- Optimizing Third Party Contractual Agreements
This blog was inspired by the meeting facilitated by Julie Gaiaschi, CEO & Co-Founder of TPRA, at TPRA’s November 2024 Practitioner Member Roundtable. (To watch the full presentation, TPRA Members can visit our On-Demand Webinars page and navigate to the November 2024 meeting recording.)

Being a TPRM practitioner means being vigilant and prepared for third party risks. One way to ensure that you are building a strong risk management foundation is through strategic planning and careful oversight of contractual agreements. Contracts do more than just set up relationship expectations. For TPRM practitioners, understanding their full purpose and how they can limit the impact of risk on an organization is essential for successful risk management.

In this blog, we will cover:
- The purpose of contracts
- Several types of contract risk
- How we can address contract risk
- Tips on the Right to Review vs. Right to Audit clause

The Purpose of Contracts

Contracts not only establish and document relationship expectations but also help ensure proper risk management. Here’s how:
- Contracts allow TPRM practitioners to obtain the evidence items necessary to complete their assessments. A best practice is to include a clause noting that the third party will respond to questionnaires from time to time, as well as provide evidence items in relation to this agreement upon request.
- Contracts can ensure that due diligence findings are addressed in a timely manner. For example, if high-risk findings are discovered during the pre-contract phase, then it is best practice to have clauses in the contract covering the remediation of said high-risk findings.
- Contracts can establish non-compliance triggers in the event a third party fails to meet its obligations under the agreement. Many contracts only have a clause to terminate the relationship if the third party fails to meet your organization’s expectations, which is not always feasible or desired by the organization. Instead, have a step-by-step course of action noted within the agreement in the event the third party fails to meet its obligations. This will help ensure progress is made and give the contract more teeth than just terminating the third party. Non-compliance triggers may include, but are not limited to:
  - Withholding payment of the next invoice should the third party not provide your organization, within a defined period of time, with the documentation necessary to perform TPRM reviews.
  - Performing an onsite visit if the third party is not keeping cadence on the remediation of confirmed findings.
  - The third party assisting with the transition of your organization’s data from the third party’s data center to another data center of your organization’s choosing, should the onsite visit result in additional confirmed findings as well as limited remediation of current findings.
- Contracts reflect an organization’s risk tolerance. For example, you can establish parameters on specific expectations, such as the time it should take your third party to patch a critical/high/medium-risk vulnerability. You can also set key performance indicators related to specific activities, such as responding to inquiries.
- Contracts can allow for a smooth transition away from a third party by ensuring that verbiage around termination timelines and expectations is included. In addition, the contract can be used to keep track of what logical and physical access is provided to the third party, to ensure that it is terminated promptly.

What Is Contract Risk?

Contract risk is the possibility of a risk arising when a contract is created. There are different types of risk to be aware of that should be discussed during the pre-contract phase, including but not limited to:
- Not including specific control expectations within the agreement, or a separate addendum, that will ensure your data is appropriately safeguarded and your organization’s strategic objectives are met. For example, if you are working with a critical- or high-inherent-risk third party, make sure that you call out at least your top 10, 15, or 20 information security controls that you expect them to have in place before you send them any data.
- Not including/reviewing sufficient contract terms. It is important to make sure that you are at least reviewing what the third party is redlining or approving in your contract. In addition, compare it to what you are reviewing from an assessment perspective.
- Not including safeguards within the contract should a third party risk be realized. This would include things like incident response, breach notification, or non-compliance triggers.
- Not reviewing contract templates on a regular basis to incorporate emerging risks related to performance risk, termination and transition risk, intellectual risk, artificial intelligence risk, cost escalation risk, insurance risk, and so on.

With this, it is important to understand where potential risks can arise and have a discussion on these topics to minimize the extent of each risk.

Addressing Contract Risk

Now that we have discussed the different ways contract risk can arise, here are a few ways to address said risk.
- Contract risk can be addressed by working closely with Legal and Procurement teams to ensure contracts align closely with your organization’s risk management strategy, including its risk appetite.
- Have templates for cybersecurity requirements drafted to ensure they provide sufficient coverage of key controls. This should not be an exhaustive list of controls, but the top 10 to 20 controls that need to be in place before you send data to the third party. Furthermore, templates should detail appropriate remedies (non-compliance triggers) if and when the third party fails to meet its obligations under the agreement. Include expectations for participating in risk assessment activities (i.e., responding to questionnaires and providing evidence items upon request).
- TPRM practitioners should have a seat at the table when reviewing redlines within specific clauses related to cybersecurity terms, as well as terms that would allow a practitioner to perform their duties (such as “Right to Audit or Review” and/or “Termination” clauses).
- Practitioners should ensure any high-risk findings noted during the pre-contract due diligence phase are noted within the contractual terms.
- Practitioners should work closely with legal counsel to ensure that the contractual language is clear, specific, and enforceable.

Tips on the Right to Review vs. Right to Audit Clause

Typically, the “Right to Audit” clause allows an organization to “audit” the third party once per year. Historically, this clause was specific to Internal Audit. Over time, TPRM programs have adopted this clause to perform their annual due diligence assessments. However, the clause does not provide the flexibility or allow for the depth needed to perform continuous monitoring of the third party. A tip for ensuring your organization can review the third party on a regular cadence (more than once per year) is to include a “Right to Review” clause within the cybersecurity addendum, in addition to the “Right to Audit” clause usually noted within the Master Services Agreement (MSA).

A “Right to Review” clause may include language such as: “The third party may be required to complete due diligence questionnaires and/or surveys from time to time and shall respond to such questionnaires and surveys no later than the due date, as defined within this agreement. Upon request, the third party shall provide evidence to support responses to such questionnaires and surveys. Failure to do so may enact escalation procedures and/or non-compliance triggers noted within this agreement.” When compared to the “Right to Audit” clause, the “Right to Review” clause is specific to ensuring that your security addendum is being executed appropriately.

Conclusion

Incorporating comprehensive contractual safeguards is essential for TPRM practitioners aiming to mitigate third party risks effectively. By understanding contract risk, organizations can establish strong contract clauses that protect against potential liabilities and align with their organization’s risk tolerance.

Resources: AI/ML Questionnaire Guidebook
- TPRM Maturity vs. Associated Value
By: Halle Reynolds, TPRA Marketing & Social Media Internship

The Third Party Risk Management Lifecycle (noted below within “Starting a TPRM Program”) is recommended for every organization seeking to implement a TPRM program. How programs implement the lifecycle depends on their organization’s risk appetite (the level of risk they are willing to accept), as well as the complexity of their third party relationships. After an organization has established an initial TPRM program, consideration should then be given to enhancements that will accelerate TPRM program efficiency and effectiveness in addressing third party risk. The incorporation of the following best practices is contingent upon an organization’s overall objectives, budget, and size.

STARTING A TPRM PROGRAM

TPRM programs begin with a blueprint—a plan for how your program will function. This layout should include aspects from the Third Party Risk Management Lifecycle: Planning & Oversight, Pre-Contract Due Diligence, Contracting, Continuous Monitoring, Disengagement, and Continuous Improvement. At a minimum, it is best practice to have the following processes in place if you are just beginning your program:
- Planning and Oversight - Establish program governance, budget, policies and procedures, a third party inventory, and a risk rating methodology.
- Pre-Contract Due Diligence - Integrate into the Procurement process and ensure due diligence/risk assessment reviews are performed before contracts are signed.
- Contracting - Develop a contract template that defines the third party controls expected to be in place and allows for the review of said controls by your organization.
- Continuous Monitoring - Run all third parties through an Inherent Risk Questionnaire (IRQ) and establish third party re-assessment triggers and cycle times based on the inherent risk ratings. TPRA Members can access our Inherent Risk Questionnaire (IRQ) Template on our TPRM Resource page. The IRQ can be used to identify due diligence requirements and determine the inherent risk rating of each engagement with your Third Party Service Provider (TPSP).
- Disengagement - Establish a termination checklist, to include the handling/destruction of data and the transition to another third party.
- Continuous Improvement - Communication and education are key when starting a program. Ensure you have top-down support, as well as the support of the business.

The value you receive from a basic TPRM program can be invaluable. It allows your organization to create a holistic lens into your organization’s risk landscape and to proactively address and mitigate third party risk in a timely manner. TPRM programs are also required by many regulators, Board members, and customers.

ENHANCING YOUR TPRM PROGRAM

Once you’ve established your TPRM program, you can begin to enhance and/or automate certain activities to ensure you are focusing on what matters most in a timely and efficient manner. Below are some examples of enhancements you could make to your program. We will work through the same TPRM lifecycle and discuss enhancements to each phase.
- Planning and Oversight - Develop a steering committee to address the highest level of risk. Ensure a risk escalation and acceptance process is in place (you may want to do this at a foundational level as well).
- Pre-Contract Due Diligence - Ensure you have a seat at the table with those making third party risk-based decisions, such as Procurement, Legal, Compliance, and others. Actively participating in conversations will ensure your program gains the support it needs, as well as ensure you are able to obtain the necessary evidence and documentation to perform your reviews.
- Contracting - You may want to “own” certain contract clauses to ensure that any redlines to specific clauses are reviewed by your team. Small changes could affect what evidence you receive from third parties and how you can assess them. You may also want to add non-compliance triggers to your contracts. These triggers ensure you can take action against contract non-compliance.
- Continuous Monitoring - Once your program is established, you can then begin to work through nth party reviews. An nth party is a 4th or 5th party (your third party’s third parties). It’s important to also review nth parties, especially if they will access your organization’s data, are customer facing, or support a key activity related to the product/service you are purchasing from your third party.
- Disengagement - Begin to maintain a data inventory (by requesting a data flow diagram from your third party) so that you can more accurately pinpoint data destruction requirements, to include data at nth party locations. Another process enhancement for the disengagement phase is to establish exit strategies during the pre-contract phase to leverage during the disengagement phase. If the third party supports a critical function for your business, it is a good idea to have a transition plan in place before entering into an agreement with the third party.
- Continuous Improvement - Continuously re-evaluate risk domains and enhance them as the risk environment changes (e.g., Environmental Social Governance (ESG), Ransomware, Pandemic). It is also important to benchmark against peers. Chances are, you’re not the first to go through something. Benchmarking is the best way to quickly learn tips and tricks for implementing process enhancements.

The value of continually enhancing your TPRM program is staying up to date on risk trends and ensuring your program is flexible enough to incorporate changes when/where needed.

AUTOMATING YOUR TPRM PROGRAM

At this point, your program may be gaining momentum quickly, as you’ve established the foundational building blocks of your TPRM program and incorporated certain program enhancements. You may now be interested in seeking out ways to automate your program by incorporating tools that can lessen the strain on resources and allow for scalability. We will again work through the same TPRM lifecycle and discuss activities you can automate within each phase.
- Planning and Oversight - Consider a governance, risk, and compliance (GRC) or TPRM platform that provides workflow, assessment, and reporting for third party risk. A comprehensive tool can also allow you to look across third party risk to determine key risk indicators and trends.
- Pre-Contract Due Diligence - A GRC or TPRM platform can also assist with automating the questionnaire process and allow you to obtain evidence more quickly during the pre-contract due diligence phase. You may also consider joining a third party risk assessment collective (where third parties share the responses to one questionnaire with several organizations) to improve third party response time.
- Contracting - Consider implementing a tool that will notify you when contracts are no longer in compliance with updated contract templates. This helps you ensure that you are maintaining contract compliance with your third parties.
- Continuous Monitoring - A tool that can proactively monitor your third parties is a risk rating/intelligence tool. These tools scan the perimeter of third party networks and look for public-facing vulnerabilities. They are non-intrusive and can often provide you with accurate information on an organization’s vulnerability management and technology refresh program. More innovative tools can also scan the dark web and look for stolen data and/or accounts that belong to third parties. They can also tell you if a third party has offshore locations, as well as the geo-political environment of said offshore location.
- Disengagement - Certain tools can assist with identifying when non-compliance triggers are met (which could ultimately lead to a relationship termination). They can also assist with the data transition process.
- Continuous Improvement - Automatically feeding TPRM results into your organization’s overall risk management program can help the organization make more informed decisions when looking across the enterprise. Many tools can integrate into risk management tools your organization may already have, thus providing your organization with a more holistic risk lens. This would also allow your organization to focus its efforts on addressing more critical risk.

Automation can lead to better collaboration, improved transparency around risk, program scalability, and quicker response to threats, and it places less burden on resources. But if you do not have an established program, automating too soon can lead to accelerated issues and misalignment on risk-based decisions. You can find value in automating workflows, assessments, continuous monitoring activities, risk follow-up and validation, reporting, and other third party lifecycle activities.

CONCLUSION

Most TPRM programs start out small and work their way up to more advanced risk management techniques. When beginning, it won’t be necessary to incorporate most tools right away. You may also want to consider current tools your organization already utilizes and determine if/how you can incorporate them into your TPRM program. You should also consider your program’s overall objectives, budget, and size when deciding which enhancements and tools to implement. The key to evaluating TPRM program maturity vs. associated value is understanding your organization’s risk appetite to further develop your TPRM program’s risk-based approach to assessing, monitoring, and mitigating third party risk.

For more information on this topic, check out TPRA’s YouTube series “TPRM Explained - TPRM Program Maturity vs. Associated Value”.
- SPARK Matrix Notes Several TPRA Vendor Members on their 2023 VRM List
By: Heather Kadavy, Sr. Membership Success Coordinator for TPRA

In the ever-evolving landscape of Third Party Risk Management (TPRM), sometimes called Vendor Risk Management (VRM), staying ahead of the game is crucial. One tool that has gained recognition and attention in recent times is the SPARK Matrix™, an assessment and ranking framework.

About the SPARK Matrix™

The benefits of the SPARK Matrix™ include, but are not limited to:
1. Informed Decision-Making: One of the primary benefits of the SPARK Matrix™ is its ability to provide organizations with a benchmark for selecting VRM solutions. With the complexities of vendor-related risks growing, it is crucial to have a standardized framework for evaluating the available options. The SPARK Matrix™ facilitates informed decision-making by comparing capabilities, features, and performance across different solutions.
2. Risk Mitigation: Effective VRM is all about identifying and mitigating risks associated with third party vendors. The SPARK Matrix™ helps organizations understand the landscape of VRM solutions and their capabilities, allowing them to tailor their risk mitigation strategies effectively. It can be a valuable tool for staying proactive in the face of evolving risks.
3. Regulatory Alignment: As regulations around data protection and privacy evolve, it is essential for VRM solutions to stay aligned with these changing requirements. The SPARK Matrix™ assesses the level of alignment with regulations, reducing the risk of non-compliance and associated penalties. This is particularly crucial for organizations handling sensitive data.

Congratulations to Our TPRM Vendor Members Noted on the Matrix

We would like to extend our warmest congratulations to TPRA’s current Vendor Members who were recognized in the SPARK Matrix™: Vendor Risk Management (VRM), 2023. These companies (listed below in alphabetical order) have demonstrated their commitment to excellence and innovation in the TPRM space:
- Aravo Solutions: has consistently been at the forefront of TPRM innovation, offering robust solutions to manage third-party risks effectively.
- Ncontracts: has been a valuable partner in helping organizations streamline their vendor management processes and mitigate risks.
- OneTrust: is known for its comprehensive privacy, security, and third-party risk management solutions, which align with the evolving regulatory landscape.
- ProcessUnity: its integrated risk and compliance management solutions continue to empower organizations to proactively manage vendor risks.
- Venminder: its dedication to third party risk management has been unwavering, providing organizations with tools and expertise to enhance their TPRM programs.

What Sets VRM Groups Apart?

The SPARK Matrix™ is an assessment and ranking framework designed to evaluate and rank Vendor Risk Management (VRM) solutions based on numerous factors, including capabilities, features, and performance. It aims to provide organizations with a benchmark for selecting the most suitable VRM solution for their unique requirements. While the SPARK Matrix™ is a valuable resource, we want to emphasize that it does not represent a comprehensive list of all TPRM vendors in the market. Instead, it reflects those vendors who participated in the evaluation process. The TPRM landscape is diverse and continually evolving, with numerous vendors offering specialized solutions to meet the unique needs of different organizations. Therefore, it is crucial that TPRM teams look for competitive factors & differentiators when evaluating potential technology partnerships:
1. Tailored Solutions: Exceptional VRM groups recognize that one size does not fit all. They offer tailored solutions that align with the specific needs and risk profiles of their clients. Customization and flexibility are key.
   - End to End Vendor Lifecycle Management: to enable cost optimization, operational excellence, and growth through vendor selection, contract negotiation, vendor onboarding, and continuous monitoring of vendor performance and risk.
   - Issue & Incident Management: to enable event identification, assessment, and resolution of issues or incidents with third party vendors, in order to maintain the security, compliance, and reliability of the vendor relationships.
   - Compliance with Laws & Regulations: to keep organizations aligned with changing regulations and ensure that vendors comply with applicable laws and industry standards [e.g., cloud computing, APIs (Application Programming Interface), RPA (robotic process automation), cognitive automation, big data analytics, blockchains, etc.].
   - Reporting, Dashboarding & Analytics: to provide comprehensive reporting, visualization, and analytics capabilities to business owners, risk committees, executive management and/or an organization’s board of directors. These powerful visualizations are derived from deep insights and assist leadership in making informed business decisions.
2. Continuous Innovation: Stagnation is the enemy of progress. The best VRM groups are constantly innovating, integrating automation, AI (artificial intelligence), and emerging technologies to improve the efficiency and effectiveness of their solutions.
3. Proactive Risk Monitoring: The ability to proactively identify and mitigate risks is a significant differentiator. VRM groups that offer real-time monitoring and alerts are better equipped to tackle the dynamic nature of vendor-related risks.
4. Scalability and Adaptability: The ability to scale and adapt to an organization’s evolving needs is another distinguishing factor. VRM groups that offer scalability and flexibility ensure that their solutions grow with the businesses they serve.

TPRM teams should take note of the Technology Excellence & Customer Impact factors that each market participant was analyzed against when designing their own TPRM Service Provider analysis components:

Technology Excellence:
- Vendor Lifecycle Management: Ability to handle the end-to-end vendor lifecycle management process.
- Risk-Scoring and Assessment: Evaluate and quantify potential risks associated with vendors.
- Usability: Quality of a product or system in terms of how easy it is to use, learn, and navigate.
- Continuous Monitoring and Remediation: Actively monitor and respond to events and issues as they occur.
- SLA (Service Level Agreement) & Performance Monitoring: Outlines the level of service expected, the metrics used to measure performance, and the consequences for not meeting the agreed-upon standards.
- Configurability and Scalability: Ability of a system or software to be easily customized or configured, and to scale to meet specific requirements without requiring extensive changes.
- Dashboarding, Reporting and Analytics: Insights into various aspects of the business, customer behavior, and performance.
- Workflow and Process Automation: Automate and streamline manual tasks and processes.
- Integration & Interoperability: Ease of integration with other internal modules and API-based integration with third-party data providers and partners; extent of operability with third party partners.
- Competition Differentiation: What sets the product apart from its competitors and gives it a competitive advantage in the marketplace.
- Vision & Roadmap: To what extent does the product vision align with its buyers’ needs in terms of acquiring, satisfying, and retaining customers? Does the vision promote a strong focus on the customer and a positive customer experience? How well does the vision align with current and future customer preferences? Does the company have a clear plan in place for implementing its vision through product improvements, innovation, and partnerships within the next year? Does the company possess the necessary resources and abilities to accomplish its planned roadmap?

Customer Impact:
- Product Strategy & Performance: Evaluation of multiple aspects of product strategy and performance in terms of product availability, price-to-performance ratio, excellence in GTM strategy, and other product-specific parameters.
- Market Presence: The ability to demonstrate revenue, client base, and market growth, along with a presence in various geographical regions and industry verticals.
- Proven Record: Evaluation of the existing client base from the SMB, mid-market, and large enterprise segments, growth rate, and analysis of the customer case studies.
- Ease of Deployment & Use: The ability to provide a superior deployment experience to clients by supporting flexible deployment, or to demonstrate a superior purchase, implementation, and usage experience. Additionally, vendors’ products are analyzed for a user-friendly UI and ownership experience.
- Customer Service Excellence: The ability to demonstrate the vendor’s capability to provide a range of professional services, from consulting to training and support. Additionally, the company’s service partner strategy or system integration capability across geographical regions is also considered.
- Unique Value Proposition: The ability to demonstrate unique differentiators driven by ongoing industry trends, industry convergence, technology innovation, and the like.

Trust the Data, Verify the Path Forward

In an era where data reigns supreme, the SPARK Matrix™ provides TPRM practitioners with a compass for navigating the intricate vendor landscape. The insights derived from this research empower practitioners to make informed decisions, ensuring that the partnerships they forge are not just built on trust but are also fortified by a robust verification process. Empowered by this, the practitioner is now responsible for practicing their Risk Management skills when leading their organizations forward.

Resources:
- TPRA’s TPRM Tools List: https://www.tprassociation.org/tprm-vendor-list
- TPRA’s Service Provider Profiles: https://www.tprassociation.org/service-provider-profiles
- SPARK Matrix™ Domain Link: https://quadrant-solutions.com/
- SPARK Matrix™ Link to the Report (Payment Required): https://quadrant-solutions.com/market-research/spark-matrix-vendor-risk-management-vrm-q4-2023-2990

Note: SPARK Matrix™ is NOT sponsored by TPRA.
- Staying Afloat: The Importance of Proactive, Continuous Monitoring for Third-Party Risks
Most third-party risk management (TPRM) practitioners understand that managing risks associated with third parties can be like sailing a ship through sometimes dangerous waters. Just as a captain must chart a detailed course and remain alert to changing weather conditions, TPRM professionals need a straightforward strategy to navigate risks. They must continually identify, assess, and mitigate potential issues while recognizing the importance of monitoring the horizon for emerging storms that could threaten the organization or its customers.

Managing third-party risks can be challenging because these risks evolve, similar to how ocean waves change due to various factors. Effective TPRM requires proactive identification, management, and continuous monitoring of risks to prevent the proverbial ship from sinking. Unfortunately, some organizations limit their risk monitoring solely to scheduled intervals, which undermines the goal of continuous oversight. Others take a more relaxed approach, assuming everything is fine until it isn’t. Delaying monitoring until a third party faces a serious issue, such as a data breach or a significant decline in performance, puts your organization at a disadvantage. Addressing problems reactively usually leads to chaos and missed opportunities. It’s like trying to repair your boat when it’s already taking on water.

So, how can your organization stay safely afloat with proactive and effective continuous monitoring? Let’s delve into the essential activities within the third-party risk management lifecycle that lay the groundwork for continuous monitoring, and some best practices to implement.

Foundations for effective continuous monitoring

The third-party risk management lifecycle is a blueprint for managing third-party risks effectively. Key activities in this lifecycle create a strong foundation for effective continuous monitoring.

Inherent risk assessments

Effective risk management begins with identifying risks. A thorough inherent risk assessment allows your organization to pinpoint and quantify risks related to specific products, services, and third-party relationships. Understanding these risks—whether in cybersecurity, privacy, compliance, finance, or reputation—establishes a baseline for monitoring and identifying new or emerging risks over time.

Due diligence

After identifying the risks, the next step is to assess how adequate the existing controls are in mitigating them. Experts in cybersecurity and compliance should review the vendor’s documented controls to evaluate their effectiveness and identify any gaps that require additional attention in the future.

Well-written contracts

Third-party contracts define the roles and responsibilities of both parties and outline the specific terms and conditions that the third party must adhere to. This includes compliance with technical, security, financial, and regulatory standards, and with service level agreements (SLAs).

Risk reassessment and periodic due diligence

When it comes to third-party risks, it’s crucial to understand that this isn’t a “set it and forget it” situation. Establishing protocols for reassessing inherent risks and validating third-party controls is essential. This involves reviewing the last inherent risk assessment to identify new or changing risks, and performing due diligence by collecting up-to-date vendor documentation to re-verify their controls.

Best practices for continuous monitoring

While every organization is different, there are best practices for continuous monitoring that can enhance the effectiveness of your efforts.
- Use a risk-based approach. Not all third-party engagements carry the same risk level, so it’s essential to identify effective monitoring strategies based on risk types and amounts. Critical or high-risk relationships like cloud providers require robust monitoring, while lower-risk providers, like office supply vendors, need less scrutiny. A risk-based approach ensures resources are allocated to manage the highest risks effectively.
- Monitor both risk and performance. Understanding the importance of monitoring specific third-party risks is straightforward for most practitioners. However, performance monitoring is often seen as a secondary concern. Subpar performance not only prevents your organization from receiving the value it is paying for, but it can also signal emerging or increased third-party risks. Poor performance may indicate underlying issues such as declining financial health, ineffective controls, or operational and managerial problems before they are identified through other risk assessments or periodic due diligence.
- Establish and stick to formal monitoring routines. Set appropriate intervals for re-evaluating risk, due diligence, and performance reviews. Document and publish these routines and ensure stakeholders are accountable for adhering to them.
- Increase monitoring when necessary. It’s reasonable to increase monitoring when issues with third parties arise or performance declines. It may also be necessary due to declines in financial health, data breaches, or regulatory changes.
- Consider using risk intelligence tools to assist your monitoring efforts. Continuous monitoring requires daily vigilance to detect changes in a third party’s risk profile. But depending solely on internet news alerts or third-party vendors for daily updates can be risky. Instead, consider utilizing subscription-based risk intelligence services to receive targeted alerts regarding changes in your third party’s cybersecurity, financial health, compliance, reputation, and industry developments.

In conclusion, third-party risks are constantly changing, and organizations that want to manage them must engage in proactive, continuous monitoring to identify potential threats and reduce their impact on the organization and its customers. By following the third-party risk management lifecycle and implementing best practices for continuous monitoring, your organization can more effectively navigate the complexities of third-party risks and prepare for upcoming challenges.
- Nth party risk: What it is and how to address it
Third party risk management (TPRM) is a comprehensive process that involves identifying, assessing, managing, and continuously monitoring the risks faced by your organization and its customers as a result of business relationships with external vendors, suppliers, and service providers. In the past few years, TPRM has evolved beyond managing direct relationships with your third parties; it now also includes identifying, assessing, and mitigating risks related to fourth-party and Nth-party relationships, meaning the vendors of your vendors and beyond. This layered approach is crucial, because risks within the supply or service chain can propagate through your third parties and affect your organization unexpectedly. Common risks include information security vulnerabilities, operational disruptions, compliance issues, financial concerns, and reputational risks.

To illustrate what fourth and Nth party relationships are, imagine your organization uses a third party customer service call center, and that call center's call management software provider (your fourth party) suffers an outage. Even though you have no contract with the software provider, the outage can still disrupt your operations, delaying service and leaving customers dissatisfied. Now consider that the same software provider suffers a data breach originating at its contracted data center (your Nth party), ultimately exposing your customers' data. In both situations, the issue does not originate with your third party but with its vendors (and the vendors of those vendors) that are engaged to deliver products and services to your organization.

Just thinking about fourth and Nth-party risk can be overwhelming, especially as the risk landscape grows with each additional layer of a relationship, and many regulatory requirements now expect these risks to be identified and managed effectively. However, there is no need to panic. There are effective strategies you can implement to address them, even with limited resources.

How to manage fourth- and Nth-party risks
It is essential to recognize that managing all fourth-party and Nth-party risk is neither feasible nor practical. Your organization has limited time and resources; you have no direct contracts with these parties, so they have no legal obligation to you; and your visibility into their operations may be limited, making oversight difficult. A strategic approach is therefore essential, starting with a definition of what "managing" these risks means and how it is implemented in practice. For many organizations, it means identifying where fourth-party and Nth-party risk exists and ensuring that the third party manages those extended relationships effectively. Consequently, strong third party risk management practices at your own organization are the prerequisite: thorough risk assessments, risk ratings, identification of critical vendors, due diligence, contracts, and continuous monitoring. These processes are what make fourth-party and Nth-party risk identifiable and manageable at all.

Take a stepwise approach and start with your own critical third party vendors and service providers. Critical third parties are those whose business interruption would seriously impact your operations; those that access, process, transmit, or store Personally Identifiable Information (PII) or confidential data; and any vendor or service provider that interacts with your customers. Targeting your critical third parties first narrows your scope and concentrates effort where the most significant risks are.

Build your fourth and Nth party inventory
Once you have your list of critical third parties, you need to understand which of their vendors and service providers are essential to delivering products and services to you, or could cause regulatory issues or customer dissatisfaction. Some tips for accomplishing that task:

Ask your third parties to list their critical vendor and service provider relationships. This should be a requirement in your critical third party contracts, but if it isn't, schedule a meeting to discuss your objectives and criteria so they can report back to you. Ensure they provide each organization's name, location, and the product or service it supplies. Also ask whether they have further relationships through their own vendors (your Nth parties) that could impact your organization or its customers.

Check your critical third parties' SOC reports (SSAE 18 attestations) for relevant fourth parties. Look for the subservice organizations identified in the system description: these are the vendors whose controls the third party relies on to meet its system requirements or its commitments to you. Where a subservice organization's controls are carved out of the report, the report's assurance does not cover them, so you will need the subservice organization's own report or other evidence.

After you have identified these fourth and Nth party relationships, keep the inventory current and organized. Also look for fourth and Nth parties that service more than one of your third parties. For example, if all of your cloud, data, and analytics providers run on AWS, you may need to assess and address that Nth-party concentration risk.

Review your vendors' TPRM policy and practices
You must rely on third parties to manage their own vendor and service provider relationships effectively, so a key part of addressing Nth-party risk is understanding how your vendors and service providers manage their third party risk. Never assume they have it under control; you must see evidence that their TPRM practices meet your requirements. Always review the following:

Policy: Review their internal third party or vendor risk management policy. Is it comprehensive? Does it clearly outline roles and responsibilities? Who is ultimately accountable for TPRM? Does the policy address each part of the TPRM lifecycle?

Risk assessments: Request their inherent risk assessments, risk ratings (including the rating methodology), how they define critical vendors, and how often risk assessments are conducted.

Due diligence: Request real examples of due diligence conducted on critical third parties and review the vendor risk control assessments performed by qualified subject matter experts.

Contracts: Determine whether minimum contract terms and conditions are used to reduce or mitigate risk. Ensure that legally binding contracts are in place and managed appropriately for critical fourth and Nth parties.

Ongoing monitoring: Ask about their requirements for ongoing monitoring and confirm that they monitor both risk and performance for their vendors. Ask for proof of monitoring and whether there have been any incidents or performance failures.

Issue management: Inquire about their processes for reporting, remediating, and escalating TPRM issues.

When you understand how your third parties manage their vendor relationships and can see proof of effective and timely processes, you can address Nth-party risk with more confidence.

Update your contracts
Your organization relies heavily on third parties to identify and manage the risks associated with fourth and Nth parties. If your current third party contracts do not require disclosure of critical Nth parties or do not include provisions for managing third party risk, it may be time to amend them. If immediate changes are not feasible, document the necessary improvements so your organization can negotiate them before the contracts renew.

Monitor Nth party risk
Like other risks, fourth- and Nth-party risks that could impact your organization or its customers need ongoing attention. Require your third party vendors to provide monitoring information about their vendors and service providers, and review it regularly, especially when issues have arisen. Insist on proof that those issues were remediated. Additionally, consider using risk intelligence services to monitor critical or high-risk fourth and Nth parties.

In conclusion, although addressing fourth and Nth-party risk may seem complex, it becomes manageable with a strategic approach. By focusing on your critical third parties, building an inventory of their essential vendors, and requiring them to uphold robust TPRM practices, you create a solid framework for proactively identifying and mitigating risk. Committing to continuous monitoring and maintaining open communication with your third parties will let you identify and address risks in your service or supply chains more effectively.
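To make the inventory and concentration check from the "Build your fourth and Nth party inventory" section concrete, here is an added example in Python. It is not TPRA's code or tooling, and every organization name in it is made up. It walks a constructed inventory of disclosed vendor relationships, assigns each reachable vendor its tier (fourth party, fifth party, and so on), inverts the graph to see which critical third parties depend on each Nth party, flags any Nth party shared by two or more of them, and lists vendors that appear in someone's disclosure but for which you hold no disclosure of your own.

```python
"""Fourth- and nth-party inventory walk with a concentration check.

Added illustrative example, not TPRA's code or tooling. The organizations and
relationships below are constructed for the demo; in practice the lists come from
your third parties' disclosures and the subservice-organization sections of their
SOC reports.
"""
from collections import defaultdict, deque

# Constructed inventory: organization -> critical vendors it disclosed to us.
# A vendor that is referenced but has no entry of its own is a disclosure gap.
INVENTORY = {
    "PayCo":       ["CloudA", "CallCenterX"],   # our critical third parties
    "AnalyticsCo": ["CloudA", "DataLakeZ"],
    "ClaimsSvc":   ["CallCenterX"],
    "CallCenterX": ["TelcoSoft"],               # their vendors (our fourth parties)
    "DataLakeZ":   ["CloudA"],
    "CloudA":      [],                          # disclosed no critical vendors
}
CRITICAL_THIRD_PARTIES = ["PayCo", "AnalyticsCo", "ClaimsSvc"]


def downstream(inventory, third_party):
    """Return {vendor: tier} for everything reachable from one third party.

    Tier 4 is a fourth party (the third party's direct vendor), tier 5 the
    vendor's vendor, and so on. Breadth-first search records the shortest tier
    when a vendor is reachable by several paths, and the 'seen' set terminates
    the walk if two vendors list each other.
    """
    tiers, seen = {}, {third_party}
    queue = deque([(third_party, 3)])
    while queue:
        org, tier = queue.popleft()
        for vendor in inventory.get(org, []):
            if vendor not in seen:
                seen.add(vendor)
                tiers[vendor] = tier + 1
                queue.append((vendor, tier + 1))
    return tiers


def exposure(inventory, critical_third_parties):
    """Invert the graph: nth party -> set of critical third parties relying on it."""
    who = defaultdict(set)
    for tp in critical_third_parties:
        for vendor in downstream(inventory, tp):
            who[vendor].add(tp)
    return dict(who)


def concentration_risks(inventory, critical_third_parties, threshold=2):
    """Nth parties whose outage would hit at least `threshold` critical third parties."""
    return sorted((vendor, sorted(tps))
                  for vendor, tps in exposure(inventory, critical_third_parties).items()
                  if len(tps) >= threshold)


def disclosure_gaps(inventory):
    """Vendors someone depends on but for which we hold no disclosure at all."""
    referenced = {v for vendors in inventory.values() for v in vendors}
    return referenced - set(inventory)


if __name__ == "__main__":
    for vendor, tps in concentration_risks(INVENTORY, CRITICAL_THIRD_PARTIES):
        print(f"concentration: {vendor} underpins {', '.join(tps)}")
    for vendor in sorted(disclosure_gaps(INVENTORY)):
        print(f"gap: no disclosure from {vendor}; ask its customer(s) for one")
```

Note that TelcoSoft shows up as a concentration risk for two critical third parties even though it is a fifth party to you and was never asked for its own disclosures; the tiering and the gap list are what turn a flat vendor list into something you can prioritize. The same functions work unchanged when the inventory dict is loaded from a spreadsheet export.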
- Staying Ahead of the Curve: Proactively Managing TPRM Regulatory Compliance
Compliance doesn't wait, and neither should you. Regulators aren't sitting idle, and neither are the risks buried in your third-party ecosystem. As more organizations outsource critical services, the scrutiny around how those relationships are managed has grown sharper, faster, and more complex. Vendor oversight is no longer a back-office function; it's a frontline defense in your regulatory playbook.

Whether it's cybersecurity, consumer privacy, operational resilience, or responsible banking, compliance expectations now extend well beyond your own four walls. They travel with your data, systems, and customers straight into the hands of your vendors. So, how do you keep pace without burning out your risk and compliance teams? By treating regulatory alignment as an active, continuous part of your third-party risk program, not a once-a-year fire drill. The good news? You can get ahead of the curve and stay there with the right approach. Here are five practical strategies to make that happen.

1. Know the Rules—And Where They Apply
You don't need to memorize every regulatory acronym, but you do need a solid grasp of which ones affect your third-party relationships. That includes direct regulations like:
GLBA, if your vendors access customer financial data.
HIPAA, if they touch health records.
GDPR and CPRA, if you handle the personal data of EU or California residents.
Plus, there is a growing patchwork of cybersecurity and operational risk guidance from bodies such as NIST, the OCC, and the FFIEC.

Start with a risk-regulatory mapping exercise. Connect the dots between your critical vendors, the services they provide, and the applicable laws or guidance. Then build a compliance checklist for each category, so you're not scrambling the next time a regulator wants evidence.

2. Make Compliance Part of Your DNA, Not Just a Checkbox
If your due diligence templates haven't changed in the last 18 months, you're likely missing something. Regulatory expectations evolve, and your assessment process should too. That means asking smarter questions and requiring supporting evidence. A "yes" on a self-assessment doesn't cut it anymore. Ask for:
Recent SOC reports, penetration test reports, or certifications (ISO 27001, PCI DSS).
Policy documents that reflect specific regulatory controls (such as data retention or breach notification).
Contractual language committing the vendor to compliance with laws like GDPR or HIPAA.
If a vendor claims to be compliant, it should be able to show you how. And if it can't? That's a conversation worth having before an examiner starts asking the same question.

3. Monitor, Document, Repeat
Initial due diligence is only the starting point. Regulatory compliance should be present day to day, not just during onboarding. Set up a monitoring cadence that matches the risk level: quarterly check-ins for your critical and high-risk vendors, and annual refreshes for the rest. Don't wait for a contract renewal to find out that a vendor has changed sub-processors, moved data centers, or had a cyber event. Key actions to build into your process:
Trigger-based reviews (e.g., regulatory changes, vendor incidents, service scope shifts).
Control monitoring, especially for data privacy, cybersecurity, and financial controls.
Evidence logging: save emails, reports, certifications, and attestations.
Document as you go, not in hindsight. Well-organized documentation is essential during audits, and it also demonstrates that your program has substance.

4. Use Frameworks—and Foundational Guidance—as Your North Star
You don't need to start from scratch. Established frameworks and regulatory guidance provide the scaffolding your program needs to stay aligned, scalable, and defensible. Used well, they're more than checklists; they're strategic tools that guide decision-making and help you demonstrate maturity.

A strong foundation starts with the Interagency Guidance on Third-Party Relationships: Risk Management, issued by the OCC, FDIC, and Federal Reserve. This guidance outlines the key lifecycle elements (planning, due diligence, contract structuring, ongoing monitoring, and termination) and serves as a gold standard for banks and for any organization managing critical vendor relationships. Not a financial institution? The Third Party Risk Association's free, comprehensive TPRM 101 Guidebook walks through every phase of the TPRM lifecycle in detail, with practical tools, tips, and examples for implementation.

Once that foundation is established, you can layer in frameworks tailored to your specific risk domains and industry. For example:

Financial services: The FFIEC Cybersecurity Assessment Tool (CAT) has been widely used to benchmark third-party cyber risk; note that the FFIEC announced in August 2024 that it would sunset the CAT on August 31, 2025, so plan for a successor. Align your broader program with NIST SP 800-53 or the NIST Cybersecurity Framework (CSF) to strengthen control mapping and monitoring.

Healthcare: Look to the HIPAA Security and Privacy Rules when evaluating vendors that handle protected health information (PHI). Ensure Business Associate Agreements (BAAs) are in place; these are legally required contracts that set out each party's responsibilities for PHI and support HIPAA compliance. Vendor controls should also align with HITECH Act provisions.

Insurance: NAIC model laws and guidance on Third-Party Administrators (TPAs) help shape due diligence expectations, especially for claims processors, brokers, and customer data handlers.

Technology and software supply chain: Adopt software-specific frameworks such as SLSA (Supply-chain Levels for Software Artifacts) and the NIST Secure Software Development Framework (SSDF) to manage risk from open-source components, CI/CD pipelines, and outsourced developers.

Cross-industry or global operations: To scale assessments across geographies and vendor types, lean on certifications such as ISO 27001.

The goal isn't to follow every framework; it's to select the ones that fit your organization, risk profile, regulatory exposure, and operational reality. By combining lifecycle-based regulatory guidance with targeted frameworks, you build a tailored and resilient TPRM program, one that shows regulators, auditors, and your own leadership that you understand not just the "what" but the "why" behind your oversight approach. Proactive programs stand out by anticipating challenges and addressing them before they escalate.

5. Make TPRM Everyone's Business
Even the best-designed compliance framework will fall apart if no one uses it. Training and communication aren't optional; they're how you operationalize your program. Risk and compliance teams can't do it alone. Your business stakeholders need to understand:
When a vendor relationship triggers regulatory requirements.
What documentation or approvals need to be collected.
How to recognize and escalate red flags.
Keep it simple, repeatable, and relevant. Offer live sessions, recorded refreshers, or just-in-time guidance during intake or onboarding. Compliance works best when built into the workflow, not bolted on as an afterthought.

Final Word: Stay Ready So You Don't Have to Get Ready
Proactive regulatory compliance isn't about predicting the future; it's about building the muscle to adapt. When your program is designed to flex, monitor, and evolve, you're not just reacting to audits or enforcement actions. You're leading with confidence, clarity, and control. And that's what true TPRM maturity looks like.
MEMBER EXCLUSIVE
To learn more on this topic, watch our June TPRM Webinar, "Staying Compliant: Proactively Addressing New Regulations." This roundtable focused on proactive strategies to navigate the dynamic regulatory landscape impacting third-party risk management.

AUTHOR BIO
Hilary Jewhurst, Sr. Membership & Education Coordinator at TPRA
Hilary Jewhurst is a seasoned expert in third-party risk and risk operations, with nearly two decades of experience across financial services, fintech, and the nonprofit sector. She has built and scaled third-party risk programs from the ground up, designed enterprise-wide training initiatives, and developed widely respected content that helps organizations navigate regulatory complexity with clarity and confidence. Known for turning insight into action, Hilary's thought leadership and educational work have become go-to resources for professionals looking to mature their TPRM programs. She regularly publishes articles, frameworks, and practical guides that break down complicated risk topics into meaningful, accessible strategies. Hilary recently joined the Third-Party Risk Association (TPRA) as a staff member, supporting industry-wide education, peer learning, and advancing best practices. She is also the founder of TPRM Success, a boutique consultancy that helps organizations strengthen their third-party risk management capabilities through targeted training, tools, and strategic guidance.
- TPRM Controls: It’s Not Just About the Third Party
Introduction
In the modern business landscape, Third-Party Risk Management (TPRM) has become a focal point for organizations aiming to safeguard their operations. While much attention goes to assessing third-party vendors with questionnaires, Boards of Directors are asking CISOs what the business itself is doing to protect the organization from its third parties. Access management in Complementary User Entity Controls (CUECs) is a crucial internal control that TPRM often overlooks when performing assessments. Additional access protections come from the organization's own Zero Trust strategy and from Artificial Intelligence (AI) and Machine Learning (ML) applications.

Access Management in Complementary User Entity Controls (CUECs)
CUECs are the controls that a service provider's SOC report expects you, the customer, to implement to complement the provider's own control environment. If you do not operate them, the provider's control objectives are not met for your environment, however clean the report looks. In the context of third-party management, these controls are crucial for maintaining a secure and effective relationship. Critical access management CUECs that organizations often overlook when managing third parties include the following:

Access provisioning and deprovisioning controls: According to a Black Kite study, 54% of all third-party breaches were due to unauthorized network access. (1)

Monitoring of third-party activities: According to a Ponemon Institute study, only 34% of organizations effectively monitor third-party access to critical systems, which creates significant blind spots in security posture. (2)

Regular reassessment of third-party access needs: Wiz Research reports that 82% of companies unknowingly give third-party vendors highly privileged roles. (3)

Validation of CUECs: Conventional CUEC validation, where it is performed at all, looks only at whether the control exists and is designed effectively, not at whether it actually operates and operates effectively, which creates a false sense of security.

Access Management in a Zero Trust Strategy
Zero Trust is fundamentally about "never trust, always verify", a principle that can significantly strengthen the protection of an organization's network and systems when granting third-party access. Implementing Zero Trust requires a shift away from traditional security models that rely on perimeter defenses toward securing individual assets and data. Traditional models grant broad network access once a user is authenticated; Zero Trust grants only the minimum access needed for a task. (4) Zero Trust identity and access management controls are implemented using a risk-based approach and may include the following:

Multi-factor authentication (MFA): Third-party users must authenticate with at least two factors of different types (something they know, have, or are). According to Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, MFA can stop 30% to 50% of account compromise attacks. (5)

Just-in-time (JIT) access: Third-party users receive temporary, time-limited access only when needed, rather than standing access. This shrinks the window in which a compromised or misused vendor credential can be exploited.

Privileged access management (PAM): Session recording and monitoring are implemented for all third-party privileged access. According to Gartner, organizations that implement PAM can reduce the risk of privileged credential abuse by 75%. (6)

Micro-segmentation: Third-party access is limited to the specific network segments or applications required for the vendor's function. Isolating critical systems and sensitive data makes threats easier to detect and respond to.

Device posture assessment: The security posture of third-party devices is checked before access is granted; devices must meet minimum requirements (patch level, endpoint protection, and so on).
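The controls above, together with the adaptive access idea developed in the next section, can be expressed as a single policy decision. The following Python is an added example, not TPRA's or any vendor's code. A just-in-time grant is issued with a hard duration cap; a request is then checked for an active grant on exactly the requested segment (micro-segmentation), for two factor types, and for device posture; finally it is scored against a baseline built from the account's prior logins, so that an unfamiliar location denies and an unusual hour steps up to re-authentication. The user, segment, grants, login history and the 25/50 risk thresholds are all assumptions made for the demo.

```python
"""Zero Trust access decision for third-party users.

Added illustrative example, not TPRA's or any vendor's code. It wires together the
controls listed above (MFA, just-in-time grants, device posture, micro-segmentation)
and a simple behavioral baseline of the kind the AI/ML section describes.
Every user, segment, grant, threshold and login record here is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_GRANT = timedelta(hours=4)   # assumed policy: no standing access, 4h ceiling per grant
STEP_UP_AT, DENY_AT = 25, 50     # assumed risk thresholds for the adaptive step
UTC = timezone.utc


@dataclass(frozen=True)
class JitGrant:
    user: str
    segment: str      # one segment/application per grant (micro-segmentation)
    start: datetime
    end: datetime


@dataclass(frozen=True)
class AccessRequest:
    user: str
    segment: str
    at: datetime
    mfa_factors: int      # distinct factor types presented (know / have / are)
    device_patched: bool  # posture facts reported by the endpoint agent
    device_edr: bool
    geo: str              # coarse location derived from the connecting IP


@dataclass(frozen=True)
class Decision:
    outcome: str          # "ALLOW" | "STEP_UP" | "DENY"
    reasons: tuple
    risk: int = 0


def issue_grant(user, segment, start, requested):
    """Time-limited grant; the requested duration is capped at MAX_GRANT."""
    return JitGrant(user, segment, start, start + min(requested, MAX_GRANT))


def active_grant(grants, req):
    """True only if a grant for this user covers this segment at this instant."""
    return any(g.user == req.user and g.segment == req.segment
               and g.start <= req.at < g.end for g in grants)


def risk_score(history, req):
    """Behavioral baseline: locations and UTC hours seen in prior successful logins."""
    geos = {g for u, g, _ in history if u == req.user}
    hours = {h for u, _, h in history if u == req.user}
    if not geos:
        return DENY_AT, ("no behavioral baseline for user",)
    score, reasons = 0, []
    if req.geo not in geos:
        score += 50
        reasons.append(f"unfamiliar location {req.geo}")
    if not any(abs(req.at.hour - h) <= 1 for h in hours):
        score += 25
        reasons.append(f"unusual hour {req.at.hour:02d}:00 UTC")
    return score, tuple(reasons)


def decide(req, grants, history):
    """Deterministic controls first, then the adaptive risk-based step."""
    if not active_grant(grants, req):
        return Decision("DENY", (f"no active just-in-time grant for {req.segment}",))
    if req.mfa_factors < 2:
        return Decision("DENY", ("MFA requires at least two factor types",))
    if not (req.device_patched and req.device_edr):
        return Decision("DENY", ("device posture below minimum (patching/EDR)",))
    score, reasons = risk_score(history, req)
    if score >= DENY_AT:
        return Decision("DENY", reasons, score)
    if score >= STEP_UP_AT:
        return Decision("STEP_UP", reasons, score)
    return Decision("ALLOW", ("all controls satisfied",), score)


# Constructed prior logins for one vendor account: (user, geo, hour_utc)
HISTORY = [("vendor.alice", "US-TX", 14), ("vendor.alice", "US-TX", 15),
           ("vendor.alice", "US-TX", 16), ("vendor.alice", "US-OK", 14)]
T0 = datetime(2025, 3, 3, 14, 0, tzinfo=UTC)
GRANTS = [issue_grant("vendor.alice", "erp-support", T0, timedelta(hours=12)),  # capped to 4h
          issue_grant("vendor.alice", "erp-support", T0.replace(hour=2), timedelta(hours=2))]


def sample(**overrides):
    """A compliant request; override fields to model each control failing."""
    fields = dict(user="vendor.alice", segment="erp-support", at=T0 + timedelta(hours=1),
                  mfa_factors=2, device_patched=True, device_edr=True, geo="US-TX")
    fields.update(overrides)
    return AccessRequest(**fields)


if __name__ == "__main__":
    cases = [("normal", sample()), ("new country", sample(geo="RO-B")),
             ("approved 03:00 window", sample(at=T0.replace(hour=3))),
             ("grant expired", sample(at=T0.replace(hour=19))),
             ("wrong segment", sample(segment="payments-db")), ("one factor", sample(mfa_factors=1))]
    for label, req in cases:
        d = decide(req, GRANTS, HISTORY)
        print(f"{label:22} -> {d.outcome:7} risk={d.risk:<3} {'; '.join(d.reasons)}")
```

The ordering matters: the grant, MFA and posture checks are cheap and deterministic, so they run before the behavioral score, and a request that fails them is denied without ever consulting the baseline. The 03:00 case shows the adaptive layer doing something the static controls cannot: the access was approved in advance, yet because the account has never logged in at that hour the outcome is a step-up rather than a silent allow.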
Leveraging Artificial Intelligence (AI) and Machine Learning (ML) in a Zero Trust Strategy
One AI-based detection system covered by Emerj was reported to detect cyberattacks with 85% accuracy. (7) Examples of AI and ML applications in a Zero Trust strategy include the following:

Anomaly detection: AI and ML models can be trained to detect unusual patterns or behaviors in the organization's network. Deviations from normal activity may indicate potential security threats; for example, a spike in access requests from unfamiliar locations can trigger an alert for further investigation. (8)

Behavioral analysis: ML models can analyze user behavior and establish a baseline of normal activity for each user. Deviations from that baseline can flag potential insider threats or compromised accounts. (8)

Threat intelligence integration: By analyzing threat intelligence feeds alongside internal network data, organizations can make better-informed access control and mitigation decisions. ML algorithms can prioritize and contextualize threat intelligence, helping security teams focus on the most critical risks. (8)

Adaptive access controls: ML-driven access control mechanisms can adjust permissions dynamically based on real-time risk assessments. By continuously evaluating factors such as user behavior, device health, and network conditions, these systems can grant or revoke access privileges as conditions change. (8)

Case Studies
Case Study 1: Implementing Complementary User Entity Controls in a Retail Environment
A leading retail company implemented CUECs to enhance its third-party risk management, establishing strict access controls and clear usage policies for third-party vendors accessing its systems. By doing so, the company improved its ability to detect and respond to unauthorized access attempts, significantly reducing the risk of data breaches. The controls also led to better accountability and adherence to security protocols among third-party vendors.

Case Study 2: Adopting Zero Trust Controls in a Technology Firm
A technology firm adopted a Zero Trust strategy to manage third-party access to its network and critical systems. The approach required verification of every access request, regardless of source, and continuous monitoring of user activity. Through multi-factor authentication and least-privilege access, the firm ensured that only authorized users could reach sensitive data. The strategy not only prevented unauthorized access but also gave the firm granular visibility into third-party activity, enabling proactive threat detection and response.

Conclusion
While third-party assessments remain a cornerstone of TPRM, organizations also need the broader access controls that make risk management comprehensive. By validating both the design and the operating effectiveness of critical access management CUECs and implementing Zero Trust access controls, organizations can strengthen their resilience against the many risks of third-party relationships. AI and ML applications can help keep those access controls robust and responsive to evolving threats. TPRM is not just about the third party; it is about a holistic approach to risk management that safeguards the organization from within and beyond.

References
1. Black Kite, "Third-Party Breach Report," Vol. 5, 2024. [Online]. Available: https://blackkite.com/wp-content/uploads/2024/03/third-party-breach-report-2024.pdf
2. Imprivata, "Imprivata Study Finds Nearly Half of Organizations Suffered a Third-Party Security Incident in Past Year," February 13, 2025. [Online]. Available: https://www.imprivata.com/company/press/imprivata-study-finds-nearly-half-organizations-suffered-third-party-security
3. Security Magazine, "82% of companies give third parties access to all cloud data," January 26, 2021. [Online]. Available: https://www.securitymagazine.com/articles/94435-of-companies-give-third-parties-access-to-all-cloud-data
4. Cipher, Alex, "Zero Trust: Redefining Cybersecurity," 2024.
5. Cybercrime Magazine, "Multi-Factor Authentication is (Not) 99 Percent Effective," February 23, 2023. [Online]. Available: https://cybersecurityventures.com/multi-factor-authentication-is-not-99-percent-effective/
6. CTO (Core Team One), "Did you know? 74% of data breaches start with the abuse of privileged credentials," June 12, 2024.
7. Furness, Dylan, "An AI Cybersecurity System May Detect Attacks with 85 Percent Accuracy," Emerj, November 9, 2024. [Online]. Available: https://emerj.com/an-ai-cybersecurity-system-may-detect-attacks-with-85-percent-accuracy/
8. Goraga, Zemelak, "AI and ML Applications for Decision-Making in Zero Trust Cyber Security," Vol. 1, SkyLimit Publishing, 2024, pp. 2-3.
- What is Third Party Risk Management (TPRM)?
Introduction
In this post, we'll answer the essential question: What is Third Party Risk Management (TPRM)? Drawing from our Third Party Risk Management 101 Guidebook, this blog is a starting point for those who wish to establish, validate, and/or enhance a Third Party Risk Management Program. We'll introduce the foundations of TPRM and why it's critical for organizations today, breaking down the basics: key definitions, the types of risk posed by third parties, how to assess and measure those risks, and the first steps in managing and mitigating third party risk exposure. Whether you're new to TPRM or looking to enhance your program, this post will guide you through the essentials.

Definitions
What is a Third Party? For our purposes, Third Party is broadly defined to include all entities that can or do provide products and/or services to an organization, regardless of whether a contract is in place or money changes hands. Such entities include, but are not limited to: affiliates, subsidiaries, consultants, contractors, subcontractors, vendors, service and solution providers, fourth parties, and more.

Historically, organizations procured services from third parties for cost-efficiency. Today the reasons have greatly expanded and include, but are not limited to:
Outsourcing critical processes
Quickly scaling services to reach global markets
Focusing on more strategic priorities
Reaching niche markets
Gaining additional expertise and functionality
As this evolution occurs, the risk and impact posed by third parties to organizations increases. Third Party Risk, therefore, is the possibility of an adverse impact on an organization's data, financials, operations, regulatory compliance, reputation, or other business objectives, as a direct or indirect result of one of the organization's third parties.

So, how do you properly mitigate third party risk? By having a strong TPRM program. But what does TPRM entail? Third Party Risk Management (TPRM) is the framework of policies and procedures, controls, governance, and oversight established to identify and address the risks that third parties present to an organization. A Control is a process and/or activity used to monitor, review, and/or address a specific risk.

What is TPRM?
Third Party Risk Management is not a new concept, but its importance continues to grow due to:
The threat landscape growing in complexity
Organizations relying more heavily on third parties to support critical services
Digital transformation projects gaining momentum
Increasing regulation
Environmental impacts
In addition, regulators scrutinize organizations more closely to ensure they understand the risks and impacts their third parties pose. Gone are the days when an organization could simply attest that it has a compliance program in place; regulators now require organizations to demonstrate that their third parties have effective controls and compliance programs. To ensure that third parties operate securely and effectively, an organization must implement and maintain an effective TPRM program that identifies, assesses, monitors, and mitigates the risks related to outsourced data and processes. Customers, board members, and regulators expect organizations to maintain effective TPRM programs; these stakeholders want assurance that the organization is identifying and managing third party risk appropriately to protect their interests and uphold compliance standards. But what risks specifically should a TPRM program consider?

Potential Risks with Third Party Relationships
Organizations that hire third party services frequently share data and intellectual property with those providers. For our purposes, Organizational Data refers to all proprietary and restricted data a company holds, processes, and/or secures, including its customers' personal data. Third parties often access, transfer, manipulate, and store organizational data, which increases the risk to the organization that owns it. While third parties share some responsibility for protecting this information, the primary responsibility lies with the organization itself, which must ensure that third parties are properly safeguarding both its data and its customers' data. An organization is only as strong as its weakest link, and that link may be a third party.

The risk of engaging a third party depends on the type of relationship between the organization and the third party and on the controls the third party has in place. While there is no way to completely eliminate the risk of a data breach or other incident, an organization can take steps to understand the risk of working with a third party and to mitigate it appropriately. Failing to properly identify, assess, and manage the risks of third party relationships can have significant consequences: scrutiny from regulators, fines and other legal repercussions, and serious reputational or financial damage to the organization's relationship with its customers.

What Types of Risk Are There?
A third party relationship can introduce many types of risk to an organization. TPRM programs no longer focus on cyber risk alone; they must also review a third party's financials, operations, and even environmental and social impacts. Social impacts relate to labor practices, environmental controls, and organizational governance practices. Here are just a few of the risks a third party could present to your organization:

Reputational Risk: Results from a negative public view related to dissatisfied customers, interactions inconsistent with institutional policies, inappropriate recommendations, security breaches that disclose customer information, and/or violations of laws and regulations.
Operational Risk: Results from inadequate or failed internal processes, people, and/or systems.
Strategic Risk: Results from failing to align strategic goals with business objectives, and/or from an activity that jeopardizes an organization's strategic objectives.
Transaction Risk: Results from issues with service and/or product delivery, or a third party's failure to perform as customers expect. An organization can also be exposed to transaction risk through inadequate capacity, technological failure, human error, and fraud.
Financial Risk: Results from a third party's failure to meet or align with an organization's monetary requirements and expectations.
Cybersecurity Risk: Results from the probability of exposure or loss of organizational data due to a technical failure, event, or incident (including a breach).
Environmental, Social, and Governance (ESG) Risk: Results from an organization's environmental, social, and governance impacts, based on its decisions and daily activities.
Compliance Risk: Results from a violation of laws, rules, and regulations, or from non-compliance with internal policies or procedures.

Other types of risk vary with how the business uses third parties, the efficacy of the third parties' internal controls, and the locations in which they operate. Organizations must carefully evaluate their third parties' controls to ensure that risks are avoided, mitigated, shared, transferred, or accepted in accordance with their risk management framework, guided by their risk appetite.
An organization’s risk appetite refers to the level of risk that it is willing to accept or reject. Every organization possesses a risk appetite, even if it is not formally documented. If your organization doesn’t have a formal risk appetite statement, it’s important to closely monitor the third-party risks that are accepted or overlooked, as these choices can provide an informal understanding of the company’s risk appetite. Essentially, paying attention to how your organization handles these risks can help clarify its risk tolerance. The Evaluation of Third Party Risk Assessing third party risks and the controls in place to mitigate those risks is crucial when deciding whether to contract with a third party provider. It is also important to how the organization will conduct ongoing monitoring of the relationship. Understanding the nature of the services that the third party will provide is essential to grasping their potential impact on your organization. This knowledge enables businesses to proactively prepare for any challenges that may arise if the third party fails to deliver the promised products or services. The key to effectively leveraging the products and services of a third party, in any capacity, is for an organization to properly identify, assess, mitigate, and monitor risks associated with doing business with their third party. There are two types of risk: inherent risk and residual risk. Inherent risk refers to the level of risk associated with a third party product or service. An inherent risk assessment does not consider any third party controls that may be implemented to mitigate these risks. When assessing inherent risk, several factors are considered, including the nature of the product or service offered, the type of data accessed or transferred, the geographical location of the third party, and the financial amount involved. Importantly, it does not include any protective measures the third party may have established to reduce those risks. 
Inherent Risk Inherent risk is usually assessed before conducting any detailed evaluations of the third party. This assessment offers a worst-case scenario of the third party's potential risks if all controls have failed. It helps categorize the third party and determine the required due diligence efforts, as well as the timing of future assessments based on the level of risk they pose to your organization. Residual Risk Residual risk refers to the level of inherent risk that remains after controls have been evaluated and any identified risks have been addressed. This concept gives a clearer understanding of the risk landscape associated with a third party by assessing the adequacy and effectiveness of the controls in place. Formula for Risk: Risk = Impact of Risk x Likelihood Risk Will Occur Risk is calculated by multiplying the level of risk (meaning the impact it could have on the organization) by the likelihood that it will occur. The velocity at which risk could occur may also be considered when calculating likelihood. What to do with Discovered Risks After an organization calculates the risk associated with a third party, it may choose to accept, remediate, share, transfer, or avoid the identified risk. The following outlines how each of these options functions. Accept When organizations accept risk, they acknowledge that the potential loss or impact from a risk is at a level that the organization is willing to accept and/or not treat immediately. Risk acceptance should be temporary until the risk can be appropriately mitigated or a secondary control can be put in place. Remediate To remediate risk, organizations work with a third party to create and implement an achievable action plan to add or enhance controls. Risk remediation can lessen the likelihood of occurrence or the risk's impact on an organization. Share Risk sharing allows an organization to distribute the responsibility of a risk across multiple organizations and/or individuals. 
This ensures that the impact of the risk isn’t felt by one organization and/or individual. Risks can be shared by implementing controls across organizations to address the risk and/or contractually sharing the responsibility of risk impact should it be realized. Transfer A risk transfer often occurs in instances where the impact of risk is high but the likelihood of the risk occurring is low. Organizations can then transfer the risk to another organization, such as an insurance company, that is better suited to handle large-scale risk. Avoid Organizations can choose to avoid a risk by not taking on it or avoiding actions that cause it. From a third party risk perspective, this usually involves disengaging with a third party and/or terminating services. Regardless of how an organization chooses to address risk, it must first have processes in place to discover and assess it. This is accomplished through the implementation of a strong Third Party Risk Management Program. Conclusion In conclusion, Third Party Risk Management (TPRM) is a crucial aspect of ensuring an organization's security, compliance, and overall resilience. As reliance on third parties increases and the threat landscape becomes more complex, implementing a well-structured TPRM program is essential. By identifying, assessing, and managing the various risks presented by third parties—such as operational, regulatory, reputational, financial, and cyber risks—organizations can proactively mitigate potential threats. Through effective TPRM practices, businesses can better protect their operations, maintain regulatory compliance, and preserve their reputation in an ever-evolving risk environment. Related Resources: TPRM 101 Guidebook What is TPRM Video
- Achieving Third-Party Risk Management Program Compliance With Vendor Collaboration
Maintaining a compliant third-party risk management (TPRM) program involves active collaboration between multiple stakeholders. Compliance isn’t just an objective but a shared responsibility throughout your organization, from senior management and the board of directors to the business lines and vendor owners. Vendors themselves also have a responsibility to comply with TPRM policies and regulations, so it’s crucial to develop a strategy that involves effective collaboration. In this blog, you’ll learn some tips on collaborating with your vendors to achieve compliance in your TPRM program. You’ll also learn some next steps to take when a vendor is creating challenges in your compliance efforts.

How to Achieve Third-Party Risk Management Compliance Through Vendor Collaboration

TPRM program compliance involves more than just reacting to specific laws and regulations. It's about being proactive and considering internal policies, rules, and industry best practices that are designed to maintain effective TPRM programs. Below are some proactive strategies to collaborate with your vendor and achieve TPRM program compliance across multiple expectations and standards:
  - Set a culture of compliance – In order to effectively set expectations for your vendors' compliance, it’s advisable to first establish your organization's values and practices for your TPRM program. Organizations should communicate priorities internally to foster a culture of compliance that’s clearly understood and endorsed by all stakeholders. Once this culture has been established, it can be more effectively conveyed to your vendors, leading to smoother collaboration and program compliance.
  - Follow up on due diligence – Compliance issues are usually identified during the due diligence process as you collect and review the vendor's documentation. Follow up on any issues that were found and ask for clarification or more information as needed. In some cases, the vendor may have additional documentation that can verify its compliance with your expectations.
  - Negotiate a compliant contract – Make sure to include contract provisions that require both parties to comply with applicable laws and regulations. These provisions could relate to areas such as data protection, privacy, and breach notification requirements. Contract provisions could also outline any internal compliance requirements set by your organization, such as following your corporate policies or industry standards.
  - Communicate early and often – Don’t assume that your vendor is staying updated on changing regulatory expectations and industry standards. New state privacy laws continue to emerge, and cybersecurity standards are revised to address new vulnerabilities, so it's essential to frequently communicate your expectations to ensure the vendor is aware of relevant changes and is updating their processes as needed. This ongoing communication is key to building a collaborative partnership.
  - Work together on remediation – Just as compliance should involve vendor collaboration, so should remediation plans. Whenever there are issues with compliance, work with the vendor to develop a remediation plan that’s actionable, effective, and time bound. Vendors may be more responsive to requests for improvement if they collaborate on the remediation plan and can identify any roadblocks to success.

Addressing Challenges With Vendor Compliance

It’s not uncommon to face compliance challenges with vendors who might have different strategic goals and priorities. Some vendors may choose to do the bare minimum in compliance and only meet applicable laws and regulations. Here are some suggestions for handling a vendor that isn’t collaborative in your compliance efforts:
  - Talk with the vendor – First, sit down and have a conversation with the vendor about any issues to better understand their perspective. There may be a misunderstanding about a certain requirement, or they may not have the resources to meet your expectations. These conversations can help clarify your compliance goals and determine if you and the vendor can work toward an improvement plan.
  - Document issues and progress – Make sure to document any compliance issues and improvement plans, along with a time frame for remediation. It’s important to track any progress made on the compliance issue and regularly follow up with the vendor for updates until the issue is resolved.
  - Increase monitoring – In addition to documenting the compliance issue, you may need to increase your ongoing monitoring activities with the vendor. Depending on the issue, this may include more frequent reviews of the vendor’s financial health, business continuity risk, security testing, or negative news.
  - Move forward with the exit strategy – If the vendor isn’t following the requirements to an extent that’s too severe and beyond your risk tolerance, you may need to think about ending the relationship. Evaluate your plan for ending the relationship and start talking to the right people to make sure your organization can end the vendor relationship securely. Following through with your plan to end the relationship might take more time and resources, but it could be a worthwhile effort to keep your TPRM program in compliance.

Collaborating with your vendors through due diligence, careful contract negotiations, and remediation plans can be an effective strategy for TPRM program compliance. When you build a culture of compliance that extends to your vendors, your organization’s TPRM program can achieve many benefits, such as satisfying regulators and following your internal standards.
- Third Party Risk Management Framework
TPRA recently released their Third Party Risk Management (TPRM) 101 Guidebook, a document that details the TPRM framework that all mature programs should have in place. It walks readers through all phases of the TPRM lifecycle and provides them with practical tools, tips, and examples for its implementation. It was developed over the course of three years from the input of numerous TPRM Practitioners, subject matter experts, and TPRM Service Provider organizations (i.e., the Third Party Risk Management Community). This Guidebook is the first of its kind, with close to 150 pages of in-depth details on the TPRM Program Lifecycle, with each section breaking down one of the six lifecycle phases. It comes complete with definitions, notes, examples, charts, diagrams, relevant resources, and best practices, all designed with the goal of ensuring successful implementation and/or enhancement of your current TPRM program.

The TPRM lifecycle outlined within the guidebook includes six phases:
  - Planning and Oversight - Provides an organization with the foundation to build upon and properly support their overall program.
  - Pre-Contract Due Diligence - Ensures the organization performs due diligence, commensurate with the level of inherent risk, to determine if the organization should proceed with a specific third party relationship, prior to signing a contract. This phase assists with determining if a third party meets business needs in relation to the risk presented.
  - Contract Review - Ensures the organization documents relationship expectations in an agreement that can be upheld in a court of law. It also ensures risks noted within the due diligence process can be addressed within contractual clauses.
  - Continuous Monitoring - Requires the organization to assess third party risk on a continual basis to ensure contract terms, business obligations, legal and regulatory requirements, and performance expectations are met.
  - Disengagement - Ensures the organization is able to transition away from a third party with minimal impact should the relationship end due to contract expiration or when adverse/unplanned conditions are met.
  - Continuous Improvement - Is an ongoing activity which seeks to enhance the organization’s TPRM program as third party risk management guidance, trends, and techniques are realized.

The guidebook is currently available to TPRA members only. TPRA Members are able to get their FREE copy by clicking the link below. As this is the first edition draft of the Guidebook, TPRA members can also submit relevant comments, suggested edits, proposed additions, and/or critiques for the Guidebook, using the link below. The comment period will run through Friday, October 13th. Once comments are reviewed and edits are made, the guidebook will be available for free to the entire TPRM community.

The guidebook will also be the foundation for TPRA's next certification, the Third Party Risk Management Practitioner (TPRMP). This certification will be available for pre-order Fall of 2023 and launch in early 2024.

To provide readers with a taste of what is included in the Guidebook, see below a small excerpt from the "Contract Review" section.

"It is important for TPRM practitioners to have a seat at the table (or be involved) when REVIEWING CONTRACTS. Third party contracts typically involve clauses related to cybersecurity, data protection, regulatory compliance, and other risk areas that are critical to protecting the organization. By having a seat at the table, practitioners can provide valuable insight and guidance as subject matter experts on these topics. TPRM practitioners are responsible for proactively identifying and mitigating risks associated with their organization's third parties. Therefore, by reviewing contract clauses, practitioners can identify potential risks in cybersecurity-related contract clauses before they impact the organization, as well as work towards mitigating identified risks.

TPRM Practitioners should work closely with their Legal and Procurement teams to ensure contracts align closely with their organization’s risk management strategy. Templates for cybersecurity requirements should be drafted to ensure they provide sufficient coverage of key controls, define expectations for participating in compliance monitoring activities (i.e., due diligence assessments), as well as providing evidence items upon request, and detail appropriate remedies in the event that the third party fails to meet its obligations under the agreement. See the “CR 2 – Contract Clauses & Template Agreements” subsection for a detailed list of specific contract clauses you may want to include within your contracts, specifically for third parties with inherently high risks.

TPRM Practitioners may also want to review redlines within specific clauses that relate to cybersecurity terms, as well as terms that would allow a practitioner to perform his/her duties (such as a “Right to Audit or Review” and/or “Termination” clause). This will ensure any changes made to these clauses remain in line with the organization’s risk appetite and control expectations. Practitioners can also ensure any high-risk findings noted during the due diligence process are noted within contractual terms. TPRM practitioners should work closely with legal counsel to ensure that the contractual language is clear, specific, and enforceable.

It is important to perform due diligence activities before a contract is signed. In doing so, companies can identify potential risks related to the third party’s financial stability, legal and regulatory compliance, reputation, cybersecurity intelligence, and other relevant factors. This can help companies make informed decisions about whether to enter into a contract with the third party and what contractual terms and conditions should be included to mitigate risks.

Contracts should be reviewed on a regular cadence to confirm they remain in line with your organization’s risk appetite, as well as reflect any emerging risks that have been identified. If changes need to be made to bring contracts in line with current standards, then an amendment should be considered. Contract changes could also be made during the renewal process. It is important to have a clear and comprehensive contract in place at the beginning of the relationship to avoid misunderstandings and disputes later on. However, if changes need to be made to the contract, they should be made in a timely and transparent manner. The contract should include provisions for how changes will be made and how they will be communicated to all parties involved. The parties should negotiate the changes in good faith and reach an agreement that is fair and reasonable to all parties.

BEST PRACTICE: TPRM practitioners should assist with the creation and review of contract clauses that relate to cybersecurity terms, as well as terms that will allow a practitioner to perform his/her duties, to ensure that the organization is protected from cybersecurity and other risks associated with third parties."

TPRA also recently created a video on the Contract Review process. Click the link below to view the video and subscribe to Third Party Risk Association's YouTube channel.
- Challenges in Managing Fourth- and Nth-Party Risks and Solutions
Managing third-party risks can be a complex task. With a changing regulatory and technological landscape, even experienced professionals find it challenging to stay on top of evolving risks. In addition to these difficulties, there are also risks associated with fourth parties – the vendors of your vendors. These additional parties can add another layer of complexity to third-party risk management (TPRM). Managing fourth and nth parties isn’t the easiest skill to master, but it is one that’s necessary to gain a broader understanding of your organization’s risk landscape. The good news is that there are a few best practices that can help. Once you know how to identify, assess, and manage your fourth and nth parties, your overall TPRM program will be much more effective.

Challenges in Managing Fourth- and Nth-Party Risks

Fourth parties are the vendors that have a direct contract with your third parties, while nth parties are essentially all the vendors of your fourth parties and beyond. As you can imagine, these degrees of separation can create many challenges when it comes to managing risk, such as:
  - No choice: With few exceptions, your organization generally can’t choose your fourth or nth parties. In some cases, your third parties may have a different risk appetite than your organization regarding a particular vendor. This might create a situation where you decline working with a third party because of its vendor inventory.
  - No direct relationship: Your organization has no direct relationship with fourth and nth parties, which means you likely can’t perform TPRM practices, like risk assessments, due diligence, and ongoing monitoring. These practices must instead be performed by your third parties. Organizations often have little to no influence on how nth parties respond.
  - No contract: Since your organization doesn’t have a direct relationship with a fourth or nth party, there’s no contract to protect the organization from risk. Without a contract, there’s also no leverage to manage fourth parties’ performance or set any expectations around service level agreements (SLAs) and data breach notifications.
  - No due diligence: Managing fourth- and nth-party risks is especially challenging when you don’t have the ability to perform due diligence. Fourth and nth parties typically don’t provide documentation unless an organization has a direct contract. Your organization may have a high-level view of nth-party risks, but many details will still be unknown.

Solutions to Managing Fourth- and Nth-Party Risks

When your organization has no direct relationship and no leverage to perform risk management activities, it can seem almost impossible to manage fourth- and nth-party risks. However, there are still practices to implement to mitigate the risks. The most effective strategy is to manage risk through your third parties, with whom you do have leverage. Here are five solutions to manage your fourth and nth parties:

1. Require Transparency - Third parties should be required to disclose which of their vendors have an impact on your organization. These vendors might access sensitive information or be essential to your third party’s operations. Your organization should essentially identify your third party’s critical vendors. Fortunately, these critical vendors will be listed in the third party’s SOC report. Focusing on critical fourth parties is a much easier solution than trying to create a complete list of every fourth and nth party.

2. Review TPRM practices - Since you can’t manage fourth- or nth-party risk directly, it’s important for your third parties to have effective TPRM practices in place. When reviewing due diligence and monitoring your own third parties, you’ll need to evaluate how they manage their vendors’ risk. Make sure your third parties are performing their TPRM activities effectively and consistently.

3. Leverage contracts - When onboarding a new vendor, there are a few ways to use the third-party contract to manage fourth-party risk and beyond. Consider adding contractual provisions that obligate third parties to manage their vendors through SLAs, data breach notifications, and a right to audit. This will ensure third parties are following the same TPRM best practices as your organization.

4. Manage any issues - Suppose you discover your third party doesn't assess their vendors, verify controls, or monitor risks. When issues arise, communicate with the third party and amend the contract, if possible, to require stronger TPRM practices. Any issues should be documented through remediation and reported to senior management and the board.

5. Reconsider the relationship - There will always be some level of fourth-party risk in third-party relationships, so your organization needs to determine for itself what’s acceptable. Depending on your organization’s risk appetite, strategic goals, and other factors, you may decide it’s best to reconsider the third-party relationship. This can mean either selecting a different third party during onboarding or proceeding with your exit strategy if you’ve signed the contract.

Managing fourth- and nth-party risk can be complex. While you may not have a direct relationship or contract with fourth parties, it’s crucial to ensure your third parties are transparent about their third-party relationships and have robust third-party risk management practices. Your organization needs documented evidence from your third parties of fourth-party risk assessments, due diligence, and monitoring to ensure your third parties are managing their vendors safely. This visibility will give your organization confidence in the appropriate management of fourth-party vendors.
- Taking a Risk-Based Approach to Procurement: The Importance of Executive Buy-In
It’s time for executives to rethink the role procurement professionals hold in organizations, and this shift is critical to reducing organizational risk, boosting resilience, and increasing return on investment (ROI). While the traditional approach to procurement centered on margin impact and managing suppliers from an operational perspective, there is an evolution taking place requiring forward-thinking organizations to focus on the long-term strategy and impacts that the role is playing in today's world. This increased recognition of the vital position of procurement is seen across all industries, and according to Deloitte Insights, “CPOs are successfully navigating… complexities while delivering across a greater breadth of KPIs. Although they are still heavily focused on costs, they have expanded their value propositions to influence demand, drive innovation, and work closely with strategic suppliers and partners to foster commercial compliance, increase speed to market, accelerate M&A integration/divestiture programs, and drive continuous improvement.”

There are high-stakes risks that necessitate procurement’s shift to a more holistic strategy. However, without the buy-in and support of executives, these initiatives can lose momentum and support.

Why a Risk-Based Approach to Procurement?

No longer can procurement departments solely serve cost-savings functions. They must also be aware of risks introduced by key suppliers and be provided with the appropriate tools and technology to proactively manage them before major losses or breaches occur. Heightened risk areas that are leading this necessary shift in procurement’s functions include:
  - Isolated or siloed procurement functions: Traditional procurement departments were de-centralized from the larger organization and focused on transactional, short-term initiatives. Organizations that still exemplify these silos face challenges when it comes to managing risks from all angles. Driving collaboration and strategic initiatives between departments from the top down is a best practice for eliminating these silos, while still managing a daily workload of financial responsibilities.
  - Elevated third-party risks: Third-party risks are rising, and can take the forms of cyber-attacks, supply chain delays, component shortages, sustainability challenges, and more. As the incidence of these events rises, organizations are increasingly being held accountable, and procurement plays a critical role in managing vendor relationships.
  - A multitude of unorganized, decentralized data points: Procurement professionals deal with a huge amount of data related to personnel, finances, operations, regulation, contracts, and more. When this type of information is stored on different platforms, inconsistent, incomplete, or managed by different teams, procurement cannot gain proper insight into potential external risks facing the organization.

Transforming Chaos into Clarity

As the role of procurement has evolved, procurement professionals are moving from transactional managers to strategic relationship managers, focusing on developing and managing a wide variety of data points across all aspects of their supplier relationships. In order to understand the riskiness of suppliers and third parties, procurement professionals need to wade through all of this information with efficiency and ensure alignment with both company strategies and global regulatory mandates. To do this, third-party risk management software needs to be available that provides centralization of data, full visibility, and documentation for audit trails. Procurement needs to play a key role in managing and utilizing this software in order to monitor vendor relationships and performance. In addition, it is imperative that procurement maintains healthy, collaborative internal relationships to ensure that organizational teams like IT, compliance, finance, sustainability, and others are well informed, with real-time visibility to potential risks, and are able to sustain positive working relationships with suppliers.

Areas Where Executives Can Assist Procurement

Without the buy-in and support from executives and key stakeholders, procurement teams will not be able to make holistic risk management improvements. While not everything will be implemented immediately, there are general aspects of agility that should be on procurement and executives’ agendas, including:
  - Empowerment and a culture shift: Perhaps the most important area to undertake is to embrace the power that procurement holds within an organization. In the years since the pandemic, CPOs and their teams protected their organizations, and executives should continue to take notice of these critical functions. Procurement should be empowered to include themselves in company strategy and products that matter, build teams to better combat emerging risks, and find ways to drive positive change.
  - Thinking holistically: To take TPRM beyond a single function and into holistic areas for acceleration, CPOs should be empowered to focus on their collaboration and influence across job functions, not just as a spend relationship. Being involved in the entire third-party/supplier relationship management process ensures agility. This allows prioritization of suppliers who may pose a higher risk to an organization, rather than relying on a one-size-fits-all procurement strategy that may allow risks to fall through the cracks.
  - Company strategy: By shifting a primary focus to long-term initiatives and goals, procurement professionals can gain a greater foothold in wider organizational strategy. This includes determining risk management priorities, and working with risk, legal, executive, and other teams to better manage supplier onboarding, relationships, and risks. By being in tune with company strategy and thinking of procurement activities from a risk-based approach, procurement teams step out of the shadows and into more collaborative roles.
  - Digital transformation: A key step to take is to build scalable practices rather than one-off pilot programs. By prioritizing data cleanup and investment in TPRM tools that can build centralization and efficiency, CPOs can work with executives to see positive impacts across the organization that support overall risk management. If there are challenges with incorporating digital procurement technology into an organization, gaining executive sponsorship is a critical way to garner support and investment in the tools that will assist in managing procurement and supplier data. Emphasizing both short- and long-term goals and wins, and how these technologies will drive organizational resiliency and agility, can be critical when approaching executives.
  - Environmental, Social, Governance (ESG) urgency: The magnitude of environmental, social, governance (ESG) regulations and compliance is reshaping how organizations manage suppliers, affecting not only procurement, but legal, compliance, risk functions, executives, and more. With concerns such as climate change, eliminating human trafficking and modern slavery from supply chains, identifying and eliminating corruption, etc., procurement must work with executives to take a driving role in ensuring that third-party vendor relationships are compliant and ethical.

Shifting Company Culture for Procurement Success

Maintaining healthy supplier relationships is not just about onboarding; it must also include managing the risk, quality, and performance of suppliers and assuring compliance where needed, while still owning the transactional responsibilities that are at the foundation of this role.
The procurement team is the bridge between the enterprise and the extended enterprise: the organization and its suppliers. No one knows suppliers as intimately as procurement. They, like no other function, can make predictive connections between their suppliers and the risks they may pose to the enterprise. In addition to mitigating risk, procurement has the unique opportunity to drive innovation for the enterprise by partnering with suppliers to identify new products, materials, capabilities, and offerings. In order to manage these responsibilities, drive efficiency, and take a risk-based approach to procurement, executives within a company need to recognize procurement’s strategic value to the organization. They must step up to establish an organization-wide culture that empowers procurement to be a driver in managing the full lifecycle of their organization’s supplier and third-party relationships. Aravo provides centralized, automated TPRM solutions to help procurement and other risk teams proactively manage risks and build resilience throughout their organizations. To learn more, speak with one of Aravo’s experts today. Author Info: Hannah Tichansky is the Senior Content Marketing Manager at Aravo Solutions , the market’s smartest third-party risk and resilience solutions, powered by intelligent automation. At Aravo, she manages all content and thought leadership produced for products and campaigns and contributes as an author for articles and blog posts. Hannah holds over 13 years of writing and marketing experience, with 7 years of specialization in the risk management, supply chain, and ESG industries. Hannah holds an MA from Monmouth University and a Certificate in Product Marketing from Cornell University.