Search Results
- What is Third Party Risk Management (TPRM)?
Introduction

In this post, we’ll answer the essential question: What is Third Party Risk Management (TPRM)? Drawing from our Third Party Risk Management 101 Guidebook, this blog can be used as a starting point for those who wish to establish, validate, and/or enhance their Third Party Risk Management Program. We’ll introduce you to the foundations of TPRM and why it’s critical for organizations today. We’ll break down the basics, including key definitions, the various types of risk posed by third parties, how to assess and measure these risks, and the first steps to managing and mitigating third party risk exposure. Whether you're new to TPRM or looking to enhance your program, this post will guide you through the essentials.

Definitions

What is a Third Party? For our purposes, Third Party will be broadly defined to include all entities that can or do provide products and/or services to an organization, regardless of whether a contract is in place or money is exchanged. Such entities can include, but are not limited to: affiliates, subsidiaries, consultants, contractors, subcontractors, vendors, service and solution providers, fourth parties, and more.

Historically, organizations procured services from third parties for cost-efficiency purposes. Today, the purpose of procuring third party products and services has greatly evolved. Now it includes, but is not limited to:
  - Outsourcing critical processes
  - Quickly scaling services to reach global markets
  - Focusing on more strategic priorities
  - Reaching niche markets
  - Gaining additional expertise and functionality

As this evolution occurs, the risk and impact posed by third parties to organizations increase. Therefore, Third Party Risk is the possibility of an adverse impact on an organization’s data, financials, operations, regulatory compliance, reputation, or other business objectives, as a direct or indirect result of an organization’s third party.

So, how do you properly mitigate third party risk? By having a strong TPRM program. But what does TPRM entail? Third Party Risk Management (TPRM) is the framework of policies and procedures, controls, governance, and oversight established to identify and address risks presented to an organization by its third parties. A Control is a process and/or activity used to monitor, review, and/or address a specific risk.

What is TPRM?

Third Party Risk Management is not a new concept, but its importance continues to grow due to:
  - The threat landscape growing in complexity
  - Organizations having a greater reliance on third parties to support critical services
  - Digital transformation projects growing in momentum
  - Increasing regulations
  - Environmental impacts

In addition, there has been an increase in regulatory scrutiny of organizations, to ensure they are aware of the risks and impacts their third parties have on them. Gone are the days when organizations could simply attest that they have a compliance program in place. Regulators now require organizations to demonstrate that their third parties have effective controls and compliance programs in place. To ensure that third parties operate securely and effectively, an organization must implement and maintain an effective Third Party Risk Management (TPRM) program to identify, assess, monitor, and mitigate risks related to outsourced data and processes.

Customers, board members, and regulators have significant expectations that organizations will maintain effective TPRM programs. These stakeholders seek assurance that the organization is appropriately identifying and managing third party risks to protect their interests and uphold compliance standards. But what risks specifically should a TPRM program consider?

Potential Risks with Third Party Relationships

Organizations that hire third party services frequently share data and intellectual property with those providers. For our purposes, Organizational Data will refer to all proprietary and restricted data a company holds, processes, and/or secures, including its customers’ personal data. Third parties often access, transfer, manipulate, and store organizational data, which increases the risk for the organization that owns this data. While third parties share some responsibility for protecting this information, the primary responsibility lies with the organization itself. It is crucial for the owning organization to ensure that third parties are properly safeguarding both its data and its customers’ data. An organization is only as strong as its weakest link, which may be a third party.

The risk of engaging with a third party depends on the type of relationship between an organization and the third party, as well as the controls that the third party has in place. While there is no way to completely eliminate the risk of a data breach or verified incident, there are security measures the organization can take to ensure it understands the risk of working with the third party and takes appropriate steps to mitigate it. Failing to properly identify, assess, and manage the risks associated with an organization’s relationships with third parties can lead to significant consequences. It can attract scrutiny from regulators, result in fines and other legal repercussions, and pose serious reputational or financial risks to the organization’s relationship with its customers.

What Types of Risk Are There?

A third party relationship can introduce many different types of risk to an organization. TPRM programs no longer focus only on cyber risk, as there is an increased need to expand their risk view. Now, TPRM programs must review an organization’s financials, operations, and even environmental and social impacts. Social Impacts relate to labor practices, environmental controls, and organizational governance practices. Here are just a few types of risk a third party could present to your organization:
  - Reputational Risk: Results from a negative public view related to dissatisfied customers, interactions not consistent with institutional policies, inappropriate recommendations, security breaches resulting in the disclosure of customer information, and/or violations of law and regulations.
  - Operational Risk: Results from inadequate or failed internal processes, people, and/or systems.
  - Strategic Risk: Results from failing to align strategic goals to business objectives and/or an activity that jeopardizes an organization’s strategic objectives.
  - Transaction Risk: Results from issues with service and/or product delivery, or a third party’s failure to perform as expected by customers. An organization can also be exposed to transaction risk through inadequate capacity, technological failure, human error, and fraud.
  - Financial Risk: Results from a third party’s failure to meet or align with an organization’s monetary requirements and expectations.
  - Cybersecurity Risk: Results from the probability of exposure or loss of organizational data due to a technical failure, event, or incident (including a breach).
  - Environmental, Social, and Governance (ESG) Risk: The risk resulting from an organization's environmental, social, and governance impacts, based on its decisions and daily activities.
  - Compliance Risk: Results from a violation of laws, rules, and regulations, or from non-compliance with internal policies or procedures.

Other types of risk vary based on businesses' use of third parties, the efficacy of third party internal controls, and the locations in which they operate. Organizations must carefully evaluate the controls of their third parties to ensure that risks are avoided, mitigated, shared, transferred, or accepted according to their risk management framework, which is guided by their risk appetite. An organization’s risk appetite refers to the level of risk that it is willing to accept or reject. Every organization possesses a risk appetite, even if it is not formally documented. If your organization doesn’t have a formal risk appetite statement, it’s important to closely monitor the third-party risks that are accepted or overlooked, as these choices can provide an informal understanding of the company’s risk appetite. Essentially, paying attention to how your organization handles these risks can help clarify its risk tolerance.

The Evaluation of Third Party Risk

Assessing third party risks and the controls in place to mitigate those risks is crucial when deciding whether to contract with a third party provider. It also informs how the organization will conduct ongoing monitoring of the relationship. Understanding the nature of the services that the third party will provide is essential to grasping their potential impact on your organization. This knowledge enables businesses to proactively prepare for any challenges that may arise if the third party fails to deliver the promised products or services. The key to effectively leveraging the products and services of a third party, in any capacity, is for an organization to properly identify, assess, mitigate, and monitor the risks associated with doing business with that third party.

There are two types of risk: inherent risk and residual risk.

Inherent Risk

Inherent risk refers to the level of risk associated with a third party product or service. An inherent risk assessment does not consider any third party controls that may be implemented to mitigate these risks. When assessing inherent risk, several factors are considered, including the nature of the product or service offered, the type of data accessed or transferred, the geographical location of the third party, and the financial amount involved. Importantly, it does not include any protective measures the third party may have established to reduce those risks. Inherent risk is usually assessed before conducting any detailed evaluations of the third party. This assessment offers a worst-case scenario of the third party's potential risks if all controls have failed. It helps categorize the third party and determine the required due diligence efforts, as well as the timing of future assessments, based on the level of risk they pose to your organization.

Residual Risk

Residual risk refers to the level of inherent risk that remains after controls have been evaluated and any identified risks have been addressed. This concept gives a clearer understanding of the risk landscape associated with a third party by assessing the adequacy and effectiveness of the controls in place.

Formula for Risk: Risk = Impact of Risk x Likelihood Risk Will Occur

Risk is calculated by multiplying the level of risk (meaning the impact it could have on the organization) by the likelihood that it will occur. The velocity at which risk could occur may also be considered when calculating likelihood.

What to do with Discovered Risks

After an organization calculates the risk associated with a third party, it may choose to accept, remediate, share, transfer, or avoid the identified risk. The following outlines how each of these options functions.
  - Accept: When organizations accept risk, they acknowledge that the potential loss or impact from a risk is at a level that the organization is willing to accept and/or not treat immediately. Risk acceptance should be temporary until the risk can be appropriately mitigated or a secondary control can be put in place.
  - Remediate: To remediate risk, organizations work with a third party to create and implement an achievable action plan to add or enhance controls. Risk remediation can lessen the likelihood of occurrence or the risk's impact on an organization.
  - Share: Risk sharing allows an organization to distribute responsibility for a risk across multiple organizations and/or individuals. This ensures that the impact of the risk isn’t felt by one organization and/or individual alone. Risks can be shared by implementing controls across organizations to address the risk and/or contractually sharing responsibility for the risk's impact should it be realized.
  - Transfer: A risk transfer often occurs in instances where the impact of a risk is high but the likelihood of the risk occurring is low. Organizations can then transfer the risk to another organization, such as an insurance company, that is better suited to handle large-scale risk.
  - Avoid: Organizations can choose to avoid a risk by not taking it on or by avoiding the actions that cause it. From a third party risk perspective, this usually involves disengaging with a third party and/or terminating services.

Regardless of how an organization chooses to address risk, it must first have processes in place to discover and assess it. This is accomplished through the implementation of a strong Third Party Risk Management Program.

Conclusion

In conclusion, Third Party Risk Management (TPRM) is a crucial aspect of ensuring an organization's security, compliance, and overall resilience. As reliance on third parties increases and the threat landscape becomes more complex, implementing a well-structured TPRM program is essential. By identifying, assessing, and managing the various risks presented by third parties—such as operational, regulatory, reputational, financial, and cyber risks—organizations can proactively mitigate potential threats. Through effective TPRM practices, businesses can better protect their operations, maintain regulatory compliance, and preserve their reputation in an ever-evolving risk environment.

Related Resources: TPRM 101 Guidebook; What is TPRM Video
- From Manual to Modern: How to Spot TPRM Processes Ready for Automation
In today’s third party risk management (TPRM) environment, time is a scarce resource, and risk teams are feeling the pressure. As organizations grow their third party ecosystems and regulatory expectations rise, TPRM programs are expected to scale without receiving more people or budget. That’s where automation can help.

But before jumping into technology solutions, practitioners often ask a crucial question: “How do I know what to automate?” Not everything is a good candidate. Some processes rely on deep judgment or require hands-on communication. But others, the repetitive, rules-based, time-consuming tasks, are perfect opportunities to automate and free up your team’s time for strategic risk management activities. Let’s walk through how to spot automation use cases inside your own program, and hear how one risk leader turned hours of manual work into minutes of automated flow.

What Makes a Good Candidate for Automation?

Start with a simple lens. The best automation candidates usually have these qualities:
  - High volume: happens frequently across many third parties
  - Repetitive: same steps followed every time
  - Rule-based: decisions based on set criteria or logic
  - Low variation: minimal case-by-case customization
  - Trackable: easily measurable in terms of success or failure

If you’re doing a task over and over, and it doesn’t require nuanced human decision-making, it’s probably a strong automation candidate.

Common TPRM Automation Use Cases

Here are some of the most common areas where automation delivers real value:
  1. Initial Third Party Intake & Risk Tiering: Automating the intake form and feeding third party and business owner responses directly into a tiering model saves time and reduces manual scoring errors. You can set rules to automatically assign low, medium, or high risk based on responses like data sensitivity or criticality.
  2. Due Diligence Questionnaire Distribution: Rather than tracking who received which questionnaire, use automation to send the right assessment based on third party type and level of risk, trigger reminder emails, and flag when a response is overdue.
  3. Policy & Document Collection: Stop chasing third parties manually for SOC reports, insurance certificates, or data mapping. Use tools that auto-request documents, validate expiration dates, and flag missing documents before you notice.
  4. Issue Remediation Workflows: If a third party fails a control assessment, automation can generate a ticket, assign it to the right risk owner, and send periodic follow-ups until it’s resolved or escalated.
  5. Continuous Monitoring: Set thresholds and rules so that alerts from external monitoring platforms are filtered, prioritized, and routed to the right business owner and/or third party. Not every continuous monitoring alert needs to land in your inbox.

Real-World Example: Automating Third Party Risk Tiering

Case Study: Financial Services TPRM Team (Mid-Sized U.S. Bank)

A TPRM team supporting over 1,000 third parties struggled to keep up with onboarding. Each third party was manually risk-tiered by reviewing spreadsheets, pasting data into a scoring tool, and then having it double-checked by a second analyst. “It was taking us 2 to 3 hours per vendor, just to assign a tier,” the risk lead told us.

By implementing an automation workflow using a TPRM platform, they built a rules engine tied to their intake questionnaire. Now, as third parties fill out intake forms, their answers auto-feed into a tiering model based on categories like access to sensitive data, cloud usage, and financial impact. The automation generates a tier instantly, flags high-risk vendors for human review, and logs everything for audit readiness.

Result:
  - Manual effort dropped from 3 hours to under 10 minutes
  - Analyst hours saved = ~50/month
  - More consistent tiering = stronger regulator confidence

How to Identify Automation Opportunities in Your Program

Start simple. Ask yourself and your team:
  - What process eats up the most time?
  - Are there tasks we do the same way every time?
  - Where do errors or delays occur?
  - What are we manually tracking in Excel or email?
  - What do we wish we had more time for (but don’t)?

Then, map out the steps. If you can diagram it on paper, chances are you can automate it.

Avoid These Common Pitfalls

Before automating, take these precautions:
  - Don’t automate a broken process. Fix inefficiencies first.
  - Avoid black-box logic (a system or algorithm whose internal workings are not easily understood or accessible to the user). You still need visibility and traceability.
  - Keep humans in the loop for judgment calls or escalations.
  - Test in small batches before going wide.

Final Thought: Start Small, Scale Smart

You don’t need a full digital transformation to begin automating. Choose one use case, something your team is tired of doing manually, and experiment. Measure the time saved. Show impact. Remember, in TPRM, every minute you save on manual administration is a minute you can spend mitigating actual risk.

Author Bio

Heather Kadavy, Senior Membership Success Coordinator

Heather Kadavy joined the Third Party Risk Association (TPRA) in 2023 as the Senior Membership Success Coordinator. In recent year(s) Heather has been providing freelance TPRM consulting work to various organizations after retiring from a Nebraska financial institution after nearly 35 years, where she oversaw and managed critical programs of the organization including Third Party Risk Management, Information Security, Physical Security, Safety, Business Recovery, Financial Crimes, Model Risk Management, and Enterprise Risk Management. In her TPRM role she had oversight of over a thousand third party relationships, systems, due diligence reviews, and contract management activities. She developed, facilitated, and implemented training programs for thousands of employees over the years. Heather is a natural-born connector of people and values relationship building as the cornerstone of her career. She encourages you to connect with TPRA and herself via LinkedIn to join in the "TPRM Global Conversation".
- Why Automate Sanctions Monitoring?
"Why Automate Sanctions Monitoring?" is a one-page infographic that outlines how automation improves the accuracy, speed, and consistency of sanctions screening. It highlights key automation capabilities such as continuous third party monitoring, executive and ownership screening, and automated flagging workflows. These features help organizations stay compliant with evolving global regulations, reduce the burden of manual checks, and quickly identify potential compliance risks. Use this infographic as a reference to better understand where automation fits in your TPRM process and how it can strengthen your overall compliance strategy.
- Creating a TPRM Budget
"Creating a TPRM Budget" is a one-page infographic that provides a sample budget format to help risk management teams build and present a clear, effective budget. It outlines the essential components of a TPRM budget, including cost avoidance, operational resilience, return on investment (ROI), measurable key performance indicators (KPIs), and multi-year forecasting. By using this framework, organizations can showcase the value of their TPRM program, align with strategic goals, and gain executive buy-in for future investments. Download the infographic to use as a quick reference and support your next TPRM budget presentation.
- Establishing Accountability in Third Party Risk Management
This resource, Establishing Accountability in Third Party Risk Management (TPRM), provides a concise yet powerful framework for embedding accountability into TPRM programs. Built around the Three Lines of Defense model introduced by the Institute of Internal Auditors (IIA), the guide highlights how operational management, risk/compliance functions, and internal audit each play a distinct but interconnected role in protecting the organization from third-party risks. It outlines:
  - First Line (Operational Management): Frontline teams managing vendors and risks directly.
  - Second Line (Risk Management & Compliance): Dedicated teams ensuring oversight, building policies, and supporting consistent risk management practices.
  - Third Line (Internal Audit): Independent assurance to evaluate effectiveness, verify compliance, and recommend improvements.

The resource emphasizes that effective TPRM is not just about tools and processes, but about making accountability part of organizational culture. With clear responsibilities and a strong governance structure, TPRM professionals can drive transparency, reduce risk exposure, and enhance resilience. This downloadable guide is designed for any TPRM practitioner seeking a quick-reference tool to strengthen accountability within their programs.
- Budgeting for Third Party Risk Management (TPRM)
This blog was inspired by the presentation by Julie Gaiaschi, CEO & Co-Founder of TPRA, at TPRA’s September 2024 Practitioner Member Meeting. (To watch the full presentation, TPRA Members can visit our On-Demand Webinars page and navigate to the September 2024 meeting recording.)

In Third Party Risk Management (TPRM), establishing a thorough and well-structured budget allows teams not only to support their program’s current needs but also to plan for future maturity efforts. A budget can also show the value TPRM brings to your organization. This is important because it allows executives to understand what you are doing, where you plan on going, and the return on investment (ROI) when you get there. So, how do you go about developing a strategic TPRM budget? In this blog, we will cover:
  - Demonstrating Your TPRM Program’s Value
  - Key Budget Considerations (Resources, Operations, Travel, Program Maturity, Tools)
  - Sample Budget Format

Demonstrating Value

It is important to first demonstrate the value of your TPRM program to executives. There are many ways to demonstrate the value of your program and team in order to receive executive support on the TPRM budget. This ensures they understand the program's importance and the return on investment the organization receives from funding the TPRM program.

To start, articulate the value of mitigating third party risks, such as protecting sensitive data, ensuring operational resilience, and minimizing financial and reputational impact. Then, tie in how the TPRM budget aligns with the organization’s strategic goals, like reducing risk exposure, ensuring compliance, and maintaining business continuity. It is important to share how the TPRM budget aligns with the organization’s goals, to ensure buy-in and support. Note that the TPRM program does not relate to the main organization-wide activity and is everyone's responsibility.

Next, show how the budget is allocated based on the level of risk posed by different third party relationships. High-risk vendors (e.g., those with access to sensitive data or critical systems) may require more scrutiny and more investment. You will also want to discuss the evolving risk environment, including cybersecurity threats, regulatory changes, and geopolitical factors, as well as how this influences the allocation of resources in the TPRM budget.

Another aspect to highlight is the potential financial consequences of failing to manage third party risks, such as regulatory fines, penalties, or breach-related costs. You can include considerations for the costs associated with responding to third party-related incidents, such as legal fees, forensic investigations, and customer notification processes. If incident response costs are included in a different budget outside of TPRM, then note that, as incident response is a big piece of managing risks.

You may also want to provide benchmarking data to show how the organization’s TPRM budget compares to industry peers. This can justify the budget request and demonstrate that the organization is staying competitive in its risk management approach.

Lastly, discuss how the budget reflects the organization’s risk appetite and tolerance. Highlight the balance between cost and the need for adequate risk mitigation measures to protect the organization from potential third party-related failures. Be sure to provide examples of how the organization can optimize costs by focusing on the most critical third party risks and leveraging tools to reduce manual workload.

Key Budget Considerations

After you’ve demonstrated your program’s value to the organization, it’s now time to create your formal TPRM budget. Items to consider include, but are not limited to:
  - Resources are centered around current and future employees, or contractors, as well as the costs associated with training them. You may also want to note if pieces/parts of the program will be allocated to other departments (which should also have a budget for risk assessment activities), as well as the cost savings associated with the allocation for your department.
  - Operations include costs associated with daily tasks and running the TPRM program (such as variable and fixed costs). This also includes costs associated with regulatory compliance and incident response.
  - Travel can include costs associated with onsite visits, disaster recovery testing, disengaging with a third party, and other travel required. Travel costs can also include responding to incidents with in-person meetings.
  - Program Maturity includes costs associated with required TPRM program enhancements, and what is needed to get there. Program maturity is important because while your budget says what you want to do, program maturity can show your executives where you are headed. You can note what process enhancements you are looking to make and how those enhancements will improve your program.
  - Tools include budgeting for TPRM program automation. You can also estimate the cost savings a tool (or tools) will bring to your organization. Specific tool types you will want to consider include, but are not limited to, Governance Risk Compliance (GRC) tools, TPRM platforms, risk rating/risk intelligence tools, and TPRM services (such as consultants).

Sample Budget Format

Your budget should detail the value your TPRM program brings to the organization, the return on investment, and enhancements you wish to make to continuously improve program activities. Below is an example budget format that can be leveraged.
  - Executive Summary: Briefly explain the purpose of the TPRM budget, aligning it with the organization’s strategic goals and objectives. This should highlight why TPRM is essential to mitigating risks and ensuring compliance.
  - Value of TPRM to the Organization: Here is where you can explain how the TPRM program aligns with and supports key business objectives, such as safeguarding the organization’s reputation, maintaining compliance with regulations, and protecting against supply chain disruptions.
  - Cost Avoidance: Provide examples of how TPRM has helped avoid costly incidents, such as data breaches, regulatory fines, or business disruptions. This can be a bit harder to identify or call out, but it does paint a clearer picture for the board and executives.
  - Operational Resilience: Highlight how the program ensures the stability of operations, particularly in managing critical vendors.
  - Return on Investment: Share how the TPRM program is providing value to the organization by comparing the cost of managing third party risk to the potential financial damage avoided, similar to operational resilience.
  - Budget Breakdown: Include a detailed breakdown of your budget, including any budget subcategories.
  - Key Performance Indicators (KPIs) & Metrics: Lay out specific KPIs to measure the success of the TPRM program and the effectiveness of the budgeted items. Include metrics that show how the program is reducing risk exposure, such as lower incident rates, reduced financial impact from third party risks, or improved risk scores from third party risk management platforms.
  - Risk Assessment & Mitigation: Note potential risks to the TPRM program itself, such as lack of resources or budget constraints, and how they will be mitigated. Clearly explain the risks of underfunding the TPRM program, such as increased vulnerability to cyberattacks, compliance failures, or vendor disruptions.
  - Multi-Year Budget Forecast: Highlight potential areas for future investment, such as automation, artificial intelligence, or additional personnel to manage an increasing number of third party relationships.
  - Conclusion: Reinforce the critical role of TPRM in protecting the organization and mitigating vendor risks. Provide a clear and concise summary of the budget request, linking back to the strategic goals and value brought by the program. Then, ask for approval of the budget and support for any key investments highlighted in the report.

Conclusion

A well-crafted TPRM budget not only justifies the costs associated with managing third party risks, but also positions your program as a strategic asset to the organization. By clearly demonstrating how the budget supports business objectives, mitigates risks, and provides a solid ROI, you create a compelling case for continued and increased support. The insights and structure provided ensure that executives understand the critical role TPRM plays in protecting the organization, thereby making it easier to secure the resources needed for long-term success.

Additional Resources TPRA Offers: TPRM 101 Guidebook; TPRM Tools Site; Service Provider Profiles

Resources TPRA Offers to Members: Request for Proposal (RFP) Site; The Business Case for Third Party Risk Management (TPRM): A Starting Point for Senior Leadership
- The Business Case for Third Party Risk Management (TPRM): A Starting Point for Senior Leadership
by Third Party Risk Association & Shared Assessments As part of our ongoing support to the large global community of third-party risk practitioners and programs, the Third Party Risk Association (TPRA) and Shared Assessments have together prepared The Business Case for Third Party Risk Management (TPRM): A Starting Point for Senior Leadership . At a time when many firms are planning and finalizing their annual budgets, our two organizations developed this basic guidance for senior executives and board members to encourage them either to launch new or to mature legacy third-party risk programs in the coming year. Working with hundreds of companies and thousands of risk professionals globally, our two membership organizations bring decades of collective experience with third-party risk management, including what regulators and clients routinely expect from such programs. We hope that our combined experience will help the vast and growing audience of TPRM professionals and programs gain or expand the leadership commitment and budgets they need to improve their ability to protect their firms, their clients, and the related assets they are working to safeguard. Download Now!
- Addressing Third Party Insurance Risk
This blog was inspired by the meeting facilitated by Julie Gaiaschi, CEO & Co-Founder of TPRA, at TPRA's November 2024 Practitioner Member Roundtable. (To watch the full presentation, TPRA Members can visit our On-Demand Webinars page and navigate to the November 2024 meeting recording.)

With insurance risk, it is crucial to evaluate whether coverage exists and if it can protect against potential liabilities. Furthermore, understanding the types of coverage available and the appropriate limits ensures that your organization is protected against unforeseen events. How can you evaluate coverage types and limits to ensure they align with your risk tolerance and provide the necessary safeguards?

In this blog, we will cover:
- Addressing Insurance Risk
- What is Insurance
- Insurance Risk
- What To Evaluate
- Insurance Types & Limits

What is Insurance

The primary purpose of insurance is to mitigate the financial impact of unforeseen events or risks, providing individuals and businesses with a sense of security and stability. It is a transfer of financial risk when the likelihood of a risk occurring is low but the impact is high. If a third party is critical or high-risk to your organization, its insurance requirements should be specified in the contract. There should be a pre-contract evaluation of the insurance coverage and policies held by a third party to ensure they have adequate coverage to mitigate potential risks and liabilities. This assessment aims to confirm that the third party's insurance meets your organization's expectations, risk methodology, and risk appetite, while also ensuring adequate protection for both parties in case of unforeseen events.
Insurance Risk

There are many different types of insurance risk that can occur, including but not limited to:
- Insufficient Insurance Coverage
- Lapse in Insurance Coverage
- Irrelevant Coverage
- Lack of Umbrella or Excess Liability
- Out of Compliance w/ Contractual Requirements
- Changes to Policy Terms and/or Limits
- Failure to Address Emerging Risks

What To Evaluate

Evaluating a third party's insurance involves examining several factors to ensure their policies meet your organization's requirements and mitigate potential risks effectively. Below, you can read about the key aspects to consider during this evaluation.

- Coverage Types: Evaluate the types of insurance coverage the third party holds, such as general liability insurance, professional liability insurance, cyber liability insurance, product liability insurance, workers' compensation insurance, and more.
- Certificate of Insurance (COI): Obtain and review the third party's Certificate of Insurance to verify the details of their coverage, including policy numbers, effective dates, coverage types, and limits.
- Coverage Limits: Assess the coverage limits of the insurance policies to ensure they are sufficient to cover potential losses or liabilities that could arise from the third party's actions.
- Scope of Coverage: Review the policy language to understand the scope of coverage, exclusions, and limitations of the insurance policies.
- Effective Dates: Determine the renewal and cancellation terms of the third party's insurance policies to ensure continuous coverage during the contract period.
- Additional Insured: Determine if your organization is named as an additional insured party on the third party's insurance policies. This provides your organization with coverage under their policies for specified liabilities.
- Subcontractor Coverage: Assess whether the third party's insurance extends to cover subcontractors or vendors that they may engage for services related to your business relationship.
- Coverage Gaps: Identify any gaps in coverage that could leave either party exposed to risks that are not adequately addressed by the third party's insurance.
- Deductibles and Self-Insured Retentions: Review the deductibles or self-insured retentions associated with the insurance policies and assess whether they are reasonable.
- Claims History: Inquire about the third party's claims history and any significant claims or incidents that may have occurred in the past.
- Notification & Reporting: Understand the third party's procedures for notifying the insurance carrier and relevant parties in the event of a claim.

Insurance Types & Limits

Below is a list of general guidelines for common insurance policies. Keep in mind that coverage needs can vary significantly, so always consult with insurance professionals and risk management experts to determine what's appropriate for your specific situation. Disclaimer: The following is for informational purposes and does not represent insurance advice.

- General Liability Insurance
  Coverage Purpose: Protects against claims of bodily injury, property damage, and personal injury due to your business operations.
  Recommended Coverage Limit: $1 million to $2 million per occurrence, with an aggregate limit (total limit for the policy period) of $2 million to $4 million.
- Professional Liability (Errors & Omissions)
  Coverage Purpose: Provides coverage for claims arising from mistakes, negligence, or failures in professional services or advice.
  Recommended Coverage Limit: $1 million to $2 million per occurrence, with an aggregate of $2 million to $4 million.
- Cyber Liability
  Coverage Purpose: Protects against data breaches, cyberattacks, and related liabilities.
  Recommended Coverage Limit: Varies depending on the size and nature of the organization, but coverage limits of $1 million to $10 million or more may be appropriate.
- Umbrella or Excess Liability Insurance
  Coverage Purpose: Provides additional coverage beyond the limits of the primary liability policies.
  Recommended Coverage Limit: Should provide enough additional coverage to handle catastrophic events. It's often recommended to have a limit that matches your total assets or potential liabilities.
- Workers Compensation
  Coverage Purpose: Provides medical and wage replacement benefits to employees injured on the job.
  Coverage Limit: Determined by legal requirements in your jurisdiction. It typically provides benefits according to state laws.
- Business Interruption
  Coverage Purpose: Provides coverage for lost income and operating expenses if your business is unable to operate due to a covered event.
  Recommended Coverage Limit: Should cover your anticipated revenue and necessary ongoing expenses during the interruption period.
- Product Liability Insurance
  Coverage Purpose: Protects against claims arising from defective products causing bodily injury or property damage.
  Recommended Coverage Limit: Depends on the type of products, industry, and size of the organization. Limits could range from $1 million to several million dollars.
- Commercial Property Insurance
  Coverage Purpose: Protects against damage or loss of physical assets, such as buildings, equipment, inventory, and furnishings.
  Recommended Coverage Limit: The limit should be sufficient to cover the replacement or repair costs of your assets. Consider the value of your property and potential rebuilding costs.
- Employment Practices Liability Insurance (EPLI)
  Coverage Purpose: Protects against claims related to employment-related practices, such as discrimination, harassment, wrongful termination, etc.
  Recommended Coverage Limit: Varies based on the size of the organization and potential risks, but coverage limits of $1 million to $5 million are common.
- Directors and Officers (D&O) Insurance
  Coverage Purpose: Protects the personal assets of directors and officers from claims related to their management decisions.
  Recommended Coverage Limit: Varies based on the size of the organization, industry, and exposure, but limits of $1 million to $5 million are typical.

Conclusion

Evaluating insurance risk is an important aspect of third party risk management. By carefully assessing the coverage types, limits, and terms, organizations can ensure that both their own operations and their third party relationships are protected against potential liabilities. This comprehensive approach to insurance risk helps to ensure your organization is prepared and protected against potential challenges.

Resources: Guidebook
- Finding Gaps in Third Party Risk Reviews
Many have questioned the value of a third-party risk questionnaire. How much information can you really glean from a questionnaire anyway, especially since organizations want to look good and will frequently answer in the affirmative? The following is a list of adjustments Intermountain Health has made to our process to improve our security and decrease risk with vendors.

Early on in our third-party risk journey, we likely had a similar experience to most other teams. We created a questionnaire with yes, no, or not applicable answers. But there was one slight problem: everyone was answering yes to everything. How could our questionnaire have value with only yes and no options?

The value of adding the answer choice "partial."

As a result of vendors always answering "yes," we had a few key follow-up questions we would ask. One of them was to ask for a "high level overview" of the process they claimed to be following. What we discovered was that the process was either only partially followed, or the vendor was beginning to implement the process and therefore answered yes. Because of this realization, we decided to add a "partial" option to our multiple-choice questions. This resulted in vendors better explaining their process. We found that simply offering the "partial" answer choice gave us better insight into the maturity of a vendor's process. It also provided an avenue into further probing on topics that we deemed important to our organization.

Compare what is said to what was said last time.

Another change we made was to more closely compare the current questionnaire responses from a vendor to past responses from the business owner and the vendor. Key questions we ask and compare are with regard to data flows, data storage, and current products and services provided. This has led to the discovery of several items, such as data being stored offshore (which is against our standard) and products in use that currently do not have a security review completed. So, while we are still asking the same questions, we now have a baseline to work from and can determine if there are discrepancies that need to be addressed.

Business visit and demo: compare what is said to what is done.

An additional change we have found beneficial is to visit with our internal business partners using the product. Although it has taken additional time, it has served us well, as we have learned of process changes and additional data being sent to a vendor. In some cases, we found processes have changed compared to what was originally reviewed. These changes are then taken into consideration the next time we perform an assessment of the vendor. We also found cases where sensitive information was being uploaded to software that was not originally documented or approved. These visits also assist with questionnaire validation, and we have found instances where vendor responses contradict the actual process and/or service provided.

In short, a few strategies we have found beneficial include adding a "partial" choice within the vendor questionnaire, comparing questionnaire responses to past conversations with the business and vendor, and reviewing user-level processes and documentation provided by the vendor. While these enhancements have added a few extra steps to our assessment process, they have exposed additional vendor risk not normally discovered with the completion of a questionnaire.
- What Good TPRM Governance Looks Like
TPRM oversight supplies an organization with a strong foundation and the requirements needed to develop and steadily support their overall TPRM program. This then allows the program to address third party risks at the highest level, while ensuring governance structures are in place to run the program effectively. TPRM oversight will also ensure key stakeholders are aware of program requirements and assist with the implementation of said requirements. But what does good TPRM Oversight provide to your program?
- Accountability
- Consistency
- Support
- Value

Let's take a look at the benefits noted above individually to determine what governance activities would be required to achieve each benefit.

Accountability is the benefit of clear expectations and defined roles & responsibilities. Activities related to this benefit include, but are not limited to:
- Program Governance: Determine how your TPRM program will run. Will it be Centralized (one team/department is responsible for the majority of program activities) or De-Centralized (multiple teams/departments are responsible for pieces/parts of your TPRM program)?
- Roles & Responsibilities: Clearly define all of the different roles each person/team/department will play. Chances are your entire organization will be impacted by your TPRM program, as third party products/services are used by many. Key roles/responsibilities to define may include, but not be limited to, the Assessors, TPRM Program Leads (who will own/maintain the TPRM program policies and procedures), Procurement, Legal, Information Security, and Business/Relationship Owners.
- Third Party Risk Committee: It is best practice to set up and maintain some type of risk committee where third party risks are discussed. This ensures your organization can make informed decisions regarding third party risk, as well as accept risk at the highest level. Business Owners should not be the only ones to accept High risk on behalf of the organization.
- Education & Training: Create a TPRM education and training program for not only business owners and key stakeholders within your organization, but also third parties. Training may include a summary of how your TPRM program is structured (what assessments are performed and when, the process to validate, follow up on, and remediate findings, and the risk escalation process), as well as what evidence you will be collecting, when, and why. It's also important to communicate business owner and third party expectations and support requirements.

Consistency is the benefit of defined TPRM program requirements and structured metrics.
- Policies and Procedures: Document program policies and procedures, to include TPRM lifecycle activities (Planning & Oversight, Pre-Contract Due Diligence, Contracting, Continuous Monitoring/Post-Contract Due Diligence, Disengagement, & Continuous Improvement), handoffs between departments, escalation procedures, and reporting.
- Metrics & Reporting: Creating program metrics that evaluate program maturity, third party risk trends, and assessment workflow can help you accelerate program performance and reduce third party risk impact on your organization.
- Continuous Improvement: At least on an annual basis, perform a gap analysis of program activities and controls by comparing them to more mature programs or leveraging TPRM maturity models.

Support is the benefit of executive-level support and sufficient resources.
- Budgeting: Develop a comprehensive TPRM program budget that includes resources, operations, maturity model (for future enhancements), travel (for onsite visits), training, and tools. The TPRA held a meeting in October 2021 that reviewed what a comprehensive budget should include. Playback is available to TPRA members on our website.
- Resourcing: Develop and implement a resource strategy for attracting and retaining talent. In response to the pandemic, a higher volume of regulations, cyber threats, and technology advancements, TPRM is growing in demand and practitioners are becoming more specialized. It is important to ensure your staff is knowledgeable, communicates well, and understands business needs.
- Tools: If your program has reached a certain level of maturity (at least has documented policies and procedures, as well as a good support system), you may wish to purchase TPRM tools to reduce constraint on your resources and allow you to focus on mitigating third party risk at the highest level. The majority of programs use a TPRM Platform & Continuous Monitoring Tool(s). TPRA is working to create an exhaustive list of TPRM tools. Disclaimer: This list does not include affiliate links and the TPRA does not receive any monetary value from the list.
- Board Support: Your Board should already be asking your Executives third party-related questions. They have a duty to ensure appropriate action is taken to mitigate third party risk. Ensure you are updating the Board on third party risk trends at a minimum on an annual basis. You may want to work your way up to providing a Board update per quarter.
- Executive & Business Support: It is imperative to have the support of your executives, which then drives the support you receive from the business. Ensure your executives and business understand the value of having a comprehensive TPRM program in place.

Value is the benefit of having TPRM program outcomes lead to the mitigation of cyber, financial, and reputational risk.
- Business Case: It is best practice to have a strong business case documented for why TPRM is important & what value you bring to the organization. This ensures future TPRM program enhancements can be obtained.
- Responding to Third Party-related Incidents: Studies have shown that the more mature your program is, the less of an impact third party incidents will pose to your organization. Ensure your program contains a plan to respond to and address third party-related incidents and that your Legal and Information Security teams are included within the plan.
- Holistic View of Risk Landscape: A mature TPRM program can also show your executives, as well as the Board, a more holistic view of your organization's risk landscape, to include fourth and fifth party risk. This then allows the Board and Executives to make better and more informed decisions on strategic initiatives.

Overall, good TPRM program governance can not only set your program up for continuous success, but also save your organization from significant business disruption by proactively mitigating third party risk. For more information on TPRM topics and to participate in the many discussions on third party risk, join the community of TPRA Practitioners by visiting www.tprassociation.org/why-join. Standard Practitioner Membership is FREE and Premium Membership (which includes your ticket to our annual, in-person conference) is $199.
- Unveiling the Power of Conferences: The Impact of Conferences on Industry Insights and Innovation
With our 2024 in-person conference just around the corner, Third Party Risk Association (TPRA) would like to share the wide array of benefits which come from attending an industry-specific conference. In the ever-evolving landscape of professional development and networking, conferences stand out as vibrant hubs for knowledge exchange, innovation, and collaboration. Throughout this five-part blog series, we will delve into the multifaceted advantages that conferences offer. Each installment will explore a different facet of how conferences empower individuals and organizations alike.

Today's blog focuses on the Impact of Conferences on Industry Insight & Innovation. It highlights how these events provide a platform for professionals to engage with peers and leaders in the exchanging of research, trends, and innovative ideas. Attendees benefit from interactive sessions, panel discussions, and networking events, gaining insights that fuel forward-thinking strategies. This blog will explore how attendees can maximize these opportunities for staying updated, engaging with industry leaders, and contributing to their respective fields' growth.

Embracing Technology, Trends, & Research

Conferences are a conduit for collaboration on emerging risks, solving for TPRM challenges, and working together on new and innovative approaches to mitigate third party risk. These interactions not only deepen individual knowledge, but also contribute to industry growth and development by promoting innovation and shaping future techniques. Attending the Third Party Risk Madness conference will help you stay updated on the latest advancements in technology and industry trends. With 56 total sessions spread over 4 days, including three keynote speakers, 12 roundtables, and four demo sessions, you can gain insights from knowledgeable industry professionals. Participate in sessions on technology and emerging risks, engage with industry leaders during networking events and roundtable sessions, and follow up with speakers and attendees post-conference for further discussions and insights. View the full agenda.

Following a conference, thank speakers and attendees for their insights, follow up through email or social media, share thoughts on their presentations, ask about resources available, and offer to connect via coffee meetups, virtual discussions, or collaborative projects to strengthen relationships and foster knowledge sharing. This ensures that conversations don't stop with the conference, and that you, as a practitioner, can further develop ideas discussed at the event and work to implement new TPRM strategies. Conference materials can be a great resource for deepening your understanding of the topics covered. They allow you to not re-create the wheel and to implement strategies and processes that have worked for others. They can also validate mature processes your organization has in place, thereby adding credibility to your program.

Do some research beforehand and learn about the latest research and trends that the conference may be addressing.

Before attending a conference, conduct thorough research to understand the latest research findings and emerging trends. Explore publications, industry reports, and articles to understand the current landscape and find key topics, challenges, and innovations to discuss. Bring those thoughts, ideas, and questions to the conference and actively participate in conversations during presentations and roundtables. Also come with pain points and questions from your own program to benchmark against fellow peers in similar situations.

Professional Development

Conferences offer professional development opportunities to enhance attendees' skills, knowledge, and capabilities. Workshops and training sessions cover emerging technologies, best practices, and industry-specific regulations. Networking opportunities promote mentorship, knowledge sharing, and learning, allowing attendees to broaden their perspectives and gain insight from experienced professionals.

Take notes during sessions to capture key insights, ideas, and strategies shared by speakers and panelists. This will help you gather key insights, ideas, and strategies that you do not want to forget. Use these notes to transform concepts into plans, driving change within your organization, and start discussions about innovative TPRM approaches. Oftentimes, an idea from a conference can influence your perspective on processes and activities within your organization.

Use networking breaks and social events to set up connections with industry peers, potential mentors, and collaborators. As we discussed in our last blog, networking is the best way to connect with fellow attendees and collaborate with industry peers. Make sure to take advantage of opportunities such as networking events and lunchtime meetups to foster conversations that could lead to future partnerships.

Conclusion

Attending conferences like our very own Third Party Risk Madness provides opportunities for professional growth and networking. Attendees can stay updated on technological advancements and engage in discussions with industry leaders. Post-conference follow-ups allow for collaborations. Conference materials promote understanding, particularly in Third Party Risk Management, pushing for deeper exploration. Networking breaks allow connections with professionals, mentors, and potential collaborators, paving the way for future partnerships. Prior to attending the conference, research emerging trends to ensure active participation and meaningful contributions.

Join us at Third Party Risk Madness, where basketball, business, and TPRM unite for an epic showdown of innovation and success. Dribble your way to victory in Phoenix, Arizona, on April 9-12, 2024! Secure your court-side seat and take advantage of exclusive offers here. Hurry, space is limited, and you won't want to be left on the bench for this thrilling event.