- Creating a TPRM Budget
"Creating a TPRM Budget" is a one-page infographic that provides a sample budget format to help risk management teams build and present a clear, effective budget. It outlines the essential components of a TPRM budget, including cost avoidance, operational resilience, return on investment (ROI), measurable key performance indicators (KPIs), and multi-year forecasting. By using this framework, organizations can showcase the value of their TPRM program, align with strategic goals, and gain executive buy-in for future investments. Download the infographic to use as a quick reference and support your next TPRM budget presentation.
- Establishing Accountability in Third Party Risk Management
This resource, Establishing Accountability in Third Party Risk Management (TPRM), provides a concise yet powerful framework for embedding accountability into TPRM programs. Built around the Three Lines of Defense model introduced by the Institute of Internal Auditors (IIA), the guide highlights how operational management, risk/compliance functions, and internal audit each play a distinct but interconnected role in protecting the organization from third-party risks. It outlines: First Line (Operational Management): Frontline teams managing vendors and risks directly. Second Line (Risk Management & Compliance): Dedicated teams ensuring oversight, building policies, and supporting consistent risk management practices. Third Line (Internal Audit): Independent assurance to evaluate effectiveness, verify compliance, and recommend improvements. The resource emphasizes that effective TPRM is not just about tools and processes, but about making accountability part of organizational culture. With clear responsibilities and a strong governance structure, TPRM professionals can drive transparency, reduce risk exposure, and enhance resilience. This downloadable guide is designed for any TPRM practitioner seeking a quick-reference tool to strengthen accountability within their programs.
- Budgeting for Third Party Risk Management (TPRM)
This blog was inspired by the presentation by Julie Gaiaschi, CEO & Co-Founder of TPRA, at TPRA’s September 2024 Practitioner Member Meeting. (To watch the full presentation, TPRA Members can visit our On-Demand Webinars page and navigate to the September 2024 meeting recording.) In Third Party Risk Management (TPRM), establishing a thorough and well-structured budget allows teams to not only support their program’s current needs but also helps plan for future maturity efforts. A budget can also show the value TPRM brings to your organization. This is important because it allows executives to understand what you are doing, where you plan on going, and the return on investment (ROI) when you get there. So, how do you go about developing a strategic TPRM budget? In this blog, we will cover: Demonstrating Your TPRM Program’s Value Key Budget Considerations Resources Operations Travel Program Maturity Tools Sample Budget Format Demonstrating Value It is important to first demonstrate the value of your TPRM program to executives. There are many ways to demonstrate the value of your program and team to receive executive support on the TPRM budget. This ensures they understand the program's importance and the return on investment the organization receives from funding the TPRM program. To start, articulate the value of mitigating third party risks, such as protecting sensitive data, ensuring operational resilience, and minimizing financial and reputational impact. Then, tie in how the TPRM budget aligns with the organization’s strategic goals, like reducing risk exposure, ensuring compliance, and maintaining business continuity. It is important to share how the TPRM budget aligns with the organization’s goals, to ensure buy-in and support. Note the TPRM program does not relate to the main organization-wide activity and is everyone's responsibility. Next, show how the budget is allocated based on the level of risk posed by different third party relationships.
High-risk vendors (e.g., those with access to sensitive data or critical systems) may require more scrutiny and more investment. You will also want to discuss the evolving risk environment, including cybersecurity threats, regulatory changes, and geopolitical factors, as well as how this influences the allocation of resources in the TPRM budget. Another aspect to highlight is the potential financial consequences of failing to manage third party risks, such as regulatory fines, penalties, or breach-related costs. You can include considerations for the costs associated with responding to third party-related incidents, such as legal fees, forensic investigations, and customer notification processes. If incident response costs are included in a different budget outside of TPRM, then note that, as incident response is a big piece of managing risks. You may also want to provide benchmarking data to show how the organization’s TPRM budget compares to industry peers. This can justify the budget request and demonstrate that the organization is staying competitive in its risk management approach. Lastly, discuss how the budget reflects the organization’s risk appetite and tolerance. Highlight the balance between cost and the need for adequate risk mitigation measures to protect the organization from potential third party-related failures. Be sure to provide examples of how the organization can optimize costs by focusing on the most critical third party risks and leveraging tools to reduce manual workload. Key Budget Considerations After you’ve demonstrated your program’s value to the organization, it’s now time to create your formal TPRM budget. Items to consider include, but are not limited to: Resources are centered around current and future employees, or contractors, as well as the costs associated with training them.
You may also want to note if pieces/parts of the program will be allocated to other departments (which should also have a budget for risk assessment activities), as well as the cost savings associated with the allocation for your department. Operations include costs associated with daily tasks and running the TPRM program (such as variable and fixed costs). This also includes costs associated with regulatory compliance and incident response. Travel can include costs associated with onsite visits, disaster recovery testing, disengaging with a third party, and other travel required. Travel costs can also include responding to incidents with in-person meetings. Program Maturity includes costs associated with TPRM program enhancements required, and what is needed to get there. Program maturity is important because while your budget says what you want to do, program maturity can show your executives where you are headed. You can note what process enhancements you are looking to make and how those enhancements will improve your program. Tools include budgeting for TPRM program automation. You can also estimate the cost savings a tool(s) will bring to your organization. Specific tool types you will want to consider include, but are not limited to, Governance Risk Compliance (GRC) tools, TPRM Platforms, Risk Rating/Risk Intelligence tools, and TPRM Services (such as consultants). Sample Budget Format Your budget should detail the value your TPRM program brings to the organization, the return on investment, and enhancements you wish to make to continuously improve program activities. Below is an example budget format that can be leveraged. Executive Summary: Briefly explain the purpose of the TPRM budget, aligning it with the organization’s strategic goals and objectives. This should highlight why TPRM is essential to mitigating risks and ensuring compliance.
Value of TPRM Organization: Here is where you can explain how the TPRM program aligns with and supports key business objectives, such as safeguarding the organization’s reputation, maintaining compliance with regulations, and protecting against supply chain disruptions. Cost Avoidance: Provide examples of how TPRM has helped avoid costly incidents, such as data breaches, regulatory fines, or business disruptions. This can be a bit harder to identify or call out, but it does paint a clearer picture for the board and executives. Operational Resilience: Highlight how the program ensures the stability of operations, particularly in managing critical vendors. Return on Investment: Share how the TPRM program is providing value to the organization by comparing the cost of managing third party risk to potential financial damage avoided, similar to operational resilience. Budget Breakdown: Include a detailed breakdown of your budget, to include any budget subcategories. Key Performance Indicators (KPIs) & Metrics: Lay out specific KPIs to measure the success of the TPRM program and the effectiveness of the budgeted items. Include metrics that show how the program is reducing risk exposure, such as lower incident rates, reduced financial impact from third party risks, or improved risk scores from third party risk management platforms. Risk Assessment & Mitigation: Note potential risks to the TPRM program itself, such as lack of resources or budget constraints, and how they will be mitigated. Clearly explain the risks of underfunding the TPRM program, such as increased vulnerability to cyberattacks, compliance failures, or vendor disruptions. Multi-Year Budget Forecast: Highlight potential areas for future investment, such as automation, artificial intelligence, or additional personnel to manage an increasing number of third party relationships. Conclusion: Reinforce the critical role of TPRM in protecting the organization and mitigating vendor risks. 
Provide a clear and concise summary of the budget request, linking back to the strategic goals and value brought by the program. Then, ask for approval of the budget and support for any key investments highlighted in the report. Conclusion A well-crafted TPRM budget not only justifies the costs associated with managing third party risks, but also positions your program as a strategic asset to the organization. By clearly demonstrating how the budget supports business objectives, mitigates risks, and provides a solid ROI, you create a compelling case for continued and increased support. The insights and structure provided ensure that executives understand the critical role TPRM plays in protecting the organization, thereby making it easier to secure the resources needed for long-term success. Additional Resources TPRA Offers TPRM 101 Guidebook TPRM Tools Site Service Provider Profiles Resources TPRA Offers to Members Request for Proposal (RFP) Site The Business Case for Third Party Risk Management (TPRM): A Starting Point for Senior Leadership
- The Business Case for Third Party Risk Management (TPRM): A Starting Point for Senior Leadership
By Third Party Risk Association & Shared Assessments. As part of our ongoing support to the large global community of third-party risk practitioners and programs, the Third Party Risk Association (TPRA) and Shared Assessments have together prepared The Business Case for Third Party Risk Management (TPRM): A Starting Point for Senior Leadership. At a time when many firms are planning and finalizing their annual budgets, our two organizations developed this basic guidance for senior executives and board members to encourage them either to launch new or to mature legacy third-party risk programs in the coming year. Working with hundreds of companies and thousands of risk professionals globally, our two membership organizations bring decades of collective experience with third-party risk management, including what regulators and clients routinely expect from such programs. We hope that our combined experience will help the vast and growing audience of TPRM professionals and programs gain or expand the leadership commitment and budgets they need to improve their ability to protect their firms, their clients, and the related assets they are working to safeguard.
- Addressing Third Party Insurance Risk
This blog was inspired by the meeting facilitated by Julie Gaiaschi, CEO & Co-Founder of TPRA, at TPRA’s November 2024 Practitioner Member Roundtable. (To watch the full presentation, TPRA Members can visit our On-Demand Webinars page and navigate to the November 2024 meeting recording.) With insurance risk, it is crucial to evaluate whether coverage exists and if it can protect against potential liabilities. Furthermore, understanding the types of coverage available and the appropriate limits ensures that your organization is protected against unforeseen events. How can you evaluate coverage types and limits to ensure they align with your risk tolerance and provide the necessary safeguards? In this blog, we will cover: Addressing Insurance Risk What is Insurance Insurance Risk What To Evaluate Insurance Types & Limits What is Insurance The primary purpose of insurance is to mitigate the financial impact of unforeseen events or risks, providing individuals and businesses with a sense of security and stability. It is a transfer of financial risk when the likelihood of a risk occurring is low but the impact is high. If an organization is critical or high-risk, its insurance requirements should be specified in the contract. There should be a pre-contract evaluation of the insurance coverage and policies held by a third party to ensure they have adequate coverage to mitigate potential risks and liabilities. This assessment aims to confirm that the third party’s insurance meets your organization’s expectations, risk methodology, and risk appetite, while also ensuring adequate protection for both parties in case of unforeseen events. 
Insurance Risk There are many different types of insurance risk that can occur, including but not limited to: Insufficient Insurance Coverage Lapse in Insurance Coverage Irrelevant Coverage Lack of Umbrella or Excess Liability Out of Compliance w/ Contractual Requirements Changes to Policy Terms and/or Limits Failure to Address Emerging Risks What To Evaluate Evaluating a third party's insurance involves examining several factors to ensure their policies meet your organization's requirements and mitigate potential risks effectively. Below, you can read about the key aspects to consider during this evaluation. Coverage Types Evaluate the types of insurance coverage the third party holds, such as general liability insurance, professional liability insurance, cyber liability insurance, product liability insurance, workers' compensation insurance, and more. Certificate of Insurance (COI) Obtain and review the third party's Certificate of Insurance to verify the details of their coverage, including policy numbers, effective dates, coverage types, and limits. Coverage Limits Assess the coverage limits of the insurance policies to ensure they are sufficient to cover potential losses or liabilities that could arise from the third party's actions. Scope of Coverage Review the policy language to understand the scope of coverage, exclusions, and limitations of the insurance policies. Effective Dates Determine the renewal and cancellation terms of the third party's insurance policies to ensure continuous coverage during the contract period. Additional Insured Determine if your organization is named as an additionally insured party on the third party's insurance policies. This provides your organization with coverage under their policies for specified liabilities. Subcontractor Coverage Assess whether the third party's insurance extends to cover subcontractors or vendors that they may engage for services related to your business relationship. 
Coverage Gaps Identify any gaps in coverage that could leave either party exposed to risks that are not adequately addressed by the third party's insurance. Deductibles and Self-Insured Retentions Review the deductibles or self-insured retentions associated with the insurance policies and assess whether they are reasonable. Claims History Inquire about the third party's claims history and any significant claims or incidents that may have occurred in the past. Notification & Reporting Understand the third party's procedures for notifying the insurance carrier and relevant parties in the event of a claim. Insurance Types & Limits Below is a list of general guidelines for common insurance policies. Keep in mind that coverage needs can vary significantly, so always consult with insurance professionals and risk management experts to determine what’s appropriate for your specific situation. Disclaimer: The following is for informational purposes and does not represent insurance advice. General Liability Insurance: Coverage Purpose: Protects against claims of bodily injury, property damage, and personal injury due to your business operations. Recommended Coverage Limit: $1 million to $2 million per occurrence, with an aggregate limit (total limit for the policy period) of $2 million to $4 million. Professional Liability (Errors & Omissions): Coverage Purpose: Provides coverage for claims arising from mistakes, negligence, or failures in professional services or advice. Recommended Coverage Limit: $1 million to $2 million per occurrence, with an aggregate of $2 million to $4 million. Cyber Liability: Coverage Purpose: Protects against data breaches, cyberattacks, and related liabilities. Recommended Coverage Limit: Varies depending on the size and nature of the organization, but coverage limits of $1 million to $10 million or more may be appropriate. 
Umbrella or Excess Liability Insurance: Coverage Purpose: Provides additional coverage beyond the limits of the primary liability policies. Recommended Coverage Limit: Should provide enough additional coverage to handle catastrophic events. It's often recommended to have a limit that matches your total assets or potential liabilities. Workers Compensation: Coverage Purpose: Provides medical and wage replacement benefits to employees injured on the job. Coverage Limit: Determined by legal requirements in your jurisdiction. It typically provides benefits according to state laws. Business Interruption: Coverage Purpose: Provides coverage for lost income and operating expenses if your business is unable to operate due to a covered event. Recommended Coverage Limit: Should cover your anticipated revenue and necessary ongoing expenses during the interruption period. Product Liability Insurance: Coverage Purpose: Protects against claims arising from defective products causing bodily injury or property damage. Recommended Coverage Limit: Depends on the type of products, industry, and size of the organization. Limits could range from $1 million to several million dollars. Commercial Property Insurance: Coverage Purpose: Protects against damage or loss of physical assets, such as buildings, equipment, inventory, and furnishings. Recommended Coverage Limit: The limit should be sufficient to cover the replacement or repair costs of your assets. Consider the value of your property and potential rebuilding costs. Employment Practices Liability Insurance (EPLI): Coverage Purpose: Protects against claims related to employment-related practices, such as discrimination, harassment, wrongful termination, etc. Recommended Coverage Limit: Varies based on the size of the organization and potential risks, but coverage limits of $1 million to $5 million are common. 
Directors and Officers (D&O) Insurance: Coverage Purpose: Protects the personal assets of directors and officers from claims related to their management decisions. Recommended Coverage Limit: Varies based on the size of the organization, industry, and exposure, but limits of $1 million to $5 million are typical. Conclusion Evaluating insurance risk is an important aspect of third party risk management. By carefully assessing the coverage types, limits, and terms, organizations can ensure that both their own operations and their third party relationships are protected against potential liabilities. This comprehensive approach to insurance risk helps to ensure your organization is prepared and protected against potential challenges. Resources: Guidebook
- Finding Gaps in Third Party Risk Reviews
Many have questioned the value of a third-party risk questionnaire. How much information can you really glean from a questionnaire anyway? Especially since organizations want to look good and will frequently answer in the affirmative. The following is a list of adjustments Intermountain Health has made to our process to improve our security and decrease risk with vendors. Early on in our third-party risk journey we likely had a similar experience to most other teams. We created a questionnaire with yes, no, or not applicable answers. But there was one slight problem… Everyone was answering yes to everything. How could our questionnaire have value with only yes and no options? The value of adding the answer choice ‘partial’. As a result of vendors always answering “yes”, we had a few key follow-up questions we would ask. One of them was to ask for a ‘high level overview’ of the process they claimed to be following. What we discovered was that the process was either only partially followed, or the vendor was beginning to implement the process and therefore answered yes. Because of this realization, we decided to add a ‘partial’ option to our multiple-choice questions. This resulted in vendors better explaining their process. We found that simply offering the “partial” answer choice gave us better insight into the maturity of a vendor’s process. It also provided an avenue into further probing on topics that we deemed important to our organization. Compare what is said to what was said last time. Another change we made was to more closely compare the current questionnaire responses from a vendor to past responses from the business owner and the vendor. Key questions we ask and compare are with regards to data flows, data storage, current products and services provided. This has led to a discovery of several items such as data being stored offshore (which is against our standard) and products in use that currently do not have a security review completed. 
So, while we are still asking the same questions, we now have a baseline to work from and can determine if there are discrepancies that need to be addressed. Business visit and demo. Compare what is said to what is done. An additional change we have found beneficial is to visit with our internal business partners using the product. Although it has taken additional time, it has served us well as we have learned of process changes and additional data being sent to a vendor. In some cases, we found processes have changed compared to what was originally reviewed. These changes are then taken into consideration the next time we perform an assessment of the vendor. We also found cases where sensitive information was being uploaded to software that was not originally documented or approved. These visits also assist with questionnaire validation and we have found instances where vendor responses contradict the actual process and/or service provided. In short, a few strategies we have found beneficial include adding a “partial” choice within the vendor questionnaire, comparing questionnaire responses to past conversations with the business and vendor, and reviewing user-level processes and documentation provided by the vendor. While these enhancements have added a few extra steps to our assessment process, they have exposed additional vendor risk not normally discovered with the completion of a questionnaire.
- What Good TPRM Governance Looks Like
TPRM oversight supplies an organization with a strong foundation and the requirements needed to develop and steadily support their overall TPRM program. This then allows the program to address third party risks at the highest level, while ensuring governance structures are in place to run the program effectively. TPRM oversight will also ensure key stakeholders are aware of program requirements and assist with the implementation of said requirements. But what does good TPRM Oversight provide to your program? Accountability Consistency Support Value Let's take a look at the benefits noted above individually to determine what governance activities would be required to achieve each benefit. Accountability - Is the benefit from clear expectations and defined roles & responsibilities. Activities related to this benefit include, but are not limited to: Program Governance – Determine how your TPRM program will run. Will it be Centralized (one team/department is responsible for the majority of program activities) or De-Centralized (multiple teams/departments are responsible for pieces/parts of your TPRM program). Roles & Responsibilities - Clearly define all of the different roles each person/team/department will play. Chances are your entire organization will be impacted by your TPRM program as third party products/services are used by many. Key roles/responsibilities to define may include, but not be limited to, the Assessors, TPRM Program Leads (who will own/maintain the TPRM program policies and procedures), Procurement, Legal, Information Security, Business/Relationship Owners. Third Party Risk Committee – It is best practice to set up and maintain some type of risk committee where third party risks are discussed. This ensures your organization can make informed decisions regarding third party risk, as well as accept risk at the highest level. Business Owners should not be the only ones to accept High risk on behalf of the organization. 
Education & Training – Create a TPRM education and training program for not only business owners and key stakeholders within your organization, but also third parties. Training may include a summary of how your TPRM program is structured (what assessments are performed and when, the process to validate, follow up on, and remediate findings, and the risk escalation process), as well as what evidence you will be collecting, when, and why. It's also important to communicate business owner and third party expectations and support requirements. Consistency - Is the benefit from defined TPRM program requirements and structured metrics. Policies and Procedures - Document program policies and procedures, to include TPRM lifecycle activities (Planning & Oversight, Pre-Contract Due Diligence, Contracting, Continuous Monitoring/Post-Contract Due Diligence, Disengagement, & Continuous Improvement), handoffs between departments, escalation procedures, and reporting. Metrics & Reporting – Creating program metrics that evaluate program maturity, third party risk trends, and assessment workflow can help you accelerate program performance and reduce third party risk impact on your organization. Continuous Improvement – At least on an annual basis, perform a gap analysis of program activities and controls by comparing them to more mature programs or leveraging TPRM maturity models. Support - Is the benefit from executive-level support and sufficient resources. Budgeting – Develop a comprehensive TPRM program budget that includes resources, operations, maturity model (for future enhancements), travel (for onsite visits), training, and tools. The TPRA held a meeting in October 2021 that reviewed what a comprehensive budget should include. Playback is available to TPRA members on our website. Resourcing – Develop and implement a resource strategy for attracting and retaining talent. 
In response to the pandemic, a higher volume of regulations, cyber threats, and technology advancements, TPRM is growing in demand and practitioners are becoming more specialized. It is important to ensure your staff is knowledgeable, communicates well, and understands business needs. Tools – If your program has reached a certain level of maturity (at least has documented policies and procedures, as well as a good support system), you may wish to purchase TPRM tools to reduce constraint on your resources and allow you to focus on mitigating third party risk at the highest level. The majority of programs use a TPRM Platform & Continuous Monitoring Tool(s). TPRA is working to create an exhaustive list of TPRM tools. Disclaimer: This list does not include affiliate links and the TPRA does not receive any monetary value from the list. Board Support – Your Board should already be asking your Executives third party-related questions. They have a duty to ensure appropriate action is taken to mitigate third party risk. Ensure you are updating the Board on third party risk trends at a minimum on an annual basis. You may want to work your way up to providing a Board update per quarter. Executive & Business Support - It is imperative to have the support of your executives, which then drives the support you receive from the business. Ensure your executives and business understand the value of having a comprehensive TPRM program in place. Value - Is the benefit of having TPRM program outcomes lead to the mitigation of cyber, financial, and reputational risk. Business Case – It is best practice to have a strong business case documented for why TPRM is important & what value you bring to the organization. This ensures future TPRM program enhancements can be obtained. Responding to Third Party-related Incidents - Studies have shown that the more mature your program is, the less of an impact third party incidents will pose to your organization.
Ensure your program contains a plan to respond to and address third party-related incidents and that your Legal and Information Security teams are included within the plan. Holistic View of Risk Landscape - A mature TPRM program can also show your executives, as well as the Board, a more holistic view of your organization's risk landscape, to include fourth and fifth party risk. This then allows the Board and Executives to make better and more informed decisions on strategic initiatives. Overall, good TPRM program governance can not only set your program up for continuous success, but also save your organization from significant business disruption by proactively mitigating third party risk. For more information on TPRM topics and to participate in the many discussions on third party risk, join the community of TPRA Practitioners by visiting www.tprassociation.org/why-join. Standard Practitioner Membership is FREE and Premium Membership (which includes your ticket to our annual, in-person conference) is $199.
- Unveiling the Power of Conferences: The Impact of Conferences on Industry Insights and Innovation
With our 2024 in-person conference just around the corner, Third Party Risk Association (TPRA) would like to share the wide array of benefits which come from attending an industry-specific conference. In the ever-evolving landscape of professional development and networking, conferences stand out as vibrant hubs for knowledge exchange, innovation, and collaboration. Throughout this five-part blog series, we will delve into the multifaceted advantages that conferences offer. Each installment will explore a different facet of how conferences empower individuals and organizations alike. Today’s blog focuses on the Impact of Conferences on Industry Insight & Innovation. It highlights how these events provide a platform for professionals to engage with peers and leaders in the exchange of research, trends, and innovative ideas. Attendees benefit from interactive sessions, panel discussions, and networking events, gaining insights that fuel forward-thinking strategies. This blog will explore how attendees can maximize these opportunities for staying updated, engaging with industry leaders, and contributing to their respective fields' growth. Embracing Technology, Trends, & Research Conferences are a conduit for collaboration on emerging risks, solving for TPRM challenges, and working together on new and innovative approaches to mitigate third party risk. These interactions not only deepen individual knowledge, but also contribute to industry growth and development by promoting innovation and shaping future techniques. Attending the Third Party Risk Madness conference will help you stay updated on the latest advancements in technology and industry trends. With 56 total sessions spread over 4 days, including three keynote speakers, 12 roundtables, and four demo sessions, you can gain insights from knowledgeable industry professionals.
Participate in sessions on technology and emerging risks, engage with industry leaders during networking events and roundtable sessions, and follow up with speakers and attendees post-conference for further discussions and insights. Following a conference, thank speakers and attendees for their insights, follow up through email or social media, share thoughts on their presentations, ask about resources available, and offer to connect via coffee meetups, virtual discussions, or collaborative projects to strengthen relationships and foster knowledge sharing. This ensures that conversations don’t stop with the conference and that you, as a practitioner, can further develop ideas discussed at the event and work to implement new TPRM strategies. Conference materials can be a great resource for deepening your understanding of the topics covered. They allow you to avoid re-creating the wheel by implementing strategies and processes that have worked for others. They can also validate mature processes your organization has in place, thereby adding credibility to your program. Do some research beforehand to learn about the latest research and trends that the conference may be addressing. Before attending a conference, conduct thorough research to understand the latest research findings and emerging trends. Explore publications, industry reports, and articles to understand the current landscape and find key topics, challenges, and innovations to discuss. Bring those thoughts, ideas, and questions to the conference and actively participate in conversations during presentations and roundtables. Also come with pain points and questions from your own program to benchmark off fellow peers in similar situations. Professional Development Conferences offer professional development opportunities to enhance attendees' skills, knowledge, and capabilities. Workshops and training sessions cover emerging technologies, best practices, and industry-specific regulations.
Networking opportunities promote mentorship, knowledge sharing, and learning, allowing attendees to broaden their perspectives and gain insight from experienced professionals. Take notes during sessions to capture key insights, ideas, and strategies shared by speakers and panelists, so that you do not forget them. Use these notes to transform concepts into plans, driving change within your organization, and start discussions about innovative TPRM approaches. Oftentimes, an idea from a conference can influence your perspective on processes and activities within your organization. Use networking breaks and social events to set up connections with industry peers, potential mentors, and collaborators. As we discussed in our last blog, networking is the best way to connect with fellow attendees and collaborate with industry peers. Make sure to take advantage of opportunities such as networking events and lunchtime meetups to foster conversations that could lead to future partnerships. Conclusion Attending conferences like our very own Third Party Risk Madness provides opportunities for professional growth and networking. Attendees can stay updated on technological advancements and engage in discussions with industry leaders. Post-conference follow-ups allow for collaborations. Conference materials promote understanding, particularly in Third Party Risk Management, pushing for deeper exploration. Networking breaks allow connections with professionals, mentors, and potential collaborators, paving the way for future partnerships. Prior to attending the conference, research emerging trends to ensure active participation and meaningful contributions. Join us at Third Party Risk Madness – where basketball, business, and TPRM unite for an epic showdown of innovation and success. Dribble your way to victory in Phoenix, Arizona, on April 9-12, 2024!
Secure your court-side seat and take advantage of exclusive offers here . Hurry, space is limited, and you won't want to be left on the bench for this thrilling event.
- Unveiling the Power of Conferences: How Networking at Conferences Propel Professional Relationships
With our 2024 in-person conference just around the corner, TPRA would like to share the wide array of benefits which come from attending an industry-specific conference. In the ever-evolving landscape of professional development and networking, conferences stand out as vibrant hubs for knowledge exchange, innovation, and collaboration. Throughout this five-part blog series, we will delve into the multifaceted advantages that conferences offer. Each installment will explore a different facet of how conferences empower individuals and organizations alike. Today’s blog will highlight the notable benefit of NETWORKING in conference settings, including sharing industry insights & trends, building connections, and participating in collaborative forums, as well as some tips for enhancing your networking skills at conferences. Learn from industry experts: Within a networking environment like a conference, you can discuss a wide variety of topics with industry experts and peers. This allows you to gain a deeper understanding of your particular area of interest. It can also expand your horizons with new conversation topics by interacting with established and seasoned industry professionals within, or even outside of, your field. Attending conferences provides a special chance to network with peers and fellow industry professionals within an in-person setting. Engaging and participating in activities offered such as panels, roundtables, and in-house networking events provides you with valuable knowledge and understanding not regularly gained from an online setting. By simply talking to other seasoned professionals and tapping into their knowledge and expertise, you are able to gain a more in-depth understanding of new technological innovations, industry trends, and best practices. Through these interactions, you can evaluate ideas, deepen your knowledge base, and get access to expertise and information that is not typically available through conventional channels. 
Building meaningful connections: Professionals from various organizations, backgrounds, and positions come together at conferences, which results in the perfect setting for building deep connections. Whether it is during a special networking event, a roundtable, or even just a coffee break, conferences offer a plethora of networking opportunities. During these opportunities, you are able to build potential connections, partnerships, and collaborations by striking up conversations and exchanging contact details. These relationships grow your professional network and offer a helping hand in overcoming current challenges, as chances are that someone else has already gone through what you are going through. “Networking is so important for any professional and is how TPRA was founded,” Julie Gaiaschi, CEO & Co-Founder of the Third Party Risk Association , said. “I met my former partner at a TPRM-related conference. He was a speaker and after his presentation, I went up to him to ask him questions as it relates to developing a new TPRM program. The discussion turned into benchmarking sessions over Zoom. I then said if we have these questions, others do as well. Thus started a roundtable that turned into TPRA. At the time, I had no idea what that conversation would lead to. So often I hear from others how networking has led to a career opportunity, a program enhancement, or a personal opportunity.” Conference networking makes it possible to create lasting relationships that go beyond the mere exchange of business cards and LinkedIn connections. These relationships act as a base of support, providing motivation, guidance, and useful knowledge that promotes both professional and personal development. Conference goers create the basis for collaborative projects, shared knowledge, and ongoing relationships that strengthen their careers and personal lives by dedicating time and energy to developing these connections.
Exploring Collaborative Opportunities Among the main advantages of networking at conferences is the chance to explore collaborative efforts with peers and business associates. Conferences serve as a nurturing environment for creativity and cooperation, creating settings in which concepts can be exchanged, improved upon, and cooperatively carried out. You might find opportunities for collaboration on joint research projects or business ventures with other practitioners through discussions, brainstorming sessions, and informal interactions. Conference discussions have the power to push innovation, advance your industry, and leave a lasting impression. Keeping Up With Industry Trends Keeping up with industry trends and developments is crucial for professional development and organizational success in today's rapidly shifting business landscape. Attending conferences offers networking opportunities that give you a firsthand look at the newest developments in technology, industry trends, and changes in laws and regulations. Through talks with key individuals, attending keynote discussions, and taking part in sessions specific to your industry, you can learn a great deal about the opportunities and problems that are new to your field. You can use this knowledge to position your organization and yourself for future success by preparing for changes in the market and adjusting your strategies accordingly. Here are some additional tips for enhancing your networking skills: Set Objectives: Establish your networking objectives before you go to the conference. Think through your goals, whether they involve expanding your professional network, looking for collaborative opportunities, or learning about the latest market developments. Do Your Research: Prior to the conference, spend some time learning about the panelists, speakers, and other attendees. 
Learn about their professional backgrounds, accomplishments, and areas of specialization to find common ground and possible conversation starters. Don't Be Afraid To Initiate The Conversation: Instead of waiting for a professional to approach you, strike up a conversation with other attendees. During meals, breaks, or networking events, approach people and introduce yourself with confidence. Utilize networking games and activities provided by the hosting organization as a jumping off point for striking up conversations. These games are designed to encourage discussion and create a platform for attendees to interact with each other in meaningful ways, so take advantage of them. Attend The In-House Networking Events: Take advantage of the social events, receptions, and networking opportunities that are planned as part of the conference schedule. Our upcoming conference features two all-attendee network events, plus additional invite-only events for select attendees! These casual settings offer incredible opportunities to establish stronger connections, share contact details, and engage with peers. Use Social Media: Make use of social media sites like Instagram, X (formerly known as Twitter), and LinkedIn to expand your professional network outside of the conference room. Engage online with other attendees and share thoughts, pictures, and highlights from the conference. Follow Up: Follow up with people you met at the conference to stay in touch and keep the conversation going even after the event ends. Send personalized emails thanking the recipient for their time while giving ideas for future collaboration or interactions. Attending conferences provides plenty of networking opportunities, such as access to industry knowledge, opportunities to form close relationships, a look into collaboration possibilities, and staying up to date on industry developments. 
Participating in networking activities during conferences can help you build a larger professional network, acquire valuable insight, and establish yourself as an expert in your field. As you prepare for your next conference, take advantage of the opportunities for networking and collaboration, and don't pass up the chance to grow professionally and to contribute to your company's success. And where better to use your new networking skills than at TPRA’s very own Third Party Risk Madness conference! Join us at Third Party Risk Madness – where basketball, business, and TPRM unite for an epic showdown of innovation and success. Dribble your way to victory in Phoenix, Arizona, on April 9-12, 2024! Secure your court-side seat and take advantage of exclusive offers. Hurry, space is limited, and you won't want to be left on the bench for this thrilling event. Our discounted hotel room block ends on March 11th.
- The Value of Networking
By: Meghan Schrader, Marketing & Social Media Intern for TPRA Networking – the action or process of interacting with others to exchange information and develop professional or social contacts. As the threat landscape grows in complexity and regulations require organizations to review their third parties with a more focused lens, networking and benchmarking off peers has never been more important. Networking provides opportunities to develop and improve your skill set, while staying on top of the latest trends in your industry. A few key benefits of networking with peers are the opportunities to exchange information/advice and obtain support on experiences, struggles, and goals. This allows you to gain new insights that you may not have otherwise thought of. Discussing common challenges, solutions, and opportunities can also open the door to valuable suggestions and guidance. Odds are, your peers have already gone through growing pains. But what else can you gain from network opportunities and where do you start? Listed below are additional benefits to networking, as well as some tips for getting started. Learn from Industry Experts Within a networking environment, you are able to discuss a variety of topics with industry experts and peers. By learning from experienced members of your industry, you can gain greater insight into your specific area of focus, or expand your perspective with new topics of discussion. By attending and participating in networking activities, you learn from both peers and competitors first-hand, engage in information-sharing, and gain feedback on your ideas, strategies, and practices. Regardless of title or organization, you have the chance to collaborate, promote, and learn in a way that is beneficial for all parties. Through this, you can gain insights and share ideas to advance not only your program, but the whole field of TPRM. 
Collaborate and Connect Now, more than ever, collaboration and connection are needed for the advancement of the industry. The opportunity to experience and learn new things with peers, develop strategic partnerships, and connect with friends and colleagues is an integral part of networking. A benefit of a networking experience is that connection and discussion are not limited to one group or type of individual. When attending a networking event, you are able to connect with peers from all walks of life, varying experience and program maturity, as well as speakers, sponsors, and many more relevant parties. You can go beyond the screen and ask questions, gain varying perspectives, and expand on the content that was covered. Validate Your Program Activities The need to stay current on best practices, technology, new techniques, and trends is vitally important, especially when the threat landscape continues to grow in complexity. Networking provides you with educational opportunities, leading to personal and professional growth, and advancement of your knowledge base by learning from thought-leaders. You’ll be able to return to your organization with new ideas to advance and grow your program. Advancing your professional education not only validates your current program, but also lends credibility to your job function. Tips for Networking There are always opportunities for networking no matter where you are in your career. A few ideas on how and where to get started are: Network via LinkedIn or other social media platforms by sending connection requests; filtering your LinkedIn searches to connect with specific people based on industry, location, and more; attending LinkedIn events; and joining LinkedIn groups to connect with industry professionals and establish relationships. Network via special interest forums to promote discussion, ask questions, and gain real-time support from peers.
Network via conferences to connect with industry professionals, gain new insights, and form meaningful professional relationships by engaging in discussion, exchanging business cards, and simply saying ‘hello’ to new people. The informal connections which take place outside of conference breakout sessions can be extremely valuable. (The TPRA actually started when two peers began to network at a conference.) To start networking, find an event or networking platform that relates to your industry or that interests you, practice your entrance (meaning practice how you will introduce yourself), go into a discussion with an idea in mind of what you would like to get out of it, offer something in return (whether it be a connection for someone, a thought or idea, or another resource), and (optional) work through a follow-up activity (whether it be reaching out to them via email or setting up a future call). Follow-up is key if you feel the networking activity resulted in a benefit to yourself, your career, and/or your organization. Follow-up can also lead to long-lasting and mutually beneficial relationships. Networking through TPRA The Third Party Risk Association (TPRA) is built on the foundation of furthering the Third Party Risk Management profession through knowledge sharing and networking. We do this through community engagement in monthly and quarterly meetings, as well as industry-specific calls, networking events, and benchmarking sessions. In addition, we collaborate on and create guidance, tools, and templates as a community. Lastly, and what you may receive the most benefit from, is communication and collaboration between peers through our Practitioner Slack Forums . Live, in-person conferences also provide a space for networking, discussions, information sharing, and collaboration. Networking in person also aids in growing your relationships with subject matter experts that can help you accelerate your TPRM program.
Upcoming Networking Opportunity: TPRA In-Person Conference Third Party Risk Association’s 2022 Third Party Risk Management (TPRM) Conference, “The Art of Third Party Risk” will take place in-person, on April 18th - 20th, 2022, at the AT&T Hotel and Conference Center, in beautiful Austin, Texas. We invite all TPRM Practitioners to join us for three inspiring days of impactful discussion. Any individual and/or organization within the TPRM space (TPRM Professionals, Vendor Managers, Procurement/Sourcing Specialists, Lawyers, Information and/or Cyber Security Professionals, Compliance and/or Privacy Specialists, Auditors, and Service Providers) will find great value in attending this event. Speaker sessions are designed to suit your individual and organizational goals. Take full advantage of our sessions by shaping the experience to best fit your program’s maturity level. Track 1 (Apprentice) is for those developing their TPRM program. Track 2 (Practitioner) is for more mature programs that want to validate and obtain best practices for enhancing their program. Track 3 (Master) is for programs that have reached a higher level of maturity and want to learn more about innovative tools and techniques to elevate and automate certain aspects of their program. There are many benefits to attending in-person conferences, to include receiving continual professional education credits (receive up to 14 CPEs), meeting industry leaders, and validating your TPRM program activities. You can also visit service provider booths and learn about tools and techniques that are shaping the way the industry assesses third party risk. Join us in person to make valuable connections and participate in meaningful discussions on TPRM. Visit our website at www.artofthirdpartyrisk.org to learn more about the conference and to purchase your ticket. By visiting the conference site, you will also find our COVID protocols for the event. 
Conclusion When you make the investment in participating in a network event specific to your career path, you open the doors to new opportunities that will allow you to share personal experiences, gain validation for your work, and contribute to a growing community of TPRM professionals. It also allows you to return to your organization with new strategies, strong professional relationships, and the insight to help your program and organization accelerate.
- Managing Third Party Contractual Disruptions Caused by COVID-19
Based off the TPRA May 2020 presentation from Nyemaster Goode Law Firm. Disclaimer: The following information does not represent legal advice. If you have specific questions concerning specific circumstances, please consult your attorney. Many questions have recently come up regarding improvements that can be made to contracts as a result of COVID-19. The TPRA recently held a Practitioner Member meeting that addressed some of the contract enhancements that can be made, specifically to the Force Majeure contract clause. Per Nyemaster, "Force majeure is a contractual remedy that, under certain circumstances, excuses the nonperformance of a party when the failure to perform is caused by a “fortuitous event” that makes performance impossible." COVID-19 may be considered a Force Majeure event, but it truly depends on the actual clause noted within each specific contract. The first question to ask yourself is "Does my contract include a Force Majeure clause?" The event causing the disruption must be included in the Force Majeure clause and must excuse the party from performing services. Nyemaster suggests using specific language and limiting use of "catch-all" terms. Specific events to insert into your clause can include, but not be limited to: Pandemic/epidemic, Government order, law, or actions, National or regional disaster or emergency, and Material or Equipment shortages. Catch-all terms to limit and/or remove include, but are not limited to: “acts of God”, “including without limitation”, and “other events beyond the reasonable control of a party”. Nyemaster explains that courts look narrowly at the Force Majeure clause. Since the burden of proof is on the non-performing party, it is important this clause contain specific information about events that could result in non-performance and what non-performance actually means.
The type of evidence a court could ask for may include, but not be limited to: - Evidence that the event was unforeseeable - Proof of causation between the event and the nonperformance - What is the performance standard (e.g. impossible, impracticable); is the performance standard subjective or objective - Is the clause unilateral or bilateral (which party does it actually protect) - Are there multiple Force Majeure clauses in the contract - Are there any carve outs or exclusions (e.g. payment obligations, macroeconomic conditions, delays due to subcontractors) - What is the contract’s governing law provision - Notice requirements - Mitigation requirements. Nyemaster also warns that there could be consequences when declaring Force Majeure, namely: - Anticipatory Repudiation - Termination of Contract or Suspension of Counterparty Performance - Rate Changes - LITIGATION. Lastly, if your contract does not have a Force Majeure clause, Nyemaster suggests other alternative contractual provisions and/or common law defenses that could act similarly to a Force Majeure clause. Examples include, but are not limited to the below. Alternative Contractual Provisions: - Change in Law - Dispute Resolution - Termination for Convenience. Common Law Defenses: - Impossibility: Performance is no longer possible because of a supervening event. - Impracticability: A supervening event changes the inherent nature of performance to be more difficult, complex, or challenging, contravening a basic assumption of the parties' agreement. As a result, the cost of performing increases excessively and unreasonably. - Frustration of Purpose: One party's known principal purpose for entering a transaction has been destroyed or obviated by a supervening event. Performance remains possible, but is excused when one party would no longer receive the expected value of their counterparty's performance.
To hear the full presentation provided by Nyemaster around the topic of Force Majeure and other contractual issues to consider, TPRA Members can visit the " On-Demand Webinars " page and re-listen to the May 2020 meeting.
- COVID-19 Supplier/Vendor Impact
Due to restricted travel and quarantine zones, global supply chains are being disrupted. Per Forbes, this is also resulting in a downturn of consumer demand. (Ex. Travel, tourism, conferences, etc.) Organizations are slow to respond as sufficient testing has not been completed regarding pandemic plans. So what should you do? In today's TPRA Practitioner Meeting, we discussed steps you can take to evaluate the impact COVID-19 has/will have on your vendors/suppliers. Below are the highlights. First you need to understand the impact COVID-19 has on your own organization. - What are your critical processes and/or products? Does a vendor perform pieces of your critical processes or supply raw materials for your critical products? - Do you know the locations of your suppliers? Do you know the locations of your supplier’s suppliers? - Have you enacted your own pandemic plans? Next, are you determining if your vendors/suppliers have sufficient pandemic and recovery plans in place? - Create a task force to review critical vendors and/or suppliers. - Map out where your vendors/suppliers are located. You will need to understand where their critical suppliers are also located. - Once you have a list of vendors and suppliers critical to your business, begin understanding if they are prepared for and/or have been impacted by the pandemic. Are they in a quarantine zone? - If they are prepared, ensure you are communicating with your vendors/suppliers the change in the demand for your organization’s products/services. - If they are less prepared, determine if you need to plan for alternate sourcing. Quickly work through due diligence and contracts for alternate sources. - If you do not have them already, set key risk indicators to alert you if things change with one of your vendors/suppliers. (You can start with contract SLAs and response time.) - Ensure you and your vendor/supplier have a strong communication plan regarding updates on future impact. - Be compassionate. 
Every organization will be impacted by COVID-19 in one way or another. Offer to help those that need it if you can. How can you determine if your vendors are prepared? - Create a set of questions you can use to determine if your vendors/suppliers are prepared for a pandemic and/or if they are impacted by COVID-19. - Reach out to your vendors/suppliers via email or phone (depending on criticality) to determine their preparedness and/or impact. - Review responses to determine next steps. You may want to form a committee to assist with this piece. - Ensure you have an escalation plan when unfavorable responses return. For TPRA Practitioner Members, the TPRA has prepared a set of questions for you to consider. This questionnaire is available in an Excel format on the Information Sharing site within the Members Only section of our website. The document is titled "COVID-19 Readiness Questionnaire - TPRA Created". Author: Julie Gaiaschi, TPRA CEO & Co-Founder











