signed prior to TPRM completion (e.g. due diligence)
    Risk assessments incomplete or missing information
    Third Parties that represent concentration risk to the organization
    Emerging risks and/or threats
    Regulatory matters

    Whether an individual is reviewing risk appetite and tolerance from the bottom up (TPRM metrics to ERM risk appetite) or alternatively from the top down, the key take-away is that the two are aligned to ensure risk is treated similarly throughout the organization and high-risk items gain the visibility they deserve. If your organization does not have documented risk appetite or tolerance levels, then review what types of risks your organization accepts (either through a risk acceptance process or by not addressing specific risks). This is the risk appetite your organization has indirectly implemented. Therefore, it is crucial for all TPRM members to understand how their role impacts this overall alignment with the organization's risk appetite.

  • Why Validate Certificates of Insurance (COIs)?

    By Heather Kadavy, CERP, CBVM CFSSP (Ret.)

    Today, organizations rely on the expertise of TPRM Leaders, risk subject matter experts and business lines (otherwise known as the TPRM team) to understand the insurance coverage carried by the third parties they engage, so they are prepared to transfer loss as warranted. Certificates of Insurance (COI) provide first-level evidence of coverage and provide a sense of security to protect against accidents and lawsuits that result from the contractor’s negligence, a data breach, or a faulty product, when entering or continuing a working relationship.

    The 4 P’s of Why To Review Certificates of Insurance
      • Proves Third Party’s Insurance Status. The COI is a summary of an insurance policy and serves as evidence of insurance.
      • Provides Quick Access to Data. The COI constitutes a one-page express version of a larger insurance policy, which can save you hours of review work.
      • Prepares Organization to Reduce Liability. By requesting & reviewing a COI, you are in fact preparing for a loss transfer (aka Risk Transfer) to the third party’s insurer in the event something goes wrong.
      • Protects Organization When Outsourcing. Ensuring that the third party's insurance aligns to your organization’s requirements, risk tolerance, and risk appetite when it comes to protecting against incidents could help alleviate costly litigation that would ultimately affect your bottom line.

    The ACORD Form template is the most common certificate of insurance used for businesses in the U.S. and was designed to standardize historical forms. However, note that other forms may be provided that are specific to insurance purchased through a state rather than through a private insurance broker or carrier. Typically an organization will work with its insurance agent or broker when setting the organization’s “bottom line” for the insurance types, limits and endorsements it will require from the different types of third parties it works with. TPRM teams should focus on building and nurturing relationships with their insurance agents or brokers so that when they run into questions, they have a known expert partner to reach out to.

    If a third party is slow or hesitant in providing a COI, it could be an indicator that they are underinsured or not insured at all.

    A COI is a non-binding document and does not alter coverage. Agents and brokers do their best to ensure that the coverage shown on the COI is accurate, because they face legal ramifications for providing false information; however, just because the COI states there is a certain type of coverage, limit, or endorsement (e.g. additional insured, waiver of subrogation, etc.) does not mean the policy has that exact same coverage and/or that the endorsement changes hands. If the TPRM team or the organization's insurance agent or broker is concerned, they can always request the more detailed evidence: a copy of the third party’s insurance policy.

  • Third Party Risk Management 101: Program Planning and Oversight

    Authors: TPRA Team & Practitioner Focus Group

    The way in which organizations leverage third parties has evolved over the years, thereby increasing the quantity and severity of risks posed by third parties to an organization. Parallel to this evolution is an increase in the regulations surrounding organizations and their relationships with third parties. To ensure third parties are operating securely and effectively, by adequately monitoring and mitigating risks related to the data and/or processes that have been outsourced, an organization must have in place an effective Third Party Risk Management (TPRM) program. At the end of the day, an organization’s ability to effectively detect, manage, and mitigate third party risk relies on the foundation on which the organization has built its TPRM program.

    Building the Foundation

    A TPRM program consists of six phases, which make up the TPRM Lifecycle. This article will focus on the first phase, Planning and Oversight. Program Planning and Oversight supplies an organization with a strong foundation and the requirements needed to develop and steadily support its overall TPRM program. This phase ensures the program can address third party risk at the highest level, while also ensuring governance structures are in place to run the program effectively. If implemented correctly, the Program Planning and Oversight phase will ensure key stakeholders are aware of, support, and help implement program requirements. This phase also ensures your entire organization is on board, as the TPRM program will touch every department within your organization (from Business Owners to Legal and Information Security). Let's review the activities associated with the Planning & Oversight phase.

    Executive Support

    The success of your TPRM program depends on the support you receive from your C-Suite, as well as your Board. To gain leadership support, you must first market and sell the need for your program. To assist with this, a strong Business Case should be leveraged. A good business case should include, but not be limited to, the following components:
      • A description of what third-party risk management is, including definitions, to ensure the program's scope is understood.
      • Essential program features, including leadership support, enterprise-wide implementation, the TPRM framework, budget considerations, the need for a risk committee, transparency and communication, and reporting mechanisms.
      • Avenues for benchmarking to ensure the program leverages processes that already exist, can maintain flexibility when new risks are discovered, grows with the business, and continuously improves.
      • Defining expected program outcomes, or the return on investment for implementing a TPRM program. Such expected outcomes may include, but not be limited to, visibility into third party risk, defining the impact third parties pose to your organization, continuous monitoring of third parties to proactively mitigate risk, a reduction in residual risk through mitigation efforts, compliance with specific regulations and policies, and operational resiliency in the event of a disruption due to a third party.

    The Third Party Risk Association (TPRA), in conjunction with Shared Assessments, created “The Business Case for Third Party Risk Management: A Starting Point for Senior Leadership” in an ongoing effort to support the global community of TPRM practitioners. The document walks through the components above in greater detail and exists for you to leverage within your own program.

    Policies and Procedures

    Once leadership is on board with the program's implementation, it is time to develop comprehensive TPRM program policies and procedures to establish consistent and effective TPRM practices across the organization. Your policies and procedures should align with current internal policies, pertinent regulations, and industry best practices. Gain and use input from key stakeholders throughout the organization to ensure the establishment of your policies and procedures is successful. Your organization should then review the policies and procedures annually and perform updates, if necessary, to align with best practices and respond to emerging risks.

    Note: Policies should state the terms and expectations of your TPRM program, whereas procedures should detail the actions required to implement your program.

    At a high level, policies and procedures should:
      • Provide a purpose statement that notes the role TPRM will play within your organization.
      • Include definitions for third party risk management terms to ensure a consistent understanding throughout your organization.
      • List all job functions that play a key role in the implementation and management of your TPRM program, as well as the responsibilities for each.
      • Document each stage of the TPRM lifecycle to ensure the structure and processes of your TPRM program are clear and adoptable.
      • Make clear that third party due diligence requirements must be completed before a contract is executed.

    Inventory of Third Parties

    It is imperative that you develop and maintain an up-to-date inventory of your third parties to ensure your TPRM program has sufficient coverage of third party risks. Please keep in mind that, based on your organization’s definition of a third party, your inventory may not simply be based on the contracts you have in place with other organizations. There are several sources you can leverage (such as Accounts Payable, software discovery tools, and Business Owner surveys) to better understand the third party relationships your organization has in place. All third parties, whether or not contracts are in place or monies are exchanged, should be noted within your inventory. You may then choose to note certain third parties as in or out of scope once you move through the TPRM process; however, you will at least be able to evidence that you reviewed all third parties in some capacity.

    Within this activity, you may find it beneficial to establish sub-service categories for the products/services third parties provide to your organization. Categories may include, but not be limited to, Marketing Services, Professional Associations, Software Providers, Hosted Solutions, etc. This ensures you better understand how the business leverages third party products/services, and allows you to determine whether a third party should be in or out of scope for specific due diligence activities.

    Once you have established your third party inventory, you will want to collect and maintain certain data elements related to your third parties within a central repository. Establish a process to add, maintain, and remove third-party information from your inventory regularly to ensure it is always up to date. This will allow you to look across third parties for risk trends, as well as ensure due diligence efforts are conducted for each product/service provided.

    Organizational Risk Appetite

    Next, establish risk ratings for your TPRM program and ensure they are in line with your organization’s risk appetite (the risk your organization is or is not willing to accept). Developing an organizational risk appetite is important in that it allows leadership to make enterprise-wide, strategic decisions on how to effectively manage and mitigate risk. It also allows your TPRM program to define risk thresholds for activities and controls that must be in place to ensure your organization meets its business objectives and protects its confidential data.

    Risk ratings are used to identify the potential impact and likelihood of a third party risk occurring. Once an inventory of third parties is established, the next step is to run them through an inherent risk questionnaire (IRQ) to identify the risk before controls are assessed. This then drives the level of due diligence required for a third party. It also assists with tiering your third parties to ensure your program is risk-based. The risk identified after due diligence is performed (after controls are assessed) is the residual risk rating. This rating then further drives your continuous monitoring efforts and reassessment cycle times.

    Program Oversight and Governance

    Senior leadership, as well as Board support, are essential to ensuring your TPRM program is successful by setting the right “tone from the top.” Absent that support, an organization is unlikely to achieve consistent and timely adoption across all business and risk functions. Since third parties support all aspects of a company’s operations and revenue-generating activities, the scope of their risks mirrors every aspect of your organization. As a result, only enterprise-wide implementation will ensure a TPRM program covers all relevant business risks for a firm.

    In addition, it is important to implement program oversight activities, which may include the establishment of a Risk Committee. The committee should determine the thresholds for risk escalation and risk acceptance, as well as the frequency of reporting on third party risks to leadership (including the Board). Essentially, the oversight (or risk) committee takes the information gained from your TPRM program and uses it to drive risk-informed decisions.

    Metrics and Reporting

    Ensure you establish measurable, specific, and relevant metrics for your program. Metrics should guide the development and execution of your program, as well as inform stakeholders of the risk landscape related to your organization’s third parties. Reporting should be tailored to specific target audiences to ensure they make better, data-driven decisions after reviewing the information. Target groups that should receive regular TPRM program updates can include, but not be limited to:
      • Board: Receives updates on the TPRM program's overall health and the mitigation strategies for higher-risk third parties.
      • Executives: Receive the risk ratings for third parties assessed and updates on risk-mitigation activities for higher-risk third parties.
      • Risk Committee(s): Receive risk ratings for third parties assessed and updates on risk-mitigation strategies, escalations, and risks requiring acceptance.
      • Business/Relationship Owners: Receive updates on third party due diligence efforts and assessment outcomes.
      • Other Key Stakeholders (such as Compliance Teams): Receive data on specific risks posed to the organization (such as regulatory/compliance risk).
      • TPRM Managers: Receive updates on program maturity, resource allocation, risk mitigation efforts, process exceptions, escalations, and any risks requiring business acceptance.

    Education and Training

    Transparency and communication are key when developing, implementing, and maintaining any TPRM program. All stakeholders must be familiar with TPRM program policies and procedures, as well as their role within the program. Business owners need to understand that they are the owners of their third party’s risk and that the TPRM program’s role is to support their risk-based decisions related to said third party. Best practice is to develop a TPRM training and education program and tailor it to your specific business partners. At a minimum, organizational training should be held annually, as well as when a new relationship owner is established. Your education program should also include third parties, to ensure they are aware of your program’s due diligence activities, expectations, risk remediation and follow-up processes, and escalation procedures.

    Regulatory Compliance

    Regulatory compliance has been a stable item on many board agendas, due to the increase in regulations related to third party oversight. There are a variety of reasons behind this focus, but the main drivers are the threat landscape growing in complexity, the momentum of digital transformation, political and social unrest, and responses to the global pandemic. The regulatory risks your third parties do not address can present both reputational and financial risk for your own firm if, should an issue arise, your organization’s name comes up as purchasing services from said third party. As a result, regulatory agencies are mandating that you understand the risks associated with doing business with your third parties. Ensuring your third party is complying with pertinent regulations may result in a reduction of regulatory fines on your organization, ensure they are operating with integrity, and actively prevent attempts at bribery, corruption, and other threats.

    Budgeting

    Establishing basic or even aspirational objectives under a TPRM framework requires a realistic alignment with the available budget to support risk operations. For example, if a TPRM framework requires diligence for all higher inherent risk third parties before and after a contract is signed, then the budget should be commensurate with the activities needed to achieve this objective. Budget considerations can include, but not be limited to:
      • Resources: Current and future employees and/or contractors.
      • Operations: Any cost associated with daily tasks and running the business.
      • Maturity Model: Process enhancements required and the resources needed to get to the next level of maturity.
      • Travel: Costs associated with onsite visits and training.
      • Training: Fees for conferences, training, and certifications to ensure the maintenance of knowledgeable and skilled professionals who are apprised of risk trends.
      • Tools: Budget for TPRM program tools. Consider estimating the cost savings a tool (or tools) will bring by automating certain processes.

    TPRM is a non-revenue-generating discipline; therefore, it is a good idea to also quantify your program’s value by emphasizing what could occur if the program is not established. Also, provide a financial impact questionnaire as proof of the program’s financial impact and/or savings from the mitigation of risk.

    Conclusion

    Your TPRM program will touch every department within your organization. As such, it is necessary to ensure alignment and support across the enterprise. As you establish your TPRM program, it is important to thoughtfully and strategically implement the above activities to ensure your program can successfully meet its business objectives and effectively mitigate third party risk.
