- Ensuring Compliance & Protecting Your Business: Navigating Risk Management Guidance from OCC, CFPB, FDIC, FFIEC, & DORA
Written by Supply Wisdom

It's important to remember that the primary objective of these regulatory bodies is to ensure that you are effectively protecting your business and your customers from unnecessary third-party risks. This approach aligns closely with third-party risk management best practices.

Key Regulatory Bodies and Their Guidance

Office of the Comptroller of the Currency (OCC): The OCC's 2013-29 Bulletin outlines essential principles for third-party risk management. Key areas of concern include:
- Planning: Ensure you have a comprehensive plan to manage third-party relationships.
- Due Diligence: Evaluate vendors against your organization’s risk tolerance before onboarding.
- Contractual Expectations and Enforcement: Define and enforce your expectations to limit liability.
- Ongoing Monitoring: Continuously monitor vendor performance and maintain accountability.
- Roles and Responsibilities: Assign clear roles and responsibilities within a structured framework.
- Reporting: Track and document third-party relationships for reporting and analysis.
- Transitioning: Develop contingency plans for service disruptions and transitions.
- Auditing: Utilize objective evaluations to assess your processes and tools.

Consumer Financial Protection Bureau (CFPB): The CFPB emphasizes protecting consumer interests, with guidelines ensuring that financial institutions manage risks effectively to avoid consumer harm.

Federal Deposit Insurance Corporation (FDIC): The FDIC's risk management guidance focuses on maintaining the stability of the financial system. It requires banks to implement robust third-party risk management practices.

Federal Financial Institutions Examination Council (FFIEC): The FFIEC provides a framework for financial institutions to assess and manage third-party risks, ensuring compliance and safeguarding operations.

Joint EU Supervisory Authorities, including the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority, oversee the operational resilience of the EU financial sector. Together, these authorities oversee the Digital Operational Resilience Act (DORA), which mandates that firms:
- Maintain Strong IT Systems: Ensure systems are resilient against cyber threats.
- Regular Testing: Conduct regular tests to assess the effectiveness of their IT security measures.
- Incident Reporting: Implement procedures for reporting significant cyber incidents.
- Third-Party Risk Management: Extend risk management practices to third-party Information and Communications Technology (ICT) service providers.

Implementing Effective Third-Party Risk Management

The scrutiny of the financial services industry, as well as many other industries, continues to increase. It's not enough to simply have a supplier monitoring tool; you must have an effective risk management process, framework, and reporting structure to manage third-party vendors throughout their lifecycle.

About Supply Wisdom: Supply Wisdom provides real-time alerts and insights to help companies track and mitigate supplier- and location-based risks. Our comprehensive solution supports TPRM processes, including streamlined compliance with regulatory requirements. Contact us for more information or to get started with a free trial. Let us help you develop robust strategies and plans for third-party oversight within your organization.
- How to Determine Residual Third-Party Risk and Next Steps
By Hilary Jewhurst, Head of Third-Party Risk Education & Advocacy at Venminder

For many, residual risk is a confusing third-party risk management (TPRM) concept, but it’s important to understand how and when residual risk is calculated and its proper utilization in your TPRM program. Residual risk is a vendor’s remaining risk after controls have been applied.

Determining a residual risk rating is important for two reasons. First, it helps determine if you need more or different controls before beginning or continuing a vendor relationship. For example, you might require the vendor to conduct more systems testing or implement more frequent monitoring to mitigate identified issues. Second, it helps determine if the residual risk is acceptable. For example, your organization may be willing to accept high residual risks if the vendor is the sole provider of a product or service crucial to meeting your goals. However, if an existing vendor has high residual risk and, after several attempts, fails to provide evidence of sufficient controls, you may decide to discontinue the relationship.

The Residual Risk Rating Process on Vendors

Let’s explore the steps to determine and assign a vendor’s residual risk rating:
1. Determine inherent risk: There’s always some level of risk with third-party products, services, and relationships. The specific types and amounts of those risks are typically identified during an inherent risk assessment, which considers the vendor’s raw risk, or the level of risk before any controls are applied.
2. Conduct due diligence: This involves reviewing and assessing a vendor's risk management practices and controls to mitigate the identified risks and determine if they’re sufficient.
3. Review vendor controls: These are systems and measures implemented to detect, prevent, or rectify unwanted events. They’re meant to mitigate the risks in vendor relationships, products, and services and provide reassurance in the risk management process.
4. Assign a residual risk rating: The level of residual risk can only be determined after completing due diligence, when a subject matter expert (SME) concludes the review of the vendor's controls and offers a qualified opinion regarding their sufficiency in mitigating the risk. In other words, do the vendor’s controls lessen those risks' likelihood, occurrence, severity, or impact? Many organizations quantify residual risk with a rating or score, often using the same risk scale for determining inherent risk, such as low, moderate, or high.
5. Understand your risk appetite: This is the level of risk your organization is willing to accept to pursue its goals and objectives. After determining a vendor’s residual risk, your organization will need to decide if that risk is acceptable or if you need to move on from the relationship.

Controls can't eliminate a vendor’s risks altogether. Think of it like a seatbelt in a vehicle. Wearing a seatbelt can lessen the likelihood of severe injury or death in an accident. Still, it can't prevent an accident, so additional controls are necessary, such as driving the appropriate speed limit. Most individuals recognize the risks associated with driving but are willing to take those risks with proper controls in place. That’s the concept of residual risk in a nutshell – are the controls enough to make you comfortable with the remaining risks while pursuing your objectives?

Calculating a Vendor’s Residual Risk

You need to know how to calculate a vendor’s residual risk. As a high-level concept, residual risk can be expressed as: Inherent Risk + Controls = Residual Risk. To further refine that concept with a calculation, you might consider one of these formulas:
- Residual Risk = Severity × Probability: For example, a vendor accesses, processes, transmits, or stores personally identifiable information (PII). This has a high inherent information security risk because of the potential severity and probability of a data breach. The vendor has strong encryption and data de-identification controls, so if there’s a network breach, hackers won't be able to utilize much of the data, reducing the potential severity of the breach. The vendor also has regular penetration testing and proactively monitors for security events, which can lessen the probability of a breach. Here, the inherent risk is high, but the residual risk is moderate.
- Residual Risk = Threats × Vulnerability: Another vendor also accesses, processes, transmits, or stores PII, and customers can access account data through a vendor-provided mobile app. Data could be accessed through the vendor network and the customer's mobile device, expanding the attack surface and increasing the threat of a breach. A review of the controls shows the vendor doesn't utilize multi-factor authentication, which increases the vulnerability to data theft or cyberattacks. Here, the inherent risk is high and the residual risk is also high.

There are other formulas organizations use to calculate residual risk. No matter which method you choose, it’s important to document your methodology and use it consistently, so there’s continuity in the decisions made with regard to residual risk ratings.

Avoiding the Most Common Residual Risk Mistakes in Vendor Risk Management

The residual risk rating should seldom be used to determine the frequency and intensity of core risk management and monitoring activities. That’s determined by the inherent risk rating. How often risk is re-assessed, the scope and frequency of due diligence, required performance management activities and review cadence, business continuity reviews, and monitoring requirements should all be aligned to the inherent risk. This is because controls that are only reviewed at a specific point in time may be effective initially but can become less effective or fail over time. Vendor risks are constantly changing, and external events like industry changes, regulatory updates, geopolitical developments, new technologies, or consumer behaviors are factors that can’t be influenced by a vendor's controls. A high-risk vendor with sufficient controls may have a residual risk rating of moderate, but that should never result in a decreased frequency or intensity of core risk management activities; the risks are still high regardless of the control environment.

In conclusion, residual risk ratings are best used as post-due-diligence data points to determine if more or different controls are necessary before you can confidently move forward with the vendor engagement and if the remaining risks are within your organization’s risk appetite.
- TPRA Leadership Ladders: The Benefits of Understanding & Utilizing Leadership Ladders in Career Progression
“Emily was a mid-level manager in the risk management department of a major financial institution. One day, the company faced a significant challenge: a critical vendor experienced a data breach, exposing sensitive client information. The CEO tasked Emily with leading the Third Party Risk Management (TPRM) response team to address the crisis. Emily had handled vendor assessments before, but this situation required swift and decisive action. She quickly assembled a cross-functional team, including IT, legal, compliance, and communications experts. Emily knew that transparent communication and coordinated efforts were essential. She initiated daily briefings to keep everyone informed and aligned on the response strategy. Emily also reached out to the vendor, establishing an open line of communication to understand the breach's scope and implement immediate risk mitigation measures. Recognizing the need for long-term solutions, Emily led a thorough review of the company's TPRM framework. She identified gaps and proposed enhancements, such as more stringent vendor vetting processes and continuous monitoring systems. Her proactive approach not only mitigated the immediate risk but also strengthened the organization's overall TPRM program. The successful handling of the crisis and the subsequent improvements earned Emily high praise from senior leadership. Her ability to lead under pressure and implement effective risk management strategies led to her promotion to head of the TPRM division.”

This anecdote highlights how taking charge in a TPRM crisis, fostering collaboration, and driving systemic improvements can propel career growth and demonstrate essential leadership qualities.

TPRA’S LEADERSHIP LADDERS

Originally developed by TPRA's Women in TPRM "Lead" work group, “Leadership Ladders” is a training activity designed for all current and aspiring leaders within the Third Party Risk Management (TPRM) industry. Each box on the slides and ladders-style game board is linked to a valuable resource–including customized guides, blogs, videos, quizzes, and more–with the goal of enhancing your leadership potential through buildable skills and expert insights. Any professional, regardless of what stage they're at in their career, can find value in this activity.

“Leadership Ladders” involves focusing on the progression of leadership skills, traits, and responsibilities at different levels within an organization. It is a transformative experience that challenges you to evolve and grow.

DIFFERENT LEADERSHIP LEVELS
- Entry-Level Leadership: Focuses on the initial stage, key responsibilities, and essential skills (e.g., team leadership, basic project management).
- Mid-Level Leadership: Covers the next stage, focusing on more complex responsibilities (e.g., departmental management, strategic planning).
- Senior Leadership: Involves the traits and skills needed at the senior level (e.g., executive decision-making, vision setting).
- Executive Leadership: Focuses on the top-tier leadership level, emphasizing overall organizational leadership and high-stakes decision-making.

Each of these levels requires a new set of skills and understanding to meet its challenges, focusing on specific responsibilities and collaborative efforts. TPRA’s “Leadership Ladders” can assist with developing those skills no matter what level of leadership you are working towards.

KEY CATEGORIES UNDER THE TPRA LEADERSHIP LADDERS
- Core Competencies (Communication, Collaboration, Confidence, Cultivating Relationships, Coaching)
- TPRM Lifecycle
- Budgeting
- HR Process
- Boundaries
- Driving Strategy & Influencing Change
- Navigating Executive Leadership Discussions
- Crucial Conversations
- Mentorship
- Public Speaking & Getting Published

LEADERSHIP LADDERS PLAY A CRUCIAL ROLE IN CAREER DEVELOPMENT FOR SEVERAL REASONS

Structured Progression
- Clear Pathways: Leadership Ladders provide a clear roadmap for career advancement, helping individuals understand the steps required to move up within an organization.
- Goal Setting: They enable employees to set specific, achievable goals for their career progression, making it easier to track and measure success.

Skill Development
- Targeted Learning: Different levels on the Leadership Ladders require different skills. By understanding these levels, individuals can focus on developing the necessary skills for their current and next roles.
- Continuous Improvement: Leadership Ladders encourage a mindset of continuous learning and improvement, essential for personal and professional growth.

Increased Engagement and Retention
- Motivation: Clear pathways for advancement can increase motivation and job satisfaction, as employees see tangible opportunities for growth.
- Retention: Organizations with well-defined pathways to leadership often experience lower turnover rates, as employees are more likely to stay when they see potential for career advancement.

Effective Succession Planning
- Preparation for Leadership: Leadership Ladders help organizations identify and prepare future leaders, ensuring a smooth transition when current leaders retire or move on.
- Consistency: They help maintain organizational continuity by ensuring that new leaders are well-prepared and aligned with the company's culture and values.

Enhanced Organizational Performance
- Better Leadership: As employees move up the ladder, they bring enhanced skills and experience to their roles, leading to more effective leadership and improved team performance.
- Strategic Alignment: Leadership Ladders ensure that individuals at all levels understand and align with the organization's strategic goals, leading to more cohesive and focused efforts.

Personal Growth and Fulfillment
- Self-Awareness: Working through the Leadership Ladders activity requires self-assessment and reflection, helping individuals understand their strengths and areas for improvement.
- Achievement: Successfully progressing through the Leadership Ladders activity provides a sense of accomplishment and personal fulfillment, contributing to overall well-being.

Competitive Advantage
- Attracting Talent: Organizations known for their strong leadership development programs are more attractive to top talent.
- Market Positioning: Effective leadership at all levels enhances an organization's reputation and competitive positioning in the market.

In summary, Leadership Ladders is great for both individuals and organizations. It provides a structured approach to career development, promoting skill growth, increased engagement, and retention. It can also assist with facilitating effective succession planning, enhance overall performance, and contribute to personal fulfillment. For organizations, it is a key tool in building a robust leadership pipeline and maintaining a competitive edge.

CHECK IT OUT

We encourage you to assess your current leadership level and work towards the next. Have fun and expand your knowledge: https://www.tprassociation.org/leadership-ladders – play TPRA’s thought-provoking Leadership Ladders game enriched with additional resources such as videos, interviews & quizzes, and whitepapers.
- Challenges in Managing Fourth- and Nth-Party Risks and Solutions
Managing third-party risks can be a complex task. With a changing regulatory and technological landscape, even experienced professionals find it challenging to stay on top of evolving risks. In addition to these difficulties, there are also risks associated with fourth parties – the vendors of your vendors. These additional parties can add another layer of complexity to third-party risk management (TPRM). Managing fourth and nth parties isn’t the easiest skill to master, but it is one that’s necessary to gain a broader understanding of your organization’s risk landscape. The good news is that there are a few best practices that can help. Once you know how to identify, assess, and manage your fourth and nth parties, your overall TPRM program will be much more effective.

Challenges in Managing Fourth- and Nth-Party Risks

Fourth parties are the vendors that have a direct contract with your third parties, while nth parties are essentially all the vendors of your fourth parties and beyond. As you can imagine, these degrees of separation can create many challenges when it comes to managing risk, such as:
- No choice: With few exceptions, your organization generally can’t choose your fourth or nth parties. In some cases, your third parties may have a different risk appetite than your organization regarding a particular vendor. This might create a situation where you decline working with a third party because of its vendor inventory.
- No direct relationship: Your organization has no direct relationship with fourth and nth parties, which means you likely can’t perform TPRM practices, like risk assessments, due diligence, and ongoing monitoring. These practices must instead be performed by your third parties. Organizations often have little to no influence on how nth parties respond.
- No contract: Since your organization doesn’t have a direct relationship with a fourth or nth party, there’s no contract to protect the organization from risk. Without a contract, there’s also no leverage to manage fourth parties’ performance or set any expectations around service level agreements (SLAs) and data breach notifications.
- No due diligence: Managing fourth- and nth-party risks is especially challenging when you don’t have the ability to perform due diligence. Fourth and nth parties typically don’t provide documentation unless an organization has a direct contract. Your organization may have a high-level view of nth-party risks, but many details will still be unknown.

Solutions to Managing Fourth- and Nth-Party Risks

When your organization has no direct relationship and no leverage to perform risk management activities, it can seem almost impossible to manage fourth- and nth-party risks. However, there are still practices to implement to mitigate the risks. The most effective strategy is to manage risk through your third parties, with whom you do have leverage. Here are five solutions to manage your fourth and nth parties:
1. Require transparency: Third parties should be required to disclose which of their vendors have an impact on your organization. These vendors might access sensitive information or be essential to your third party’s operations. Your organization should essentially identify your third party’s critical vendors. Fortunately, these critical vendors will be listed in the third party’s SOC report. Focusing on critical fourth parties is a much easier solution than trying to create a complete list of every fourth and nth party.
2. Review TPRM practices: Since you can’t manage fourth- or nth-party risk directly, it’s important for your third parties to have effective TPRM practices in place. When reviewing due diligence and monitoring your own third parties, you’ll need to evaluate how they manage their vendors’ risk. Make sure your third parties are performing their TPRM activities effectively and consistently.
3. Leverage contracts: When onboarding a new vendor, there are a few ways to use the third-party contract to manage fourth-party risk and beyond. Consider adding contractual provisions that obligate third parties to manage their vendors through SLAs, data breach notifications, and a right to audit. This will ensure third parties are following the same TPRM best practices as your organization.
4. Manage any issues: Suppose you discover your third party doesn't assess their vendors, verify controls, or monitor risks. When issues arise, communicate with the third party and amend the contract, if possible, to require stronger TPRM practices. Any issues should be documented through remediation and reported to senior management and the board.
5. Reconsider the relationship: There will always be some level of fourth-party risk in third-party relationships, so your organization needs to determine for itself what’s acceptable. Depending on your organization’s risk appetite, strategic goals, and other factors, you may decide it’s best to reconsider the third-party relationship. This can mean either selecting a different third party during onboarding or proceeding with your exit strategy if you’ve signed the contract.

Managing fourth- and nth-party risk can be complex. While you may not have a direct relationship or contract with fourth parties, it’s crucial to ensure your third parties are transparent about their third-party relationships and have robust third-party risk management practices. Your organization needs documented evidence from your third parties of fourth-party risk assessments, due diligence, and monitoring to ensure your third parties are managing their vendors safely. This visibility will give your organization confidence in the appropriate management of fourth-party vendors.
- Taking a Risk-Based Approach to Procurement: The Importance of Executive Buy-In
It’s time for executives to rethink the role procurement professionals hold in organizations, and this shift is critical to reducing organizational risk, boosting resilience, and increasing return on investment (ROI). While the traditional approach to procurement centered on margin impact and managing suppliers from an operational perspective, an evolution is taking place that requires forward-thinking organizations to focus on the long-term strategy and impacts of the role in today's world.

This increased recognition of the vital position of procurement is seen across all industries. According to Deloitte Insights, “CPOs are successfully navigating… complexities while delivering across a greater breadth of KPIs. Although they are still heavily focused on costs, they have expanded their value propositions to influence demand, drive innovation, and work closely with strategic suppliers and partners to foster commercial compliance, increase speed to market, accelerate M&A integration/divestiture programs, and drive continuous improvement.”

There are high-stakes risks that necessitate procurement’s shift to a more holistic strategy. However, without the buy-in and support of executives, these initiatives can lose momentum and support.

Why a Risk-Based Approach to Procurement?

No longer can procurement departments solely serve cost-savings functions. They must also be aware of risks introduced by key suppliers and be provided with the appropriate tools and technology to proactively manage them before major losses or breaches occur. Heightened risk areas that are leading this necessary shift in procurement’s functions include:
- Isolated or siloed procurement functions: Traditional procurement departments were de-centralized from the larger organization and focused on transactional, short-term initiatives. Organizations that still exemplify these silos face challenges when it comes to managing risks from all angles. Driving collaboration and strategic initiatives between departments from the top down is a best practice for eliminating these silos, while still managing a daily workload of financial responsibilities.
- Elevated third-party risks: Third-party risks are rising, and can take the form of cyber-attacks, supply chain delays, component shortages, sustainability challenges, and more. As the incidence of these events rises, organizations are increasingly being held accountable, and procurement plays a critical role in managing vendor relationships.
- A multitude of unorganized, decentralized data points: Procurement professionals deal with a huge amount of data related to personnel, financial, operational, regulatory, contractual, and other matters. When this type of information is stored on different platforms, inconsistent, incomplete, or managed by different teams, procurement cannot gain proper insight into potential external risks facing the organization.

Transforming Chaos into Clarity

As the role of procurement has evolved, procurement professionals are moving from transactional managers to strategic relationship managers, focusing on developing and managing a wide variety of data points across all aspects of their supplier relationships. In order to understand the riskiness of suppliers and third parties, procurement professionals need to wade through all of this information with efficiency and ensure alignment with both company strategies and global regulatory mandates. To do this, third-party risk management software needs to be available that provides centralization of data, full visibility, and documentation for audit trails. Procurement needs to play a key role in managing and utilizing this software in order to monitor vendor relationships and performance. In addition, it is imperative that procurement maintains healthy, collaborative internal relationships to ensure that organizational teams like IT, compliance, finance, sustainability, and others are well informed, with real-time visibility into potential risks, and are able to sustain positive working relationships with suppliers.

Areas Where Executives Can Assist Procurement

Without the buy-in and support from executives and key stakeholders, procurement teams will not be able to make holistic risk management improvements. While not everything will be implemented immediately, there are general aspects of agility that should be on procurement and executives’ agendas, including:
- Empowerment and a culture shift: Perhaps the most important area to undertake is to embrace the power that procurement holds within an organization. In the years since the pandemic, CPOs and their teams protected their organizations, and executives should continue to take notice of these critical functions. Procurement should be empowered to include themselves in company strategy and products that matter, build teams to better combat emerging risks, and find ways to drive positive change.
- Thinking holistically: To take TPRM beyond a single function and into holistic areas for acceleration, CPOs should be empowered to focus on their collaboration and influence across job functions, not just as a spend relationship. Being involved in the entire third-party/supplier relationship management process ensures agility. This allows prioritization of suppliers who may pose a higher risk to an organization, rather than relying on a one-size-fits-all procurement strategy that may allow risks to fall through the cracks.
- Company strategy: By shifting a primary focus to long-term initiatives and goals, procurement professionals can gain a greater foothold in wider organizational strategy. This includes determining risk management priorities, and working with risk, legal, executive, and other teams to better manage supplier onboarding, relationships, and risks. By being in tune with company strategy and thinking of procurement activities from a risk-based approach, procurement teams step out of the shadows and into more collaborative roles.
- Digital transformation: A key step to take is to build scalable practices rather than one-off pilot programs. By prioritizing data cleanup and investment in TPRM tools that can build centralization and efficiency, CPOs can work with executives to see positive impacts across the organization that support overall risk management. If there are challenges with incorporating digital procurement technology into an organization, gaining executive sponsorship is a critical way to garner support and investment in the tools that will assist with procurement and supplier data. Emphasizing both short- and long-term goals and wins, and how these technologies will drive organizational resiliency and agility, can be critical when approaching executives.
- Environmental, Social, Governance (ESG) urgency: The magnitude of environmental, social, governance (ESG) regulations and compliance is reshaping how organizations manage suppliers, affecting not only procurement, but legal, compliance, risk functions, executives, and more. With concerns such as climate change, eliminating human trafficking and modern slavery from supply chains, identifying and eliminating corruption, etc., procurement must work with executives to take a driving role in ensuring that third-party vendor relationships are compliant and ethical.

Shifting Company Culture for Procurement Success

Maintaining healthy supplier relationships is not just about onboarding; it also must include managing risk, quality, and performance of suppliers, assuring compliance where needed, while still owning the transactional responsibilities that are at the foundation of this role. The procurement team is the bridge between the enterprise and the extended enterprise: the organization and its suppliers. No one knows suppliers as intimately as procurement. They, like no other function, can make predictive connections between their suppliers and the risks they may pose to the enterprise. In addition to mitigating risk, procurement has the unique opportunity to drive innovation for the enterprise by partnering with suppliers to identify new products, materials, capabilities, and offerings.

In order to manage these responsibilities, drive efficiency, and take a risk-based approach to procurement, executives within a company need to recognize procurement’s strategic value to the organization. They must step up to establish an organization-wide culture that empowers procurement to be a driver in managing the full lifecycle of their organization’s supplier and third-party relationships.

Aravo provides centralized, automated TPRM solutions to help procurement and other risk teams proactively manage risks and build resilience throughout their organizations. To learn more, speak with one of Aravo’s experts today.

Author Info: Hannah Tichansky is the Senior Content Marketing Manager at Aravo Solutions, the market’s smartest third-party risk and resilience solutions, powered by intelligent automation. At Aravo, she manages all content and thought leadership produced for products and campaigns and contributes as an author for articles and blog posts. Hannah holds over 13 years of writing and marketing experience, with 7 years of specialization in the risk management, supply chain, and ESG industries. Hannah holds an MA from Monmouth University and a Certificate in Product Marketing from Cornell University.
- TPRM State of the Industry: The 2026 Risk Reality Check
As 2025 winds down, one thing is clear: risk has become borderless. Third party risk, supply chain risk, cyber risk, and compliance risk no longer live in separate silos; they are converging into a single, fast-moving current that touches every part of the enterprise. For third party risk management (TPRM), supply chain risk management (SCRM), cyber, procurement, privacy, finance, and compliance teams alike, 2025 delivered a mix of wake-up calls and opportunities. As we head into 2026, the “state of the industry” is best summed up as: interconnected, complex and constantly tested.

The Expanding Webs of Dependency

Organizations rely on more third parties than ever before, often hundreds or thousands. But those third parties, in turn, rely on their own network of sub-vendors and service providers. The result? A risk ecosystem that’s far deeper than most teams can see. In a blog from Supply Wisdom, one of their “Top 10 Predictions for TPRM in 2025” was the rise of Nth party accountability (the risk of sub-vendors and deeper tiers) becoming a business and regulatory priority. They further noted that organizations are shifting from static third party risk assessments to real-time, continuous monitoring of third parties and their locations. According to AuditBoard’s TPRM Trends for 2025 report, “growing dependency on third parties – intensified by AI adoption – has expanded not only the number of vendors but the array of related risks.” In other words, we’re not just managing third party risk anymore; we are managing ecosystem risk. And that ecosystem often extends three, four, even five tiers deep.

Implication for 2026: TPRM and procurement must move beyond static third party lists to achieve true supply chain visibility. Continuous monitoring and Nth-party mapping are no longer “nice to haves”; they are the new foundation of resilience.
Supply-Chain Risk is the New Normal

“Supply chain disruptions are no longer rare – they’re the new normal,” warned Willis Towers Watson in its Global Supply Chain Risk Report 2025. From geopolitical tensions and shipping disruptions to raw-material shortages and climate events, 2025 reminded us that a supplier’s risk is our own. The Organization for Economic Co-operation and Development (OECD) recently cautioned that aggressive reshoring efforts, while intended to strengthen supply chains, could reduce global trade and GDP by up to 12% in some regions. That means even “localization” has global consequences.

What this means for SCRM & TPRM teams: Collaboration between supply chain and cyber risk teams is essential. Third party onboarding should include resilience indicators such as alternate sourcing, regional exposure, and operational continuity. Organizations should scenario-test through table-top exercises: What happens if a key supplier is hit by a regional conflict or climate event?

The Cyber Visibility Gap

While awareness of supply-chain cyber risk surged in 2025, action is still lagging. SecurityScorecard’s 2025 Supply Chain Cybersecurity Trends report found that 88% of organizations are concerned about supply-chain cyber risk, yet 79% say less than half of their Nth party suppliers are covered by a cybersecurity program. That gap is where incidents happen. And they did: several 2025 cyber events, including ransomware attacks targeting software providers and managed-service platforms, illustrated how one vendor breach can ripple across thousands of customers. For CISOs and cyber teams, the perimeter now extends far beyond internal networks. For privacy, finance and compliance leaders, supply chain breaches mean real financial, legal, and reputational consequences.

Takeaway: The old model of annual third party assessments can’t keep up. Continuous cyber monitoring and contractual visibility into sub-vendors must become the norm.
The AI Shift: Power, Promise & Peril

Artificial intelligence is rewriting the risk landscape, and not always in predictable ways. IBM’s Cybersecurity Predictions for 2025 identified “shadow AI” (unsanctioned generative-AI use) as a growing enterprise threat. At the same time, AI-powered tools are transforming due diligence, anomaly detection, and vendor monitoring. In June 2025, the Reserve Bank of India issued a warning about the “systemic threat from vendor lock-ins” and called for AI-aware defense and zero-trust frameworks across financial institutions. According to Venminder’s State of Third-Party Risk Management 2025 survey, nearly 49% of organizations experienced some type of third party cyber incident in the past 12 months. In that same report, 40% of those organizations had added third party contract language addressing AI risk, reflecting rising concern over third parties’ use of AI. The lesson: AI is both a risk accelerator and a resilience enabler.

For 2026: Third party due diligence must now include assessment of AI use, data inputs, and governance controls. Model Risk Managers, Procurement, Legal and Compliance should align with TPRM to ensure contract language addresses AI transparency and model risk. Cyber and privacy teams must evaluate third party identity controls and data-handling practices in AI workflows.

Macro Risk and the Global Context

Beyond technology, 2025 underscored how geopolitics, economics, and the environment intersect with third party risk. The World Economic Forum Global Risks Report 2025 lists conflict, trade wars, and technological polarization among the top medium-term global threats. Meanwhile, inflation and interest-rate volatility continue to squeeze third party liquidity, and climate-related disasters disrupt logistics and the supply of critical materials. For TPRM, SCRM, finance, and compliance leaders, the message is simple but sobering: your third party ecosystem doesn’t exist in isolation.
It is exposed to the same global shocks as you are, and often more so.

Action Steps: Build macro-risk stress-testing into your TPRM program by asking yourself: “If a key supplier were sanctioned tomorrow, how would we respond?” “If extreme weather wiped out a regional facility, what is our backup plan?”

Organizational Readiness and the Integration Imperative

Even as risk complexity rises, many TPRM programs remain under-resourced and siloed. The SecurityScorecard study found that most organizations “feel confident” in their third party cyber risk management, yet lack visibility into even half their vendors. Confidence without integration is dangerous. The best-performing organizations in 2025 shared one trait: cross-functional collaboration. Cyber teams partnered with Procurement. Compliance sat at the same table as Finance. Business leaders viewed third party risk as enterprise risk.

For 2026, ask yourself: Does our third party risk management lifecycle link directly to risk and compliance processes? Are our contracts AI-aware and aligned with data protection requirements? Do we have joint playbooks for responding to third party incidents? Are we continuously monitoring, not just assessing, our third party ecosystem?

Looking Ahead: 2026 & Beyond

As we enter 2026, expect five defining shifts in third party and supply-chain risk: Nth party visibility will move from buzzword to business requirement. Real-time monitoring will replace static due diligence. AI governance will become a standard third party risk criterion. Supply chain resilience will merge cyber, operational, and ESG risk views. Regulatory scrutiny will tighten, especially around data privacy, AI, and supply chain transparency. In short, resilience is the new ROI (return on investment). Every organization’s competitive edge will hinge on how well it manages its interconnected risk ecosystem.

Quick Check: Your 2026 Third Party Risk Readiness

Do you know your third party sub-vendors?
Do your contracts address AI, identity, and data governance? Can you monitor third party cyber posture continuously? Are cyber, procurement, compliance, and finance aligned on third party lifecycle management? Are teams all rowing in the same direction, or do you have prideful teammates rowing against reality on a power trip? Have you stress-tested your supply chain for geopolitical or climate shocks?

If not, now is the time to act. 2026 will reward the prepared. Third Party Risk Management (TPRM) is not a compliance exercise, it's a leadership function (and always has been). As the lines blur between supply chain, cyber, and enterprise risk, the organizations that thrive will be those that break down silos and collaborate across disciplines. The state of the industry isn’t just about where we are, it’s about how we choose to respond. Let’s all choose to lead.

TPRA’s Call To Action: At the Third Party Risk Association, we believe progress happens when professionals connect, share and lead together. Join thousands of your peers across industries who are shaping the future of TPRM through collaboration, education, and thought leadership. You can get involved through membership, join a working group, volunteer, or partner as a vendor member or strategic partner to help strengthen the global TPRM community. Also, join us at our highly anticipated in-person conference April 20 – 23, 2026 in Denver, CO.

Author Bio: Heather Kadavy, Senior Membership Success Coordinator. Heather Kadavy joined the Third Party Risk Association (TPRA) in 2023 as the Senior Membership Success Coordinator.
In recent years, Heather has provided freelance TPRM consulting to various organizations after retiring from a Nebraska financial institution, where over nearly 35 years she oversaw and managed critical programs including Third Party Risk Management, Information Security, Physical Security, Safety, Business Recovery, Financial Crimes, Model Risk Management, and Enterprise Risk Management. In her TPRM role she had oversight of over a thousand third party relationships, systems, due diligence reviews and contract management activities. She developed, facilitated, and implemented training programs for thousands of employees over the years. Heather is a natural-born connector of people and values relationship building as the cornerstone of her career. She encourages you to connect with TPRA and herself via LinkedIn to join the "TPRM Global Conversation".
- What is Third Party Risk Management (TPRM)?
Introduction

In this post, we’ll answer the essential question: What is Third Party Risk Management (TPRM)? Drawing from our Third Party Risk Management 101 Guidebook, this blog can be used as a starting point for those who wish to establish, validate, and/or enhance their Third Party Risk Management Program. We’ll introduce you to the foundations of TPRM and why it’s critical for organizations today. We’ll break down the basics, including key definitions, the various types of risk posed by third parties, how to assess and measure these risks, and the first steps to managing and mitigating third party risk exposure. Whether you're new to TPRM or looking to enhance your program, this post will guide you through the essentials.

Definitions

What is a Third Party? For our purposes, Third Party will be broadly defined to include all entities that can or do provide products and/or services to an organization, regardless of whether a contract is in place or money changes hands. Such entities can include, but are not limited to: Affiliates, Subsidiaries, Consultants, Contractors, Subcontractors, Vendors, Service and Solution Providers, Fourth parties, and more.

Historically, organizations procured services from third parties for cost-efficiency purposes. Today, the purpose of procuring third party products and services has greatly evolved. Now it includes, but is not limited to: Outsourcing critical processes; Quickly scaling services to reach global markets; Focusing on more strategic priorities; Reaching niche markets; Gaining additional expertise and functionality.

As this evolution occurs, the risk and impact posed by third parties to organizations increases. Therefore, Third Party Risk is the possibility of an adverse impact on an organization’s data, financials, operations, regulatory compliance, reputation, or other business objectives, as a direct or indirect result of an organization’s third party. So, how do you properly mitigate third party risk?
By having a strong TPRM program. But what does TPRM entail? Third Party Risk Management (TPRM) is the framework of policies and procedures, controls, governance and oversight established to identify and address risks presented to an organization by its third parties. A Control is a process and/or activity used to monitor, review, and/or address a specific risk.

What is TPRM?

Third Party Risk Management is not a new concept, but its importance continues to grow due to: The threat landscape growing in complexity; Organizations having a greater reliance on third parties to support critical services; Digital transformation projects growing in momentum; Increasing regulations; Environmental impacts.

In addition, there has been an increase in regulatory scrutiny of organizations, to ensure they are aware of the risks and impacts their third parties have on them. Gone are the days when organizations could simply attest that they have a compliance program in place. Regulators now require organizations to demonstrate that their third parties have effective controls and compliance programs in place. To ensure that third parties operate securely and effectively, an organization must implement and maintain an effective Third Party Risk Management (TPRM) program to identify, assess, monitor, and mitigate risks related to outsourced data and processes. Customers, board members, and regulators have significant expectations that organizations will maintain effective TPRM programs. These stakeholders seek assurance that the organization is appropriately identifying and managing third party risks to protect their interests and uphold compliance standards. But what risks specifically should a TPRM program consider?

Potential Risks with Third Party Relationships

Organizations that hire third party services frequently share data and intellectual property with those providers.
For our purposes, Organizational Data will refer to all proprietary and restricted data a company holds, processes, and/or secures, including its customers’ personal data. Third parties often access, transfer, manipulate, and store organizational data, which increases the risk for the organization that owns this data. While third parties share some responsibility for protecting this information, the primary responsibility lies with the organization itself. It is crucial for the owning organization to ensure that third parties are properly safeguarding both its data and its customers’ data. An organization is only as strong as its weakest link, which may be a third party.

The risk of engaging with a third party depends on the type of relationship between the organization and the third party, as well as the controls that the third party has in place. While there is no way to completely eliminate the risk of a data breach or other incident, there are steps the organization can take to understand the risk of working with the third party and to mitigate it appropriately. Failing to properly identify, assess, and manage the risks associated with third party relationships can lead to significant consequences. It can attract scrutiny from regulators, result in fines and other legal repercussions, and pose serious reputational or financial risks to the organization’s relationship with its customers.

What Types of Risk Are There?

A third party relationship can introduce many different types of risk to an organization. TPRM programs no longer focus only on cyber risk, as there is an increased need to expand their risk view. Now, TPRM programs must review a third party’s financials, operations, and even environmental and social impacts. Social impacts relate to labor practices, environmental controls, and organizational governance practices.
Here are just a few types of risks a third party could present to your organization:

Reputational Risk: Results from a negative public view related to dissatisfied customers, interactions not consistent with institutional policies, inappropriate recommendations, security breaches resulting in the disclosure of customer information, and/or violations of laws and regulations.
Operational Risk: Results from inadequate or failed internal processes, people, and/or systems.
Strategic Risk: Results from failing to align strategic goals to business objectives and/or an activity that jeopardizes an organization’s strategic objectives.
Transaction Risk: Results from issues with service and/or product delivery, or a third party’s failure to perform as expected by customers. An organization can also be exposed to transaction risk through inadequate capacity, technological failure, human error, and fraud.
Financial Risk: Results from a third party’s failure to meet or align with an organization’s monetary requirements and expectations.
Cybersecurity Risk: Results from the probability of exposure or loss of organizational data due to a technical failure, event, or incident (including a breach).
Environmental, Social, Governance (ESG) Risk: Results from an organization's environmental, social, and governance impacts, based on its decisions and daily activities.
Compliance Risk: Results from a violation of laws, rules, and regulations, or from non-compliance with internal policies or procedures.

Other types of risk vary based on businesses' use of third parties, the efficacy of third party internal controls, and the locations in which they operate. Organizations must carefully evaluate the controls of their third parties to ensure that risks are avoided, mitigated, shared, transferred, or accepted according to their risk management framework, which is guided by their risk appetite.
An organization’s risk appetite refers to the level of risk that it is willing to accept or reject. Every organization possesses a risk appetite, even if it is not formally documented. If your organization doesn’t have a formal risk appetite statement, it’s important to closely monitor the third party risks that are accepted or overlooked, as these choices reveal the company’s informal risk appetite. Essentially, paying attention to how your organization handles these risks can help clarify its risk tolerance.

The Evaluation of Third Party Risk

Assessing third party risks, and the controls in place to mitigate those risks, is crucial when deciding whether to contract with a third party provider. It also shapes how the organization will conduct ongoing monitoring of the relationship. Understanding the nature of the services that the third party will provide is essential to grasping their potential impact on your organization. This knowledge enables businesses to prepare proactively for the challenges that may arise if the third party fails to deliver the promised products or services. The key to effectively leveraging the products and services of a third party, in any capacity, is for an organization to properly identify, assess, mitigate, and monitor the risks associated with doing business with that third party.

There are two measures of risk: inherent risk and residual risk. Inherent risk is the level of risk associated with a third party product or service before any controls are considered. An inherent risk assessment does not consider any third party controls that may be implemented to mitigate these risks. When assessing inherent risk, several factors are considered, including the nature of the product or service offered, the type of data accessed or transferred, the geographical location of the third party, and the financial amount involved. Importantly, it does not include any protective measures the third party may have established to reduce those risks.
Inherent Risk

Inherent risk is usually assessed before conducting any detailed evaluation of the third party. This assessment offers a worst-case view of the third party's potential risk, as if all controls had failed. It helps categorize the third party and determine the required due diligence effort, as well as the timing of future assessments, based on the level of risk the third party poses to your organization.

Residual Risk

Residual risk is the level of inherent risk that remains after controls have been evaluated and any identified risks have been addressed. It gives a clearer picture of the risk landscape associated with a third party by assessing the adequacy and effectiveness of the controls in place.

Formula for Risk: Risk = Impact x Likelihood

Risk is calculated by multiplying the impact a risk could have on the organization by the likelihood that it will occur. The velocity at which the risk could materialize may also be considered when calculating likelihood.

What to do with Discovered Risks

After an organization calculates the risk associated with a third party, it may choose to accept, remediate, share, transfer, or avoid the identified risk. The following outlines how each of these options functions.

Accept: When organizations accept risk, they acknowledge that the potential loss or impact from a risk is at a level that the organization is willing to accept and/or not treat immediately. Risk acceptance should be temporary until the risk can be appropriately mitigated or a secondary (compensating) control can be put in place.
Remediate: To remediate risk, organizations work with a third party to create and implement an achievable action plan to add or enhance controls. Risk remediation can lessen the likelihood of occurrence or the risk's impact on an organization.
Share: Risk sharing allows an organization to distribute the responsibility for a risk across multiple organizations and/or individuals.
This ensures that the impact of the risk isn’t borne by one organization and/or individual alone. Risks can be shared by implementing controls across organizations to address the risk and/or by contractually sharing responsibility for the impact should it be realized.
Transfer: A risk transfer often occurs in instances where the impact of a risk is high but the likelihood of it occurring is low. Organizations can then transfer the risk to another organization, such as an insurance company, that is better suited to absorb large-scale risk.
Avoid: Organizations can choose to avoid a risk by not taking it on or by avoiding the actions that cause it. From a third party risk perspective, this usually involves disengaging from a third party and/or terminating services.

Regardless of how an organization chooses to address risk, it must first have processes in place to discover and assess it. This is accomplished through the implementation of a strong Third Party Risk Management Program.

Conclusion

Third Party Risk Management (TPRM) is a crucial aspect of ensuring an organization's security, compliance, and overall resilience. As reliance on third parties increases and the threat landscape becomes more complex, implementing a well-structured TPRM program is essential. By identifying, assessing, and managing the various risks presented by third parties, such as operational, regulatory, reputational, financial, and cyber risks, organizations can proactively mitigate potential threats. Through effective TPRM practices, businesses can better protect their operations, maintain regulatory compliance, and preserve their reputation in an ever-evolving risk environment.

Related Resources: TPRM 101 Guidebook; What is TPRM Video
- From Manual to Modern: How to Spot TPRM Processes Ready for Automation
In today’s third party risk management (TPRM) environment, time is a scarce resource, and risk teams are feeling the pressure. As organizations grow their third party ecosystems and regulatory expectations rise, TPRM programs are expected to scale without receiving more people or budget. That’s where automation can help. But before jumping into technology solutions, practitioners often ask a crucial question: “How do I know what to automate?” Not everything is a good candidate. Some processes rely on deep judgment or require hands-on communication. But others, the repetitive, rules-based, time-consuming tasks, are perfect opportunities to automate and free up your team’s time for strategic risk management activities. Let’s walk through how to spot automation use cases inside your own program, and hear how one risk leader turned hours of manual work into minutes of automated flow.

What Makes a Good Candidate for Automation?

Start with a simple lens. The best processes to automate usually have these qualities:
High volume: Happens frequently across many third parties
Repetitive: Same steps followed every time
Rule-based: Decisions based on set criteria or logic
Low variation: Minimal case-by-case customization
Trackable: Easily measurable in terms of success or failure
If you’re doing a task over and over, and it doesn’t require nuanced human decision-making, it’s probably a strong automation candidate.

Common TPRM Automation Use Cases

Here are some of the most common areas where automation delivers real value:
1. Initial Third Party Intake & Risk Tiering: Automating the intake form and feeding third party and business owner responses directly into a tiering model saves time and reduces manual scoring errors. You can set rules to automatically assign low, medium, or high risk based on responses such as data sensitivity or criticality.
2. Due Diligence Questionnaire Distribution: Rather than tracking who received which questionnaire, use automation to send the right assessment based on third party type and risk level, trigger reminder emails, and flag when a response is overdue.
3. Policy & Document Collection: Stop chasing third parties manually for SOC reports, insurance certificates, or data maps. Use tools that auto-request documents, validate expiration dates, and flag missing items before you notice.
4. Issue Remediation Workflows: If a third party fails a control assessment, automation can generate a ticket, assign it to the right risk owner, and send periodic follow-ups until it’s resolved or escalated.
5. Continuous Monitoring: Set thresholds and rules so that alerts from external monitoring platforms are filtered, prioritized, and routed to the right business owner and/or third party. Not every continuous monitoring alert needs to land in your inbox.

Real-World Example: Automating Third Party Risk Tiering

Case Study: Financial Services TPRM Team (Mid-Sized U.S. Bank). A TPRM team supporting over 1,000 third parties struggled to keep up with onboarding. Each third party was manually risk-tiered by reviewing spreadsheets, pasting data into a scoring tool, and then having it double-checked by a second analyst. “It was taking us 2 to 3 hours per vendor, just to assign a tier,” the risk lead told us. By implementing an automation workflow using a TPRM platform, they built a rules engine tied to their intake questionnaire. Now, as third parties fill out intake forms, their answers auto-feed into a tiering model based on categories like access to sensitive data, cloud usage, and financial impact. The automation generates a tier instantly, flags high-risk vendors for human review, and logs everything for audit readiness.
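The tiering workflow this case study describes, together with the Risk = Impact x Likelihood formula and the inherent versus residual risk distinction from the "What is Third Party Risk Management (TPRM)?" post above, as an added Python example. It is not TPRA's code and not any TPRM platform's rules engine. The intake fields, the 1 to 5 weights, the tier cut-offs, the treatment of residual risk (each verified effective control lowers likelihood by one step) and the sample vendors are all assumptions chosen for illustration; a real program would calibrate them to its own risk appetite.

```python
"""Rules-based third party risk tiering with a human-review gate and an audit trail.
Added example, not TPRA's code nor any TPRM platform's rules engine. The form fields,
1-5 weights, tier cut-offs and sample vendors are all assumptions for illustration."""
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Impact weight (1-5) per intake answer. Assumed values, not a published scale.
DATA_SENSITIVITY = {"public": 1, "internal": 2, "confidential": 4, "regulated": 5}
CRITICALITY = {"low": 1, "medium": 3, "high": 5}
FINANCIAL_EXPOSURE = {"under_100k": 1, "100k_to_1m": 3, "over_1m": 5}
WORST_CASE = 5  # blank or unrecognised answer: fail closed, not open
# Inherent score = impact x likelihood (1-25); cut-offs are assumed for the example.
TIER_CUTOFFS = [(15, "high"), (8, "medium"), (0, "low")]

@dataclass
class Intake:
    """One third party's intake-form answers (constructed, not a real form)."""
    vendor: str
    data_sensitivity: str
    criticality: str
    financial_exposure: str
    cloud_hosted: bool = False
    offshore: bool = False
    network_access: bool = False
    incident_last_12m: bool = False

@dataclass
class Decision:
    vendor: str
    impact: int
    likelihood: int
    score: int
    tier: str
    needs_human_review: bool
    reasons: list

def score_impact(r):
    """Worst single answer drives impact; a blank or unknown answer scores worst case."""
    values, unknowns = [], []
    for name, table in (("data_sensitivity", DATA_SENSITIVITY),
                        ("criticality", CRITICALITY),
                        ("financial_exposure", FINANCIAL_EXPOSURE)):
        answer = getattr(r, name)
        values.append(table.get(answer, WORST_CASE))
        if answer not in table:
            unknowns.append(name)
    return max(values), unknowns

def score_likelihood(r):
    """Likelihood 1-5: baseline 1 plus one step per exposure factor present."""
    return 1 + sum((r.cloud_hosted, r.offshore, r.network_access, r.incident_last_12m))

def tier_for(score):
    return next(name for cutoff, name in TIER_CUTOFFS if score >= cutoff)

def assess(r, audit_log):
    """Inherent-risk tier from intake answers alone; no third party controls considered."""
    impact, unknowns = score_impact(r)
    likelihood = score_likelihood(r)
    score = impact * likelihood
    tier = tier_for(score)
    reasons = [f"impact={impact}", f"likelihood={likelihood}"]
    reasons += [f"{u}: no usable answer, scored as worst case" for u in unknowns]
    # The gate from the case study: high-tier vendors go to a human, and so does
    # anything the rules could not score confidently, instead of silently landing low.
    needs_review = tier == "high" or bool(unknowns)
    d = Decision(r.vendor, impact, likelihood, score, tier, needs_review, reasons)
    # Log inputs and outputs together so an auditor can replay the decision later.
    audit_log.append(json.dumps({"at": datetime.now(timezone.utc).isoformat(),
                                 "input": asdict(r), "decision": asdict(d)}))
    return d

def residual(d, effective_controls):
    """Residual tier after control review: each verified effective control lowers
    likelihood one step (floor 1). Impact stays as is, since controls make a loss less
    likely rather than less severe; that treatment is an assumption of this example."""
    likelihood = max(1, d.likelihood - effective_controls)
    return Decision(d.vendor, d.impact, likelihood, d.impact * likelihood,
                    tier_for(d.impact * likelihood), d.needs_human_review,
                    d.reasons + [f"effective_controls={effective_controls}"])

# Constructed sample intake answers; these are not real vendors.
SAMPLE_INTAKE = [
    Intake("Payroll SaaS", "regulated", "high", "over_1m", True, True, True, True),
    Intake("Office plants", "internal", "low", "under_100k", cloud_hosted=True),
    Intake("Analytics vendor", "confidential", "medium", "100k_to_1m", True, False, True, False),
    Intake("New supplier", "", "low", "under_100k"),  # blank answer left on the form
]

def run_samples():
    """Tier every sample vendor; returns {vendor: Decision}."""
    log = []
    return {r.vendor: assess(r, log) for r in SAMPLE_INTAKE}

if __name__ == "__main__":
    for vendor, d in run_samples().items():
        print(f"{vendor:17} tier={d.tier:6} score={d.score:2} review={d.needs_human_review}")
```

Two points a practitioner would want from a rules engine like this: an answer the rules cannot interpret is scored at the worst case and routed to a human rather than quietly defaulting to a low tier, and every automated decision is written to the audit log with its inputs, so an examiner can replay why a vendor landed where it did. Running the file prints the sample tiers; residual(decision, n) shows how the same vendor's tier moves once n controls have been verified as effective, which is the inherent-to-residual step the earlier post describes.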
Result: Manual effort dropped from 3 hours to under 10 minutes. Analyst hours saved: roughly 50 per month. More consistent tiering, and stronger regulator confidence.

How to Identify Automation Opportunities in Your Program

Start simple. Ask yourself and your team: What process eats up the most time? Are there tasks we do the same way every time? Where do errors or delays occur? What are we manually tracking in Excel or email? What do we wish we had more time for (but don’t)? Then, map out the steps. If you can diagram it on paper, chances are you can automate it.

Avoid These Common Pitfalls

Before automating, take these precautions: Don’t automate a broken process; fix inefficiencies first. Avoid black-box logic (a system or algorithm whose internal workings are not easily understood or accessible to the user); you still need visibility and traceability. Keep humans in the loop for judgment calls or escalations. Test in small batches before going wide.

Final Thought: Start Small, Scale Smart

You don’t need a full digital transformation to begin automating. Choose one use case, something your team is tired of doing manually, and experiment. Measure the time saved. Show impact. Remember, in TPRM every minute you save on manual administration is a minute you can spend mitigating actual risk.

Author Bio: Heather Kadavy, Senior Membership Success Coordinator. Heather Kadavy joined the Third Party Risk Association (TPRA) in 2023 as the Senior Membership Success Coordinator. In recent years, Heather has provided freelance TPRM consulting to various organizations after retiring from a Nebraska financial institution, where over nearly 35 years she oversaw and managed critical programs including Third Party Risk Management, Information Security, Physical Security, Safety, Business Recovery, Financial Crimes, Model Risk Management, and Enterprise Risk Management.
In her TPRM role she had oversight of over a thousand third party relationships, systems, due diligence reviews and contract management activities. She developed, facilitated, and implemented training programs for thousands of employees over the years. Heather is a natural-born connector of people and values relationship building as the cornerstone of her career. She encourages you to connect with TPRA and herself via LinkedIn to join the "TPRM Global Conversation".
- Why Automate Sanctions Monitoring?
" Why Automate Sanctions Monitoring? " is a one-page infographic that outlines how automation improves the accuracy, speed, and consistency of sanctions screening. It highlights key automation capabilities such as continuous third party monitoring, executive and ownership screening, and automated flagging workflows. These features help organizations stay compliant with evolving global regulations, reduce the burden of manual checks, and quickly identify potential compliance risks. Use this infographic as a reference to better understand where automation fits in your TPRM process and how it can strengthen your overall compliance strategy.
- Creating a TPRM Budget
"Creating a TPRM Budget" is a one-page infographic that provides a sample budget format to help risk management teams build and present a clear, effective budget. It outlines the essential components of a TPRM budget, including cost avoidance, operational resilience, return on investment (ROI), measurable key performance indicators (KPIs), and multi-year forecasting. By using this framework, organizations can showcase the value of their TPRM program, align with strategic goals, and gain executive buy-in for future investments. Download the infographic to use as a quick reference and support your next TPRM budget presentation.
- Establishing Accountability in Third Party Risk Management
This resource, Establishing Accountability in Third Party Risk Management (TPRM), provides a concise yet powerful framework for embedding accountability into TPRM programs. Built around the Three Lines of Defense model introduced by the Institute of Internal Auditors (IIA), the guide highlights how operational management, risk/compliance functions, and internal audit each play a distinct but interconnected role in protecting the organization from third-party risks. It outlines:
First Line (Operational Management): Frontline teams managing vendors and risks directly.
Second Line (Risk Management & Compliance): Dedicated teams ensuring oversight, building policies, and supporting consistent risk management practices.
Third Line (Internal Audit): Independent assurance to evaluate effectiveness, verify compliance, and recommend improvements.
The resource emphasizes that effective TPRM is not just about tools and processes, but about making accountability part of organizational culture. With clear responsibilities and a strong governance structure, TPRM professionals can drive transparency, reduce risk exposure, and enhance resilience. This downloadable guide is designed for any TPRM practitioner seeking a quick-reference tool to strengthen accountability within their programs.