- Addressing Third Party Insurance Risk
This blog was inspired by the meeting facilitated by Julie Gaiaschi, CEO & Co-Founder of TPRA, at TPRA's November 2024 Practitioner Member Roundtable. (To watch the full presentation, TPRA Members can visit our On-Demand Webinars page and navigate to the November 2024 meeting recording.)

With insurance risk, it is crucial to evaluate whether coverage exists and whether it can actually protect against the liabilities a third party relationship could create. Understanding the types of coverage available and the appropriate limits ensures that your organization is protected against unforeseen events. How can you evaluate coverage types and limits to ensure they align with your risk tolerance and provide the necessary safeguards?

In this blog, we will cover:
- Addressing Insurance Risk
- What is Insurance
- Insurance Risk
- What To Evaluate
- Insurance Types & Limits

What is Insurance
The primary purpose of insurance is to mitigate the financial impact of unforeseen events, providing individuals and businesses with a degree of security and stability. It is a transfer of financial risk, best suited to events whose likelihood is low but whose impact is high. If a third party is critical or high-risk, its insurance requirements should be specified in the contract. There should also be a pre-contract evaluation of the insurance coverage and policies held by the third party to confirm they have adequate coverage for the risks and liabilities the relationship creates. This assessment aims to confirm that the third party's insurance meets your organization's expectations, risk methodology, and risk appetite, while also ensuring adequate protection for both parties in case of unforeseen events.
Insurance Risk
There are many types of insurance risk, including but not limited to:
- Insufficient insurance coverage
- Lapse in insurance coverage
- Irrelevant coverage
- Lack of umbrella or excess liability
- Out of compliance with contractual requirements
- Changes to policy terms and/or limits
- Failure to address emerging risks

What To Evaluate
Evaluating a third party's insurance involves examining several factors to ensure their policies meet your organization's requirements and mitigate potential risks effectively. The key aspects to consider during this evaluation are:
- Coverage Types: Evaluate the types of insurance coverage the third party holds, such as general liability, professional liability, cyber liability, product liability, workers' compensation, and more.
- Certificate of Insurance (COI): Obtain and review the third party's Certificate of Insurance to verify the details of their coverage, including policy numbers, effective dates, coverage types, and limits. A COI is a summary issued by the carrier or broker, not the policy itself, so it will not show exclusions; request the policy language where the scope of coverage matters.
- Coverage Limits: Assess whether the coverage limits are sufficient to cover potential losses or liabilities that could arise from the third party's actions.
- Scope of Coverage: Review the policy language to understand the scope of coverage, exclusions, and limitations of the policies.
- Effective Dates: Determine the renewal and cancellation terms of the third party's policies to ensure continuous coverage for the full contract period. Commercial policies are commonly written for a one-year term, so a multi-year contract needs a renewal check at each cycle.
- Additional Insured: Determine whether your organization is named as an additional insured on the third party's policies. This gives your organization coverage under their policies for specified liabilities.
- Subcontractor Coverage: Assess whether the third party's insurance extends to subcontractors or vendors they engage for services related to your business relationship.
- Coverage Gaps: Identify any gaps that could leave either party exposed to risks not adequately addressed by the third party's insurance.
- Deductibles and Self-Insured Retentions: Review the deductibles or self-insured retentions associated with the policies and assess whether they are reasonable.
- Claims History: Inquire about the third party's claims history and any significant claims or incidents in the past.
- Notification & Reporting: Understand the third party's procedures for notifying the insurance carrier and relevant parties in the event of a claim.

Insurance Types & Limits
Below is a list of general guidelines for common insurance policies. Coverage needs vary significantly, so always consult with insurance professionals and risk management experts to determine what is appropriate for your specific situation. Disclaimer: The following is for informational purposes and does not represent insurance advice.

- General Liability Insurance. Coverage purpose: protects against claims of bodily injury, property damage, and personal injury arising from your business operations. Recommended coverage limit: $1 million to $2 million per occurrence, with an aggregate limit (the total limit for the policy period) of $2 million to $4 million.
- Professional Liability (Errors & Omissions). Coverage purpose: covers claims arising from mistakes, negligence, or failures in professional services or advice. Recommended coverage limit: $1 million to $2 million per occurrence, with an aggregate of $2 million to $4 million.
- Cyber Liability. Coverage purpose: protects against data breaches, cyberattacks, and related liabilities. Recommended coverage limit: varies with the size and nature of the organization, but limits of $1 million to $10 million or more may be appropriate.
- Umbrella or Excess Liability Insurance. Coverage purpose: provides additional coverage beyond the limits of the primary liability policies. Recommended coverage limit: enough additional coverage to handle catastrophic events; it is often recommended to carry a limit that matches your total assets or potential liabilities.
- Workers' Compensation. Coverage purpose: provides medical and wage replacement benefits to employees injured on the job. Coverage limit: determined by legal requirements in your jurisdiction; it typically provides benefits according to state law.
- Business Interruption. Coverage purpose: covers lost income and operating expenses if your business is unable to operate due to a covered event. Recommended coverage limit: should cover your anticipated revenue and necessary ongoing expenses during the interruption period.
- Product Liability Insurance. Coverage purpose: protects against claims arising from defective products causing bodily injury or property damage. Recommended coverage limit: depends on the type of products, industry, and size of the organization; limits could range from $1 million to several million dollars.
- Commercial Property Insurance. Coverage purpose: protects against damage or loss of physical assets, such as buildings, equipment, inventory, and furnishings. Recommended coverage limit: sufficient to cover the replacement or repair costs of your assets; consider the value of your property and potential rebuilding costs.
- Employment Practices Liability Insurance (EPLI). Coverage purpose: protects against claims related to employment practices, such as discrimination, harassment, and wrongful termination. Recommended coverage limit: varies based on the size of the organization and potential risks, but limits of $1 million to $5 million are common.
- Directors and Officers (D&O) Insurance. Coverage purpose: protects the personal assets of directors and officers from claims related to their management decisions. Recommended coverage limit: varies based on the size of the organization, industry, and exposure, but limits of $1 million to $5 million are typical.

Conclusion
Evaluating insurance risk is an important aspect of third party risk management. By carefully assessing coverage types, limits, and terms, organizations can ensure that both their own operations and their third party relationships are protected against potential liabilities. This comprehensive approach to insurance risk helps ensure your organization is prepared for and protected against potential challenges.

Resources: Guidebook
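Once a COI has been transcribed into a structured record, most of the "What To Evaluate" checks above (limits against the contract, coverage dates against the contract term, additional insured status, presence of an umbrella policy) can be run mechanically and re-run at every renewal. The Python below is an added example written for this page, not TPRA tooling or any TPRM platform's code: the record fields, the two-year sample contract, the sample COI lines and the finding categories are all constructed for illustration, and the categories simply mirror the insurance-risk list in the article.

```python
"""COI gap check against contractual insurance requirements.

Added example for this page, not TPRA tooling. Field names, the sample
contract and the sample COI lines are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class Policy:
    """One coverage line transcribed from a Certificate of Insurance."""
    coverage_type: str        # e.g. "general_liability", "cyber_liability", "umbrella"
    per_occurrence: int       # USD
    aggregate: int            # USD, total for the policy period
    effective: date
    expiration: date
    additional_insured: bool = False   # our organization named as additional insured


@dataclass
class Requirement:
    """What the contract says the third party must carry."""
    coverage_type: str
    per_occurrence: int
    aggregate: int
    additional_insured: bool = False


@dataclass
class Contract:
    start: date
    end: date
    requirements: list[Requirement]
    umbrella_required: bool = False


def check_coi(contract: Contract, policies: list[Policy], today: date) -> list[tuple[str, str]]:
    """Return (category, detail) findings; an empty list means no gap was detected."""
    findings: list[tuple[str, str]] = []
    on_file = {p.coverage_type: p for p in policies}

    for req in contract.requirements:
        pol = on_file.get(req.coverage_type)
        if pol is None:
            findings.append(("MISSING_COVERAGE", f"{req.coverage_type} required by contract, not on COI"))
            continue
        if pol.per_occurrence < req.per_occurrence or pol.aggregate < req.aggregate:
            findings.append(("INSUFFICIENT_LIMIT",
                             f"{req.coverage_type}: {pol.per_occurrence}/{pol.aggregate} "
                             f"below required {req.per_occurrence}/{req.aggregate}"))
        if pol.expiration < today:
            findings.append(("LAPSED", f"{req.coverage_type} expired {pol.expiration}"))
        elif pol.effective > contract.start or pol.expiration < contract.end:
            # An annual policy rarely spans a multi-year contract: track the renewal.
            findings.append(("RENEWAL_REQUIRED",
                             f"{req.coverage_type} covers {pol.effective}..{pol.expiration}, "
                             f"contract runs {contract.start}..{contract.end}"))
        if req.additional_insured and not pol.additional_insured:
            findings.append(("ADDITIONAL_INSURED_MISSING", req.coverage_type))

    if contract.umbrella_required and "umbrella" not in on_file:
        findings.append(("NO_UMBRELLA", "no umbrella or excess liability policy on COI"))
    return findings


def sample_findings() -> list[tuple[str, str]]:
    """Constructed sample: a two-year contract and a COI showing two annual policies."""
    contract = Contract(
        start=date(2025, 1, 1), end=date(2026, 12, 31), umbrella_required=True,
        requirements=[
            Requirement("general_liability", 1_000_000, 2_000_000, additional_insured=True),
            Requirement("cyber_liability", 5_000_000, 5_000_000),
            Requirement("professional_liability", 1_000_000, 2_000_000),
        ],
    )
    coi = [
        Policy("general_liability", 1_000_000, 2_000_000,
               date(2025, 1, 1), date(2025, 12, 31), additional_insured=True),
        Policy("cyber_liability", 2_000_000, 2_000_000,
               date(2025, 1, 1), date(2025, 12, 31)),
    ]
    return check_coi(contract, coi, today=date(2025, 6, 1))


if __name__ == "__main__":
    for category, detail in sample_findings():
        print(f"{category}: {detail}")
```

On the constructed sample the check reports a renewal to track on both annual policies, a cyber limit below the contractual $5 million, no professional liability line at all, and no umbrella policy. The value of running this at each renewal rather than once at onboarding is the "changes to policy terms and/or limits" risk from the list above: a COI that passed last year can silently fall out of compliance when the policy is re-issued.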
- Finding Gaps in Third Party Risk Reviews
Many have questioned the value of a third party risk questionnaire. How much information can you really glean from a questionnaire anyway, especially since organizations want to look good and will frequently answer in the affirmative? The following is a list of adjustments Intermountain Health has made to our process to improve our security and decrease risk with vendors.

Early on in our third party risk journey we likely had a similar experience to most other teams. We created a questionnaire with yes, no, or not applicable answers. But there was one slight problem: everyone was answering yes to everything. How could our questionnaire have value with only yes and no options?

The value of adding the answer choice "partial"
As a result of vendors always answering "yes", we had a few key follow-up questions we would ask. One of them was to ask for a high-level overview of the process they claimed to be following. What we discovered was that the process was either only partially followed, or the vendor was beginning to implement the process and therefore answered yes. Because of this realization, we decided to add a "partial" option to our multiple-choice questions. This resulted in vendors better explaining their process. We found that simply offering the "partial" answer choice gave us better insight into the maturity of a vendor's process. It also provided an avenue for further probing on topics that we deemed important to our organization.

Compare what is said to what was said last time
Another change we made was to compare the current questionnaire responses from a vendor more closely to past responses from the business owner and the vendor. Key questions we ask and compare concern data flows, data storage, and the current products and services provided. This has led to the discovery of several items, such as data being stored offshore (which is against our standard) and products in use that do not yet have a completed security review. So, while we are still asking the same questions, we now have a baseline to work from and can determine whether there are discrepancies that need to be addressed.

Business visit and demo: compare what is said to what is done
An additional change we have found beneficial is to visit with our internal business partners using the product. Although it has taken additional time, it has served us well, as we have learned of process changes and additional data being sent to a vendor. In some cases, we found processes had changed compared to what was originally reviewed. These changes are then taken into consideration the next time we perform an assessment of the vendor. We also found cases where sensitive information was being uploaded to software that was not originally documented or approved. These visits also assist with questionnaire validation, and we have found instances where vendor responses contradict the actual process and/or service provided.

In short, a few strategies we have found beneficial include adding a "partial" choice within the vendor questionnaire, comparing questionnaire responses to past conversations with the business and vendor, and reviewing user-level processes and documentation provided by the vendor. While these enhancements have added a few extra steps to our assessment process, they have exposed additional vendor risk not normally discovered with the completion of a questionnaire.
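The "compare what is said to what was said last time" step becomes a mechanical diff once questionnaire responses are captured in structured form rather than in a PDF, and the same diff can take the business owner's account of data flows and products as a second baseline. The Python below is an added example written for this page, not Intermountain Health's or TPRA's tooling: the question IDs, the ordinal answer scale (no/partial/yes), the approved storage region standing in for "our standard", and both response sets are constructed for illustration.

```python
"""Diff a vendor's current questionnaire responses against the prior cycle.

Added example for this page, not Intermountain Health's or TPRA's tooling.
Question IDs, the answer scale, the approved storage region and both
response sets are constructed for illustration.
"""
from __future__ import annotations

# Ordinal scale for control answers; "n/a" is unranked and never a regression by itself.
ANSWER_RANK = {"no": 0, "partial": 1, "yes": 2}

# Assumption standing in for "our standard": vendor data must stay in these regions.
APPROVED_STORAGE_REGIONS = {"US"}


def compare_responses(previous: dict, current: dict,
                      reviewed_products: set[str]) -> list[tuple[str, str]]:
    """Return (category, detail) findings for the assessor to follow up on."""
    findings: list[tuple[str, str]] = []

    # 1. Control answers: flag regressions (yes -> partial, partial -> no) and
    #    any remaining "partial" answer, which gets a request for a process overview.
    prev_controls = previous.get("controls", {})
    cur_controls = current.get("controls", {})
    for qid, prev in prev_controls.items():
        cur = cur_controls.get(qid)
        if cur is None:
            findings.append(("UNANSWERED", f"{qid}: was '{prev}', no answer this cycle"))
            continue
        prev_rank, cur_rank = ANSWER_RANK.get(prev), ANSWER_RANK.get(cur)
        if prev_rank is not None and cur_rank is not None and cur_rank < prev_rank:
            findings.append(("REGRESSION", f"{qid}: '{prev}' -> '{cur}'"))
        elif cur == "partial":
            findings.append(("FOLLOW_UP", f"{qid}: 'partial', request process overview"))

    # 2. Storage locations: offshore is a standards violation; a new onshore
    #    location still needs to be reconciled with the business owner.
    prev_locations = set(previous.get("storage_locations", []))
    for loc in current.get("storage_locations", []):
        if loc not in APPROVED_STORAGE_REGIONS:
            findings.append(("OFFSHORE_STORAGE", f"data stored in {loc}"))
        elif loc not in prev_locations:
            findings.append(("NEW_STORAGE_LOCATION", loc))

    # 3. Data elements now sent to the vendor that were not declared last cycle.
    new_elements = set(current.get("data_elements", [])) - set(previous.get("data_elements", []))
    for element in sorted(new_elements):
        findings.append(("NEW_DATA_FLOW", f"{element} now sent to vendor"))

    # 4. Products in use without a completed security review.
    for product in current.get("products", []):
        if product not in reviewed_products:
            findings.append(("UNREVIEWED_PRODUCT", product))

    return findings


def sample_findings() -> list[tuple[str, str]]:
    """Constructed prior-cycle and current-cycle responses for one vendor."""
    previous = {
        "controls": {"Q1_encryption_at_rest": "yes", "Q2_mfa_for_admins": "yes",
                     "Q3_vuln_mgmt": "partial"},
        "storage_locations": ["US"],
        "data_elements": ["name", "email"],
        "products": ["Portal"],
    }
    current = {
        "controls": {"Q1_encryption_at_rest": "yes", "Q2_mfa_for_admins": "partial",
                     "Q3_vuln_mgmt": "partial"},
        "storage_locations": ["US", "IN"],
        "data_elements": ["name", "email", "SSN"],
        "products": ["Portal", "Analytics Add-on"],
    }
    return compare_responses(previous, current, reviewed_products={"Portal"})


if __name__ == "__main__":
    for category, detail in sample_findings():
        print(f"{category}: {detail}")
```

On the constructed sample the diff surfaces exactly the kinds of items described above: an MFA control that slipped from "yes" to "partial", a "partial" answer that still needs the process overview, a new offshore storage location, a new sensitive data element in the flow, and a product in use with no security review on record. Feeding the business owner's own answers in as `current` lets the same function find the cases where the vendor's story and the business's story disagree.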
- What Good TPRM Governance Looks Like
TPRM oversight supplies an organization with a strong foundation and the requirements needed to develop and steadily support its overall TPRM program. This allows the program to address third party risks at the highest level, while ensuring governance structures are in place to run the program effectively. TPRM oversight also ensures key stakeholders are aware of program requirements and assists with their implementation. But what does good TPRM oversight provide to your program?
- Accountability
- Consistency
- Support
- Value

Let's look at each benefit individually to determine what governance activities are required to achieve it.

Accountability is the benefit of clear expectations and defined roles and responsibilities. Activities related to this benefit include, but are not limited to:
- Program Governance: Determine how your TPRM program will run. Will it be centralized (one team/department is responsible for the majority of program activities) or decentralized (multiple teams/departments are responsible for pieces of your TPRM program)?
- Roles & Responsibilities: Clearly define the role each person, team, or department will play. Chances are your entire organization will be impacted by your TPRM program, as third party products and services are used by many. Key roles to define may include, but are not limited to, the Assessors, TPRM Program Leads (who own and maintain the TPRM program policies and procedures), Procurement, Legal, Information Security, and Business/Relationship Owners.
- Third Party Risk Committee: It is best practice to set up and maintain some type of risk committee where third party risks are discussed. This ensures your organization can make informed decisions regarding third party risk and accept risk at the highest level. Business Owners should not be the only ones to accept High risk on behalf of the organization.
- Education & Training: Create a TPRM education and training program for business owners and key stakeholders within your organization, and for third parties as well. Training may include a summary of how your TPRM program is structured (what assessments are performed and when; the process to validate, follow up on, and remediate findings; and the risk escalation process), as well as what evidence you will collect, when, and why. It is also important to communicate business owner and third party expectations and support requirements.

Consistency is the benefit of defined TPRM program requirements and structured metrics.
- Policies and Procedures: Document program policies and procedures, including TPRM lifecycle activities (Planning & Oversight, Pre-Contract Due Diligence, Contracting, Continuous Monitoring/Post-Contract Due Diligence, Disengagement, and Continuous Improvement), handoffs between departments, escalation procedures, and reporting.
- Metrics & Reporting: Program metrics that evaluate program maturity, third party risk trends, and assessment workflow can help you accelerate program performance and reduce the impact of third party risk on your organization.
- Continuous Improvement: At least annually, perform a gap analysis of program activities and controls by comparing them to more mature programs or by leveraging TPRM maturity models.

Support is the benefit of executive-level backing and sufficient resources.
- Budgeting: Develop a comprehensive TPRM program budget that includes resources, operations, maturity model (for future enhancements), travel (for onsite visits), training, and tools. The TPRA held a meeting in October 2021 that reviewed what a comprehensive budget should include. Playback is available to TPRA members on our website.
- Resourcing: Develop and implement a resource strategy for attracting and retaining talent. In response to the pandemic, a higher volume of regulations, cyber threats, and technology advancements, TPRM is growing in demand and practitioners are becoming more specialized. It is important to ensure your staff is knowledgeable, communicates well, and understands business needs.
- Tools: Once your program has reached a certain level of maturity (at least documented policies and procedures, as well as a good support system), you may wish to purchase TPRM tools to reduce the strain on your resources and allow you to focus on mitigating third party risk at the highest level. The majority of programs use a TPRM platform and continuous monitoring tool(s). TPRA is working to create an exhaustive list of TPRM tools. Disclaimer: This list does not include affiliate links, and the TPRA does not receive any monetary value from the list.
- Board Support: Your Board should already be asking your executives third party-related questions. They have a duty to ensure appropriate action is taken to mitigate third party risk. Update the Board on third party risk trends at least annually; you may want to work your way up to a quarterly Board update.
- Executive & Business Support: It is imperative to have the support of your executives, which in turn drives the support you receive from the business. Ensure your executives and business understand the value of having a comprehensive TPRM program in place.

Value is the benefit of TPRM program outcomes that lead to the mitigation of cyber, financial, and reputational risk.
- Business Case: It is best practice to document a strong business case for why TPRM is important and what value it brings to the organization. This helps secure future TPRM program enhancements.
- Responding to Third Party-related Incidents: Studies have shown that the more mature your program is, the less impact third party incidents will have on your organization. Ensure your program contains a plan to respond to and address third party-related incidents, and that your Legal and Information Security teams are included in the plan.
- Holistic View of Risk Landscape: A mature TPRM program can also show your executives, as well as the Board, a more holistic view of your organization's risk landscape, including fourth and fifth party risk. This allows the Board and executives to make better-informed decisions on strategic initiatives.

Overall, good TPRM program governance can not only set your program up for continuous success, but also save your organization from significant business disruption by proactively mitigating third party risk. For more information on TPRM topics and to participate in the many discussions on third party risk, join the community of TPRA Practitioners by visiting www.tprassociation.org/why-join. Standard Practitioner Membership is FREE and Premium Membership (which includes your ticket to our annual, in-person conference) is $199.
- Unveiling the Power of Conferences: The Impact of Conferences on Industry Insights and Innovation
With our 2024 in-person conference just around the corner, Third Party Risk Association (TPRA) would like to share the wide array of benefits that come from attending an industry-specific conference. In the ever-evolving landscape of professional development and networking, conferences stand out as vibrant hubs for knowledge exchange, innovation, and collaboration. Throughout this five-part blog series, we will delve into the multifaceted advantages that conferences offer. Each installment will explore a different facet of how conferences empower individuals and organizations alike.

Today's blog focuses on the Impact of Conferences on Industry Insight & Innovation. It highlights how these events provide a platform for professionals to engage with peers and leaders in exchanging research, trends, and innovative ideas. Attendees benefit from interactive sessions, panel discussions, and networking events, gaining insights that fuel forward-thinking strategies. This blog will explore how attendees can make the most of these opportunities to stay updated, engage with industry leaders, and contribute to their fields' growth.

Embracing Technology, Trends, & Research
Conferences are a conduit for collaboration on emerging risks, solving TPRM challenges, and working together on new and innovative approaches to mitigating third party risk. These interactions not only deepen individual knowledge but also contribute to industry growth and development by promoting innovation and shaping future techniques. Attending the Third Party Risk Madness conference will help you stay updated on the latest advancements in technology and industry trends. With 56 total sessions spread over 4 days, including three keynote speakers, 12 roundtables, and four demo sessions, you can gain insights from knowledgeable industry professionals. Participate in sessions on technology and emerging risks, engage with industry leaders during networking events and roundtable sessions, and follow up with speakers and attendees post-conference for further discussions and insights. View the full agenda.

Following a conference, thank speakers and attendees for their insights, follow up through email or social media, share thoughts on their presentations, ask about available resources, and offer to connect via coffee meetups, virtual discussions, or collaborative projects to strengthen relationships and foster knowledge sharing. This ensures that conversations don't stop with the conference, and that you, as a practitioner, can further develop the ideas discussed at the event and work to implement new TPRM strategies.

Conference materials can be a great resource for deepening your understanding of the topics covered. They allow you to avoid reinventing the wheel by implementing strategies and processes that have worked for others. They can also validate mature processes your organization has in place, thereby adding credibility to your program.

Do some research beforehand. Before attending a conference, conduct thorough research to understand the latest findings and emerging trends. Explore publications, industry reports, and articles to understand the current landscape and identify key topics, challenges, and innovations to discuss. Bring those thoughts, ideas, and questions to the conference and actively participate in conversations during presentations and roundtables. Also come with pain points and questions from your own program to benchmark against peers in similar situations.

Professional Development
Conferences offer professional development opportunities that enhance attendees' skills, knowledge, and capabilities. Workshops and training sessions cover emerging technologies, best practices, and industry-specific regulations. Networking opportunities promote mentorship, knowledge sharing, and learning, allowing attendees to broaden their perspectives and gain insight from experienced professionals.

Take notes during sessions to capture the key insights, ideas, and strategies shared by speakers and panelists that you do not want to forget. Use these notes to transform concepts into plans, drive change within your organization, and start discussions about innovative TPRM approaches. Often, an idea from a conference can change your perspective on processes and activities within your organization.

Use networking breaks and social events to make connections with industry peers, potential mentors, and collaborators. As we discussed in our last blog, networking is the best way to connect with fellow attendees and collaborate with industry peers. Take advantage of opportunities such as networking events and lunchtime meetups to foster conversations that could lead to future partnerships.

Conclusion
Attending conferences like our very own Third Party Risk Madness provides opportunities for professional growth and networking. Attendees can stay updated on technological advancements and engage in discussions with industry leaders. Post-conference follow-ups open the door to collaborations. Conference materials deepen understanding, particularly in Third Party Risk Management, and encourage further exploration. Networking breaks allow connections with professionals, mentors, and potential collaborators, paving the way for future partnerships. Researching emerging trends before the conference ensures active participation and meaningful contributions.

Join us at Third Party Risk Madness – where basketball, business, and TPRM unite for an epic showdown of innovation and success. Dribble your way to victory in Phoenix, Arizona, on April 9-12, 2024! Secure your court-side seat and take advantage of exclusive offers here. Hurry, space is limited, and you won't want to be left on the bench for this thrilling event.
- Unveiling the Power of Conferences: How Networking at Conferences Propels Professional Relationships
With our 2024 in-person conference just around the corner, TPRA would like to share the wide array of benefits that come from attending an industry-specific conference. In the ever-evolving landscape of professional development and networking, conferences stand out as vibrant hubs for knowledge exchange, innovation, and collaboration. Throughout this five-part blog series, we will delve into the multifaceted advantages that conferences offer. Each installment will explore a different facet of how conferences empower individuals and organizations alike.

Today's blog will highlight the notable benefit of NETWORKING in conference settings, including sharing industry insights and trends, building connections, and participating in collaborative forums, as well as some tips for enhancing your networking skills at conferences.

Learn from industry experts
Within a networking environment like a conference, you can discuss a wide variety of topics with industry experts and peers. This allows you to gain a deeper understanding of your particular area of interest. It can also expand your horizons with new conversation topics through interaction with established and seasoned professionals within, or even outside of, your field. Attending conferences provides a special chance to network with peers and fellow industry professionals in an in-person setting. Engaging in activities such as panels, roundtables, and in-house networking events provides valuable knowledge and understanding not regularly gained in an online setting. By simply talking to other seasoned professionals and tapping into their knowledge and expertise, you can gain a more in-depth understanding of new technological innovations, industry trends, and best practices. Through these interactions, you can evaluate ideas, deepen your knowledge base, and get access to expertise and information that is not typically available through conventional channels.

Building meaningful connections
Professionals from various organizations, backgrounds, and positions come together at conferences, which creates the perfect setting for building deep connections. Whether during a special networking event, a roundtable, or even just a coffee break, conferences offer a plethora of networking opportunities. During these opportunities, you can build potential connections, partnerships, and collaborations by striking up conversations and exchanging contact details. These relationships grow your professional network and offer a helping hand in overcoming current challenges, as chances are that someone else has already gone through what you are going through.

"Networking is so important for any professional and is how TPRA was founded," said Julie Gaiaschi, CEO & Co-Founder of the Third Party Risk Association. "I met my former partner at a TPRM-related conference. He was a speaker and after his presentation, I went up to him to ask him questions as it relates to developing a new TPRM program. The discussion turned into benchmarking sessions over Zoom. I then said if we have these questions, others do as well. Thus started a roundtable that turned into TPRA. At the time, I had no idea what that conversation would lead to. So often I hear from others how networking has led to a career opportunity, a program enhancement, or a personal opportunity."

Conference networking makes it possible to create lasting relationships that go beyond the mere exchange of business cards and LinkedIn connections. These relationships act as a basis of support, providing motivation, guidance, and useful knowledge that promotes both professional and personal development. By dedicating time and energy to developing these connections, conference goers create the basis for collaborative projects, shared knowledge, and ongoing relationships that strengthen their careers and personal lives.

Exploring Collaborative Opportunities
Among the main advantages of networking at conferences is the chance to explore collaborative efforts with peers and business associates. Conferences serve as a nurturing environment for creativity and cooperation, creating settings in which concepts can be exchanged, improved upon, and cooperatively carried out. You might find opportunities for collaboration on joint research projects or business ventures with other practitioners through discussions, brainstorming sessions, and informal interactions. Conference discussions have the power to drive innovation, advance your industry, and leave a lasting impression.

Keeping Up With Industry Trends
Keeping up with industry trends and developments is crucial for professional development and organizational success in today's rapidly shifting business landscape. Attending conferences offers networking opportunities that give you a firsthand look at the newest developments in technology, industry trends, and changes in laws and regulations. Through talks with key individuals, keynote discussions, and sessions specific to your industry, you can learn a great deal about the opportunities and problems that are new to your field. You can use this knowledge to position your organization and yourself for future success by preparing for changes in the market and adjusting your strategies accordingly.

Here are some additional tips for enhancing your networking skills:
- Set Objectives: Establish your networking objectives before you go to the conference. Think through your goals, whether they involve expanding your professional network, looking for collaborative opportunities, or learning about the latest market developments.
- Do Your Research: Prior to the conference, spend some time learning about the panelists, speakers, and other attendees. Learn about their professional backgrounds, accomplishments, and areas of specialization to find common ground and possible conversation starters.
- Don't Be Afraid To Initiate The Conversation: Instead of waiting for someone to approach you, strike up a conversation with other attendees. During meals, breaks, or networking events, approach people and introduce yourself with confidence. Use the networking games and activities provided by the hosting organization as a jumping-off point for conversations. These games are designed to encourage discussion and give attendees a platform to interact in meaningful ways, so take advantage of them.
- Attend The In-House Networking Events: Take advantage of the social events, receptions, and networking opportunities planned as part of the conference schedule. Our upcoming conference features two all-attendee networking events, plus additional invite-only events for select attendees! These casual settings offer incredible opportunities to establish stronger connections, share contact details, and engage with peers.
- Use Social Media: Make use of social media sites like Instagram, X (formerly known as Twitter), and LinkedIn to expand your professional network outside of the conference room. Engage online with other attendees and share thoughts, pictures, and highlights from the conference.
- Follow Up: Follow up with people you met at the conference to stay in touch and keep the conversation going after the event ends. Send personalized emails thanking the recipient for their time and offering ideas for future collaboration or interactions.

Attending conferences provides plenty of networking opportunities, such as access to industry knowledge, opportunities to form close relationships, a look into collaboration possibilities, and staying up to date on industry developments. Participating in networking activities during conferences can help you build a larger professional network, acquire valuable insight, and establish yourself as an expert in your field. As you prepare for your next conference, take advantage of the opportunities for networking and collaboration, and don't pass up the chance to grow both yourself professionally and your company's success.

And where better to use your new networking skills than at TPRA's very own Third Party Risk Madness conference! Join us at Third Party Risk Madness – where basketball, business, and TPRM unite for an epic showdown of innovation and success. Dribble your way to victory in Phoenix, Arizona, on April 9-12, 2024! Secure your court-side seat and take advantage of exclusive offers. Hurry, space is limited, and you won't want to be left on the bench for this thrilling event. [Register Here] Our discounted hotel room block ends on March 11th.
- The Value of Networking
By: Meghan Schrader, Marketing & Social Media Intern for TPRA

Networking – the action or process of interacting with others to exchange information and develop professional or social contacts.

As the threat landscape grows in complexity and regulations require organizations to review their third parties with a more focused lens, networking and benchmarking off peers has never been more important. Networking provides opportunities to develop and improve your skill set, while staying on top of the latest trends in your industry. A few key benefits of networking with peers are the opportunities to exchange information and advice and to obtain support on experiences, struggles, and goals. This allows you to gain new insights that you may not have otherwise thought of. Discussing common challenges, solutions, and opportunities can also open the door to valuable suggestions and guidance. Odds are, your peers have already gone through the same growing pains. But what else can you gain from networking opportunities, and where do you start? Listed below are additional benefits of networking, as well as some tips for getting started.

Learn from Industry Experts

Within a networking environment, you are able to discuss a variety of topics with industry experts and peers. By learning from experienced members of your industry, you can gain greater insight into your specific area of focus, or expand your perspective with new topics of discussion. By attending and participating in networking activities, you learn from both peers and competitors first-hand, engage in information-sharing, and gain feedback on your ideas, strategies, and practices. Regardless of title or organization, you have the chance to collaborate, promote, and learn in a way that is beneficial for all parties. Through this, you can gain insights and share ideas to advance not only your program, but the whole field of TPRM.

Collaborate and Connect

Now, more than ever, collaboration and connection are needed for the advancement of the industry. The opportunity to experience and learn new things with peers, develop strategic partnerships, and connect with friends and colleagues is an integral part of networking. A benefit of a networking experience is that connection and discussion are not limited to one group or type of individual. When attending a networking event, you are able to connect with peers from all walks of life, with varying experience and program maturity, as well as speakers, sponsors, and many more relevant parties. You can go beyond the screen and ask questions, gain varying perspectives, and expand on the content that was covered.

Validate Your Program Activities

The need to stay current on best practices, technology, new techniques, and trends is vitally important, especially when the threat landscape continues to grow in complexity. Networking provides you with educational opportunities, leading to personal and professional growth and advancement of your knowledge base by learning from thought leaders. You’ll be able to return to your organization with new ideas to advance and grow your program. Advancing your professional education not only validates your current program, but also lends credibility to your job function.

Tips for Networking

There are always opportunities for networking, no matter where you are within your career. A few ideas on how and where to get started are:

- Network via LinkedIn or other social media platforms by sending connection requests; filtering your LinkedIn searches to connect with specific people based on industry, location, and more; attending LinkedIn events; and joining LinkedIn groups to connect with industry professionals and establish relationships.
- Network via special interest forums to promote discussion, ask questions, and gain real-time support from peers.
- Network via conferences to connect with industry professionals, gain new insights, and form meaningful professional relationships by engaging in discussion, exchanging business cards, and simply saying ‘hello’ to new people. The informal connections which take place outside of conference breakout sessions can be extremely valuable. (The TPRA actually started when two peers began to network at a conference.)

To start networking, find an event or networking platform that relates to your industry or that interests you, practice your entrance (meaning practice how you will introduce yourself), go into a discussion with an idea in mind of what you would like to get out of it, offer something in return (whether it be a connection for someone, a thought or idea, or another resource), and (optionally) work through a follow-up activity (whether it be reaching out to them via email or setting up a future call). Follow-up is key if you feel the networking activity resulted in a benefit to yourself, your career, and/or your organization. Follow-up can also lead to long-lasting and mutually beneficial relationships.

Networking through TPRA

The Third Party Risk Association (TPRA) is built on the foundation of furthering the Third Party Risk Management profession through knowledge sharing and networking. We do this through community engagement in monthly and quarterly meetings, as well as industry-specific calls, networking events, and benchmarking sessions. In addition, we collaborate on and create guidance, tools, and templates as a community. Lastly, and what you may receive the most benefit from, is communication and collaboration between peers through our Practitioner Slack Forums. Live, in-person conferences also provide a space for networking, discussions, information sharing, and collaboration. Networking in person also aids in growing your relationships with subject matter experts who can help you accelerate your TPRM program.

Upcoming Networking Opportunity: TPRA In-Person Conference

Third Party Risk Association’s 2022 Third Party Risk Management (TPRM) Conference, “The Art of Third Party Risk”, will take place in person on April 18th - 20th, 2022, at the AT&T Hotel and Conference Center in beautiful Austin, Texas. We invite all TPRM Practitioners to join us for three inspiring days of impactful discussion. Any individual and/or organization within the TPRM space (TPRM Professionals, Vendor Managers, Procurement/Sourcing Specialists, Lawyers, Information and/or Cyber Security Professionals, Compliance and/or Privacy Specialists, Auditors, and Service Providers) will find great value in attending this event.

Speaker sessions are designed to suit your individual and organizational goals. Take full advantage of our sessions by shaping the experience to best fit your program’s maturity level. Track 1 (Apprentice) is for those developing their TPRM program. Track 2 (Practitioner) is for more mature programs that want to validate and obtain best practices for enhancing their program. Track 3 (Master) is for programs that have reached a higher level of maturity and want to learn more about innovative tools and techniques to elevate and automate certain aspects of their program.

There are many benefits to attending in-person conferences, including receiving continuing professional education credits (receive up to 14 CPEs), meeting industry leaders, and validating your TPRM program activities. You can also visit service provider booths and learn about tools and techniques that are shaping the way the industry assesses third party risk. Join us in person to make valuable connections and participate in meaningful discussions on TPRM. Visit our website at www.artofthirdpartyrisk.org to learn more about the conference and to purchase your ticket. By visiting the conference site, you will also find our COVID protocols for the event.

Conclusion

When you make the investment in participating in a networking event specific to your career path, you open the doors to new opportunities that will allow you to share personal experiences, gain validation for your work, and contribute to a growing community of TPRM professionals. It also allows you to return to your organization with new strategies, strong professional relationships, and the insight to help your program and organization accelerate.
- Managing Third Party Contractual Disruptions Caused by COVID-19
Based on the TPRA May 2020 presentation from Nyemaster Goode Law Firm.

Disclaimer: The following information does not represent legal advice. If you have specific questions concerning specific circumstances, please consult your attorney.

Many questions have recently come up regarding improvements that can be made to contracts as a result of COVID-19. The TPRA recently held a Practitioner Member meeting that addressed some of the contract enhancements that can be made, specifically to the Force Majeure contract clause. Per Nyemaster, "Force majeure is a contractual remedy that, under certain circumstances, excuses the nonperformance of a party when the failure to perform is caused by a “fortuitous event” that makes performance impossible." COVID-19 may be considered a Force Majeure event, but it truly depends on the actual clause noted within each specific contract.

The first question to ask yourself is "Does my contract include a Force Majeure clause?" The event causing the disruption must be included in the Force Majeure clause and must excuse the party from performing services. Nyemaster suggests using specific language and limiting the use of "catch-all" terms.

Specific events to insert into your clause can include, but are not limited to:

- Pandemic/epidemic
- Government order, law, or actions
- National or regional disaster or emergency
- Material or equipment shortages

Catch-all terms to limit and/or remove include, but are not limited to:

- “acts of God”
- “including without limitation”
- “other events beyond the reasonable control of a party”

Nyemaster explains that courts look narrowly at the Force Majeure clause. Since the burden of proof is on the non-performing party, it is important that this clause contain specific information about the events that could result in non-performance and what non-performance actually means.

The type of evidence a court could ask for may include, but is not limited to:

- Evidence that the event was unforeseeable
- Proof of causation between the event and the nonperformance
- What the performance standard is (e.g., impossibility, impracticability), and whether the performance standard is subjective or objective
- Whether the clause is unilateral or bilateral (which party it actually protects)
- Whether there are multiple Force Majeure clauses in the contract
- Whether there are any carve-outs or exclusions (e.g., payment obligations, macroeconomic conditions, delays due to subcontractors)
- What the contract’s governing law provision is
- Notice requirements
- Mitigation requirements

Nyemaster also warns that there could be consequences when declaring Force Majeure, namely:

- Anticipatory Repudiation
- Termination of Contract or Suspension of Counterparty Performance
- Rate Changes
- LITIGATION

Lastly, if your contract does not have a Force Majeure clause, Nyemaster suggests other alternative contractual provisions and/or common law defenses that could act similarly to a Force Majeure clause. Examples include, but are not limited to, the below.

Alternative Contractual Provisions

- Change in Law
- Dispute Resolution
- Termination for Convenience

Common Law Defenses

- Impossibility - Performance is no longer possible because of a supervening event.
- Impracticability - A supervening event changes the inherent nature of performance to be more difficult, complex, or challenging, contravening a basic assumption of the parties' agreement. As a result, the cost of performing increases excessively and unreasonably.
- Frustration of Purpose - One party's known principal purpose for entering a transaction has been destroyed or obviated by a supervening event. Performance remains possible, but is excused when one party would no longer receive the expected value of their counterparty's performance.

To hear the full presentation provided by Nyemaster around the topic of Force Majeure and other contractual issues to consider, TPRA Members can visit the "On-Demand Webinars" page and re-listen to the May 2020 meeting.
- COVID-19 Supplier/Vendor Impact
Due to restricted travel and quarantine zones, global supply chains are being disrupted. Per Forbes, this is also resulting in a downturn of consumer demand (e.g., travel, tourism, conferences, etc.). Organizations are slow to respond, as sufficient testing has not been completed regarding pandemic plans. So what should you do?

In today's TPRA Practitioner Meeting, we discussed steps you can take to evaluate the impact COVID-19 has or will have on your vendors/suppliers. Below are the highlights.

First, you need to understand the impact COVID-19 has on your own organization.

- What are your critical processes and/or products? Does a vendor perform pieces of your critical processes or supply raw materials for your critical products?
- Do you know the locations of your suppliers? Do you know the locations of your supplier’s suppliers?
- Have you enacted your own pandemic plans?

Next, are you determining if your vendors/suppliers have sufficient pandemic and recovery plans in place?

- Create a task force to review critical vendors and/or suppliers.
- Map out where your vendors/suppliers are located. You will need to understand where their critical suppliers are also located.
- Once you have a list of vendors and suppliers critical to your business, begin understanding if they are prepared for and/or have been impacted by the pandemic. Are they in a quarantine zone?
- If they are prepared, ensure you are communicating with your vendors/suppliers the change in the demand for your organization’s products/services.
- If they are less prepared, determine if you need to plan for alternate sourcing. Quickly work through due diligence and contracts for alternate sources.
- If you do not have them already, set key risk indicators to alert you if things change with one of your vendors/suppliers. (You can start with contract SLAs and response time.)
- Ensure you and your vendor/supplier have a strong communication plan regarding updates on future impact.
- Be compassionate. Every organization will be impacted by COVID-19 in one way or another. Offer to help those that need it if you can.

How can you determine if your vendors are prepared?

- Create a set of questions you can use to determine if your vendors/suppliers are prepared for a pandemic and/or if they are impacted by COVID-19.
- Reach out to your vendors/suppliers via email or phone (depending on criticality) to determine their preparedness and/or impact.
- Review responses to determine next steps. You may want to form a committee to assist with this piece.
- Ensure you have an escalation plan for when unfavorable responses return.

For TPRA Practitioner Members, the TPRA has prepared a set of questions for you to consider. This questionnaire is available in Excel format on the Information Sharing site within the Members Only section of our website. The document is titled "COVID-19 Readiness Questionnaire - TPRA Created".

Author: Julie Gaiaschi, TPRA CEO & Co-Founder
- Navigating Third Party Risk Management: A Comprehensive Guidebook Overview
Blog was inspired by the January 2024 TPRA Practitioner Member roundtable facilitated by TPRA CEO Julie Gaiaschi. (To watch the full presentation, TPRA Members can visit our On-Demand meetings and navigate to the January 2024 meeting recording.)

The management of third party risks has become a major priority and area of focus for companies across a variety of industries because of the constantly changing nature of business operations. Recognizing the nuances and challenges that come with this field, the Third Party Risk Association (TPRA), along with a dedicated team of TPRM practitioners and service provider organizations, worked towards creating a comprehensive guidebook that assists in navigating the creation and implementation of a comprehensive Third Party Risk Management (TPRM) program.

The Development of the Guidebook

TPRA’s “Third Party Risk Management 101 Guidebook” was created not as a standalone project but as a collaborative effort that included feedback from an extensive group of TPRM professionals and service providers from a diverse range of industries. Over monthly meetings spanning three years, this group discussed various subjects related to TPRM tools, topics, and trends. Each aspect of a strong TPRM program was carefully examined and discussed by TPRA’s focus group members, from clarifying best practices to anticipating emerging risks and aligning with regulatory guidelines. This comprehensive process of discussion, analysis, and synthesis is where the guidebook originated. With input from numerous stakeholders, the guidebook gradually took shape, undergoing a year-long editing process to condense the vast number of materials into a user-friendly format enhanced with graphics, insights, and real-world examples.

Unveiling the Guidebook: A Deep Dive

Building a TPRM program is not unlike building a house. The first step is always to make sure it’s built on a solid foundation so that it may withstand the inevitable storms to come. The TPRA guidebook gives you the tools and materials needed to begin building a successful and productive TPRM program brick by brick. The TPRM guidebook's foundation is a lifecycle approach, outlining a strategy and framework that encompasses the entire spectrum of TPRM. Let’s dive into its key phases:

1. Planning and Oversight

Planning and oversight are the cornerstones of any TPRM program and create the conditions for success. Important topics covered in this phase include:

- Establishing governance structures
- Executive support
- Budgeting
- Policy formulation
- Metrics & reporting

This phase supplies an organization with a strong foundation and the requirements needed to develop and steadily support their overall TPRM program. It also ensures the program can address third party risk at the highest level, while also warranting that governance structures are in place to run the program effectively. If implemented correctly, the Program Planning and Oversight phase will make certain that key stakeholders are aware of, support, and help implement program requirements. This phase ensures your entire organization is on board with the TPRM program. After all, this program will touch every department within your organization (from Business Owners to Legal and Security).

2. Pre-contract Due Diligence

This phase emphasizes the importance of conducting comprehensive due diligence before an agreement is signed. Key objectives during this phase include, but are not limited to:

- Formalizing contractual agreements
- Developing a robust third party profile
- Performing inherent risk assessments
- Executing risk-based evaluations

In this phase, organizations thoroughly assess and mitigate potential third party risk before signing and committing to a contractual relationship. A company conducting this phase can minimize risks, avoid legal issues, and build and maintain a more secure partnership with their third party. The house metaphor comes back into play, allowing for that solid foundation to be secured, which in turn allows for more productive and compliant business partnerships.

3. Contract Review

As they say, the devil lies in the details, and the contract review process is where potential problems are addressed. This stage involves:

- Negotiating contract terms
- Examining key clauses
- Communicating expectations

This is to ensure that contracts match your organizational goals and risk tolerance. The contract review phase is one of the most essential steps in the TPRM process, ensuring that any expectations for your third party relationship can hold up in a court of law. It also can address risks identified during the previous phase, Pre-contract Due Diligence, and ensures that all enforceable language is clear and specific. It is crucial for TPRM practitioners to collaborate with legal counsel to ensure their contracts include the necessary remedies in the case of a third party failure. Regular contract review and upkeep is essential to maintain and reflect the organization’s risk tolerance.

4. Continuous Monitoring

In the TPRM field, where risks are dynamic and ever-changing, continuous monitoring is essential. To maintain situational awareness and responsiveness, this phase uses mechanisms like site visits, triggered reviews, and the use of monitoring tools to mitigate risks within an always changing environment. This phase is crucial for organizations to better assess third party risk in order to meet contract terms, business obligations, legal and regulatory requirements, and performance expectations. It also allows organizations to stay informed about changes in operations, financial stability, cybersecurity posture, and compliance status that may affect their risk exposure. This also enables swift action when risk mitigation is required and ensures full compliance with any legal and regulatory requirements.

5. Disengagement

The disengagement phase, which is frequently overlooked, ensures a smooth exit strategy, reduces lingering risk, and protects sensitive and valuable assets when third party relationships conclude. Disengagement is the process of transitioning away from a third party with minimal impact if the relationship ends due to contract expiration or when certain adverse conditions are met. This phase can be complex and challenging because the business usually wants to end the relationship quickly. Organizations and companies don’t often disengage with third parties, which can lead to rushed and overlooked processes. If the third party maintains sensitive data post-disengagement, your organization should continue to assess the third party from a cybersecurity perspective (potentially in a limited capacity).

6. Continuous Improvement

TPRM is a journey marked by constant change and evolution. The concept of continuous improvement emphasizes the importance of flexibility and adaptability, calling for regular evaluation and adjustment to keep up with changing laws, emerging risks, and technical advancements. This phase overlaps all other phases within the TPRM lifecycle, as continuous improvement is necessary in all phases. It allows organizations to adapt to regulatory requirements, respond to new business practices, and incorporate technological advancements. This phase allows organizations to remain agile in a complex environment.

Navigating the Guidebook

Navigating the TPRM guidebook is easy due to its informative graphics, detailed definitions, intuitive sections, and helpful resources. The implementation of this guidebook will vary depending on your organization’s size, industry, and types of third party relationships. While the guidebook provides you with standards from which to begin crafting your TPRM program, careful consideration must be paid to your organization's established risk appetite when determining how to implement said standards. Your program should be rigid enough to have established criteria for the review and mitigation of third party risk, but also flexible enough to consider the variability of third party relationships, regulations, geographic locations, and emerging risks.

Accessing the Guidebook

TPRA’s first draft of our Third Party Risk Management 101 Guidebook is currently available as a free, downloadable eBook to all TPRM professionals. Visit the TPRA website and complete a short form to access this body of knowledge. By downloading the guidebook, stakeholders can effortlessly delve into its contents, leveraging its insights to fortify their TPRM endeavors.

Conclusion: Charting the Course Ahead

The TPRM 101 Guidebook provides organizations with comprehensive guidance, tools, and resources as they navigate the complex terrain of third party risks. It enables stakeholders to navigate relationship complexities, mitigate risks, and foster resilience in a dynamic environment. The guidebook is considered the gold standard for the Third Party Risk Management industry and ignites a culture of vigilance, adaptability, and continuous improvement. In the dynamic realm of business operations, where risks lurk at every turn, the TPRM guidebook emerges as a steadfast companion, illuminating the path to success amidst uncertainty and complexity. The journey of TPRM is not merely a destination but a perpetual odyssey of discovery, resilience, and excellence, and the guidebook serves as a trusted compass, guiding stakeholders towards the shores of resilience in an ever-changing sea of risks.

But the journey doesn’t end here. TPRM Practitioners are welcome to join the TPRA for free to continue their learning journey by benchmarking off their fellow peers, participating in engaging webinars and conferences, and contributing thought leadership to roundtables and future published guidance. To join, please visit www.tprassociation.org/join.
- Integrated TPRM Business Processes - Enabling the Business While Mitigating Third Party Risk
Blog was inspired by the TPRA presentation by Tom Rogers, CEO & Founder of Vendor Centric at TPRA’s July 2022 Practitioner Member Meeting. (To watch the full presentation, TPRA Members can visit our On-Demand Webinars page and navigate to the July 2022 meeting recording.) Blog format by Meghan Schrader, TPRA Marketing & Communications Coordinator A question many Third Party Risk Management (TPRM) and vendor management professionals often find themselves asking is: how do we work in a cohesive, organized way to sufficiently mitigate third party risk while enabling the business to move forward with third party relationships? In this blog, we will discuss: The common goals and challenges to integrating TPRM processes across the organization Tips for improving process integration with business stakeholders Different stakeholders and how TPRM can work with each Key aspects of TPRM governance needed to make integration work Provide a TPRM lifecycle-based framework that enables better integration of people, processes, and systems Goals and Challenges with TPRM Process Integration When bringing in a new third party, the end goal in its simplest form is to optimize the relationship between the business and the third party. At the end of the day, we engage in third party relationships to gain value from their products/services, as well as support business owners in reaching their day-to-day objectives. But with the use of third-party products/services comes additional risk to the organization. How can we better enable the business while mitigating third party risk? TPRM Challenges with Integration Integrating TPRM into business processes can be a challenge. The Business is usually concerned with speed to market and may not understand why certain third-party risk due diligence efforts are needed. In addition, once risk is found, the business may not agree with or feel it is a high enough risk to warrant additional efforts to mitigate said risk. 
In the beginning phase of integration, it is important to have open lines of communication, and be transparent about what due diligence efforts are needed and why you ask for certain evidence items from the third party. This ensures the business has a clearer understanding of where the third-party risk may lie and what next steps are needed. They may even help you champion certain discussions if they better understand the risk, as well as the support your team has from executives within your organization. To assist with integration, let’s look at what is needed from a due diligence standpoint. What is Needed to Evaluate Risk Understand what inherent risks exist As your organization enters into a new third-party relationship, what are the inherent risks (or risks before controls are considered) that the third party is potentially bringing into the business? Understanding those potential risks will drive your due diligence efforts. Evaluate controls and mitigate residual risks After inherent risk is determined, it is then time to evaluate the controls the third party has in place to mitigate the inherent risk. Findings that come from testing these controls determine the residual risk of a third party. Action plans should then be established with the third party to mitigate said residual risk. If risk cannot be mitigated, then risk must either be accepted (at the appropriate level within your organization) or you may determine that it is too risky to move forward with the relationship. Monitor for new risks and ensure remediation is effective Once the relationship is established, it is important to continuously monitor the risks of your third party. Therefore, it is vital to implement continuous monitoring activities to evaluate third party risk on an ongoing basis. It is key in this phase to use a risk-based approach and not treat every vendor the same. This will ensure a long-lasting relationship, while also addressing third party risk at the highest level. 
Ensure risk is mitigated even when the relationship is coming to an end It is important to continue with risk-mitigation efforts even when you are terminating a third-party relationship. You want to ensure a smooth transition away from the third party, while also ensuring all of your organization’s data the third party housed is appropriately handled (i.e., returned and/or destroyed). This can be accomplished through a strong exit strategy, including an offboarding checklist, as well as the acceptance of a certificate of destruction. If you plan for the third party to maintain your data for a specific period of time (i.e., for a legal hold), then you will want to continue to evaluate the third party from a security perspective on an ongoing basis. But how do you effectively integrate these TPRM processes into business processes without becoming a bottle neck? Below are some tips you can implement to ensure smooth integration. Ensuring Integration into Business Process First, determine what the business wants from the third-party relationship. Some immediate needs of the business may include, but not be limited to: Start working with the third party immediately Speed to market (they have a project that has a tight deadline) Security concerns they need to address will be mitigated by the onboarding of the new third party Reaching a niche market Long story short, the business wants to know how they can make implementation happen as quickly as possible and sometimes this means they are willing to circumvent certain processes. This is especially true if they do not have a clear understanding of why a process exists in the first place. Some of the activities you can participate in to ensure integration into the business process is to: Help the business understand Help your business understand why certain processes exist and what the steps are to reach the business’ ultimate goal. 
Consider meeting with the business owner on a regular basis (at least quarterly), to walk them through your process, set target dates and goals, update them on where you are at within certain due diligence processes, and to follow up on findings and where the vendor is at within their "get to green" plans. Understand the relationship Gain a better understanding of the relationship between the business and third party, and work within the context of the existing relationship. This means work with your business in obtaining what you need from the third party. If the relationship is strained, then find ways to communicate with the third party as efficiently as possible. The business, as well as the third party, want as little effort and disruption as possible. Only ask for what is needed Make sure you know what you want to ask the third party and only ask what is needed of them. Do not reach out 100 times because you did not include everything within your first request. This also provides your business with trust in what you are requesting because they know you will only ask for what is needed. Have an exit strategy As the relationship is ending, the business owner has other things they need to tend to, so they’ll want the relationship closed out as quickly as possible. There are still activities which need to happen on the back end of the relationship, such as data returned and/or destroyed appropriately. If the third party will maintain data, then security reviews are required until the data is returned and/or destroyed. While the business owner recognizes those necessary activities, they may not always want to put energy into them. To alleviate this step, ensure you think through termination and create an exit strategy before the contract is signed during the pre-contract phase. This ensures a smooth transition away from the third party on the back end of the relationship. 
In short, there are processes you can put in place to help the business better understand why TPRM exists, the importance of your team, and what is required for you to perform your reviews and mitigate risk. It is also important that you work with the business to better understand their goals, objectives, and timelines. Open communication is key throughout the TPRM process, as is setting expectations up front. If this is done correctly, the business can ultimately become a champion for TPRM and more readily assist you with your review process.

TPRM Challenges with the Rest of the Team
But the TPRM team does not just work with business owners. They also work with other stakeholders to ensure risk decisions are made at the right level and that legal and regulatory requirements are met. Below are some examples of additional stakeholders and how TPRM can work with each:

Procurement
This team is responsible for bringing in new third parties or renewing current contracts. They are the “gatekeepers” for third-party relationships. TPRM will want to integrate into the Procurement process so they can 1) be notified when new third-party relationships are formed and adequately review those relationships and the third party’s controls before contracts are signed, and 2) review contract redlines that relate to security or other third-party risks. This way they can ensure the contract sets the right expectations about which controls the third party must have implemented, and that TPRM receives what it needs to perform its reviews. Redlining the contract can also secure TPRM’s right to review the third party on an ongoing basis (e.g., an audit or assessment clause).

Compliance
This team ensures the organization is appropriately following regulations and meeting compliance objectives. TPRM will want to work with this team to ensure their third parties are also meeting regulatory compliance objectives.
Compliance can also assist TPRM in determining what regulations apply to offshore resources.

Legal
This team works through contract templates and ensures agreements will hold up in a court of law. TPRM can work with this team to develop contract templates and addendums, which are crucial to ensuring you get the most out of your third-party relationship.

Other Operational Teams
Depending on how your TPRM program is set up (centralized vs. decentralized), there may be other teams TPRM works with to accomplish specific pieces of its review(s). For example, they may work with the Finance team to review the financials of a higher-risk vendor. TPRM should be aware of the current workload of these teams and strategically request reviews for higher-risk vendors so as not to overload other operational teams.

Getting Everyone on the Same Page
We’ve talked about why working with other teams is important. But how can everyone get on the same page with regard to TPRM expectations? Whether your TPRM program is centralized or decentralized, there are a few things that need to be in place to ensure TPRM activities are integrated into business and key stakeholder processes.

Executive support
Ensure you have the support of your executives. This is crucial for ensuring processes are followed across the enterprise.

Business and stakeholder champions
Find business and stakeholder champions. Determine who makes the decisions within your organization and ensure they are on your side with regard to TPRM implementation. This can greatly increase your chances of success when integrating TPRM processes into the business, as the loudest and most important decision makers agree with your approach and share that agreement with others.

Ensure everyone has a seat at the table
Ensure everyone has a seat at the table. This allows all necessary players to be heard, provide input, and agree to TPRM processes.
They are also more likely to follow the process if they have had input into it.

Strong TPRM policy and procedures
Develop a strong TPRM policy, as well as procedures, and ensure they align with a TPRM framework. This ensures everyone is aware of the process and can follow it appropriately.

Risk committee
Develop a risk committee. Once your TPRM program is set up, ensuring risks are reviewed at the right level is the next step. You do not want the business accepting high risk on behalf of the organization. This committee can help you determine the next steps in your risk mitigation efforts, as well as approve risk escalations and acceptances.

Develop RACIs
Develop a Responsibility Assignment Matrix (RACI) to clarify the roles and responsibilities of the different stakeholder groups. This helps not only to break out the different activities, but also to ensure the stakeholders are aligned on their roles in the process.

Oversight and reporting
Align oversight and reporting, including key performance indicators (KPIs) and key risk indicators (KRIs), to create holistic governance and accountability for managing third parties. Ensure risks are reported all the way up to the Board.

Periodic assessments and testing
Perform periodic assessments and testing to ensure TPRM processes are working as designed.

Automate - Optional
Automate for better transparency, process integration, workflow, and reporting. Systems should be able to automatically notify the relevant stakeholders when an action needs to be taken.

Third Party Lifecycle Management Framework
But what should your TPRM program include? Below is a diagram of a TPRM framework.

Source: TPRA Third Party Risk Management Lifecycle (c)

The outer circles represent the third-party risk management lifecycle stages from beginning to end, starting with “Sourcing” and completing at “Termination and Offboarding.” Within this framework is Operational Governance.
While all of these activities are taking place, the glue which holds them together is the policies, procedures, and standards your organization has in place. Governance creates alignment of the people, skills, training, and technologies. This framework can help you better integrate into business operations and provide structure for disparate processes. Part of the goal here is to communicate to business owners that you are a resource, serving as an advisor and coach to them along the way, and to convey the importance of dealing with third-party risk as quickly as possible. But ultimately, the business owners are the risk owners of their third-party relationships.

Conclusion
There are many ways to integrate TPRM activities into business processes to enable the business while also mitigating risk. With so many moving parts and areas of focus, it is important to facilitate open communication between all stakeholders and to connect as many activities, processes, and systems as possible, to ensure consistency and the most effective and efficient risk mitigation possible. Utilizing a TPRM framework can help streamline and provide consistency within the TPRM program, while also mitigating risk more effectively. Third-party risk affects every area of a business, and therefore should be integrated accordingly.
- Work Smarter Not Harder
Third Party Risk Management (TPRM) is a critical process for organizations that rely on third parties to provide goods or services. It involves identifying, assessing, and mitigating risks associated with these third parties so that they do not negatively impact the organization’s operations or reputation. As the number of third parties and the complexity of their relationships with organizations increase, managing third-party risk has become a more difficult and time-consuming task. This is where automation comes in.

Areas to Automate in the TPRM Lifecycle
Automation can streamline and improve the process by removing the need for people to complete repetitive tasks, reducing error, and increasing efficiency. There are several key areas where automation can be applied in the TPRM process, including:

1. Third Party Onboarding
Third-party onboarding is the process of evaluating and accepting new third parties into the organization’s TPRM program. It can be a time-consuming and resource-intensive process, involving a significant amount of paperwork and documentation. Automation can help streamline this process by handling the collection and verification of third-party information, such as tax IDs, business licenses, and insurance certificates. This can significantly reduce the time and resources required to onboard new third parties.

2. Risk Assessment
Risk assessment is the process of identifying and evaluating the risks associated with a third party. This can be a complex and time-consuming process, involving a significant amount of data collection and analysis. Automation can help simplify this process by performing data collection and analysis and providing an objective and consistent approach to risk assessments. Automation can also help identify and evaluate risks that may not be immediately obvious to human reviewers.

3. Continuous Monitoring
Continuous monitoring is the ongoing process of monitoring a third party’s performance, as well as its compliance with the organization’s TPRM program. This can involve monitoring the financial stability, regulatory compliance, and incident reporting of third parties. Automation can simplify this stage by creating a real-time data collection and analysis process and alerting on potential issues. This helps organizations identify and respond to potential risks in a shorter period of time.

4. Reports and Communication
Reports and communication are important aspects of the TPRM lifecycle, as they provide decision-makers with the information they need to make informed decisions about their third parties. Automation can simplify this process by removing the need for a person to generate reports and by providing real-time updates on third-party performance and compliance. As with continuous monitoring, this helps organizations quickly identify and respond to potential risks.

Benefits of Automation in TPRM
The use of automation can provide several benefits to organizations, including:

1. Increased Efficiency
Automation can streamline and simplify the TPRM process, reducing the time and resources required to manage third-party risk. This lets organizations focus on more important tasks, such as identifying and mitigating high-priority risks.

2. Improved Accuracy
Automation can reduce human error and provide a more objective and consistent approach to risk assessment. This helps organizations make more informed decisions about their third parties.

3. Increased Visibility
Automation can provide organizations with real-time visibility into third-party performance and compliance. This helps organizations quickly identify and respond to potential risks.

4. Compliance
Automation can also help organizations comply with regulatory requirements by providing real-time alerts of potential issues, as well as an audit trail for those alerts.

Challenges of Automation in TPRM
Despite the many benefits of automation, there are also challenges organizations may face when implementing it. These include:

Challenge 1: Lack of Flexibility
One of the biggest challenges of using automation in the TPRM process is lack of flexibility. Automated systems are often inflexible and may not adapt to the unique needs of different organizations, or of different third-party relationships. This can make it difficult for organizations to customize their TPRM processes to meet their specific requirements. Additionally, automated systems may not handle unexpected situations or changes in third-party risk levels.

Challenge 2: Data Quality and Integrity
Another challenge is data quality and integrity. Automated systems rely on accurate and up-to-date data to function properly. However, TPRM data can be complex and difficult to collect and maintain. Organizations may struggle to ensure the accuracy and completeness of their TPRM data, which leads to inaccuracies and inconsistencies in their automated systems. This can make it difficult to accurately assess third-party risks and develop effective mitigation strategies. A check that runs on stale or incomplete data fails silently: a missing policy renewal date never raises a lapse alert.

Challenge 3: Security Concerns
Security is a major concern when it comes to using automation in the TPRM process. Automated systems may be vulnerable to cyber threats, such as hacking and malware, putting sensitive TPRM data at risk and making it difficult for organizations to protect themselves against potential data breaches. A TPRM platform aggregates questionnaire responses, contracts, certificates of insurance, financials, and often API credentials for the systems it integrates with, so it is itself a high-value target and should be in scope for the organization’s own access control, logging, and vulnerability management. Additionally, automated systems may not detect and respond to advanced threats, such as social engineering and phishing attacks.

Challenge 4: Limited Human Involvement
Another challenge is limited human involvement. Automated systems may not fully replicate the expertise and judgement of human analysts. This can make it difficult for organizations to identify and assess third-party risks and develop effective mitigation strategies. Additionally, automated systems may not provide the same level of transparency and accountability as human-led processes.

Challenge 5: Cost and Complexity
Finally, using automation in the TPRM process can be expensive and complex. Organizations may need to invest in costly software and hardware to implement and maintain automated systems, and may need to hire specialized personnel to manage and maintain them. This can make it difficult for organizations to justify the cost and complexity of automating TPRM processes.

Conclusion
Automation can be a powerful tool for improving the TPRM process, but it also presents several challenges: lack of flexibility, data quality and integrity issues, security concerns, limited human involvement, and cost and complexity. Organizations need to carefully consider these challenges when deciding whether to use automation in their TPRM processes. By understanding these challenges and taking steps to address them, organizations can improve their TPRM processes and better protect themselves against potential risks.
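The continuous-monitoring and alerting stage described above is easiest to reason about in code. The following is an added example, not TPRA’s code or any vendor product’s logic. It runs a set of checks over a small constructed third-party inventory (fictional names, figures and dates), comparing each contract’s insurance requirements with what the latest Certificate of Insurance shows, flagging missing, lapsed or under-limit coverage and certificates expiring within a warning window, and flagging overdue security reviews for any third party that still holds the organization’s data, including a terminated one under legal hold. The record layout, tier names, review cadences and the 30-day warning window are assumptions.

```python
"""Continuous-monitoring checks over a third-party inventory.

Added illustration, not TPRA's code or a product's logic. Record layout, tier
names, review cadences and the warning window are assumptions; a real program
would read them from the TPRM system and the signed contracts.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List

# Assumed maximum days between security reviews, by risk tier.
REVIEW_CADENCE_DAYS = {"critical": 365, "high": 365, "medium": 730, "low": 1095}
EXPIRY_WARNING_DAYS = 30  # assumed lead time for chasing a COI renewal


@dataclass(frozen=True)
class Policy:
    coverage: str   # coverage type as listed on the Certificate of Insurance
    limit_usd: int  # per-occurrence limit
    expires: date   # policy expiration date


@dataclass
class ThirdParty:
    name: str
    tier: str             # critical / high / medium / low
    last_review: date     # last completed security review
    holds_our_data: bool  # still holds our data (including under legal hold)
    required_coverage: Dict[str, int] = field(default_factory=dict)  # contract minimums
    policies: List[Policy] = field(default_factory=list)             # from latest COI


def _severity(kind: str, tier: str) -> str:
    if kind in ("missing_coverage", "lapsed_coverage"):
        return "high"
    if kind in ("insufficient_limit", "review_overdue"):
        return "high" if tier in ("critical", "high") else "medium"
    return "medium"  # expiring_soon


def check_third_party(tp: ThirdParty, today: date) -> List[dict]:
    """Return the alert records for one third party as of `today`."""
    alerts: List[dict] = []

    def alert(kind: str, detail: str) -> None:
        alerts.append({"third_party": tp.name, "kind": kind,
                       "severity": _severity(kind, tp.tier), "detail": detail})

    # Insurance: compare what the contract requires with what the COI shows.
    for coverage, min_limit in tp.required_coverage.items():
        held = [p for p in tp.policies if p.coverage == coverage]
        if not held:
            alert("missing_coverage", coverage)
            continue
        active = [p for p in held if p.expires >= today]
        if not active:
            alert("lapsed_coverage", coverage)
            continue
        best = max(active, key=lambda p: p.limit_usd)
        if best.limit_usd < min_limit:
            alert("insufficient_limit", f"{coverage}: {best.limit_usd:,} < {min_limit:,}")
        if best.expires - today <= timedelta(days=EXPIRY_WARNING_DAYS):
            alert("expiring_soon", f"{coverage} expires {best.expires.isoformat()}")

    # Reviews continue for as long as the third party holds our data, even after
    # termination, until return or destruction is confirmed.
    if tp.holds_our_data:
        overdue_by = (today - tp.last_review).days - REVIEW_CADENCE_DAYS[tp.tier]
        if overdue_by > 0:
            alert("review_overdue",
                  f"last review {tp.last_review.isoformat()}, {overdue_by} days overdue")
    return alerts


def run_monitoring(inventory: List[ThirdParty], today: date) -> List[dict]:
    """Run the checks over the whole inventory, highest severity first."""
    rank = {"high": 0, "medium": 1}
    alerts = [a for tp in inventory for a in check_third_party(tp, today)]
    return sorted(alerts, key=lambda a: (rank[a["severity"]], a["third_party"], a["kind"]))


# Constructed sample inventory: fictional names, figures and dates.
SAMPLE_DATE = date(2025, 3, 1)
SAMPLE_INVENTORY = [
    ThirdParty("Acme Payroll", "critical", date(2023, 11, 15), True,
               {"cyber_liability": 5_000_000, "general_liability": 1_000_000},
               [Policy("cyber_liability", 2_000_000, date(2025, 3, 20)),
                Policy("general_liability", 1_000_000, date(2025, 12, 31))]),
    ThirdParty("Blue Widgets", "low", date(2024, 6, 1), True,
               {"general_liability": 500_000},
               [Policy("general_liability", 1_000_000, date(2024, 12, 31))]),
    ThirdParty("Green Cloud", "high", date(2024, 9, 1), True,
               {"cyber_liability": 3_000_000},
               [Policy("cyber_liability", 3_000_000, date(2026, 1, 31))]),
    # Terminated relationship, data retained under legal hold: still reviewed.
    ThirdParty("Old Vendor", "high", date(2024, 1, 10), True),
]

if __name__ == "__main__":
    for a in run_monitoring(SAMPLE_INVENTORY, SAMPLE_DATE):
        print(f"[{a['severity']:6}] {a['third_party']}: {a['kind']} ({a['detail']})")
```

Run the file directly to print the alert list. In a real deployment the inventory would be pulled from the TPRM or procurement system and each alert routed to the business owner and TPRM analyst named in the RACI. The value of keeping each check explicit is that it addresses the transparency and data-quality challenges above: an analyst can see exactly which field drove an alert, and a third party with no COI on file shows up as a missing-coverage alert rather than silently passing.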
- Understanding AI & Its Risks in Third Party Networks
This blog was inspired by the meeting facilitated by Julie Gaiaschi, CEO & Co-Founder of TPRA, at TPRA’s March 2025 Practitioner Member Roundtable. (To watch the full presentation, TPRA Members can visit our On-Demand Webinars page and navigate to the March 2025 meeting recording.)

Nowadays, artificial intelligence (AI) seems to be involved in nearly every type of business activity. It is reshaping business operations by offering increased efficiency, automation, and data-driven insights. Within third-party networks, AI-driven technologies are influencing how third party risk management (TPRM) practitioners identify and assess risks, because third parties are using these technologies in critical areas like supply chain management, financial transactions, and cybersecurity. With this increased use of AI, the risks associated with it are also growing.

However, it is important to know that not all AI is the same, and not everything labeled as AI truly fits the definition. The first step in managing AI risks is understanding what AI is, and what it is not. According to NIST’s AI Risk Management Framework (RMF), AI is “an engineered or machine-based system that can, for a given set of objectives, generate outputs such as predictions, recommendations, or decisions influencing real or virtual environments. AI systems are designed to operate with varying levels of autonomy.” Note that this definition is about what a system does, not how it is built. In practice, many programs treat a custom model as out of scope for AI risk when it is purely rule-based or uses simple statistical methods, because it lacks learning or adaptive capability; whichever scoping rule you adopt, document it and apply it consistently across third parties.

In this blog we will explore:
Types of AI & Use Cases
Risks Related to AI
Risks Related to AI Metrics
What Should Occur Before Assessing AI Risk
Assessing AI in Third Party Networks

Types of AI & Use Cases
AI systems can be classified based on their functionality, level of intelligence, and application. The list below is not all-encompassing, but breaks down some common types of AI.
Expert Systems
Mimic human expertise in specific domains by following a set of programmed rules. Examples include diagnostic tools in medicine and legal analysis systems.

Natural Language Processing (NLP)
AI that processes and understands human language, such as chatbots, translation tools, and virtual assistants (e.g., ChatGPT).

Computer Vision
Enables machines to interpret and make decisions based on visual data; used in facial recognition, autonomous driving, and object detection (e.g., Face ID).

Robotics
AI integrated with robotics to perform tasks in industries like manufacturing, healthcare, and service sectors.

Recommendation Systems
Common in e-commerce and entertainment (like Netflix and Amazon), these AI systems analyze user behavior to suggest products or content.

Generative AI
Creates new content or data (like text, images, or music) based on learned patterns (e.g., deepfake and DALL-E models).

Cognitive Computing
Mimics human thought processes; often used in fields requiring decision-making under uncertain conditions (e.g., IBM Watson).

Predictive Analytics
Uses historical data to make predictions about future events; used widely in finance, marketing, and supply chain management.

Risks Related to AI
Compared to other risks that TPRM practitioners assess, AI technologies have the capability to impact more than just your company. AI technologies pose risks that can negatively impact individuals, groups, organizations, communities, society, the environment, and the planet. Below are some risks related to AI; this is not an exhaustive list. Because the technology is still new, risks are still being identified, including as threat actors use AI for their own gain.

AI systems can be trained on data that changes over time, sometimes significantly and unexpectedly, affecting system functionality and trustworthiness.
AI systems and the contexts in which they are deployed are frequently complex, making it difficult to detect and respond to failures when they occur.
AI systems are inherently socio-technical in nature, meaning they are influenced by societal dynamics and human behavior. Without proper controls, AI systems can amplify, perpetuate, or exacerbate inequitable or undesirable outcomes for individuals and communities.
AI risks or failures that are not well-defined or adequately understood are difficult to measure quantitatively or qualitatively. This means that if you are not aware of how the AI operates or is being trained, you may not see a failure or a risk.

Risks Related to AI Metrics
When it comes to AI and understanding how it works, transparency is a key theme. Part of being transparent is thoroughly understanding the metrics you are using to evaluate AI. There are risks tied to those metrics, and it is important to recognize how they affect AI performance and decision-making. Some risks related to AI metrics are:
Risk metrics or methodologies used by the organization developing the AI system may not align with those used by the organization deploying or operating the system. In addition, the developing organization may not be transparent about the risk metrics or methodologies it used.
There is currently a lack of industry consensus on robust and verifiable measurement methods for risk and trustworthiness, and on their applicability to different AI use cases.
Approaches for measuring the impact of AI decisions on a population only work if they recognize that context matters, that harms may affect varied groups or sub-groups differently, and that the communities or sub-groups who may be harmed are not always direct users of the system.
Measuring risk at an earlier stage in the AI lifecycle may yield different results than measuring risk at a later stage.
While measuring AI risks in a laboratory or controlled environment may yield important insights pre-deployment, those measurements may differ from the risks that emerge in operational, real-world settings.

What Should Occur Before Assessing AI Risk in Third Party Networks?
Before assessing AI risks in third-party networks, it is critical to lay the groundwork within your own organization. Establishing clear guidelines and considerations beforehand helps ensure a more effective risk assessment process. The following steps should be considered:
Create an Acceptable Use Policy to define how AI will be leveraged within the organization, as well as how your data may be used within third-party AI systems.
Train employees on what AI is and on the acceptable use of AI.
Leverage an AI framework to inform contracts and assessments (e.g., the NIST AI Risk Management Framework).
Contract for AI: specify the data usage allowed, the AI types allowed, ethical considerations, decision-making responsibilities, and data ownership.
Think through an exit strategy for critical and high-risk third parties (consider data retrieval and deletion activities on termination, model and algorithm ownership, intellectual property rights, data privacy, knowledge transfer, and continuity of operations).

Assessing AI in Third Party Networks
Now that you have established AI policies within your own organization, you are ready to assess AI within third-party networks. As you do so, it is important to recognize that nearly every company today is leveraging AI, whether directly or through its partners. Assessing AI involves similar principles to other information security evaluations, but with distinct challenges. Unique concerns, such as data quality, model interpretability, and the potential for bias, add complexity to AI assessments. Consequently, it is essential for organizations to prioritize responsible AI development.
Developing AI responsibly requires a comprehensive approach that balances innovation with ethical considerations, social impact, and sustainability. When assessing AI in third-party networks, it is important to review the risks related to:
The AI’s Capabilities & Models, to determine how effectively and ethically the AI system operates.
Data Quality & Protection, to safeguard against ethical, legal, and operational risks, foster trust, and ensure that the AI system operates accurately and securely.
Security & Access Controls, to protect sensitive data, maintain model integrity, and ensure compliance with regulatory standards.
Performance & Reliability, to ensure the AI system operates as intended, adapts to real-world conditions, and delivers dependable outcomes.
Governance & Oversight, to ensure the AI system is used responsibly, safely, and effectively. For third-party networks, strong governance and oversight help ensure that external partners adhere to the same high standards, preserving the integrity of the organization’s AI ecosystem and protecting against external threats.

Conclusion
AI is becoming an integral part of third-party networks, and it is safest to assume that your third parties are using AI in some capacity. This means it is crucial to understand how they are using it, the potential risks that come from AI, and the metrics used to evaluate it. By understanding AI and the risks it poses in third-party networks, you can make more informed decisions and strengthen your risk management strategies.