
  • Why Should You Automate Sanctions and Watchlist Monitoring?

    If a third party, or their key executives, were added to a sanctions list tomorrow, how quickly would you know? If your answer includes words like “manual process,” “periodic check,” or “we probably wouldn’t,” you’re not alone. But in today’s geopolitical climate, real-time sanctions and watchlist screening isn’t a nice-to-have; it’s a regulatory and reputational must-have. And thankfully, it’s one of the most automation-ready functions in your Third Party Risk Management (TPRM) toolbox.

    The Growing Sanctions Landscape

    Governments and global bodies update sanctions and enforcement lists frequently, sometimes daily. These include:
      • OFAC (U.S. Treasury Department)
      • EU and UK sanctions lists
      • UN sanctions list
      • State-level or regional enforcement databases

    What can happen if you are not actively and continually confirming that your third parties, and their executives, are not on a sanctions list? Inaction or delayed detection can result in:
      • Civil or criminal penalties
      • Loss of government contracts
      • Reputational harm and media exposure
      • Regulatory investigations for due diligence failures

    This isn’t theoretical. There are documented cases of companies continuing to work with blacklisted entities because the list was checked “once, at onboarding.”

    Where Automation Fits In

    Automated screening ensures you aren’t relying on point-in-time checks or someone’s memory to flag a critical compliance issue. Here’s how it works:

    1. Continuous Third Party Monitoring
      • Third parties are screened continuously against real-time or nightly updated watchlists.
      • If a match is found, it automatically triggers alerts and escalations.
    Tool Tip: Many due diligence and TPRM platforms integrate with data providers like Dow Jones, Refinitiv (World-Check), or LexisNexis for live list monitoring.

    2. Executive & Beneficial Ownership Checks
      • Automation isn’t just about third party names. It also scans key individuals tied to the third party (owners, board members, executives) for matches.
    Tool Tip: Use enhanced due diligence services or APIs that enrich third party profiles with corporate family trees and UBOs (ultimate beneficial owners).

    3. Auto-Flagging and Escalation Workflows
      • Matched entries can be routed to TPRM or compliance teams for review.
      • You can configure risk scores to increase automatically, or trigger an urgent reassessment, if a third party is flagged.
    Tool Tip: Use case management tools to document investigation steps, outcomes, and decisions for audit-readiness. Name matching produces false positives (common names, transliterations, similar legal names), so every match needs a recorded disposition (true match, false positive, or pending review) rather than an automatic block.

    Real-World Example: Catching a Sanctions Match Before It Went Public

    A pharmaceutical company’s TPRM team was using automated sanctions monitoring tied to their third party master file. When a supplier’s parent company was added to the OFAC list, the system flagged the match immediately, even though the supplier’s name hadn’t changed.

    “If we had waited for the quarterly vendor review, we would’ve missed it, and been in violation,” said their Director of Compliance.

    They paused all spend, conducted a rapid risk and legal review, and replaced the third party, all documented through an automated case workflow.

    What to Monitor Automatically

    Here’s what should be in your automation scope:

      Data Type                     Example
      Vendor name                   Acme Global Services LLC
      Parent / subsidiary orgs      Acme Holdings Inc.
      Ultimate beneficial owners    John Doe, 51% stake
      Key contacts / executives     Jane Smith, CFO
      Country of registration       Vendors in embargoed nations

    How to Get Started

    You don’t need a complex setup. Start with:
      • Free tools: OFAC’s online Sanctions List Search (which covers the SDN list) or the World Bank’s list of debarred firms
      • Subscription databases: Refinitiv World-Check, LexisNexis, or Sayari
      • API integration: tie real-time alerts into your TPRM platform or workflow engine (Zapier, Workato, etc.)

    Key Takeaways
      • Sanctions and watchlist screening shouldn’t be a “once and done” task.
      • Automation helps you stay in compliance without increasing manual workload.
      • Screening third parties and their principals continuously is essential for managing modern regulatory risk.

    Author Bio
    Heather Kadavy, Senior Membership Success Coordinator
    Heather Kadavy joined the Third Party Risk Association (TPRA) in 2023 as the Senior Membership Success Coordinator. In recent years Heather has been providing freelance TPRM consulting work to various organizations after retiring from a Nebraska financial institution after nearly 35 years, where she oversaw and managed critical programs of the organization including Third Party Risk Management, Information Security, Physical Security, Safety, Business Recovery, Financial Crimes, Model Risk Management, and Enterprise Risk Management. In her TPRM role she had oversight of over a thousand third party relationships, systems, due diligence reviews, and contract management activities. She developed, facilitated, and implemented training programs for thousands of employees over the years. Heather is a natural-born connector of people and values relationship building as the cornerstone of her career. She encourages you to connect with TPRA and herself via LinkedIn to join in the “TPRM Global Conversation.”
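    The screening loop in steps 1 through 3 and the parent-company scenario above, as an added example that is not part of the original post and not any vendor platform's code: a nightly run screens each vendor, its parent, its UBOs and its executives against a watchlist using normalized, fuzzy name matching, diffs the hits against the previous night's run so that only new matches raise alerts, and picks an escalation by the role of the matched party. The vendor records, the two watchlist snapshots, the 0.85 similarity threshold and the escalation labels are constructed for the example, not real OFAC data or a real platform's workflow.

```python
"""Nightly sanctions screening of third parties and their related parties.

Added example with constructed data: the vendor master file, the two nightly
watchlist snapshots and the thresholds are illustrative, not real OFAC data.
"""
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import Iterator, List, Optional, Tuple

# Legal-form suffixes that should not count toward a match
# ("Acme Holdings Inc." and "ACME HOLDINGS, INC." are the same entity).
LEGAL_SUFFIXES = {"llc", "inc", "ltd", "limited", "corp", "corporation",
                  "co", "company", "gmbh", "sa", "plc", "lp"}


def normalize(name: str) -> str:
    """Lower-case, strip punctuation and legal suffixes, collapse whitespace."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def similarity(a: str, b: str) -> float:
    """Fuzzy score in [0, 1] on the normalized names (catches typos and variants)."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


@dataclass(frozen=True)
class Party:
    name: str
    role: str       # "vendor" | "parent" | "ubo" | "executive"
    vendor_id: str


@dataclass
class Vendor:
    vendor_id: str
    name: str
    parent: Optional[str] = None
    principals: List[Tuple[str, str]] = field(default_factory=list)  # (name, role)

    def parties(self) -> Iterator[Party]:
        """Everything in screening scope: the entity, its parent, its people."""
        yield Party(self.name, "vendor", self.vendor_id)
        if self.parent:
            yield Party(self.parent, "parent", self.vendor_id)
        for name, role in self.principals:
            yield Party(name, role, self.vendor_id)


@dataclass(frozen=True)
class Hit:
    vendor_id: str
    party: str
    role: str
    listed_name: str
    program: str
    score: float


def screen(vendors: List[Vendor], watchlist: List[dict], threshold: float = 0.85) -> List[Hit]:
    """Screen every related party of every vendor against the current list."""
    hits = []
    for vendor in vendors:
        for party in vendor.parties():
            for entry in watchlist:
                score = similarity(party.name, entry["name"])
                if score >= threshold:
                    hits.append(Hit(vendor.vendor_id, party.name, party.role,
                                    entry["name"], entry["program"], round(score, 2)))
    return hits


def new_hits(previous: List[Hit], current: List[Hit]) -> List[Hit]:
    """Nightly delta: only matches absent from the prior run become alerts."""
    seen = {(h.vendor_id, h.party, h.listed_name) for h in previous}
    return [h for h in current if (h.vendor_id, h.party, h.listed_name) not in seen]


def escalation(hit: Hit) -> str:
    """Constructed rule: a listed entity, parent or owner freezes spend pending
    review; a listed executive goes to compliance review."""
    if hit.role in {"vendor", "parent", "ubo"}:
        return "HOLD_SPEND_AND_REASSESS"
    return "COMPLIANCE_REVIEW"


# Constructed vendor master file and two nightly list snapshots (assumed data).
VENDORS = [
    Vendor("V-1001", "Acme Global Services LLC", parent="Acme Holdings Inc.",
           principals=[("John Doe", "ubo"), ("Jane Smith", "executive")]),
    Vendor("V-1002", "Blue River Lawn Care", principals=[("Maria Lopez", "executive")]),
]
WATCHLIST_DAY1 = [{"name": "NORTHWIND TRADING CO.", "program": "SDN"}]
WATCHLIST_DAY2 = WATCHLIST_DAY1 + [{"name": "ACME HOLDINGS, INC.", "program": "SDN"}]


def nightly_run() -> List[Hit]:
    """Screen on day 1 and day 2; return only the alerts the second night raises."""
    return new_hits(screen(VENDORS, WATCHLIST_DAY1), screen(VENDORS, WATCHLIST_DAY2))


if __name__ == "__main__":
    for hit in nightly_run():
        print(f"{hit.vendor_id}: {hit.role} '{hit.party}' matched '{hit.listed_name}' "
              f"({hit.program}, {hit.score}) -> {escalation(hit)}")
```

    The supplier's own name never changes between the two runs; the alert fires because the parent is in scope and the delta is computed per related party, which is the point of the pharmaceutical example. Tune the threshold against your own false-positive rate, and keep the disposition of each alert in the case record.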

  • Stop Chasing, Start Tracking: Automating Evidence & Audit Artifact Collection

    If you’re still relying on spreadsheets, shared drives, or email threads to collect due diligence evidence from third parties, you’re not alone. But you’re also probably:
      • Spending too much time sending reminders
      • Missing key artifacts come audit season
      • Duplicating efforts across assessments
      • Struggling to prove historical compliance

    This is a ripe area for automation, one that can immediately ease TPRM fatigue and strengthen audit readiness.

    The Evidence Burden is Real

    In today’s TPRM environment, third parties are expected to provide dozens of artifacts, often across multiple frameworks or request types:
      • SOC 2 or ISO 27001 reports
      • Cybersecurity policies and control assessments
      • Insurance certificates
      • Penetration test summaries
      • Business continuity plans
      • Signed attestations

    It’s a lot, and often scattered. Multiply that by 50, 200, or 1,000 vendors, and suddenly your risk team is a full-time document chaser.

    The Automation Opportunity

    Here’s how automation can modernize your evidence collection process, reduce back-and-forth, and give you better visibility into what’s complete and what’s missing.

    1. Auto-Send Evidence Requests on Schedule or Trigger
    Set your TPRM application to automatically send evidence requests based on:
      • Vendor onboarding
      • Contract renewal dates
      • Annual or semi-annual reassessment cycles
      • Triggered events (e.g., scope changes or security alerts)
    Tool Tip: TPRM platforms like Mirato, ProcessUnity, or Aravo can generate evidence requests tied to vendor risk tier and lifecycle stage.

    2. Use Pre-Built Templates and Smart Forms
      • Build or reuse standardized templates by risk type or assessment purpose (e.g., privacy, InfoSec, ESG)
      • Use dynamic forms that adjust based on vendor responses to avoid over-requesting
    Tool Tip: Tools like OneTrust or Venminder, an Ncontracts company, enable conditional logic in assessments to streamline collection.

    3. Centralize and Auto-Categorize Submissions
      • Route uploaded documents directly into the correct vendor profile and artifact folder
      • Use metadata to label evidence by type (e.g., SOC 2, PCI certificate), date, and expiration
    Tool Tip: Integrate SharePoint, Google Drive, or your TPRM platform’s document library with automation tags for search and retrieval.

    4. Track Expirations and Send Auto-Reminders
      • Set calendar-based reminders before a certificate or report expires
      • Automatically notify both internal stakeholders and vendor points of contact (POCs)
    Tool Tip: Use Power Automate, Zapier, or ServiceNow to flag expiring evidence and send personalized nudge emails. A SOC 2 report carries no expiry date of its own; record the end of its audit period as the expiration and request a bridge letter to cover the gap until the next report.

    5. Map Evidence to Controls or Frameworks
      • Auto-tag evidence to align with relevant controls (e.g., NIST CSF, ISO 27001, CAIQ)
      • Allow auditors or regulators to view which evidence supports each control
    Tool Tip: Use tools with compliance mapping capabilities like AuditBoard, LogicGate, or TrustCloud.

    Real-World Example: How a Mid-Sized Bank Reduced Audit Chaos

    A regional bank with over 350 vendors had been relying on Excel trackers and shared folders to manage third party evidence. Every audit cycle brought panic, re-requests, and unclear ownership. They introduced automated workflows that:
      • Sent initial evidence requests 90 days before renewal
      • Tracked which vendors responded and what was missing
      • Auto-tagged files by control area
      • Alerted internal teams if a document was expired or missing

    Result:
      • 85% reduction in last-minute evidence scramble
      • 100% audit-ready vendor files
      • 50+ hours saved per quarter

    Getting Started with Evidence Automation

    You don’t need a full GRC overhaul to get going. Start small with:
      • Standardized email templates for reminders
      • A centralized intake form for vendors to upload files
      • A shared dashboard to track evidence status by vendor or category

    Then build toward automation and integration with your TPRM, GRC, or document management tools.

    Pro Tip: Ask for Evidence Once. Use It Many Times.
    Good automation also means good reuse. Store and tag documents so you’re not asking for the same SOC report for every new engagement.

    Key Takeaway
    Chasing down evidence is not a good use of your team’s time, or the vendor’s. Automating the collection, tracking, and expiration process saves effort, reduces errors, and strengthens your TPRM program’s credibility.

    Author: Heather Kadavy, Senior Membership Success Coordinator, TPRA (bio above).
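    Steps 3 through 5 above (categorize, track expirations, map to controls) and the bank's workflow, as an added example that is not from the original post or from any of the tools it names: an evidence register keeps each vendor's newest artifact of every kind (so a document is requested once and reused), grades it as missing, expired, expiring or current against a reminder window, lists the controls that no longer have valid evidence behind them, and turns each status into the next action a coordinator or workflow engine would take. The tier-to-artifact requirements, the artifact-to-control mapping, the 90-day window, and the sample vendor and artifacts are constructed assumptions, not an official mapping.

```python
"""Evidence register: status, expiry reminders and control coverage per vendor.

Added example with constructed data; the required-artifact sets, the control
mapping, the reminder window and the sample artifacts are illustrative.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed: which artifact kinds each risk tier must keep on file.
REQUIRED_BY_TIER = {
    1: {"soc2", "pentest", "bcp", "insurance", "infosec_policy"},
    2: {"soc2", "insurance", "infosec_policy"},
    3: {"insurance"},
}

# Assumed, illustrative mapping from artifact kind to the controls it evidences.
CONTROLS_BY_ARTIFACT = {
    "soc2": {"ISO27001:A.5.19", "NIST-CSF:GV.SC"},
    "pentest": {"ISO27001:A.8.8", "NIST-CSF:ID.RA"},
    "bcp": {"ISO27001:A.5.30", "NIST-CSF:RC.RP"},
    "insurance": {"NIST-CSF:GV.RM"},
    "infosec_policy": {"ISO27001:A.5.1"},
}

# Constructed next action per status; "current" needs nothing.
ACTION = {
    "missing": "send evidence request",
    "expired": "escalate to vendor owner",
    "expiring": "send reminder",
}


@dataclass(frozen=True)
class Artifact:
    vendor_id: str
    kind: str
    issued: date
    expires: date


def latest_artifacts(vendor_id: str, artifacts: List[Artifact]) -> Dict[str, Artifact]:
    """Newest artifact of each kind for the vendor (reuse instead of re-request)."""
    latest: Dict[str, Artifact] = {}
    for a in artifacts:
        if a.vendor_id == vendor_id and (a.kind not in latest or a.expires > latest[a.kind].expires):
            latest[a.kind] = a
    return latest


def evidence_status(vendor_id: str, tier: int, artifacts: List[Artifact],
                    today: date, warn_days: int = 90) -> Dict[str, Tuple[str, Optional[int]]]:
    """Map each artifact kind the tier requires to (status, days until or since expiry)."""
    latest = latest_artifacts(vendor_id, artifacts)
    status: Dict[str, Tuple[str, Optional[int]]] = {}
    for kind in sorted(REQUIRED_BY_TIER[tier]):
        a = latest.get(kind)
        if a is None:
            status[kind] = ("missing", None)
        elif a.expires < today:
            status[kind] = ("expired", (today - a.expires).days)
        elif (a.expires - today).days <= warn_days:
            status[kind] = ("expiring", (a.expires - today).days)
        else:
            status[kind] = ("current", (a.expires - today).days)
    return status


def uncovered_controls(status: Dict[str, Tuple[str, Optional[int]]]) -> List[str]:
    """Controls the tier needs evidence for that no still-valid artifact supports."""
    required, covered = set(), set()
    for kind, (state, _) in status.items():
        required |= CONTROLS_BY_ARTIFACT[kind]
        if state in ("current", "expiring"):   # still valid today
            covered |= CONTROLS_BY_ARTIFACT[kind]
    return sorted(required - covered)


def next_actions(status: Dict[str, Tuple[str, Optional[int]]]) -> Dict[str, str]:
    """What the coordinator (or the workflow engine) should do per artifact."""
    return {kind: ACTION[state] for kind, (state, _) in status.items() if state in ACTION}


# Constructed register for one Tier 1 vendor as of a fixed review date.
TODAY = date(2025, 6, 6)
ARTIFACTS = [
    Artifact("V-1001", "soc2", date(2023, 7, 1), date(2024, 7, 1)),       # superseded copy
    Artifact("V-1001", "soc2", date(2024, 7, 1), date(2025, 7, 1)),       # 25 days left
    Artifact("V-1001", "pentest", date(2024, 1, 15), date(2025, 1, 15)),  # lapsed
    Artifact("V-1001", "bcp", date(2024, 12, 31), date(2025, 12, 31)),
    Artifact("V-1001", "insurance", date(2025, 3, 31), date(2026, 3, 31)),
    # no infosec_policy on file at all
]


if __name__ == "__main__":
    status = evidence_status("V-1001", 1, ARTIFACTS, TODAY)
    for kind, (state, days) in status.items():
        print(f"{kind:15} {state:9} {days}")
    print("uncovered controls:", uncovered_controls(status))
    print("actions:", next_actions(status))
```

    The status dictionary is what a dashboard or a reminder job would consume; the uncovered-control list is what an auditor asks for. Feeding `evidence_status` a different tier shows how a lighter tier needs fewer artifacts without any change to the stored evidence.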

  • Making the Business Case: Presenting Your TPRM Budget to the C-Suite

    You’ve built the framework. Defined the roadmap. Clarified the policies, procedures, and objectives. Now the spotlight is on the final act before execution: the budget.

    Presenting a Third Party Risk Management (TPRM) budget isn’t just a numbers game; it’s a strategic dialogue with your C-suite. Each leader sees risk through a different lens. Your job is to make sure TPRM isn’t seen as a cost center, but as a business-critical function that protects brand value, operational continuity, and long-term growth.

    When you step into the room, or join the Zoom, come prepared not only with accurate data, but also with a tailored approach that speaks each executive’s language when presenting your TPRM budget proposal.

    Below is a sample budget submission for a TPRM program using estimated figures for a mid-sized organization with around 1,000 third parties, 20% of which are high or critical risk. This submission can be tailored for formal budget meetings, especially when speaking to a C-suite audience.

    Sample Budget Example: TPRM Budget Submission: FY2026

    Prepared by: TPRM Program Office/Officer
    Submitted to: Executive Leadership Team (CEO, CFO, CRO, CIO, COO, and CMO)
    Date: June 6, 2025
    Program Scope: Covers third party onboarding, due diligence, ongoing monitoring, issue remediation, and exit/termination processes across 1,000 third parties.

    Executive Summary

    This budget supports the implementation and maturity growth of our TPRM program. It is designed to mitigate increasing third party risk exposure while enabling operational efficiency, regulatory alignment, and long-term resilience. After aligning our budget with peer business units (e.g., IT, Procurement) to ensure no overlap, we are requesting $995,000 in total TPRM program funding for FY2026, broken into the categories below.

    TPRM Budget Breakdown

      Category                  Estimated Cost (USD)   Detail
      Personnel                 $450,000               3 FTEs (Manager, Analyst, Coordinator) + 1 contract assessor
      Automation/Tools          $225,000               TPRM automation platform (onboarding, workflow, risk rating, etc.)
      Training & Certification  $15,000                3 staff attending a TPRM conference and obtaining or maintaining certifications
      Consulting Services       $50,000                External maturity model assessment and roadmap facilitation
      Operations                $10,000                Supplies, licenses, reports, software, translation of vendor assessments
      Travel                    $20,000                Site visits to top 10 critical third parties
      Risk Monitoring Services  $150,000               Third party financial, cyber, and ESG monitoring subscriptions
      Contingency Reserve       $50,000                Incident response or unplanned third party reviews
      Program Development       $25,000                Internal awareness campaigns, playbook updates, policy refresh
      Total                     $995,000

    Maturity Model Alignment

    This budget enables us to progress from TPRM Level 2 (“Defined”) to TPRM Level 3 (“Integrated”) maturity in the next 12 months. We will formalize our processes, integrate toolsets, and implement real-time monitoring with key risk indicators.

    Supporting Attachments (Exhibits A-E)
      • Risk Appetite and Control Gap Analysis
      • Financial Risk Avoidance Estimator
      • Industry Peer Benchmarking
      • Sample ROI from Process Automation
      • 5-Year Third Party Incident Tracker (Regulatory and Financial Impact)

    TPRM to Corporate Alignment

    This budget aligns to each of our organization’s six corporate goals:
      • Strategic Enablement
      • Risk Avoidance ROI
      • Risk Appetite Alignment
      • Efficiency Gains
      • Cyber and Operational Resilience
      • Brand Protection and ESG

    CEO: I recognize one of your primary goals is Strategic Enablement:
      • Supporting secure scaling of partnerships, M&A, and outsourcing
      • Demonstrating proactive governance and leadership integrity
    “As such, here is how TPRM aligns with our enterprise strategy and growth trajectory.”
    Every initiative in this budget supports not just compliance, but resilience and reputation. If we want to expand into new markets, partner with innovative vendors, and build customer trust, we must ensure that our third parties don’t introduce vulnerabilities. This budget enables proactive oversight that protects our ability to scale with confidence.

    CFO: I recognize one of your primary goals is Risk Avoidance ROI:
      • Helping to avoid regulatory fines averaging $1.4M per incident (source: IBM/Ponemon)
      • Automation savings of ~$100K/year in reduced manual review hours
    “So, let’s talk about cost avoidance and value protection.”
    TPRM doesn’t generate revenue, but it shields it. Consider the financial impact of a third party data breach, regulatory fine, or supply chain disruption. We’ve included an incident impact analysis and a financial risk mitigation model. Tools like automation platforms may have upfront costs, but they reduce FTE hours and shorten due diligence cycles, providing long-term savings. This budget protects the bottom line.

    CRO: I recognize one of your primary goals is Risk Appetite Alignment:
      • Providing real-time risk visibility across 1,000 vendors
      • Improving response time to regulatory inquiries and audit findings
    “As such, this is risk management at scale.”
    Our roadmap supports maturing the program to keep pace with emerging risks: cybersecurity, ESG, concentration, and geopolitical instability. With this budget, we gain visibility across the supply chain, build consistency in due diligence, and drive risk-informed decision making across the enterprise. Risk appetite isn’t just a principle; it’s operationalized here.

    COO: I recognize one of your primary goals is Efficiency Gains:
      • Accelerating vendor onboarding timelines by ~30%
      • Reducing disruptions due to unknown vendor risks
    “As such, the TPRM budget plan enables operational efficiency and reduces friction.”
    Every tool and resource in this plan contributes to smoother onboarding, faster assessments, and fewer surprises post-contract. We’ve mapped resources to real operational demand, based on our third party portfolio’s inherent risk tiers. With the right investment, we reduce bottlenecks and improve our vendor lifecycle management without overburdening your teams.

    CIO: I recognize one of your primary goals is Cyber and Operational Resilience:
      • Detecting risk in data access and system integrations pre-contract
      • Supporting a zero-trust third party architecture
    “This budget strengthens our IT risk posture through third party visibility and integration support.”
    In today’s interconnected ecosystem, our third parties don’t just support the business; they connect to our systems, access sensitive data, and influence our security perimeter. This budget funds the tools and intelligence we need to proactively assess those relationships before they pose a risk. Specifically, it supports:
      • A TPRM platform that integrates with ITSM and procurement tools for seamless intake and tracking
      • Ongoing cyber risk monitoring of vendors handling sensitive data or holding system access
      • Risk scoring tied to our internal architecture and controls, improving alignment with zero-trust and defense-in-depth strategies
    By investing here, we’re ensuring that third party risks don’t undermine the protections we’ve worked so hard to build internally. It’s not just about compliance; it’s about maintaining system integrity, business continuity, and trust in our infrastructure. We’re already seeing regulatory expectations shift toward shared accountability in third party breaches. This budget helps us stay ahead of those trends, and aligned with frameworks like NIST, ISO 27001, and the updated SEC guidance.

    CMO: I recognize one of your primary goals is Brand Protection and ESG:
      • Assessing vendors for reputational risk, DEI, and ESG performance
      • Avoiding headline risk from third party failures
    “We know that brand trust is built on vendor integrity.”
    In a world where consumers and regulators scrutinize supply chains, a single third party misstep can create reputational headlines. Our TPRM budget supports robust assessments of vendors that touch customer data, brand experience, or ESG commitments. This is not only a risk measure; it’s a marketing safeguard.

    Overall

    What’s included in this budget (and why it matters):
      • Resources: We’ve forecasted FTE and contractor needs to meet expected assessment volumes and maintain SLA targets.
      • Operations: This includes daily workflow support and practical tools to run an efficient program.
      • Training and Travel: To keep our team skilled and informed, and to support onsite reviews for critical third parties.
      • Maturity Investments: We’ve aligned our asks to our current maturity level and the next step in our TPRM evolution.
      • Technology: We’ve assessed ROI for tools that reduce manual workloads and drive consistency.

    We’ve also included benchmarking against peer organizations and a review of industry incidents and fines over the last five years to contextualize our ask. This isn’t “nice to have.” This is “mission critical.”

    Bottom Line:
    This is a proactive investment in resilience. It’s a shield for our brand, a hedge against regulatory and operational exposure, and a step toward a smarter, more scalable enterprise. I’m not just asking for budget, I’m asking for buy-in to protect what we’re building, the way we build it, and the way we deliver it.

    Author: Heather Kadavy, Senior Membership Success Coordinator, TPRA (bio above).

  • Tiering Third Parties & Triggering Enhanced Due Diligence

    If you’re sending the same full-blown risk assessment to every third party, whether they host sensitive data or simply mow your corporate lawn, it’s time for smarter automation.

    Third party tiering isn’t just a best practice; it’s a necessity. But too often it’s handled manually or inconsistently, leading to:
      • Wasted time on low-risk third parties
      • Insufficient scrutiny of high-risk partners
      • Frustration from internal teams and third parties alike

    With automation, you can streamline how third parties are tiered, when they’re reassessed (i.e., their assessment cycle time), and whether they trigger enhanced due diligence, all without adding manual work.

    Why Tiering Matters

    Third party tiering (or risk segmentation) helps you:
      • Prioritize time and resources
      • Tailor assessments based on risk
      • Justify lighter-touch reviews when appropriate
      • Align to internal policies and regulatory expectations

    But the old way of doing it, with manual scoring, spreadsheet-based tiers, and ad hoc judgment, doesn’t scale.

    How Automation Improves Vendor Tiering & EDD

    Let’s break this down into two key functions that benefit from automation:

    1. Automated Vendor Tiering
    Start by automatically assigning third parties to tiers based on logic built into your intake or inherent risk assessment process. Common inputs include:
      • Type and amount of data accessed (e.g., PII, PHI, cardholder data)
      • Whether the third party will access your organization’s internal network, and which environment (e.g., VPN, production environment)
      • Geographic presence or location of services
      • Regulatory exposure (e.g., HIPAA, GDPR)
      • Criticality to business operations
    Tool Tip: Use intake forms or TPRM platforms that include conditional logic. Based on answers, third parties are automatically placed into Tier 1 (High), Tier 2 (Moderate), or Tier 3 (Low/Non-Critical).
    Example Automation: Business Owner selects “Yes” to the third party accessing customer PII → platform sets them as Tier 1 → full information security risk assessment initiated automatically.

    2. Triggering Enhanced Due Diligence (EDD)
    Once a third party is tiered, you can set triggers to launch deeper reviews on a regular cadence, as well as if and when something changes. EDD may include:
      • Expanded assessments
      • Onsite or virtual visits
      • Background checks on executives
      • Penetration testing evidence
      • Financial statement reviews
      • Crisis response documentation (e.g., BCP/DR tests)
    Trigger conditions could include, but are not limited to:
      • A risk score threshold is exceeded
      • The third party is acquired by another organization and there is a change in leadership
      • The third party will now host data offshore
      • A contract change increases data access
      • Negative media or litigation is detected
    Tool Tip: Connect monitoring platforms (BitSight, SecurityScorecard, RiskRecon, Sayari) to your TPRM system to ensure events auto-trigger reassessment workflows.

    Real-World Example: How a Tech Company Reduced Third Party Assessment Volume by 40%

    A SaaS firm supporting fintech clients struggled with over-assessing third parties. Everyone received the same 200-question InfoSec review, whether they hosted client data or just helped with branding. The organization implemented an automated tiering engine using a simple logic tree:
      • Tier 1: Hosts client data or business-critical systems → full TPRA Information Security Questionnaire + SOC 2
      • Tier 2: Indirectly supports regulated operations → limited questionnaire
      • Tier 3: No data access, non-critical → no further review

    When a Tier 2 vendor’s risk rating score dipped significantly, the system triggered an EDD workflow with an escalated assessment.

    Results after 6 months:
      • 40% fewer full assessments
      • Average assessment cycle time dropped 30%
      • Fewer third party complaints about irrelevant or overbearing reviews

    What to Include in an Automated Tiering Framework

    The TPRA community has created a free inherent risk questionnaire that can be leveraged within an automated tiering framework. If you are a TPRA member, you can obtain the inherent risk questionnaire template here.

    Getting Started

    You don’t need to go from 0 to full automation in one step. Start with:
      • A basic inherent risk assessment that captures core risk drivers
      • A rules-based tiering system in Excel, Power Automate, or your TPRM tool
      • Clear definitions for Tier 1, 2, and 3, and what EDD should be performed for each tier
      • Additional triggers for EDD (e.g., change in data access or poor cyber score)

    Pro Tip: Automation Doesn’t Mean “Set and Forget”
    You still need risk oversight. Automation just ensures your attention is focused on the third parties who need it most, when they need it most. Re-run tiering whenever the intake answers change (a contract amendment that adds data access can move a vendor up a tier), not only at onboarding.

    Key Takeaways
      • Treating all third parties the same is inefficient and risky
      • Automated tiering reduces noise and sharpens focus
      • Enhanced due diligence should be triggered by real risk, not just policies
      • You can implement this in phases with existing tools

    Author: Heather Kadavy, Senior Membership Success Coordinator, TPRA (bio above).
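    The logic tree from the SaaS example and the trigger conditions listed above, as an added example that is not the TPRA questionnaire or any platform's engine: intake answers drive tier assignment and the matching review scope and cadence, monitoring events are evaluated against per-tier thresholds to decide whether enhanced due diligence fires outside the normal cycle, and a contract change that adds data types re-runs tiering (the Tier 2 analytics vendor moves to Tier 1 once it touches PII). The tier rules, review scopes, the 0-1000 rating scale, the 100-point drop threshold and the three intake records are constructed assumptions.

```python
"""Rules-based tiering with enhanced due diligence (EDD) triggers.

Added example; the tier rules, review scopes, score thresholds and sample
third parties are constructed assumptions, not a platform's logic.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Set

SENSITIVE_DATA = {"pii", "phi", "cardholder"}

# Assumed review scope and reassessment cadence per tier.
SCOPE = {
    1: ("full InfoSec questionnaire + SOC 2 report", "annual"),
    2: ("limited questionnaire", "every 2 years"),
    3: ("no further review", "at contract renewal"),
}
# Assumed floor on an external cyber rating (0-1000 scale) below which EDD starts.
SCORE_FLOOR = {1: 700, 2: 600, 3: 500}


@dataclass(frozen=True)
class Intake:
    vendor: str
    data_types: Set[str]        # e.g. {"pii"}; empty set = no data access
    network_access: str         # "none" | "vpn" | "production"
    offshore: bool
    regulations: Set[str]       # e.g. {"hipaa", "gdpr"}
    business_critical: bool


@dataclass(frozen=True)
class Event:
    kind: str                   # "score" | "acquired" | "offshore" | "contract" | "adverse_media"
    detail: Dict = field(default_factory=dict)


def assign_tier(i: Intake) -> int:
    """Conditional-logic tiering from the inherent risk intake answers."""
    if i.data_types & SENSITIVE_DATA or i.network_access == "production" or i.business_critical:
        return 1
    if i.regulations or i.network_access == "vpn" or i.offshore:
        return 2
    return 3


def plan(i: Intake) -> Dict[str, object]:
    """Tier plus the review scope and cadence that tier implies."""
    tier = assign_tier(i)
    scope, cadence = SCOPE[tier]
    return {"vendor": i.vendor, "tier": tier, "scope": scope, "cadence": cadence}


def edd_triggers(tier: int, events: List[Event], score_drop: int = 100) -> List[str]:
    """Reasons to launch EDD now, independent of the scheduled cadence."""
    reasons = []
    for e in events:
        if e.kind == "score":
            prev, cur = e.detail["previous"], e.detail["current"]
            if cur < SCORE_FLOOR[tier] or prev - cur >= score_drop:
                reasons.append(f"cyber rating fell {prev}->{cur}")
        elif e.kind == "acquired" and e.detail.get("leadership_change"):
            reasons.append("acquired with change in leadership")
        elif e.kind == "offshore" and e.detail.get("now_offshore"):
            reasons.append("data now hosted offshore")
        elif e.kind == "contract" and e.detail.get("added_data"):
            reasons.append("contract change increases data access")
        elif e.kind == "adverse_media":
            reasons.append("negative media or litigation detected")
    return reasons


def retier_after_contract(i: Intake, added_data: Set[str]) -> Intake:
    """A contract change that adds data types re-runs tiering on the new intake."""
    return replace(i, data_types=i.data_types | added_data)


# Constructed intake records for three third parties.
LAWN_CARE = Intake("Blue River Lawn Care", set(), "none", False, set(), False)
ANALYTICS = Intake("Ledger Insights", {"aggregated_metrics"}, "vpn", False, {"glba"}, False)
HOSTING = Intake("CloudVault", {"pii"}, "production", True, {"gdpr"}, True)


if __name__ == "__main__":
    for intake in (LAWN_CARE, ANALYTICS, HOSTING):
        print(plan(intake))
    events = [Event("score", {"previous": 720, "current": 560}),
              Event("acquired", {"leadership_change": False})]
    print("EDD for Tier 2 vendor:", edd_triggers(assign_tier(ANALYTICS), events))
    print(plan(retier_after_contract(ANALYTICS, {"pii"})))
```

    The same 30-point rating dip is ignored for a Tier 2 vendor but starts EDD for a Tier 1 vendor, because the floor is per tier; that is what keeps the trigger tied to real risk rather than to a single global threshold.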

  • TPRM: Establishing Accountability at All Levels of the Organization

    Third-party risk management (TPRM) primarily aims to safeguard the organization and its customers from potential threats, including data breaches, service interruptions, and hefty regulatory fines, particularly in heavily regulated industries. While the principles of TPRM may seem simple, putting them into action can be quite intricate, requiring a web of interconnected and sometimes complex processes and tasks. However, even the most well-crafted TPRM framework can fall flat without a strong foundation of accountability. Without accountability, the consequences can be severe, leading to increased risk exposure, regulatory non-compliance, and potential damage to the organization’s reputation. Simply put, accountability is the backbone of effective TPRM; it ensures that responsibilities are clearly defined and distributed among stakeholders, with everyone playing a vital role in managing risks.

    To ensure effective accountability, many organizations utilize the Three Lines of Defense model published by the Institute of Internal Auditors (IIA) in 2013 (revised by the IIA as the Three Lines Model in 2020). This model delineates the roles in risk management:
      • Operational management as the first line of defense
      • Risk management and compliance as the second line
      • Internal audit, which provides independent assurance, as the third line

    This framework clarifies responsibilities and enhances risk management effectiveness, making it ideal for establishing accountability in TPRM. Now, let’s explore each of the three lines and their roles in TPRM.

    First Line of Defense: The frontline employees who directly handle and manage the products or services provided by third-party vendors and service providers. Their primary TPRM responsibilities include identifying and managing risks associated with third-party offerings, such as data security breaches, service interruptions, and regulatory non-compliance. They are also responsible for setting service level agreements (SLAs) and monitoring and managing third-party performance. They are typically responsible for completing inherent risk assessments and are crucial in establishing exit strategies for high-risk and critical third parties should they need to end the relationship.

    Second Line of Defense: This group includes dedicated third-party risk management teams, the enterprise risk team, and subject matter experts from compliance, legal, finance, information security, business continuity, and more. They establish the policies, frameworks, and tools necessary for effective vendor risk management while monitoring first-line activities to ensure consistency and quality in risk measurement and management.

    Third Line of Defense: An independent assurance function, often comprised of internal auditors who assess and monitor the overall effectiveness of third-party risk management activities. Their role is crucial in providing an unbiased evaluation of the TPRM process. They evaluate the effectiveness of risk management frameworks, the quality of the risk management work, and compliance with all laws and regulations. They report any gaps or weaknesses to the board of directors and senior management and provide recommendations for improvement. Regular audits of the TPRM framework and processes are a necessary part of a healthy TPRM function.

    The Board of Directors and Senior Management: When it comes to managing third-party risks, each line of defense plays a crucial role in keeping accountability in check. However, the ultimate responsibility for making sure these defenses work effectively falls on the board of directors and senior management. They’re the ones who define the company’s appetite for risk around third parties and shape the governance strategies that guide the organization. The board and executive team must be engaged to effectively manage third-party risks. This means not just approving risk management policies but also setting a strong “tone from the top” that highlights the importance of TPRM at the organization. The board should also review any issues arising from critical third parties, review independent risk assessments, and allocate sufficient resources for effective third-party risk management. By integrating these considerations into the company’s broader strategies and decision-making, they can ensure that third-party risks are addressed proactively and effectively.

    Whether your organization adopts the three lines of defense structure or chooses a different one, one thing is clear: accountability at all levels of the organization is essential for effective TPRM. When everyone, from frontline employees to executives, understands their roles and responsibilities, it creates a solid foundation for managing the risks associated with using third-party products and services. This clarity not only aids in identifying and mitigating third-party issues but also fosters a culture of collaboration and vigilance, empowering everyone to contribute to safeguarding against third-party risks.

    Author Bio
    Hilary Jewhurst, Sr. Membership & Education Coordinator at TPRA
    Hilary Jewhurst is a seasoned expert in third-party risk and risk operations, with nearly two decades of experience across financial services, fintech, and the nonprofit sector. She has built and scaled third-party risk programs from the ground up, designed enterprise-wide training initiatives, and developed widely respected content that helps organizations navigate regulatory complexity with clarity and confidence. Known for turning insight into action, Hilary’s thought leadership and educational work have become go-to resources for professionals looking to mature their TPRM programs. She regularly publishes articles, frameworks, and practical guides that break down complicated risk topics into meaningful, accessible strategies. Hilary recently joined the Third-Party Risk Association (TPRA) as a staff member, supporting industry-wide education, peer learning, and advancing best practices. She is also the founder of TPRM Success, a boutique consultancy that helps organizations strengthen their third-party risk management capabilities through targeted training, tools, and strategic guidance.

  • Achieving Third-Party Risk Management Program Compliance With Vendor Collaboration

    Maintaining a compliant third-party risk management (TPRM) program involves active collaboration between multiple stakeholders. Compliance isn’t just an objective but a shared responsibility throughout your organization, from senior management and the board of directors to the business lines and vendor owners. Vendors themselves also have a responsibility to comply with TPRM policies and regulations, so it’s crucial to develop a strategy that involves effective collaboration.

    In this blog, you’ll learn some tips on collaborating with your vendors to achieve compliance in your TPRM program. You’ll also learn some next steps to take when a vendor is creating challenges in your compliance efforts.

    How to Achieve Third-Party Risk Management Compliance Through Vendor Collaboration

    TPRM program compliance involves more than just reacting to specific laws and regulations. It's about being proactive and considering internal policies, rules, and industry best practices that are designed to maintain effective TPRM programs. Below are some proactive strategies to collaborate with your vendor and achieve TPRM program compliance across multiple expectations and standards:

    Set a culture of compliance – In order to effectively set expectations for your vendors' compliance, it’s advisable to first establish your organization's values and practices for your TPRM program. Organizations should communicate priorities internally to foster a culture of compliance that’s clearly understood and endorsed by all stakeholders. Once this culture has been established, it can be more effectively conveyed to your vendors, leading to smoother collaboration and program compliance.

    Follow up on due diligence – Compliance issues are usually identified during the due diligence process as you collect and review the vendor's documentation. Follow up on any issues that were found and ask for clarification or more information as needed. In some cases, the vendor may have additional documentation that can verify its compliance with your expectations.

    Negotiate a compliant contract – Make sure to include contract provisions that require both parties to comply with applicable laws and regulations. These provisions could relate to areas such as data protection, privacy, and breach notification requirements. Contract provisions could also outline any internal compliance requirements set by your organization, such as following your corporate policies or industry standards.

    Communicate early and often – Don’t assume that your vendor is staying updated on changing regulatory expectations and industry standards. New state privacy laws continue to emerge, and cybersecurity standards are revised to address new vulnerabilities, so it's essential to frequently communicate your expectations to ensure the vendor is aware of relevant changes and is updating their processes as needed. This ongoing communication is key to building a collaborative partnership.

    Work together on remediation – Just as compliance should involve vendor collaboration, so should remediation plans. Whenever there are issues with compliance, work with the vendor to develop a remediation plan that’s actionable, effective, and time-bound. Vendors may be more responsive to requests for improvement if they collaborate on the remediation plan and can identify any roadblocks to success.

    Addressing Challenges With Vendor Compliance

    It’s not uncommon to face compliance challenges with vendors who might have different strategic goals and priorities. Some vendors may choose to do the bare minimum in compliance and only meet applicable laws and regulations. Here are some suggestions for handling a vendor that isn’t collaborative in your compliance efforts:

    Talk with the vendor – First, sit down and have a conversation with the vendor about any issues to better understand their perspective. There may be a misunderstanding about a certain requirement, or they may not have the resources to meet your expectations. These conversations can help clarify your compliance goals and determine if you and the vendor can work toward an improvement plan.

    Document issues and progress – Make sure to document any compliance issues and improvement plans, along with a time frame for remediation. It’s important to track any progress made on the compliance issue and regularly follow up with the vendor for updates until the issue is resolved.

    Increase monitoring – In addition to documenting the compliance issue, you may need to increase your ongoing monitoring activities with the vendor. Depending on the issue, this may include more frequent reviews of the vendor’s financial health, business continuity risk, security testing, or negative news.

    Move forward with the exit strategy – If the vendor isn’t following the requirements to an extent that’s too severe and beyond your risk tolerance, you may need to think about ending the relationship. Evaluate your plan for ending the relationship and start talking to the right people to make sure your organization can end the vendor relationship securely. Following through with your plan to end the relationship might take more time and resources, but it could be a worthwhile effort to keep your TPRM program in compliance.

    Collaborating with your vendors through due diligence, careful contract negotiations, and remediation plans can be an effective strategy for TPRM program compliance. When you build a culture of compliance that extends to your vendors, your organization’s TPRM program can achieve many benefits, such as satisfying regulators and following your internal standards.

  • Ensuring Compliance & Protecting Your Business: Navigating Risk Management Guidance from OCC, CFPB, FDIC, FFIEC, & DORA

    Written by Supply Wisdom

    It's important to remember that the primary objective of these regulatory bodies is to ensure that you are effectively protecting your business and your customers from unnecessary third-party risks. This approach aligns closely with third-party risk management best practices.

    Key Regulatory Bodies and Their Guidance

    Office of the Comptroller of the Currency (OCC): The OCC's 2013-29 Bulletin outlines essential principles for third-party risk management. Key areas of concern include:

    • Planning: Ensure you have a comprehensive plan to manage third-party relationships.
    • Due Diligence: Evaluate vendors against your organization’s risk tolerance before onboarding.
    • Contractual Expectations and Enforcement: Define and enforce your expectations to limit liability.
    • Ongoing Monitoring: Continuously monitor vendor performance and maintain accountability.
    • Roles and Responsibilities: Assign clear roles and responsibilities within a structured framework.
    • Reporting: Track and document third-party relationships for reporting and analysis.
    • Transitioning: Develop contingency plans for service disruptions and transitions.
    • Auditing: Utilize objective evaluations to assess your processes and tools.

    Consumer Financial Protection Bureau (CFPB): The CFPB emphasizes protecting consumer interests, with guidelines ensuring that financial institutions manage risks effectively to avoid consumer harm.

    Federal Deposit Insurance Corporation (FDIC): The FDIC's risk management guidance focuses on maintaining the stability of the financial system. It requires banks to implement robust third-party risk management practices.

    Federal Financial Institutions Examination Council (FFIEC): The FFIEC provides a framework for financial institutions to assess and manage third-party risks, ensuring compliance and safeguarding operations.

    Joint EU Supervisory Authorities, including the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority, oversee the operational resilience of the EU financial sector. Together, these authorities oversee the Digital Operational Resilience Act (DORA), which mandates that firms:

    • Maintain Strong IT Systems: Ensure systems are resilient against cyber threats.
    • Regular Testing: Conduct regular tests to assess the effectiveness of their IT security measures.
    • Incident Reporting: Implement procedures for reporting significant cyber incidents.
    • Third-Party Risk Management: Extend risk management practices to third-party Information and Communications Technology (ICT) service providers.

    Implementing Effective Third-Party Risk Management

    The scrutiny of the financial services industry, as well as many other industries, continues to increase. It's not enough to simply have a supplier monitoring tool; you must have an effective risk management process, framework, and reporting structure to manage third-party vendors throughout their lifecycle.

    About Supply Wisdom: Supply Wisdom provides real-time alerts and insights to help companies track and mitigate supplier- and location-based risks. Our comprehensive solution supports TPRM processes, including streamlined compliance with regulatory requirements. Contact us for more information or to get started with a free trial. Let us help you develop robust strategies and plans for third-party oversight within your organization.

  • How to Determine Residual Third-Party Risk and Next Steps 

    By Hilary Jewhurst, Head of Third-Party Risk Education & Advocacy at Venminder

    For many, residual risk is a confusing third-party risk management (TPRM) concept, but it’s important to understand how and when residual risk is calculated and its proper utilization in your TPRM program. Residual risk is a vendor’s remaining risk after controls have been applied.

    Determining a residual risk rating is important for two reasons:

    First, it helps determine if you need more or different controls before beginning or continuing a vendor relationship. For example, you might require the vendor to conduct more systems testing or implement more frequent monitoring to mitigate identified issues.

    Second, it helps determine if the residual risk is acceptable. For example, your organization may be willing to accept high residual risks if the vendor is the sole provider of a product or service crucial to meeting your goals. However, if an existing vendor has high residual risk and, after several attempts, fails to provide evidence of sufficient controls, you may decide to discontinue the relationship.

    The Residual Risk Rating Process on Vendors

    Let’s explore the steps to determine and assign a vendor’s residual risk rating:

    Determine inherent risk: There’s always some level of risk with third-party products, services, and relationships. The specific types and amounts of those risks are typically identified during an inherent risk assessment, which considers the vendor’s raw risk, or the level of risk before any controls are applied.

    Conduct due diligence: This involves reviewing and assessing a vendor's risk management practices and controls to mitigate the identified risks and determine if they’re sufficient.

    Review vendor controls: These are systems and measures implemented to detect, prevent, or rectify unwanted events. They’re meant to mitigate the risks in vendor relationships, products, and services and provide reassurance in the risk management process.

    Assign a residual risk rating: The level of residual risk can only be determined after completing due diligence, when a subject matter expert (SME) concludes the review of the vendor's controls and offers a qualified opinion regarding their sufficiency in mitigating the risk. In other words, do the vendor’s controls lessen the likelihood, occurrence, severity, or impact of those risks? Many organizations quantify residual risk with a rating or score, often using the same risk scale as for inherent risk, such as low, moderate, or high.

    Understand your risk appetite: This is the level of risk your organization is willing to accept to pursue its goals and objectives. After determining a vendor’s residual risk, your organization will need to decide if that risk is acceptable or if you need to move on from the relationship.

    Controls can't eliminate a vendor’s risks altogether. Think of it like a seatbelt in a vehicle. Wearing a seatbelt can lessen the likelihood of severe injury or death in an accident. Still, it can't prevent an accident, so additional controls are necessary, such as driving at the appropriate speed limit. Most individuals recognize the risks associated with driving but are willing to take those risks with proper controls in place. That’s the concept of residual risk in a nutshell – are the controls enough to make you comfortable with the remaining risks while pursuing your objectives?

    Calculating a Vendor’s Residual Risk

    You need to know how to calculate a vendor’s residual risk. As a high-level concept, residual risk can be expressed as: Inherent Risk + Controls = Residual Risk.

    To further refine that concept with a calculation, you might consider one of these formulas:

    Residual Risk = Severity × Probability: For example, a vendor accesses, processes, transmits, or stores personally identifiable information (PII). This has a high inherent information security risk because of the potential severity and probability of a data breach. The vendor has strong encryption and data de-identification controls, so if there’s a network breach, hackers won't be able to utilize much of the data, reducing the potential severity of the breach. The vendor also has regular penetration testing and proactively monitors for security events, which can lessen the probability of a breach. Here, the inherent risk is high, but the residual risk is moderate.

    Residual Risk = Threats × Vulnerability: Another vendor also accesses, processes, transmits, or stores PII, and customers can access account data through a vendor-provided mobile app. Data could be accessed through the vendor network and the customer's mobile device, expanding the attack surface and increasing the threat of a breach. A review of the controls shows the vendor doesn't utilize multi-factor authentication, which increases the vulnerability to data theft or cyberattacks. Here, the inherent risk is high and the residual risk is also high.

    There are other formulas organizations use to calculate residual risk. No matter which method you choose, it’s important to document your methodology and use it consistently, so there’s continuity in the decisions made with regard to residual risk ratings.

    Avoiding the Most Common Residual Risk Mistakes in Vendor Risk Management

    The residual risk rating should seldom be used to determine the frequency and intensity of core risk management and monitoring activities. That’s determined by the inherent risk rating. How often risk is re-assessed, the scope and frequency of due diligence, required performance management activities and review cadence, business continuity reviews, and monitoring requirements should all be aligned to the inherent risk.

    This is because controls that are only reviewed at a specific point in time may be effective initially but can become less effective or fail over time. Vendor risks are constantly changing, and external events like industry changes, regulatory updates, geopolitical developments, new technologies, or consumer behaviors are factors that can’t be influenced by a vendor's controls. A high-risk vendor with sufficient controls may have a residual risk rating of moderate, but that should never result in a decreased frequency or intensity of core risk management activities; the risks are still high regardless of the control environment.

    In conclusion, residual risk ratings are best used as post-due-diligence data points to determine if more or different controls are necessary before you can confidently move forward with the vendor engagement and if the remaining risks are within your organization’s risk appetite.

  • TPRA Leadership Ladders: The Benefits of Understanding & Utilizing Leadership Ladders in Career Progression

    “Emily was a mid-level manager in the risk management department of a major financial institution. One day, the company faced a significant challenge: a critical vendor experienced a data breach, exposing sensitive client information. The CEO tasked Emily with leading the Third Party Risk Management (TPRM) response team to address the crisis. Emily had handled vendor assessments before, but this situation required swift and decisive action. She quickly assembled a cross-functional team, including IT, legal, compliance, and communications experts. Emily knew that transparent communication and coordinated efforts were essential. She initiated daily briefings to keep everyone informed and aligned on the response strategy. Emily also reached out to the vendor, establishing an open line of communication to understand the breach's scope and implement immediate risk mitigation measures. Recognizing the need for long-term solutions, Emily led a thorough review of the company's TPRM framework. She identified gaps and proposed enhancements, such as more stringent vendor vetting processes and continuous monitoring systems. Her proactive approach not only mitigated the immediate risk but also strengthened the organization's overall TPRM program. The successful handling of the crisis and the subsequent improvements earned Emily high praise from senior leadership. Her ability to lead under pressure and implement effective risk management strategies led to her promotion to head of the TPRM division.”

    This anecdote highlights how taking charge in a TPRM crisis, fostering collaboration, and driving systemic improvements can propel career growth and demonstrate essential leadership qualities.

    TPRA’S LEADERSHIP LADDERS

    Originally developed by TPRA's Women in TPRM "Lead" work group, “Leadership Ladders” is a training activity designed for all current and aspiring leaders within the Third Party Risk Management (TPRM) industry. Each box on the slides and ladders-style game board is linked to a valuable resource–including customized guides, blogs, videos, quizzes, and more–with the goal of enhancing your leadership potential through buildable skills and expert insights. Any professional, regardless of the stage of their career, can find value in this activity.

    “Leadership Ladders” focuses on the progression of leadership skills, traits, and responsibilities at different levels within an organization. It is a transformative experience that challenges you to evolve and grow.

    DIFFERENT LEADERSHIP LEVELS

    Entry-Level Leadership: Focuses on the initial stage, key responsibilities, and essential skills (e.g., team leadership, basic project management).

    Mid-Level Leadership: Covers the next stage, focusing on more complex responsibilities (e.g., departmental management, strategic planning).

    Senior Leadership: Involves the traits and skills needed at the senior level (e.g., executive decision-making, vision setting).

    Executive Leadership: Focuses on the top-tier leadership level, emphasizing overall organizational leadership and high-stakes decision-making.

    Each of these levels requires a new set of skills and understanding to meet its challenges, focusing on specific responsibilities and collaborative efforts. TPRA’s “Leadership Ladders” can assist with developing those skills no matter what level of leadership you are working towards.

    KEY CATEGORIES UNDER THE TPRA LEADERSHIP LADDERS

    • Core Competencies (Communication, Collaboration, Confidence, Cultivating Relationships, Coaching)
    • TPRM Lifecycle
    • Budgeting
    • HR Process
    • Boundaries
    • Driving Strategy & Influencing Change
    • Navigating Executive Leadership Discussions
    • Crucial Conversations
    • Mentorship
    • Public Speaking & Getting Published

    LEADERSHIP LADDERS PLAY A CRUCIAL ROLE IN CAREER DEVELOPMENT FOR SEVERAL REASONS

    Structured Progression
    Clear Pathways: Leadership Ladders provide a clear roadmap for career advancement, helping individuals understand the steps required to move up within an organization.
    Goal Setting: They enable employees to set specific, achievable goals for their career progression, making it easier to track and measure success.

    Skill Development
    Targeted Learning: Different levels on the Leadership Ladders require different skills. By understanding these levels, individuals can focus on developing the necessary skills for their current and next roles.
    Continuous Improvement: Leadership Ladders encourage a mindset of continuous learning and improvement, essential for personal and professional growth.

    Increased Engagement and Retention
    Motivation: Clear pathways for advancement can increase motivation and job satisfaction, as employees see tangible opportunities for growth.
    Retention: Organizations with well-defined pathways to leadership often experience lower turnover rates, as employees are more likely to stay when they see potential for career advancement.

    Effective Succession Planning
    Preparation for Leadership: Leadership Ladders help organizations identify and prepare future leaders, ensuring a smooth transition when current leaders retire or move on.
    Consistency: They help maintain organizational continuity by ensuring that new leaders are well-prepared and aligned with the company's culture and values.

    Enhanced Organizational Performance
    Better Leadership: As employees move up the ladder, they bring enhanced skills and experience to their roles, leading to more effective leadership and improved team performance.
    Strategic Alignment: Leadership Ladders ensure that individuals at all levels understand and align with the organization's strategic goals, leading to more cohesive and focused efforts.

    Personal Growth and Fulfillment
    Self-Awareness: Working through the Leadership Ladders activity requires self-assessment and reflection, helping individuals understand their strengths and areas for improvement.
    Achievement: Successfully progressing through the Leadership Ladders activity provides a sense of accomplishment and personal fulfillment, contributing to overall well-being.

    Competitive Advantage
    Attracting Talent: Organizations known for their strong leadership development programs are more attractive to top talent.
    Market Positioning: Effective leadership at all levels enhances an organization's reputation and competitive positioning in the market.

    In summary, Leadership Ladders is valuable for both individuals and organizations. It provides a structured approach to career development, promoting skill growth, increased engagement, and retention. It can also help facilitate effective succession planning, enhance overall performance, and contribute to personal fulfillment. For organizations, it is a key tool in building a robust leadership pipeline and maintaining a competitive edge.

    CHECK IT OUT

    We encourage you to assess your current leadership level and work towards the next. Have fun and expand your knowledge: https://www.tprassociation.org/leadership-ladders – play TPRA’s thought-provoking Leadership Ladders game, enriched with additional resources such as videos, interviews & quizzes, and whitepapers.

  • Challenges in Managing Fourth- and Nth-Party Risks and Solutions

    Managing third-party risks can be a complex task. With a changing regulatory and technological landscape, even experienced professionals find it challenging to stay on top of evolving risks. In addition to these difficulties, there are also risks associated with fourth parties – the vendors of your vendors. These additional parties can add another layer of complexity to third-party risk management (TPRM). Managing fourth and nth parties isn’t the easiest skill to master, but one that’s necessary to gain a broader understanding of your organization’s risk landscape. The good news is that there are a few best practices that can help. Once you know how to identify, assess, and manage your fourth and nth parties, your overall TPRM program will be much more effective.

    Challenges in Managing Fourth- and Nth-Party Risks

    Fourth parties are the vendors that have a direct contract with your third parties, while nth parties are essentially all the vendors of your fourth parties and beyond. As you can imagine, these degrees of separation can create many challenges when it comes to managing risk, such as:

    No choice – With few exceptions, your organization generally can’t choose your fourth or nth parties. In some cases, your third parties may have a different risk appetite than your organization regarding a particular vendor. This might create a situation where you decline working with a third party because of its vendor inventory.

    No direct relationship – Your organization has no direct relationship with fourth and nth parties, which means you likely can’t perform TPRM practices, like risk assessments, due diligence, and ongoing monitoring. These practices must instead be performed by your third parties. Organizations often have little to no influence on how nth parties respond.

    No contract – Since your organization doesn’t have a direct relationship with a fourth or nth party, there’s no contract to protect the organization from risk. Without a contract, there’s also no leverage to manage fourth parties’ performance or set any expectations around service level agreements (SLAs) and data breach notifications.

    No due diligence – Managing fourth- and nth-party risks is especially challenging when you don’t have the ability to perform due diligence. Fourth and nth parties typically don’t provide documentation unless an organization has a direct contract. Your organization may have a high-level view of nth-party risks, but many details will still be unknown.

    Solutions to Managing Fourth- and Nth-Party Risks

    When your organization has no direct relationship and no leverage to perform risk management activities, it can seem almost impossible to manage fourth- and nth-party risks. However, there are still practices to implement to mitigate the risks. The most effective strategy is to manage risk through your third parties, with whom you do have leverage. Here are five solutions to manage your fourth and nth parties:

    1. Require transparency – Third parties should be required to disclose which of their vendors have an impact on your organization. These vendors might access sensitive information or be essential to your third party’s operations. Your organization should essentially identify your third party’s critical vendors. Fortunately, these critical vendors will be listed in the third party’s SOC report. Focusing on critical fourth parties is a much easier solution than trying to create a complete list of every fourth and nth party.

    2. Review TPRM practices – Since you can’t manage fourth- or nth-party risk directly, it’s important for your third parties to have effective TPRM practices in place. When reviewing due diligence and monitoring your own third parties, you’ll need to evaluate how they manage their vendors’ risk. Make sure your third parties are performing their TPRM activities effectively and consistently.

    3. Leverage contracts – When onboarding a new vendor, there are a few ways to use the third-party contract to manage fourth-party risk and beyond. Consider adding contractual provisions that obligate third parties to manage their vendors through SLAs, data breach notifications, and a right to audit. This will ensure third parties are following the same TPRM best practices as your organization.

    4. Manage any issues – Suppose you discover your third party doesn't assess their vendors, verify controls, or monitor risks. When issues arise, communicate with the third party and amend the contract, if possible, to require stronger TPRM practices. Any issues should be documented through remediation and reported to senior management and the board.

    5. Reconsider the relationship – There will always be some level of fourth-party risk in third-party relationships, so your organization needs to determine for itself what’s acceptable. Depending on your organization’s risk appetite, strategic goals, and other factors, you may decide it’s best to reconsider the third-party relationship. This can mean either selecting a different third party during onboarding or proceeding with your exit strategy if you’ve signed the contract.

    Managing fourth- and nth-party risk can be complex. While you may not have a direct relationship or contract with fourth parties, it’s crucial to ensure your third parties are transparent about their third-party relationships and have robust third-party risk management practices. Your organization needs documented evidence from your third parties of fourth-party risk assessments, due diligence, and monitoring to ensure your third parties are managing their vendors safely. This visibility will give your organization confidence in the appropriate management of fourth-party vendors.

  • Taking a Risk-Based Approach to Procurement: The Importance of Executive Buy-In

    It’s time for executives to rethink the role procurement professionals hold in organizations, and this shift is critical to reducing organizational risk, boosting resilience, and increasing return on investment (ROI). While the traditional approach to procurement centered on margin impact and managing suppliers from an operational perspective, there is an evolution taking place requiring forward-thinking organizations to focus on the long-term strategy and impacts that the role is playing in today's world.  This increased recognition of the vital position of procurement is seen across all industries, and according to Deloitte Insights ,  “CPOs are successfully navigating… complexities while delivering across a greater breadth of KPIs. Although they are still heavily focused on costs, they have expanded their value propositions to influence demand, drive innovation, and work closely with strategic suppliers and partners to foster commercial compliance, increase speed to market, accelerate M&A integration/divestiture programs, and drive continuous improvement.” Deloitte Insights  There are high-stakes risks that necessitate procurement’s shift to a more holistic strategy. However, without the buy-in and support of executives, these initiatives can lose momentum and support.  Why a Risk-Based Approach to Procurement?  No longer can procurement departments solely serve cost-savings functions. They must also be aware of risks introduced by key suppliers and be provided with the appropriate tools and technology to proactively manage them before major losses or breaches occur.   Heightened risk areas that are leading this necessary shift in procurement’s functions include:  Isolated or siloed procurement functions:  Traditional procurement departments were de-centralized from the larger organization and focused on transactional, short-term initiatives. Organizations that still exemplify these silos face challenges when it comes to managing risks from all angles. 
Driving collaboration and strategic initiatives between departments from the top down is a best practice for eliminating these silos, while still managing a daily workload of financial responsibilities.   Elevated third-party risks:  Third-party risks are rising, and can take the forms of cyber-attacks, supply chain delays, components shortages, sustainability challenges, and more. While the incidences of these events rise, organizations are increasingly being held accountable, and procurement plays a critical role in managing vendor relationships.   A multitude of unorganized, decentralized data points:  Procurement professionals deal with a huge amount of data related to personnel, financial, operational, regulatory, contractual, and more. When this type of information is stored on different platforms, inconsistent, incomplete, or managed by different teams, procurement cannot gain proper insight into potential external risks facing the organization.  Transforming Chaos into Clarity  As the role of procurement has evolved, procurement professionals are moving from transactional managers to strategic relationship managers, focusing on developing and managing a wide variety of data points across all aspects of their supplier relationships.    In order to understand the riskiness of suppliers and third parties, procurement professionals need to wade through all of this information with efficiency and ensure alignment with both company strategies and global regulatory mandates. To do this, third-party risk management software needs to be available that provides centralization of data, full visibility, and documentation for audit trails. Procurement needs to play a key role in managing and utilizing this software in order to monitor vendor relationships and performance.  
In addition, it is imperative that procurement maintains healthy, collaborative internal relationships to ensure that organizational teams such as IT, compliance, finance, and sustainability are well informed, have real-time visibility into potential risks, and are able to sustain positive working relationships with suppliers.

Areas Where Executives Can Assist Procurement

Without buy-in and support from executives and key stakeholders, procurement teams will not be able to make holistic risk management improvements. While not everything will be implemented immediately, there are general aspects of agility that should be on procurement’s and executives’ agendas, including:

• Empowerment and a culture shift: Perhaps the most important area to undertake is to embrace the power that procurement holds within an organization. In the years since the pandemic, CPOs and their teams have protected their organizations, and executives should continue to take notice of these critical functions. Procurement should be empowered to include themselves in company strategy and the products that matter, build teams to better combat emerging risks, and find ways to drive positive change.

• Thinking holistically: To take TPRM beyond a single function and into holistic areas for acceleration, CPOs should be empowered to focus on their collaboration and influence across job functions, not just on the spend relationship. Being involved in the entire third-party/supplier relationship management process ensures agility. This allows prioritization of suppliers who may pose a higher risk to the organization, rather than relying on a one-size-fits-all procurement strategy that may allow risks to fall through the cracks.

• Company strategy: By shifting the primary focus to long-term initiatives and goals, procurement professionals can gain a greater foothold in wider organizational strategy. This includes determining risk management priorities and working with risk, legal, executive, and other teams to better manage supplier onboarding, relationships, and risks. By being in tune with company strategy and thinking of procurement activities from a risk-based approach, procurement teams step out of the shadows and into more collaborative roles.

• Digital transformation: A key step is to build scalable practices rather than one-off pilot programs. By prioritizing data cleanup and investment in TPRM tools that build centralization and efficiency, CPOs can work with executives to see positive impacts across the organization that support overall risk management. If there are challenges with incorporating digital procurement technology into an organization, gaining executive sponsorship is a critical way to garner support and investment in the tools that will manage procurement and supplier data. Emphasizing both short- and long-term goals and wins, and how these technologies will drive organizational resiliency and agility, can be critical when approaching executives.

• Environmental, Social, Governance (ESG) urgency: The magnitude of ESG regulations and compliance is reshaping how organizations manage suppliers, affecting not only procurement but also legal, compliance, and risk functions, executives, and more. With concerns such as climate change, eliminating human trafficking and modern slavery from supply chains, and identifying and eliminating corruption, procurement must work with executives to take a driving role in ensuring that third-party vendor relationships are compliant and ethical.
Shifting Company Culture for Procurement Success

Maintaining healthy supplier relationships is not just about onboarding; it must also include managing the risk, quality, and performance of suppliers and assuring compliance where needed, while still owning the transactional responsibilities that are at the foundation of this role.

The procurement team is the bridge between the enterprise and the extended enterprise: the organization and its suppliers. No one knows suppliers as intimately as procurement. They, like no other function, can make predictive connections between their suppliers and the risks they may pose to the enterprise. In addition to mitigating risk, procurement has the unique opportunity to drive innovation for the enterprise by partnering with suppliers to identify new products, materials, capabilities, and offerings.

In order to manage these responsibilities, drive efficiency, and take a risk-based approach to procurement, executives within a company need to recognize procurement’s strategic value to the organization. They must step up to establish an organization-wide culture that empowers procurement to be a driver in managing the full lifecycle of their organization’s supplier and third-party relationships.

Aravo provides centralized, automated TPRM solutions to help procurement and other risk teams proactively manage risks and build resilience throughout their organizations. To learn more, speak with one of Aravo’s experts today.

Author Info:

Hannah Tichansky is the Senior Content Marketing Manager at Aravo Solutions, the market’s smartest third-party risk and resilience solutions, powered by intelligent automation. At Aravo, she manages all content and thought leadership produced for products and campaigns and contributes as an author for articles and blog posts. Hannah has over 13 years of writing and marketing experience, with 7 years of specialization in the risk management, supply chain, and ESG industries. Hannah holds an MA from Monmouth University and a Certificate in Product Marketing from Cornell University.

  • TPRM State of the Industry: The 2026 Risk Reality Check

As 2025 winds down, one thing is clear: risk has become borderless. Third party risk, supply chain risk, cyber risk, and compliance risk no longer live in separate silos; they’re converging into a single, fast-moving current that touches every part of the enterprise. For third party risk management (TPRM), supply chain risk management (SCRM), cyber, procurement, privacy, finance, and compliance teams alike, 2025 delivered a mix of wake-up calls and opportunities. As we head into 2026, the “state of the industry” is best summed up as: interconnected, complex, and constantly tested.

The Expanding Webs of Dependency

Organizations rely on more third parties than ever before, often hundreds or thousands. But those third parties, in turn, rely on their own network of sub-vendors and service providers. The result? A risk ecosystem that’s far deeper than most teams can see.

In a blog from Supply Wisdom, one of their “Top 10 Predictions for TPRM in 2025” was the rise of Nth party accountability (e.g., the risk of sub-vendors and deeper tiers) becoming a business and regulatory priority. They further noted that organizations are shifting from static third party risk assessments to real-time, continuous monitoring of third parties and their locations.

According to AuditBoard’s TPRM Trends for 2025 report, “growing dependency on third parties – intensified by AI adoption – has expanded not only the number of vendors but the array of related risks.”

In other words, we’re not just managing third party risk anymore; we are managing ecosystem risk. And that ecosystem often extends three, four, even five tiers deep.

Implication for 2026: TPRM and procurement must move beyond static third party lists to achieve true supply chain visibility. Continuous monitoring and Nth-party mapping are no longer “nice to haves”; they are the new foundation of resilience.
Supply-Chain Risk is the New Normal

“Supply chain disruptions are no longer rare – they’re the new normal,” warned Willis Towers Watson in its Global Supply Chain Risk Report 2025. From geopolitical tensions and shipping disruptions to raw-material shortages and climate events, 2025 reminded us that a supplier’s risk is our own.

The Organisation for Economic Co-operation and Development (OECD) recently cautioned that aggressive reshoring efforts, while intended to strengthen supply chains, could reduce global trade and GDP by up to 12% in some regions. That means even “localization” has global consequences.

What this means for SCRM and TPRM teams:

• Collaboration between supply chain and cyber risk teams is essential.
• Third party onboarding should include resilience indicators such as alternate sourcing, regional exposure, and operational continuity.
• Organizations should scenario-test by performing table-top exercises: What happens if a key supplier is hit by a regional conflict or climate event?

The Cyber Visibility Gap

While awareness of supply-chain cyber risk surged in 2025, action is still lagging. SecurityScorecard’s 2025 Supply Chain Cybersecurity Trends report found that 88% of organizations are concerned about supply-chain cyber risk, yet 79% say less than half of their Nth party suppliers are covered by a cybersecurity program. That gap is where incidents happen. And they did. Several 2025 cyber events, including ransomware attacks targeting software providers and managed-service platforms, illustrated how one vendor breach can ripple across thousands of customers.

For CISOs and cyber teams, the perimeter now extends far beyond internal networks. For privacy, finance, and compliance leaders, supply chain breaches mean real financial, legal, and reputational consequences.

Takeaway: The old model of annual third party assessments can’t keep up. Continuous cyber monitoring and contractual visibility into sub-vendors must become the norm.
The AI Shift: Power, Promise & Peril

Artificial intelligence is rewriting the risk landscape, and not always in predictable ways. IBM’s Cybersecurity Predictions for 2025 identified “shadow AI” (unsanctioned generative-AI use) as a growing enterprise threat. At the same time, AI-powered tools are transforming due diligence, anomaly detection, and vendor monitoring.

In June 2025, the Reserve Bank of India issued a warning about the “systemic threat from vendor lock-ins” and called for AI-aware defense and zero-trust frameworks across financial institutions.

According to Venminder’s State of Third-Party Risk Management 2025 survey, nearly 49% of organizations experienced some type of third party cyber incident in the past 12 months. In that same report, 40% of those organizations had added third party contract language addressing AI risk, reflecting rising concern over third party AI use.

The lesson: AI is both a risk accelerator and a resilience enabler.

For 2026:

• Third party due diligence must now include assessment of AI use, data inputs, and governance controls.
• Model Risk Managers, Procurement, Legal, and Compliance should align with TPRM to ensure contract language addresses AI transparency and model risk.
• Cyber and privacy teams must evaluate third party identity controls and data-handling practices in AI workflows.

Macro Risk and the Global Context

Beyond technology, 2025 underscored how geopolitics, economics, and the environment intersect with third party risk. The World Economic Forum Global Risks Report 2025 lists conflict, trade wars, and technological polarization among the top medium-term global threats. Meanwhile, inflation and interest-rate volatility continue to squeeze third party liquidity, and climate-related disasters disrupt logistics and critical materials.

For TPRM, SCRM, finance, and compliance leaders, the message is simple but sobering: your third party ecosystem doesn’t exist in isolation.
It is exposed to the same global shocks as you are, and often more so.

Action Steps: Build macro-risk stress-testing into your TPRM program by asking yourself:

• “If a key supplier were sanctioned tomorrow, how would we respond?”
• “If extreme weather wiped out a regional facility, what is our backup plan?”

Organizational Readiness and the Integration Imperative

Even as risk complexity rises, many TPRM programs remain under-resourced and siloed. The SecurityScorecard study found that most organizations “feel confident” in their third party cyber risk management, yet lack visibility into even half their vendors. Confidence without integration is dangerous.

The best-performing organizations in 2025 shared one trait: cross-functional collaboration. Cyber teams partnered with Procurement. Compliance sat at the same table as Finance. Business leaders viewed third party risk as enterprise risk.

For 2026, ask yourself:

• Does our third party risk management lifecycle link directly to risk and compliance processes?
• Are our contracts AI-aware and aligned with data protection requirements?
• Do we have joint playbooks for responding to third party incidents?
• Are we continuously monitoring, not just assessing, our third party ecosystem?

Looking Ahead: 2026 & Beyond

As we enter 2026, expect five defining shifts in third party and supply-chain risk:

• Nth party visibility will move from buzzword to business requirement.
• Real-time monitoring will replace static due diligence.
• AI governance will become a standard third party risk criterion.
• Supply chain resilience will merge cyber, operational, and ESG risk views.
• Regulatory scrutiny will tighten, especially around data privacy, AI, and supply chain transparency.

In short, resilience is the new ROI (return on investment). Every organization’s competitive edge will hinge on how well it manages its interconnected risk ecosystem.

Quick Check: Your 2026 Third Party Risk Readiness

• Do you know your third party sub-vendors?
• Do your contracts address AI, identity, and data governance?
• Can you monitor third party cyber posture continuously?
• Are cyber, procurement, compliance, and finance aligned on third party lifecycle management?
• Are teams all rowing in the same direction, or do you have prideful teammates rowing against reality on a power trip?
• Have you stress-tested your supply chain for geopolitical or climate shocks?

If not, now is the time to act. 2026 will reward the prepared.

Third Party Risk Management (TPRM) is not a compliance exercise; it’s a leadership function (and always has been). As the lines blur between supply chain, cyber, and enterprise risk, the organizations that thrive will be those that break down silos and collaborate across disciplines. The state of the industry isn’t just about where we are; it’s about how we choose to respond. Let’s all choose to lead.

TPRA’s Call To Action: At the Third Party Risk Association, we believe progress happens when professionals connect, share, and lead together. Join thousands of your peers across industries who are shaping the future of TPRM through collaboration, education, and thought leadership. You can get involved through membership, join a working group, volunteer, or partner as a vendor member or strategic partner to help strengthen the global TPRM community. Also, join us at our highly anticipated in-person conference April 20 – 23, 2026 in Denver, CO.

Author Bio

Heather Kadavy, Senior Membership Success Coordinator

Heather Kadavy joined the Third Party Risk Association (TPRA) in 2023 as the Senior Membership Success Coordinator. In recent years Heather has been providing freelance TPRM consulting work to various organizations after retiring from a Nebraska financial institution after nearly 35 years, where she oversaw and managed critical programs of the organization including Third Party Risk Management, Information Security, Physical Security, Safety, Business Recovery, Financial Crimes, Model Risk Management, and Enterprise Risk Management. In her TPRM role she had oversight of over a thousand third party relationships, systems, due diligence reviews, and contract management activities. She developed, facilitated, and implemented training programs for thousands of employees over the years. Heather is a natural-born connector of people and values relationship building as the cornerstone of her career. She encourages you to connect with TPRA and herself via LinkedIn to join in the “TPRM Global Conversation”.
