
  • Unveiling the Power of Conferences: How Networking at Conferences Propels Professional Relationships

    With our 2024 in-person conference just around the corner, TPRA would like to share the wide array of benefits which come from attending an industry-specific conference. In the ever-evolving landscape of professional development and networking, conferences stand out as vibrant hubs for knowledge exchange, innovation, and collaboration. Throughout this five-part blog series, we will delve into the multifaceted advantages that conferences offer. Each installment will explore a different facet of how conferences empower individuals and organizations alike.

    Today’s blog will highlight the notable benefit of NETWORKING in conference settings, including sharing industry insights & trends, building connections, and participating in collaborative forums, as well as some tips for enhancing your networking skills at conferences.

    Learn from industry experts: Within a networking environment like a conference, you can discuss a wide variety of topics with industry experts and peers. This allows you to gain a deeper understanding of your particular area of interest. It can also expand your horizons with new conversation topics by interacting with established and seasoned industry professionals within, or even outside of, your field.

    Attending conferences provides a special chance to network with peers and fellow industry professionals in an in-person setting. Engaging and participating in activities offered such as panels, roundtables, and in-house networking events provides you with valuable knowledge and understanding not regularly gained from an online setting. By simply talking to other seasoned professionals and tapping into their knowledge and expertise, you are able to gain a more in-depth understanding of new technological innovations, industry trends, and best practices. Through these interactions, you can evaluate ideas, deepen your knowledge base, and get access to expertise and information that is not typically available through conventional channels.

    Building meaningful connections: Professionals from various organizations, backgrounds, and positions come together at conferences, which results in the perfect setting for building deep connections. Whether it is during a special networking event, a roundtable, or even just a coffee break, conferences offer a plethora of networking opportunities. During these opportunities, you are able to build potential connections, partnerships, and collaborations by striking up conversations and exchanging contact details. These relationships grow your professional network and offer a helping hand in overcoming current challenges, as chances are that someone else has already gone through what you are going through.

    “Networking is so important for any professional and is how TPRA was founded,” Julie Gaiaschi, CEO & Co-Founder of the Third Party Risk Association, said. “I met my former partner at a TPRM-related conference. He was a speaker and after his presentation, I went up to him to ask him questions as it relates to developing a new TPRM program. The discussion turned into benchmarking sessions over Zoom. I then said if we have these questions, others do as well. Thus started a roundtable that turned into TPRA. At the time, I had no idea what that conversation would lead to. So often I hear from others how networking has led to a career opportunity, a program enhancement, or a personal opportunity.”

    Conference networking makes it possible to create lasting relationships that go beyond the mere exchange of business cards and LinkedIn connections. These relationships act as a basis of support, providing motivation, guidance, and useful knowledge that promotes both professional and personal development. By dedicating time and energy to developing these connections, conference goers create the basis for collaborative projects, shared knowledge, and ongoing relationships that strengthen their careers and personal lives.

    Exploring Collaborative Opportunities: Among the main advantages of networking at conferences is the chance to explore collaborative efforts with peers and business associates. Conferences serve as a nurturing environment for creativity and cooperation, creating settings in which concepts can be exchanged, improved upon, and cooperatively carried out. You might find opportunities for collaboration on joint research projects or business ventures with other practitioners through discussions, brainstorming sessions, and informal interactions. Conference discussions have the power to push innovation, advance your industry, and leave a lasting impression.

    Keeping Up With Industry Trends: Keeping up with industry trends and developments is crucial for professional development and organizational success in today's rapidly shifting business landscape. Attending conferences offers networking opportunities that give you a firsthand look at the newest developments in technology, industry trends, and changes in laws and regulations. Through talks with key individuals, attending keynote discussions, and taking part in sessions specific to your industry, you can learn a great deal about the opportunities and problems that are new to your field. You can use this knowledge to position your organization and yourself for future success by preparing for changes in the market and adjusting your strategies accordingly.

    Here are some additional tips for enhancing your networking skills:
    - Set Objectives: Establish your networking objectives before you go to the conference. Think through your goals, whether they involve expanding your professional network, looking for collaborative opportunities, or learning about the latest market developments.
    - Do Your Research: Prior to the conference, spend some time learning about the panelists, speakers, and other attendees. Learn about their professional backgrounds, accomplishments, and areas of specialization to find common ground and possible conversation starters.
    - Don't Be Afraid To Initiate The Conversation: Instead of waiting for a professional to approach you, strike up a conversation with other attendees. During meals, breaks, or networking events, approach people and introduce yourself with confidence. Utilize networking games and activities provided by the hosting organization as a jumping-off point for striking up conversations. These games are designed to encourage discussion and create a platform for attendees to interact with each other in meaningful ways, so take advantage of them.
    - Attend The In-House Networking Events: Take advantage of the social events, receptions, and networking opportunities that are planned as part of the conference schedule. Our upcoming conference features two all-attendee networking events, plus additional invite-only events for select attendees! These casual settings offer incredible opportunities to establish stronger connections, share contact details, and engage with peers.
    - Use Social Media: Make use of social media sites like Instagram, X (formerly known as Twitter), and LinkedIn to expand your professional network outside of the conference room. Engage online with other attendees and share thoughts, pictures, and highlights from the conference.
    - Follow Up: Follow up with people you met at the conference to stay in touch and keep the conversation going even after the event ends. Send personalized emails thanking the recipient for their time while giving ideas for future collaboration or interactions.

    Attending conferences provides plenty of networking opportunities, such as access to industry knowledge, opportunities to form close relationships, a look into collaboration possibilities, and staying up to date on industry developments. Participating in networking activities during conferences can help you build a larger professional network, acquire valuable insight, and establish yourself as an expert in your field. As you prepare for your next conference, take advantage of the opportunities for networking and collaboration, and don't pass up the chance to grow both yourself professionally and your company's success.

    And where better to use your new networking skills than at TPRA’s very own Third Party Risk Madness conference! Join us at Third Party Risk Madness – where basketball, business, and TPRM unite for an epic showdown of innovation and success. Dribble your way to victory in Phoenix, Arizona, on April 9-12, 2024! Secure your court-side seat and take advantage of exclusive offers. Hurry, space is limited, and you won't want to be left on the bench for this thrilling event. [Register Here]

    Our discounted hotel room block ends on March 11th.

  • The Value of Networking

    By: Meghan Schrader, Marketing & Social Media Intern for TPRA

    Networking – the action or process of interacting with others to exchange information and develop professional or social contacts.

    As the threat landscape grows in complexity and regulations require organizations to review their third parties with a more focused lens, networking and benchmarking off peers has never been more important. Networking provides opportunities to develop and improve your skill set, while staying on top of the latest trends in your industry. A few key benefits of networking with peers are the opportunities to exchange information/advice and obtain support on experiences, struggles, and goals. This allows you to gain new insights that you may not have otherwise thought of. Discussing common challenges, solutions, and opportunities can also open the door to valuable suggestions and guidance. Odds are, your peers have already gone through growing pains. But what else can you gain from networking opportunities and where do you start? Listed below are additional benefits to networking, as well as some tips for getting started.

    Learn from Industry Experts: Within a networking environment, you are able to discuss a variety of topics with industry experts and peers. By learning from experienced members of your industry, you can gain greater insight into your specific area of focus, or expand your perspective with new topics of discussion. By attending and participating in networking activities, you learn from both peers and competitors first-hand, engage in information sharing, and gain feedback on your ideas, strategies, and practices. Regardless of title or organization, you have the chance to collaborate, promote, and learn in a way that is beneficial for all parties. Through this, you can gain insights and share ideas to advance not only your program, but the whole field of TPRM.

    Collaborate and Connect: Now, more than ever, collaboration and connection are needed for the advancement of the industry. The opportunity to experience and learn new things with peers, develop strategic partnerships, and connect with friends and colleagues is an integral part of networking. A benefit of a networking experience is that connection and discussion are not limited to one group or type of individual. When attending a networking event, you are able to connect with peers from all walks of life, with varying experience and program maturity, as well as speakers, sponsors, and many more relevant parties. You can go beyond the screen and ask questions, gain varying perspectives, and expand on the content that was covered.

    Validate Your Program Activities: The need to stay current on best practices, technology, new techniques, and trends is vitally important, especially when the threat landscape continues to grow in complexity. Networking provides you with educational opportunities, leading to personal and professional growth, and advancement of your knowledge base by learning from thought leaders. You’ll be able to return to your organization with new ideas to advance and grow your program. Advancing your professional education not only validates your current program, but also lends credibility to your job function.

    Tips for Networking: There are always opportunities for networking no matter where you are within your career. A few ideas on how and where to get started are:
    - Network via LinkedIn or other social media platforms by sending connection requests; filtering your LinkedIn searches to connect with specific people based on industry, location, and more; attending LinkedIn events; and joining LinkedIn groups to connect with industry professionals and establish relationships.
    - Network via special interest forums to promote discussion, ask questions, and gain real-time support from peers.
    - Network via conferences to connect with industry professionals, gain new insights, and form meaningful professional relationships by engaging in discussion, exchanging business cards, and simply saying ‘hello’ to new people. The informal connections which take place outside of conference breakout sessions can be extremely valuable. (The TPRA actually started when two peers began to network at a conference.)

    To start networking, find an event or networking platform related to your industry or that interests you, practice your entrance (meaning practice how you will introduce yourself), go into a discussion with an idea in mind of what you would like to get out of it, offer something in return (whether it be a connection for someone, a thought or idea, or another resource), and (optionally) work through a follow-up activity (whether it be reaching out to them via email or setting up a future call). Follow-up is key if you feel the networking activity resulted in a benefit to yourself, your career, and/or your organization. Follow-up can also lead to long-lasting and mutually beneficial relationships.

    Networking through TPRA: The Third Party Risk Association (TPRA) is built on the foundation of furthering the Third Party Risk Management profession through knowledge sharing and networking. We do this through community engagement in monthly and quarterly meetings, as well as industry-specific calls, networking events, and benchmarking sessions. In addition, we collaborate on and create guidance, tools, and templates as a community. Lastly, and what you may receive the most benefit from, is communication and collaboration between peers through our Practitioner Slack Forums. Live, in-person conferences also provide a space for networking, discussions, information sharing, and collaboration. Networking in person also aids in growing your relationships with subject matter experts who can help you accelerate your TPRM program.

    Upcoming Networking Opportunity: TPRA In-Person Conference. Third Party Risk Association’s 2022 Third Party Risk Management (TPRM) Conference, “The Art of Third Party Risk”, will take place in person on April 18th - 20th, 2022, at the AT&T Hotel and Conference Center in beautiful Austin, Texas. We invite all TPRM Practitioners to join us for three inspiring days of impactful discussion. Any individual and/or organization within the TPRM space (TPRM Professionals, Vendor Managers, Procurement/Sourcing Specialists, Lawyers, Information and/or Cyber Security Professionals, Compliance and/or Privacy Specialists, Auditors, and Service Providers) will find great value in attending this event. Speaker sessions are designed to suit your individual and organizational goals. Take full advantage of our sessions by shaping the experience to best fit your program’s maturity level. Track 1 (Apprentice) is for those developing their TPRM program. Track 2 (Practitioner) is for more mature programs that want to validate and obtain best practices for enhancing their program. Track 3 (Master) is for programs that have reached a higher level of maturity and want to learn more about innovative tools and techniques to elevate and automate certain aspects of their program. There are many benefits to attending in-person conferences, including receiving continuing professional education credits (receive up to 14 CPEs), meeting industry leaders, and validating your TPRM program activities. You can also visit service provider booths and learn about tools and techniques that are shaping the way the industry assesses third party risk. Join us in person to make valuable connections and participate in meaningful discussions on TPRM. Visit our website at www.artofthirdpartyrisk.org to learn more about the conference and to purchase your ticket. By visiting the conference site, you will also find our COVID protocols for the event.

    Conclusion: When you make the investment in participating in a networking event specific to your career path, you open the doors to new opportunities that will allow you to share personal experiences, gain validation for your work, and contribute to a growing community of TPRM professionals. It also allows you to return to your organization with new strategies, strong professional relationships, and the insight to help your program and organization accelerate.

  • Managing Third Party Contractual Disruptions Caused by COVID-19

    Based on the TPRA May 2020 presentation from Nyemaster Goode Law Firm. Disclaimer: The following information does not represent legal advice. If you have specific questions concerning specific circumstances, please consult your attorney.

    Many questions have recently come up regarding improvements that can be made to contracts as a result of COVID-19. The TPRA recently held a Practitioner Member meeting that addressed some of the contract enhancements that can be made, specifically to the Force Majeure contract clause. Per Nyemaster, "Force majeure is a contractual remedy that, under certain circumstances, excuses the nonperformance of a party when the failure to perform is caused by a “fortuitous event” that makes performance impossible." COVID-19 may be considered a Force Majeure event, but it truly depends on the actual clause noted within each specific contract.

    The first question to ask yourself is "Does my contract include a Force Majeure clause?" The event causing the disruption must be included in the Force Majeure clause and must excuse the party from performing services. Nyemaster suggests using specific language and limiting use of "catch-all" terms.

    Specific events to insert into your clause can include, but are not limited to:
    - Pandemic/epidemic
    - Government order, law, or actions
    - National or regional disaster or emergency
    - Material or equipment shortages

    Catch-all terms to limit and/or remove include, but are not limited to: “acts of God”, “including without limitation”, and “other events beyond the reasonable control of a party”.

    Nyemaster explains that courts look narrowly at the Force Majeure clause. Since the burden of proof is on the non-performing party, it is important that this clause contains specific information about events that could result in non-performance and what non-performance actually means. The type of evidence a court could ask for may include, but is not limited to:
    - Evidence that the event was unforeseeable
    - Proof of causation between the event and the nonperformance
    - What the performance standard is (e.g. impossibility, impracticability); whether the performance standard is subjective or objective
    - Whether the clause is unilateral or bilateral (which party it actually protects)
    - Whether there are multiple Force Majeure clauses in the contract
    - Whether there are any carve-outs or exclusions (e.g. payment obligations, macroeconomic conditions, delays due to subcontractors)
    - What the contract’s governing law provision is
    - Notice requirements
    - Mitigation requirements

    Nyemaster also warns that there could be consequences when declaring Force Majeure, namely:
    - Anticipatory repudiation
    - Termination of contract or suspension of counterparty performance
    - Rate changes
    - Litigation

    Lastly, if your contract does not have a Force Majeure clause, Nyemaster suggests other alternative contractual provisions and/or common law defenses that could act similarly to a Force Majeure clause. Examples include, but are not limited to, the below.

    Alternative Contractual Provisions:
    - Change in Law
    - Dispute Resolution
    - Termination for Convenience

    Common Law Defenses:
    - Impossibility - Performance is no longer possible because of a supervening event.
    - Impracticability - A supervening event changes the inherent nature of performance to be more difficult, complex, or challenging, contravening a basic assumption of the parties' agreement. As a result, the cost of performing increases excessively and unreasonably.
    - Frustration of Purpose - One party's known principal purpose for entering a transaction has been destroyed or obviated by a supervening event. Performance remains possible, but is excused when one party would no longer receive the expected value of their counterparty's performance.

    To hear the full presentation provided by Nyemaster on the topic of Force Majeure and other contractual issues to consider, TPRA Members can visit the "On-Demand Webinars" page and re-listen to the May 2020 meeting.

  • COVID-19 Supplier/Vendor Impact

    Due to restricted travel and quarantine zones, global supply chains are being disrupted. Per Forbes, this is also resulting in a downturn of consumer demand (e.g. travel, tourism, conferences, etc.). Organizations are slow to respond as sufficient testing has not been completed regarding pandemic plans. So what should you do? In today's TPRA Practitioner Meeting, we discussed steps you can take to evaluate the impact COVID-19 has/will have on your vendors/suppliers. Below are the highlights.

    First, you need to understand the impact COVID-19 has on your own organization.
    - What are your critical processes and/or products? Does a vendor perform pieces of your critical processes or supply raw materials for your critical products?
    - Do you know the locations of your suppliers? Do you know the locations of your suppliers’ suppliers?
    - Have you enacted your own pandemic plans?

    Next, determine whether your vendors/suppliers have sufficient pandemic and recovery plans in place.
    - Create a task force to review critical vendors and/or suppliers.
    - Map out where your vendors/suppliers are located. You will need to understand where their critical suppliers are also located.
    - Once you have a list of vendors and suppliers critical to your business, begin understanding if they are prepared for and/or have been impacted by the pandemic. Are they in a quarantine zone?
    - If they are prepared, ensure you are communicating to your vendors/suppliers the change in the demand for your organization’s products/services.
    - If they are less prepared, determine if you need to plan for alternate sourcing. Quickly work through due diligence and contracts for alternate sources.
    - If you do not have them already, set key risk indicators to alert you if things change with one of your vendors/suppliers. (You can start with contract SLAs and response time.)
    - Ensure you and your vendor/supplier have a strong communication plan regarding updates on future impact.
    - Be compassionate. Every organization will be impacted by COVID-19 in one way or another. Offer to help those that need it if you can.

    How can you determine if your vendors are prepared?
    - Create a set of questions you can use to determine if your vendors/suppliers are prepared for a pandemic and/or if they are impacted by COVID-19.
    - Reach out to your vendors/suppliers via email or phone (depending on criticality) to determine their preparedness and/or impact.
    - Review responses to determine next steps. You may want to form a committee to assist with this piece.
    - Ensure you have an escalation plan for when unfavorable responses return.

    For TPRA Practitioner Members, the TPRA has prepared a set of questions for you to consider. This questionnaire is available in Excel format on the Information Sharing site within the Members Only section of our website. The document is titled "COVID-19 Readiness Questionnaire - TPRA Created".

    Author: Julie Gaiaschi, TPRA CEO & Co-Founder

  • Navigating Third Party Risk Management: A Comprehensive Guidebook Overview

    Blog was inspired by the January 2024 TPRA Practitioner Member roundtable facilitated by TPRA CEO Julie Gaiaschi. (To watch the full presentation, TPRA Members can visit our On-Demand meetings and navigate to the January 2024 meeting recording.)

    The management of third party risks has become a major priority and area of focus for companies across a variety of industries because of the constantly changing nature of business operations. Recognizing the nuances and challenges that come with this field, the Third Party Risk Association (TPRA), along with a dedicated team of TPRM practitioners and service provider organizations, worked towards creating a comprehensive guidebook that assists in navigating the creation and implementation of a comprehensive Third Party Risk Management (TPRM) program.

    The Development of the Guidebook: TPRA’s “Third Party Risk Management 101 Guidebook” was created not as a standalone project but as a collaborative effort that included feedback from an extensive group of TPRM professionals and service providers from a diverse range of industries. Over monthly meetings spanning three years, this group discussed various subjects related to TPRM tools, topics, and trends. Each aspect of a strong TPRM program was carefully examined and discussed by TPRA’s focus group members, from clarifying best practices to anticipating emerging risks and aligning with regulatory guidelines. This comprehensive process of discussion, analysis, and synthesis is where the guidebook originated. With input from numerous stakeholders, the guidebook gradually took shape, undergoing a year-long editing process to condense the vast number of materials into a user-friendly format enhanced with graphics, insights, and real-world examples.

    Unveiling the Guidebook: A Deep Dive. Building a TPRM program is not unlike building a house. The first step is always to make sure it’s built on a solid foundation so that it may withstand the inevitable storms to come. The TPRA guidebook gives you the tools and materials needed to begin building a successful and productive TPRM program brick by brick. The TPRM guidebook's foundation is a lifecycle approach, outlining a strategy and framework that encompasses the entire spectrum of TPRM. Let’s dive into its key phases:

    1. Planning and Oversight. Planning and oversight are the cornerstones of any TPRM program and create the conditions for success. Important topics covered in this phase include:
    - Establishing governance structures
    - Executive support
    - Budgeting
    - Policy formulation
    - Metrics & reporting
    This phase supplies an organization with a strong foundation and the requirements needed to develop and steadily support their overall TPRM program. It also ensures the program can address third party risk at the highest level, while also ensuring governance structures are in place to run the program effectively. If implemented correctly, the Program Planning and Oversight phase will make certain key stakeholders are aware of, support, and help implement program requirements. This phase ensures your entire organization is on board with the TPRM program. After all, this program will touch every department within your organization (from Business Owners to Legal and Security).

    2. Pre-contract Due Diligence. This phase emphasizes the importance of conducting comprehensive due diligence before an agreement is signed. Key objectives during this phase include, but are not limited to:
    - Formalizing contractual agreements
    - Developing a robust third party profile
    - Performing inherent risk assessments
    - Executing risk-based evaluations
    In this phase, organizations thoroughly assess and mitigate potential third party risk before signing and committing to a contractual relationship. A company conducting this phase can minimize risks, avoid legal issues, and build and maintain a more secure partnership with their third party. The house metaphor comes back into play, allowing for that solid foundation to be secured, which in turn allows for more productive and compliant business partnerships.

    3. Contract Review. As they say, the devil lies in the details, and the contract review process is where potential problems are addressed. This stage involves:
    - Negotiating contract terms
    - Examining key clauses
    - Communicating expectations
    This is to ensure that contracts match your organizational goals and risk tolerance. The contract review phase is one of the most essential steps in the TPRM process, ensuring that any expectations for your third party relationship can hold up in a court of law. It also can address risks identified during the previous phase, Pre-contract Due Diligence, and ensures that all enforceable language is clear and specific. It is crucial for TPRM practitioners to collaborate with legal counsel to ensure their contracts include the necessary remedies in the case of a third party failure. Regular contract review and upkeep is essential to maintain and reflect the organization’s risk tolerance.

    4. Continuous Monitoring. In the TPRM field, where risks are dynamic and ever-changing, continuous monitoring is essential. To maintain situational awareness and responsiveness, this phase uses mechanisms like site visits, triggered reviews, and the use of monitoring tools to mitigate risks within an always changing environment. This phase is crucial for organizations to better assess third party risk in order to meet contract terms, business obligations, legal and regulatory requirements, and performance expectations. It also allows organizations to stay informed about changes in operations, financial stability, cybersecurity posture, and compliance status that may affect their risk exposure. This also enables swift action when risk mitigation is required and ensures full compliance with any legal and regulatory requirements.

    5. Disengagement. The disengagement phase, which is frequently overlooked, ensures a smooth exit strategy, reduces lingering risk, and protects sensitive and valuable assets when third party relationships conclude. Disengagement is the process of transitioning away from a third party with minimal impact if the relationship ends due to contract expiration or when certain adverse conditions are met. This phase can be complex and challenging because the business often wants to end the relationship quickly. Organizations and companies don’t often disengage with third parties, which can lead to rushed and overlooked processes. If the third party maintains sensitive data post-disengagement, your organization should continue to assess the third party from a cybersecurity perspective (potentially in a limited capacity).

    6. Continuous Improvement. TPRM is a journey marked by constant change and evolution. The concept of continuous improvement emphasizes the importance of flexibility and adaptability, calling for regular evaluation and adjustment to keep up with changing laws, emerging risks, and technical advancements. This phase overlaps all other phases within the TPRM lifecycle, as continuous improvement is necessary in all phases. It allows organizations to adapt to regulatory requirements, respond to new business practices, and incorporate technological advancements. This phase allows organizations to remain agile in a complex environment.

    Navigating the Guidebook: Navigating the TPRM guidebook is easy due to its informative graphics, detailed definitions, intuitive sections, and helpful resources. The implementation of this guidebook will vary depending on your organization’s size, industry, and types of third party relationships. While the guidebook provides you with standards from which to begin crafting your TPRM program, careful consideration must be paid to your organization's established risk appetite when determining how to implement said standards. Your program should be rigid enough to have established criteria for the review and mitigation of third party risk, but also flexible enough to consider the variability of third party relationships, regulations, geographic locations, and emerging risks.

    Accessing the Guidebook: TPRA’s first draft of our Third Party Risk Management 101 Guidebook is currently available as a free, downloadable eBook to all TPRM professionals. Visit the TPRA website and complete a short form to access this body of knowledge. By downloading the guidebook, stakeholders can effortlessly delve into its contents, leveraging its insights to fortify their TPRM endeavors.

    Conclusion: Charting the Course Ahead. The TPRM 101 Guidebook provides organizations with comprehensive guidance, tools, and resources as they navigate the complex terrain of third party risks. It enables stakeholders to navigate relationship complexities, mitigate risks, and foster resilience in a dynamic environment. The guidebook is considered the gold standard for the Third Party Risk Management industry and ignites a culture of vigilance, adaptability, and continuous improvement. In the dynamic realm of business operations, where risks lurk at every turn, the TPRM guidebook emerges as a steadfast companion, illuminating the path to success amidst uncertainty and complexity. The journey of TPRM is not merely a destination but a perpetual odyssey of discovery, resilience, and excellence, and the guidebook serves as a trusted compass, guiding stakeholders towards the shores of resilience in an ever-changing sea of risks. But the journey doesn’t end here. TPRM Practitioners are welcome to join the TPRA for free to continue their learning journey by benchmarking off their fellow peers, participating in engaging webinars and conferences, and contributing thought leadership to roundtables and future published guidance. To join, please visit www.tprassociation.org/join.

  • Integrated TPRM Business Processes - Enabling the Business While Mitigating Third Party Risk

    Blog was inspired by the TPRA presentation by Tom Rogers, CEO & Founder of Vendor Centric, at TPRA’s July 2022 Practitioner Member Meeting. (To watch the full presentation, TPRA Members can visit our On-Demand Webinars page and navigate to the July 2022 meeting recording.) Blog format by Meghan Schrader, TPRA Marketing & Communications Coordinator.

    A question many Third Party Risk Management (TPRM) and vendor management professionals often find themselves asking is: how do we work in a cohesive, organized way to sufficiently mitigate third party risk while enabling the business to move forward with third party relationships? In this blog, we will discuss:

    - The common goals and challenges to integrating TPRM processes across the organization
    - Tips for improving process integration with business stakeholders
    - Different stakeholders and how TPRM can work with each
    - Key aspects of TPRM governance needed to make integration work
    - A TPRM lifecycle-based framework that enables better integration of people, processes, and systems

    Goals and Challenges with TPRM Process Integration

    When bringing in a new third party, the end goal in its simplest form is to optimize the relationship between the business and the third party. At the end of the day, we engage in third party relationships to gain value from their products/services, as well as to support business owners in reaching their day-to-day objectives. But with the use of third-party products/services comes additional risk to the organization. How can we better enable the business while mitigating third party risk?

    TPRM Challenges with Integration

    Integrating TPRM into business processes can be a challenge. The Business is usually concerned with speed to market and may not understand why certain third-party risk due diligence efforts are needed. In addition, once risk is found, the business may not agree with it, or may not feel it is a high enough risk to warrant additional efforts to mitigate it.

    In the beginning phase of integration, it is important to have open lines of communication and to be transparent about what due diligence efforts are needed and why you ask for certain evidence items from the third party. This ensures the business has a clearer understanding of where the third-party risk may lie and what next steps are needed. They may even help you champion certain discussions if they better understand the risk, as well as the support your team has from executives within your organization. To assist with integration, let’s look at what is needed from a due diligence standpoint.

    What is Needed to Evaluate Risk

    Understand what inherent risks exist

    As your organization enters into a new third-party relationship, what are the inherent risks (risks before controls are considered) that the third party is potentially bringing into the business? Understanding those potential risks will drive your due diligence efforts.

    Evaluate controls and mitigate residual risks

    After inherent risk is determined, it is time to evaluate the controls the third party has in place to mitigate the inherent risk. Findings that come from testing these controls determine the residual risk of a third party. Action plans should then be established with the third party to mitigate that residual risk. If risk cannot be mitigated, then it must either be accepted (at the appropriate level within your organization) or you may determine that it is too risky to move forward with the relationship.

    Monitor for new risks and ensure remediation is effective

    Once the relationship is established, it is important to continuously monitor the risks of your third party. Therefore, it is vital to implement continuous monitoring activities to evaluate third party risk on an ongoing basis. It is key in this phase to use a risk-based approach and not treat every vendor the same. This will ensure a long-lasting relationship, while also addressing third party risk at the highest level.

    Ensure risk is mitigated even when the relationship is coming to an end

    It is important to continue with risk-mitigation efforts even when you are terminating a third-party relationship. You want to ensure a smooth transition away from the third party, while also ensuring all of your organization’s data the third party housed is appropriately handled (i.e., returned and/or destroyed). This can be accomplished through a strong exit strategy, including an offboarding checklist, as well as the acceptance of a certificate of destruction. If you plan for the third party to maintain your data for a specific period of time (e.g., for a legal hold), then you will want to continue to evaluate the third party from a security perspective on an ongoing basis.

    But how do you effectively integrate these TPRM processes into business processes without becoming a bottleneck? Below are some tips you can implement to ensure smooth integration.

    Ensuring Integration into Business Processes

    First, determine what the business wants from the third-party relationship. Some immediate needs of the business may include, but are not limited to:

    - Start working with the third party immediately
    - Speed to market (they have a project with a tight deadline)
    - Security concerns they need to address will be mitigated by the onboarding of the new third party
    - Reaching a niche market

    Long story short, the business wants to know how they can make implementation happen as quickly as possible, and sometimes this means they are willing to circumvent certain processes. This is especially true if they do not have a clear understanding of why a process exists in the first place. Some of the activities you can participate in to ensure integration into the business process are:

    Help the business understand

    Help your business understand why certain processes exist and what the steps are to reach the business’ ultimate goal. Consider meeting with the business owner on a regular basis (at least quarterly) to walk them through your process, set target dates and goals, update them on where you are within certain due diligence processes, and follow up on findings and where the vendor is within their "get to green" plans.

    Understand the relationship

    Gain a better understanding of the relationship between the business and third party, and work within the context of the existing relationship. This means working with your business to obtain what you need from the third party. If the relationship is strained, then find ways to communicate with the third party as efficiently as possible. The business, as well as the third party, want as little effort and disruption as possible.

    Only ask for what is needed

    Make sure you know what you want to ask the third party and only ask what is needed of them. Do not reach out 100 times because you did not include everything within your first request. This also gives your business trust in what you are requesting, because they know you will only ask for what is needed.

    Have an exit strategy

    As the relationship is ending, the business owner has other things they need to tend to, so they’ll want the relationship closed out as quickly as possible. There are still activities which need to happen on the back end of the relationship, such as data being returned and/or destroyed appropriately. If the third party will maintain data, then security reviews are required until the data is returned and/or destroyed. While the business owner recognizes those necessary activities, they may not always want to put energy into them. To alleviate this step, think through termination and create an exit strategy before the contract is signed, during the pre-contract phase. This ensures a smooth transition away from the third party on the back end of the relationship.

    In short, there are processes you can put in place to help the business better understand why TPRM exists, the importance of your team, and what is required in order for you to perform your reviews and mitigate risk. It is also important that you work with the business to better understand their goals, objectives, and timelines. Open communication is key throughout the TPRM process, as is setting expectations up front. If this is done correctly, the business can ultimately become a champion for TPRM and more readily assist you with your review process.

    TPRM Challenges with the Rest of the Team

    But the TPRM team does not just work with business owners. They also work with other stakeholders to ensure risk decisions are made at the right level, as well as to ensure legal and regulatory processes are met. Below are some examples of additional stakeholders and how TPRM can work with each:

    Procurement

    This team is responsible for bringing in new third parties or renewing current contracts. They are the “gate-keepers” for third party relationships. TPRM will want to integrate into the Procurement process so they can 1) be notified when new third-party relationships are formed and adequately review those relationships and third-party controls before contracts are signed, and 2) review contract redlines that relate to security or other third-party risks. This way they can ensure the contract has set the right level of expectations with regard to what controls the third party must have implemented, and will also ensure TPRM receives what they need in order to perform the reviews. Redlining the contract can also ensure TPRM is able to review the third party on an ongoing basis.

    Compliance

    This team ensures the organization is appropriately following regulations and meeting compliance objectives. TPRM will want to work with this team to ensure their third parties are also meeting regulatory compliance objectives. Compliance can also assist TPRM in determining what regulations should be followed for offshore resources.

    Legal

    This team works through contract templates and ensures agreements can be held up within a court of law. TPRM can work with this team to develop contract templates and addendums (which are crucial to ensuring you get the most out of your third-party relationship).

    Other Operational Teams

    Depending on how your TPRM program is set up (centralized vs. decentralized), there may be other teams TPRM works with to accomplish specific pieces of their review(s). For example, they may work with the Finance team to review the financials of a higher-risk vendor. TPRM should be aware of the current workload of these teams and strategically request reviews for higher-risk vendors so as not to overload other operational teams.

    Getting Everyone on the Same Page

    We’ve talked about why working with other teams is important. But how can everyone get on the same page with regards to TPRM expectations? Whether your TPRM program is centralized or decentralized, there are a few things that need to be in place to ensure TPRM activities are integrated into business and key stakeholder processes.

    Executive support

    Ensure you have the support of your executives. This is crucial for ensuring processes are followed across the enterprise.

    Business and stakeholder champions

    Find business and stakeholder champions. Determine who makes the decisions within your organization and ensure they are on your side with regards to TPRM implementation. This can greatly increase your chances for success when integrating TPRM processes into the business, as the loudest and most important decision makers agree with your approach and share that agreement with others.

    Ensure everyone has a seat at the table

    Ensure everyone has a seat at the table. This allows all necessary players to be heard, provide input, and agree to TPRM processes. They are also more likely to follow the process if they have input into it.

    Strong TPRM policy and procedures

    Develop a strong TPRM policy, as well as procedures, and ensure they align with a TPRM framework. This ensures everyone is aware of the process and can follow it appropriately.

    Risk committee

    Develop a risk committee. Now that your TPRM program is set up, ensuring risks are reviewed at the right level is the next step. You do not want the business accepting high risk on behalf of the organization. This committee can help you determine the next steps in your risk mitigation efforts, as well as approve risk escalations and acceptance.

    Develop RACIs

    Develop a Responsibility Assignment Matrix (RACI) to clarify roles and responsibilities of the different stakeholder groups. This helps not only to break out what the different activities are, but also to ensure the different stakeholders are aligned in their roles in the process.

    Oversight and reporting

    Align oversight and reporting, including key performance indicators (KPIs) and key risk indicators (KRIs), to create holistic governance and accountability for managing third parties. Ensure risks are reported all the way up to the Board.

    Periodic assessments and testing

    Perform periodic assessments and testing to ensure TPRM processes are working as designed.

    Automate (optional)

    Automate for better transparency, process integration, workflow, and reporting. Systems should have the ability to automatically notify relevant stakeholders when an action needs to be taken.

    Third Party Lifecycle Management Framework

    But what should your TPRM program include? Below is a diagram of a TPRM framework.

    [Figure: TPRA Third Party Risk Management Lifecycle diagram. Source: TPRA Third Party Risk Management Lifecycle (c)]

    The outer circles represent the third-party risk management lifecycle stages from beginning to end, starting with “Sourcing” and completing at “Termination and Offboarding.” Within this framework is Operational Governance. While all of the activities are taking place, the glue which holds them together is the policies, procedures, and standards your organization has in place. Governance creates alignment of the people, skills, training, and technologies.

    This framework can help you better integrate into business operations and provide structure for disparate processes. Part of the goal here is to communicate to business owners that you are a resource, serving as an advisor and coach to them along the way, as well as to detail the importance of dealing with third party risk as quickly as possible. But ultimately, the Business Owners are the risk owners of their third party relationships.

    Conclusion

    There are many ways to integrate TPRM activities into business processes to enable the business while also mitigating risk. With so many moving parts and areas of focus, it is important to facilitate open communication between all stakeholders and connect as many activities, processes, and systems as possible to ensure consistency and the most effective and efficient risk mitigation performance possible. Utilizing a TPRM framework can help streamline and provide consistency within the TPRM program, while also mitigating risk more effectively. Third party risk affects every area of a business, and therefore should be integrated accordingly.

  • Work Smarter Not Harder

    Third Party Risk Management (TPRM) is a critical process for organizations that rely on third parties to provide goods or services. It involves identifying, assessing, and mitigating risks associated with these third parties, in order to ensure that they do not negatively impact the organization's operations or reputation. As the number of third parties and the complexity of their relationships with organizations increase, managing third party risk has become a more difficult and time-consuming task. This is where automation comes in.

    Areas to Automate in the TPRM Lifecycle

    Automation can streamline and improve the process by eliminating human completion of repetitive tasks, reducing error, and increasing efficiency. There are several key areas where automation can be applied in the TPRM process, including:

    1. Third Party Onboarding

    Third party onboarding is the process of evaluating and accepting new third parties into the organization's TPRM program. It can be a time-consuming and resource-intensive process, involving a significant amount of paperwork and documentation. Automation can help streamline this process by handling the collection and verification of third party information, such as tax IDs, business licenses, and insurance certificates. This can significantly reduce the time and resources required to onboard new third parties.

    2. Risk Assessment

    Risk assessment is the process of identifying and evaluating the risks associated with a third party. This can be a complex and time-consuming process, involving a significant amount of data collection and analysis. Automation can help simplify this process by performing data collection and analysis and providing an objective and consistent approach to risk assessments. Automation can also help identify and evaluate risks that may not be immediately obvious to human reviewers.

    3. Continuous Monitoring

    Continuous monitoring is the ongoing process of monitoring a third party's performance, as well as its compliance with the organization's TPRM program. This can involve monitoring the financial stability, regulatory compliance, and incident reporting of third parties. Automation can assist with simplifying this stage by creating a real-time data collection and analysis process and providing alerts of any potential issues. This helps organizations identify and respond to potential risks in a shorter period of time.

    4. Reports and Communication

    Reports and communication are important aspects of the TPRM lifecycle, as they provide decision-makers with the information they need to make informed decisions about their third parties. Automation can help simplify this process by removing the need for a human to generate reports and by ensuring real-time updates on third party performance and compliance. As with continuous monitoring, this can help organizations quickly identify and respond to any potential risks.

    Benefits of Automation in TPRM

    The use of automation can provide several benefits to organizations, including:

    1. Increased Efficiency

    Automation can help streamline and simplify the TPRM process, reducing the time and resources required to manage third party risk. This can help organizations focus on more important tasks, such as identifying and mitigating high-priority risks.

    2. Improved Accuracy

    Automation can help reduce human error and provide a more objective and consistent approach to risk assessment. This helps organizations make more informed decisions about their third parties.

    3. Increased Visibility

    Automation can provide organizations with real-time visibility into third party performance and compliance. This helps organizations quickly identify and respond to any potential risks.

    4. Compliance

    Automation can also help organizations comply with regulatory requirements by providing real-time alerts of any potential issues, as well as providing an audit trail for the alerts.

    Challenges of Automation in TPRM

    Despite the many benefits of automation, there are also some challenges that organizations may face when implementing it. These challenges include:

    Challenge 1: Lack of Flexibility

    One of the biggest challenges of using automation in the TPRM process is the lack of flexibility. Automated systems are often inflexible and may not be able to adapt to the unique needs of different organizations and third party relationships. This can make it difficult for organizations to customize their TPRM processes to meet their specific requirements. Additionally, automated systems may not be able to handle unexpected situations or changes in third party risk levels.

    Challenge 2: Data Quality and Integrity

    Another challenge of using automation in the TPRM process is data quality and integrity. Automated systems rely on accurate and up-to-date data to function properly. However, TPRM data can be complex and difficult to collect and maintain. Organizations may struggle to ensure the accuracy and completeness of their TPRM data, which can lead to inaccuracies and inconsistencies in their automated systems. This can make it difficult to accurately assess third party risks and develop effective mitigation strategies.

    Challenge 3: Security Concerns

    Security is a major concern when it comes to using automation in the TPRM process. Automated systems may be vulnerable to cyber threats, such as hacking and malware. This can put sensitive TPRM data at risk and make it difficult for organizations to protect themselves against potential data breaches. Additionally, automated systems may not be able to detect and respond to advanced threats, such as social engineering and phishing attacks.

    Challenge 4: Limited Human Involvement

    Another challenge of using automation in the TPRM process is limited human involvement. Automated systems may not be able to fully replicate the expertise and judgement of human analysts. This can make it difficult for organizations to identify and assess third party risks while also developing effective mitigation strategies. Additionally, automated systems may not be able to provide the same level of transparency and accountability as human-led processes.

    Challenge 5: Cost and Complexity

    Finally, using automation in the TPRM process can be expensive and complex. Organizations may need to invest in expensive software and hardware to implement and maintain automated systems. Additionally, organizations may need to hire specialized personnel to manage and maintain their automated systems. This can make it difficult for organizations to justify the cost and complexity of using automation in TPRM processes.

    Conclusion

    Automation can be a powerful tool for improving the TPRM process, but it also presents several challenges. These challenges may include a lack of flexibility, data quality and integrity issues, security concerns, limited human involvement, and cost and complexity. Organizations need to carefully consider these challenges when deciding whether to use automation in their TPRM processes. By understanding these challenges and taking steps to address them, organizations can improve their TPRM processes and better protect themselves against potential risks.

  • Understanding AI & Its Risks in Third Party Networks

    This blog was inspired by the meeting facilitated by Julie Gaiaschi, CEO & Co-Founder of TPRA, at TPRA’s March 2025 Practitioner Member Roundtable. (To watch the full presentation, TPRA Members can visit our On-Demand Webinars page and navigate to the March 2025 meeting recording.)

    Nowadays, artificial intelligence (AI) seems to be involved in nearly every type of business activity. It is reshaping business operations by offering increased efficiency, automation, and data-driven insights. Within third party networks, AI-driven technologies are influencing how third party risk management (TPRM) practitioners identify and assess risks. This is due to third parties using these AI technologies in critical areas like supply chain management, financial transactions, and cybersecurity. With this increased use of AI, the risks associated with AI are also growing. However, it is important to know that not all AI is the same. In addition, not everything labeled as AI truly fits the definition.

    The first step in managing AI risks is to have an understanding of what AI is, and what it is not. According to NIST’s AI Risk Management Framework (RMF), AI is “an engineered or machine-based system that can, for a given set of objectives, generate outputs such as predictions, recommendations, or decisions influencing real or virtual environments. AI systems are designed to operate with varying levels of autonomy.” A custom model is typically not considered AI if it is rule-based or uses simpler statistical methods, because such a model lacks learning or adaptive capabilities.

    In this blog we will explore:

    - Types of AI & Use Cases
    - Risks Related to AI
    - Risks Related to AI Metrics
    - What Should Occur Before Assessing AI Risk
    - Assessing AI in Third Party Networks

    Types of AI & Use Cases

    AI systems can be classified based on their functionality, level of intelligence, and application. The list below is not all-encompassing, but breaks down some common types of AI.

    - Expert Systems: Mimic human expertise in specific domains by following a set of programmed rules. Examples include diagnostic tools in medicine and legal analysis systems.
    - Natural Language Processing (NLP): AI that processes and understands human language, such as chatbots, translation tools, and virtual assistants (e.g., ChatGPT).
    - Computer Vision: Enables machines to interpret and make decisions based on visual data; used in facial recognition, autonomous driving, and object detection (e.g., Face ID).
    - Robotics: AI integrated with robotics to perform tasks in industries like manufacturing, healthcare, and service sectors.
    - Recommendation Systems: Common in e-commerce and entertainment (like Netflix and Amazon), these AI systems analyze user behavior to suggest products or content.
    - Generative AI: Creates new content or data (like text, images, or music) based on learned patterns (e.g., deepfake and DALL-E models).
    - Cognitive Computing: Mimics human thought processes, often used in fields requiring decision-making under uncertain conditions (e.g., IBM’s Watson).
    - Predictive Analytics: Uses historical data to make predictions about future events; used widely in finance, marketing, and supply chain management.

    Risks Related to AI

    Compared to other risks that TPRM practitioners assess, AI technologies have the capability to impact more than just your company. AI technologies pose risks that can negatively impact individuals, groups, organizations, communities, society, the environment, and the planet. Below are some risks that are related to AI, but this is not an exhaustive list. Because AI technology is so new, risks are still being identified as threat actors use AI for their own personal gain.

    - AI systems can be trained on data that changes over time, sometimes significantly and unexpectedly, affecting system functionality and trustworthiness.
    - AI systems and the contexts in which they are deployed are frequently complex, making it difficult to detect and respond to failures when they occur.
    - AI systems are inherently socio-technical in nature, meaning they are influenced by societal dynamics and human behavior.
    - Without proper controls, AI systems can amplify, perpetuate, or exacerbate inequitable or undesirable outcomes for individuals and communities.
    - AI risks or failures that are not well-defined or adequately understood are difficult to measure quantitatively or qualitatively. This means that if you aren't aware of how the AI operates or is being trained, then you may not see a failure or a risk.

    Risks Related to AI Metrics

    When it comes to AI and understanding how it works, transparency is a key theme. Part of being transparent is thoroughly understanding the metrics that you're using to evaluate AI. There are risks tied to those metrics, and it’s important to recognize how they impact AI performance and decision-making. Some risks related to AI metrics are:

    - Risk metrics or methodologies used by the organization developing the AI system may not align with the risk metrics or methodologies used by the organization deploying or operating the system. In addition, the organization developing the AI system may not be transparent about the risk metrics or methodologies it used.
    - Another AI risk metric challenge is the current lack of industry consensus on robust and verifiable measurement methods for risk and trustworthiness, as well as their applicability to different AI use cases.
    - Approaches for measuring AI decision impacts on a population work best if they recognize that contexts matter, that harms may affect varied groups or sub-groups differently, and that communities or other sub-groups who may be harmed are not always direct users of a system.
    - Measuring risk at an earlier stage in the AI lifecycle may yield different results than measuring risk at a later stage.
    - While measuring AI risks in a laboratory or a controlled environment may yield important insights pre-deployment, these measurements may differ from risks that emerge in operational, real-world settings.

    What Should Occur Before Assessing AI Risk in Third Party Networks?

    Before assessing AI risks in third party networks, it is critical to lay the groundwork within your own organization. Establishing clear guidelines and considerations beforehand helps ensure a more effective risk assessment process. The following steps should be considered:

    - Create an Acceptable Use Policy to define how AI will be leveraged within the organization, as well as how data will be leveraged within third party AI systems.
    - Train Employees on what AI is and the acceptable use of AI.
    - Leverage an AI Framework to inform contracts & assessments (e.g., the NIST AI Risk Management Framework is a great example).
    - Contract for AI: specify the data usage allowed, the AI type allowed, ethical considerations, decision-making responsibilities, and data ownership in contracts.
    - Think through an Exit Strategy for Critical & High risk third parties (consider data retrieval and deletion activities when terminating, model and algorithm ownership, intellectual property rights, data privacy, knowledge transfer, and continuity of operations).

    Assessing AI in Third Party Networks

    Now that you’ve established AI policies within your own organization, you are ready to assess AI within third party networks. As we assess third-party networks, it's important to recognize that nearly every company today is leveraging AI, whether directly or through their partners. Assessing AI involves similar principles to other information security evaluations, but with distinct challenges. Unique concerns, such as data quality, model interpretability, and the potential for bias, add complexity to AI assessments. Consequently, it’s essential for organizations to prioritize responsible AI development. Developing AI responsibly requires a comprehensive approach that balances innovation with ethical considerations, social impact, and sustainability.

    When assessing AI in third party networks, it is important to review the risks related to:

    - The AI’s Capabilities & Models, to determine how effectively and ethically AI systems operate.
    - Data Quality & Protection, to safeguard against ethical, legal, and operational risks, foster trust, and ensure that AI systems operate accurately and securely.
    - Security & Access Controls, to protect sensitive data, maintain model integrity, and ensure compliance with regulatory standards.
    - Performance & Reliability, to ensure the AI system operates as intended, adapts to real-world conditions, and delivers dependable outcomes.
    - Governance & Oversight, to ensure the AI system is used responsibly, safely, and effectively. For third party networks, strong governance and oversight help ensure that external partners adhere to the same high standards, preserving the integrity of the organization’s AI ecosystem and protecting against external threats.

    Conclusion

    AI is becoming an integral part of third party networks, and it might be safest to assume that your third parties are using AI in some capacity. This means it is crucial to understand how they are using AI, as well as the potential risks that come from AI and the metrics used to evaluate it. By understanding AI and the risks it poses in third party networks, you can make more informed decisions and strengthen your risk management strategies.

  • Optimizing Third Party Contractual Agreements

This blog was inspired by the meeting facilitated by Julie Gaiaschi, CEO & Co-Founder of TPRA, at TPRA's November 2024 Practitioner Member Roundtable. (To watch the full presentation, TPRA Members can visit our On-Demand Webinars page and navigate to the November 2024 meeting recording.)

Being a TPRM practitioner means being vigilant and prepared for third party risks. One way to build a strong risk management foundation is through strategic planning and careful oversight of contractual agreements. Contracts do more than set expectations for the relationship. For TPRM practitioners, understanding their full purpose, and how they can limit an organization's exposure to risk, is essential for successful risk management.

In this blog, we will:

- Cover the purpose of contracts
- Note several types of contract risk
- Discuss how to address contract risk
- Provide tips on the "Right to Review" vs. "Right to Audit" clause

The Purpose of Contracts

Contracts not only establish and document relationship expectations but also help ensure proper risk management. Here's how:

- Contracts allow TPRM practitioners to obtain the evidence items necessary to complete their assessments. A best practice is to include a clause stating that the third party will respond to questionnaires from time to time, and will provide evidence items related to the agreement upon request.
- Contracts can ensure that due diligence findings are addressed in a timely manner. For example, if high-risk findings are discovered during the pre-contract phase, it is best practice to include clauses covering the remediation of those findings.
- Contracts can establish non-compliance triggers in the event a third party fails to meet its obligations under the agreement. Many contracts only provide for terminating the relationship if the third party fails to meet your organization's expectations, which is not always feasible or desired. Instead, document a step-by-step course of action to follow if the third party fails to meet its obligations. This ensures progress is made and gives the contract more teeth than termination alone. Non-compliance triggers may include, but are not limited to:
  - Withholding payment of the next invoice if the third party does not provide the documentation needed to perform TPRM reviews within a defined period of time.
  - Performing an onsite visit if the third party is not keeping pace on the remediation of confirmed findings.
  - Requiring the third party to assist with transitioning your organization's data from its data center to another data center of your organization's choosing, should the onsite visit result in additional confirmed findings and limited remediation of current findings.
- Contracts reflect an organization's risk tolerance. For example, you can set parameters for specific expectations, such as the time the third party has to patch a critical-, high-, or medium-risk vulnerability. You can also set key performance indicators for specific activities, such as responding to inquiries.
- Contracts allow for a smooth transition away from a third party by including language on termination timelines and expectations. The contract can also be used to keep track of the logical and physical access granted to the third party, so that it is revoked promptly.

What Is Contract Risk?

Contract risk is the possibility that the contract itself introduces risk, or fails to address it, at the point the contract is created. Several types of contract risk should be discussed during the pre-contract phase, including but not limited to:

- Not including specific control expectations within the agreement, or in a separate addendum, to ensure your data is appropriately safeguarded and your organization's strategic objectives are met. For example, if you are working with a critical- or high-inherent-risk third party, call out at least your top 10, 15, or 20 information security controls that you expect to be in place before you send them any data.
- Not including or reviewing sufficient contract terms. At a minimum, review what the third party is redlining or approving in your contract, and compare it to what you are reviewing from an assessment perspective.
- Not including safeguards within the contract should a third party risk be realized, such as incident response, breach notification, or non-compliance triggers.
- Not reviewing contract templates on a regular basis to incorporate emerging risks, such as performance risk, termination and transition risk, intellectual property risk, artificial intelligence risk, cost escalation risk, and insurance risk. It is important to understand where potential risks can arise and to discuss these topics so that the extent of each risk is minimized.

Addressing Contract Risk

Now that we have discussed the ways contract risk can arise, here are a few ways to address it:

- Work closely with Legal and Procurement teams to ensure contracts align with your organization's risk management strategy, including its risk appetite.
- Have templates for cybersecurity requirements drafted to ensure they provide sufficient coverage of key controls. This should not be an exhaustive list of controls, but the top 10 to 20 controls that must be in place before you send data to the third party. Templates should also detail appropriate remedies (non-compliance triggers) if and when the third party fails to meet its obligations under the agreement.
- Include expectations for participating in risk assessment activities (e.g., responding to questionnaires and providing evidence items upon request).
- TPRM practitioners should have a seat at the table when reviewing redlines to clauses related to cybersecurity terms, as well as to terms that allow a practitioner to perform their duties (such as "Right to Audit or Review" and "Termination" clauses).
- Practitioners should ensure any high-risk findings noted during the pre-contract due diligence phase are reflected in the contractual terms, and should work closely with legal counsel to ensure the contractual language is clear, specific, and enforceable.

Tips on the Right to Review vs. Right to Audit Clause

Typically, the "Right to Audit" clause allows an organization to audit the third party once per year. Historically, this clause was specific to Internal Audit; over time, TPRM programs have adopted it to perform their annual due diligence assessments. However, the clause does not provide the flexibility or depth needed to perform continuous monitoring of the third party.

A tip for ensuring your organization can review the third party on a regular cadence (more than once per year) is to include a "Right to Review" clause within the cybersecurity addendum, in addition to the "Right to Audit" clause usually found within the Master Services Agreement (MSA). A "Right to Review" clause may include language such as: "The third party may be required to complete due diligence questionnaires and/or surveys from time to time and shall respond to such questionnaires and surveys no later than the due date, as defined within this agreement. Upon request, the third party shall provide evidence to support responses to such questionnaires and surveys. Failure to do so may trigger escalation procedures and/or non-compliance triggers noted within this agreement."

Where the "Right to Audit" clause covers the annual audit, the "Right to Review" clause is specific to verifying that your security addendum is being executed appropriately.

Conclusion

Incorporating comprehensive contractual safeguards is essential for TPRM practitioners aiming to mitigate third party risks effectively. By understanding contract risk, organizations can establish strong contract clauses that protect against potential liabilities and align with their risk tolerance.

Resources: AI/ML Questionnaire Guidebook
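The non-compliance triggers and the patch-time parameters described under "The Purpose of Contracts" above only have teeth if someone checks them on a cadence. The following Python script is an added illustration (it is not TPRA's code and not from the roundtable) of how a TPRM team could encode those contract terms into a repeatable check: per-severity remediation windows, findings reported by the third party, and the stepped escalation ladder the post describes (withhold invoice, onsite visit, assisted data transition). The SLA windows, the escalation thresholds, the finding records and the as-of date are all assumptions constructed for the example; real values come from the signed addendum and from your findings tracker.

```python
"""Contract patch-SLA check with a stepped non-compliance ladder.

Added illustration, not TPRA's code. It encodes two things a cybersecurity
addendum might specify: the maximum days a third party has to remediate a
finding of a given severity, and an ordered set of non-compliance triggers
that escalate as missed deadlines accumulate. All SLA windows, trigger names,
thresholds and findings below are assumptions constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed contractual remediation windows, in calendar days from the date the
# finding was confirmed with the third party. Real values come from the signed
# addendum, not from here.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# The stepped course of action described in the post: withhold the next
# invoice, then an onsite visit, then assisted data transition. Index = rung.
ESCALATION_LADDER = (
    "withhold next invoice until evidence is provided",
    "perform onsite visit",
    "require assisted transition of data to another data center",
)


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str                      # key into SLA_DAYS
    confirmed: date                    # date confirmed with the third party
    remediated: Optional[date] = None  # None = still open


def days_overdue(finding: Finding, as_of: date) -> int:
    """Days past the contractual deadline; 0 if within SLA or closed on time.

    Raises ValueError for a severity the contract does not define, so an
    unrecognized severity is never silently treated as 'no deadline'.
    """
    if finding.severity not in SLA_DAYS:
        raise ValueError(f"no SLA defined for severity {finding.severity!r}")
    end = finding.remediated or as_of
    elapsed = (end - finding.confirmed).days
    return max(0, elapsed - SLA_DAYS[finding.severity])


def sla_breaches(findings, as_of: date):
    """Return (finding, days_overdue) for every finding that missed its SLA,
    worst first. Closed-but-late findings are included as history."""
    breached = [(f, days_overdue(f, as_of)) for f in findings]
    breached = [(f, over) for f, over in breached if over > 0]
    breached.sort(key=lambda pair: pair[1], reverse=True)
    return breached


def escalation_step(findings, as_of: date, breaches_per_step: int = 2) -> Optional[str]:
    """Map the number of still-open SLA breaches onto the escalation ladder.

    Only open, overdue findings advance the ladder; every `breaches_per_step`
    of them moves one rung (assumed threshold), capped at the last rung.
    Returns None when no trigger applies.
    """
    open_breaches = [f for f, _ in sla_breaches(findings, as_of) if f.remediated is None]
    if not open_breaches:
        return None
    step = min((len(open_breaches) - 1) // breaches_per_step, len(ESCALATION_LADDER) - 1)
    return ESCALATION_LADDER[step]


def contract_compliance(findings, as_of: date) -> dict:
    """One-shot summary suitable for feeding a TPRM workflow or GRC tool."""
    return {
        "as_of": as_of.isoformat(),
        "breaches": [(f.finding_id, over, f.remediated is None)
                     for f, over in sla_breaches(findings, as_of)],
        "trigger": escalation_step(findings, as_of),
    }


# Constructed sample findings (assumed data), evaluated as of 2024-06-30.
AS_OF = date(2024, 6, 30)
SAMPLE_FINDINGS = [
    Finding("F-001", "critical", date(2024, 6, 1), remediated=date(2024, 6, 5)),  # closed on time
    Finding("F-002", "critical", date(2024, 6, 1)),                               # open, overdue
    Finding("F-003", "high", date(2024, 5, 1), remediated=date(2024, 6, 10)),     # closed late
    Finding("F-004", "medium", date(2024, 2, 1)),                                 # open, overdue
    Finding("F-005", "high", date(2024, 6, 20)),                                  # open, within SLA
]

if __name__ == "__main__":
    for key, value in contract_compliance(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{key}: {value}")
```

Run it as a script to print the report, or import it and call contract_compliance() from a workflow tool. One design point worth keeping in any real implementation: an unknown severity raises rather than returning "no deadline", so a finding the contract does not cover is surfaced instead of silently passing.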

  • TPRM Maturity vs. Associated Value

By: Halle Reynolds, TPRA Marketing & Social Media Internship

The Third Party Risk Management Lifecycle (noted below within "Starting a TPRM Program") is recommended for every organization seeking to implement a TPRM program. How a program implements the lifecycle depends on the organization's risk appetite (the level of risk it is willing to accept), as well as the complexity of its third party relationships. After an organization has established an initial TPRM program, consideration should then be given to enhancements that will accelerate program efficiency and effectiveness in addressing third party risk. Which of the following best practices to incorporate depends on an organization's overall objectives, budget, and size.

STARTING A TPRM PROGRAM

TPRM programs begin with a blueprint: a plan for how your program will function. This layout should include the phases of the Third Party Risk Management Lifecycle: Planning & Oversight, Pre-Contract Due Diligence, Contracting, Continuous Monitoring, Disengagement, and Continuous Improvement. At a minimum, it is best practice to have the following processes in place if you are just beginning your program:

- Planning and Oversight: Establish program governance, budget, policies and procedures, a third party inventory, and a risk rating methodology.
- Pre-Contract Due Diligence: Integrate into the Procurement process and ensure due diligence/risk assessment reviews are performed before contracts are signed.
- Contracting: Develop a contract template that defines the third party controls expected to be in place, and that allows your organization to review those controls.
- Continuous Monitoring: Run all third parties through an Inherent Risk Questionnaire (IRQ) and establish third party re-assessment triggers and cycle times based on the inherent risk ratings. TPRA Members can access our Inherent Risk Questionnaire (IRQ) Template on our TPRM Resource page. The IRQ can be used to identify due diligence requirements and determine the inherent risk rating of each engagement with your Third Party Service Provider (TPSP).
- Disengagement: Establish a termination checklist, including the handling/destruction of data and transition to another third party.
- Continuous Improvement: Communication and education are key when starting a program. Ensure you have top-down support, as well as the support of the business.

The value you receive from even a basic TPRM program can be substantial. It gives your organization a holistic lens into its risk landscape and lets it proactively address and mitigate third party risk in a timely manner. TPRM programs are also required by many regulators, Board members, and customers.

ENHANCING YOUR TPRM PROGRAM

Once you have established your TPRM program, you can begin to enhance and/or automate certain activities to ensure you are focusing on what matters most in a timely and efficient manner. Below are some examples of enhancements you could make, working through the same TPRM lifecycle phase by phase.

- Planning and Oversight: Develop a steering committee to address the highest levels of risk. Ensure a risk escalation and acceptance process is in place (you may want to do this at the foundational level as well).
- Pre-Contract Due Diligence: Ensure you have a seat at the table with those making third party risk-based decisions, such as Procurement, Legal, Compliance, and others. Actively participating in these conversations ensures your program gains the support it needs, and that you can obtain the evidence and documentation necessary to perform your reviews.
- Contracting: You may want to "own" certain contract clauses so that any redlines to those clauses are reviewed by your team. Small changes can affect what evidence you receive from third parties and how you can assess them. You may also want to add non-compliance triggers to your contracts, so that you can take action when a third party is out of compliance.
- Continuous Monitoring: Once your program is established, you can begin to work through nth party reviews. An nth party is a 4th or 5th party (your third party's third parties). It is important to review nth parties, especially if they will access your organization's data, are customer facing, or support a key activity related to the product/service you are purchasing from your third party.
- Disengagement: Begin to maintain a data inventory (by requesting a data flow diagram from your third party) so that you can more accurately pinpoint data destruction requirements, including data at nth party locations. Another enhancement for the disengagement phase is to establish exit strategies during the pre-contract phase, to be leveraged during disengagement. If the third party supports a critical function for your business, have a transition plan in place before entering into an agreement with them.
- Continuous Improvement: Continuously re-evaluate risk domains and enhance them as the risk environment changes (e.g., Environmental, Social, and Governance (ESG), ransomware, pandemic). It is also important to benchmark against peers; chances are, you are not the first to go through something, and benchmarking is the quickest way to learn tips and tricks for implementing process enhancements.

The value of continually enhancing your TPRM program is staying up to date on risk trends and ensuring your program is flexible enough to incorporate changes when and where needed.

AUTOMATING YOUR TPRM PROGRAM

At this point, your program may be gaining momentum quickly, as you have established the foundational building blocks and incorporated certain enhancements. You may now be interested in automating parts of your program by incorporating tools that lessen the strain on resources and allow for scalability. Again working through the same TPRM lifecycle, here are activities you can automate within each phase.

- Planning and Oversight: Consider a governance, risk, and compliance (GRC) or TPRM platform that provides workflow, assessment, and reporting for third party risk. A comprehensive tool can also let you look across third party risk to determine key risk indicators and trends.
- Pre-Contract Due Diligence: A GRC or TPRM platform can also automate the questionnaire process and allow you to obtain evidence more quickly during the pre-contract due diligence phase. You may also consider joining a third party risk assessment collective (where third parties share the responses to one questionnaire with several organizations) to improve third party response time.
- Contracting: Consider implementing a tool that notifies you when contracts are no longer in compliance with updated contract templates, so that you maintain contract compliance with your third parties.
- Continuous Monitoring: A risk rating/intelligence tool can proactively monitor your third parties. These tools scan the perimeter of third party networks and look for public-facing vulnerabilities. They are non-intrusive and can often give you accurate information on an organization's vulnerability management and technology refresh programs. Bear in mind that such ratings reflect only what is observable from outside the third party's network, so they complement, rather than replace, the evidence obtained through due diligence. More advanced tools can also scan the dark web for stolen data and/or accounts belonging to third parties, and can tell you whether a third party has offshore locations, as well as the geopolitical environment of those locations.
- Disengagement: Certain tools can help identify when non-compliance triggers are met (which could ultimately lead to a relationship termination). They can also assist with the data transition process.
- Continuous Improvement: Automatically feeding into your organization's overall risk management program helps inform decisions when looking across the enterprise. Many tools integrate with risk management tools your organization may already have, providing a more holistic risk lens and allowing your organization to focus its efforts on the most critical risks.

Automation can lead to better collaboration, improved transparency around risk, program scalability, quicker response to threats, and less burden on resources. But if you do not have an established program, automating too soon can lead to accelerated issues and misalignment on risk-based decisions. You can find value in automating workflows, assessments, continuous monitoring activities, risk follow-up and validation, reporting, and other third party lifecycle activities.

CONCLUSION

Most TPRM programs start out small and work their way up to more advanced risk management techniques. When beginning, it will not be necessary to incorporate most tools right away. Consider the tools your organization already utilizes and determine if and how you can incorporate them into your TPRM program. Also consider your program's overall objectives, budget, and size when deciding which enhancements and tools to implement. The key to evaluating TPRM program maturity vs. associated value is understanding your organization's risk appetite, and using it to develop your TPRM program's risk-based approach to assessing, monitoring, and mitigating third party risk. For more information on this topic, check out the TPRA's YouTube series "TPRM Explained - TPRM Program Maturity vs. Associated Value".

  • SPARK Matrix Notes Several TPRA Vendor Members on their 2023 VRM List

By: Heather Kadavy, Sr. Membership Success Coordinator for TPRA

In the ever-evolving landscape of Third Party Risk Management (TPRM), sometimes called Vendor Risk Management (VRM), staying ahead of the game is crucial. One tool that has gained recognition and attention in recent times is the SPARK Matrix™, an assessment and ranking framework.

About the SPARK Matrix™

The benefits of the SPARK Matrix™ include, but are not limited to:

1. Informed Decision-Making: One of the primary benefits of the SPARK Matrix™ is its ability to provide organizations with a benchmark for selecting VRM solutions. With the complexity of vendor-related risks growing, it is crucial to have a standardized framework for evaluating the available options. The SPARK Matrix™ facilitates informed decision-making by comparing capabilities, features, and performance across different solutions.
2. Risk Mitigation: Effective VRM is all about identifying and mitigating risks associated with third party vendors. The SPARK Matrix™ helps organizations understand the landscape of VRM solutions and their capabilities, allowing them to tailor their risk mitigation strategies effectively. It can be a valuable tool for staying proactive in the face of evolving risks.
3. Regulatory Alignment: As regulations around data protection and privacy evolve, it is essential for VRM solutions to stay aligned with these changing requirements. The SPARK Matrix™ assesses the level of alignment with regulations, reducing the risk of non-compliance and associated penalties. This is particularly crucial for organizations handling sensitive data.

Congratulations to Our TPRM Vendor Members Noted on the Matrix

We would like to extend our warmest congratulations to TPRA's current Vendor Members who were recognized in the SPARK Matrix™: Vendor Risk Management (VRM), 2023. These companies (listed below in alphabetical order) have demonstrated their commitment to excellence and innovation in the TPRM space:

- Aravo Solutions has consistently been at the forefront of TPRM innovation, offering robust solutions to manage third-party risks effectively.
- Ncontracts has been a valuable partner in helping organizations streamline their vendor management processes and mitigate risks.
- OneTrust is known for its comprehensive privacy, security, and third-party risk management solutions, which align with the evolving regulatory landscape.
- ProcessUnity's integrated risk and compliance management solutions continue to empower organizations to proactively manage vendor risks.
- Venminder's dedication to third party risk management has been unwavering, providing organizations with tools and expertise to enhance their TPRM programs.

What Sets VRM Groups Apart?

The SPARK Matrix™ is an assessment and ranking framework designed to evaluate and rank Vendor Risk Management (VRM) solutions based on numerous factors, including capabilities, features, and performance. It aims to provide organizations with a benchmark for selecting the most suitable VRM solution for their unique requirements. While the SPARK Matrix™ is a valuable resource, it does not represent a comprehensive list of all TPRM vendors in the market; it reflects those vendors who participated in the evaluation process. The TPRM landscape is diverse and continually evolving, with numerous vendors offering specialized solutions to meet the unique needs of different organizations. Therefore, TPRM teams should look for competitive factors and differentiators when evaluating potential technology partnerships:

1. Tailored Solutions: Exceptional VRM groups recognize that one size does not fit all. They offer tailored solutions that align with the specific needs and risk profiles of their clients. Customization and flexibility are key, including:
   - End-to-End Vendor Lifecycle Management: to enable cost optimization, operational excellence, and growth through vendor selection, contract negotiation, vendor onboarding, and continuous monitoring of vendor performance and risk.
   - Issue & Incident Management: to enable identification, assessment, and resolution of issues or incidents with third party vendors, maintaining the security, compliance, and reliability of the vendor relationships.
   - Compliance with Laws & Regulations: to keep organizations aligned with changing regulations and ensure that vendors comply with applicable laws and industry standards, including those covering emerging technologies (e.g., cloud computing, APIs (Application Programming Interfaces), RPA (robotic process automation), cognitive automation, big data analytics, blockchains).
   - Reporting, Dashboarding & Analytics: to provide comprehensive reporting, visualization, and analytics capabilities to business owners, risk committees, executive management, and/or an organization's board of directors. These visualizations are derived from deep insights and assist leadership in making informed business decisions.
2. Continuous Innovation: Stagnation is the enemy of progress. The best VRM groups are constantly innovating, integrating automation, AI (artificial intelligence), and emerging technologies to improve the efficiency and effectiveness of their solutions.
3. Proactive Risk Monitoring: The ability to proactively identify and mitigate risks is a significant differentiator. VRM groups that offer real-time monitoring and alerts are better equipped to tackle the dynamic nature of vendor-related risks.
4. Scalability and Adaptability: The ability to scale and adapt to an organization's evolving needs is another distinguishing factor. VRM groups that offer scalability and flexibility ensure that their solutions grow with the businesses they serve.

TPRM teams should take note of the Technology Excellence and Customer Impact factors that each market participant was analyzed against when designing their own TPRM Service Provider analysis components.

Technology Excellence:

- Vendor Lifecycle Management: Ability to handle the end-to-end vendor lifecycle management process.
- Risk Scoring and Assessment: Evaluate and quantify potential risks associated with vendors.
- Usability: Quality of a product or system in terms of how easy it is to use, learn, and navigate.
- Continuous Monitoring and Remediation: Actively monitor and respond to events and issues as they occur.
- SLA (Service Level Agreement) & Performance Monitoring: Outlines the level of service expected, the metrics used to measure performance, and the consequences for not meeting the agreed-upon standards.
- Configurability and Scalability: Ability of a system or software to be easily customized or configured, and to scale to meet specific requirements without requiring extensive changes.
- Dashboarding, Reporting and Analytics: Insights into various aspects of the business, customer behavior, and performance.
- Workflow and Process Automation: Automate and streamline manual tasks and processes.
- Integration & Interoperability: Ease of integration with other internal modules and API-based integration with third-party data providers and partners; extent of operability with third party partners.
- Competitive Differentiation: What sets the product apart from its competitors and gives it a competitive advantage in the marketplace.
- Vision & Roadmap: To what extent does the product vision align with its buyers' needs in terms of acquiring, satisfying, and retaining customers? Does the vision promote a strong focus on the customer and a positive customer experience? How well does the vision align with current and future customer preferences? Does the company have a clear plan in place for implementing its vision through product improvements, innovation, and partnerships within the next year? Does the company possess the necessary resources and abilities to accomplish its planned roadmap?

Customer Impact:

- Product Strategy & Performance: Evaluation of multiple aspects of product strategy and performance in terms of product availability, price-to-performance ratio, excellence in go-to-market (GTM) strategy, and other product-specific parameters.
- Market Presence: The ability to demonstrate revenue, client base, and market growth, along with a presence in various geographical regions and industry verticals.
- Proven Record: Evaluation of the existing client base across the SMB, mid-market, and large enterprise segments, growth rate, and analysis of customer case studies.
- Ease of Deployment & Use: The ability to provide a superior deployment experience to clients, supporting flexible deployment, or to demonstrate a superior purchase, implementation, and usage experience. Vendors' products are also analyzed for a user-friendly UI and ownership experience.
- Customer Service Excellence: The ability to demonstrate the vendor's capability to provide a range of professional services, from consulting to training and support. The company's service partner strategy or system integration capability across geographical regions is also considered.
- Unique Value Proposition: The ability to demonstrate unique differentiators driven by ongoing industry trends, industry convergence, technology innovation, and the like.

Trust the Data, Verify the Path Forward

In an era where data reigns supreme, the SPARK Matrix™ provides TPRM practitioners with a compass for navigating the intricate vendor landscape. The insights derived from this research empower practitioners to make informed decisions, ensuring that the partnerships they forge are not just built on trust but are also fortified by a robust verification process. Empowered by this, the practitioner is responsible for applying their risk management skills when leading their organization forward.

Resources:

- TPRA's TPRM Tools List: https://www.tprassociation.org/tprm-vendor-list
- TPRA's Service Provider Profiles: https://www.tprassociation.org/service-provider-profiles
- SPARK Matrix™ Domain Link: https://quadrant-solutions.com/
- SPARK Matrix™ Link to the Report (Payment Required): https://quadrant-solutions.com/market-research/spark-matrix-vendor-risk-management-vrm-q4-2023-2990

Note: SPARK Matrix™ is NOT sponsored by TPRA.

  • Staying Afloat: The Importance of Proactive, Continuous Monitoring for Third-Party Risks

Most third-party risk management (TPRM) practitioners understand that managing risks associated with third parties can be like sailing a ship through sometimes dangerous waters. Just as a captain must chart a detailed course and remain alert to changing weather conditions, TPRM professionals need a straightforward strategy to navigate risks. They must continually identify, assess, and mitigate potential issues while monitoring the horizon for emerging storms that could threaten the organization or its customers.

Managing third-party risks is challenging because these risks evolve, much as ocean waves change due to various factors. Effective TPRM requires proactive identification, management, and continuous monitoring of risks to keep the proverbial ship from sinking. Unfortunately, some organizations limit their risk monitoring to scheduled intervals, which undermines the goal of continuous oversight. Others take a more relaxed approach, assuming everything is fine until it isn't. Delaying monitoring until a third party faces a serious issue, such as a data breach or a significant decline in performance, puts your organization at a disadvantage. Addressing problems reactively usually leads to chaos and missed opportunities; it's like trying to repair your boat when it's already taking on water.

So, how can your organization stay safely afloat with proactive and effective continuous monitoring? Let's look at the activities within the third-party risk management lifecycle that lay the groundwork for continuous monitoring, and some best practices to implement.

Foundations for effective continuous monitoring

The third-party risk management lifecycle is a blueprint for managing third-party risks effectively. Key activities in this lifecycle create a strong foundation for continuous monitoring.

- Inherent risk assessments. Effective risk management begins with identifying risks. A thorough inherent risk assessment allows your organization to pinpoint and quantify the risks related to specific products, services, and third-party relationships. Understanding these risks, whether in cybersecurity, privacy, compliance, finance, or reputation, establishes a baseline for monitoring and for identifying new or emerging risks over time.
- Due diligence. After identifying the risks, the next step is to assess how adequately the existing controls mitigate them. Experts in cybersecurity and compliance should review the vendor's documented controls to evaluate their effectiveness and identify any gaps that require additional attention.
- Well-written contracts. Third-party contracts define the roles and responsibilities of both parties and outline the specific terms and conditions the third party must adhere to, including compliance with technical, security, financial, and regulatory standards and with service level agreements (SLAs).
- Risk reassessment and periodic due diligence. Third-party risk is not a "set it and forget it" situation. Establish protocols for reassessing inherent risks and validating third-party controls: review the last inherent risk assessment to identify new or changing risks, and perform due diligence by collecting up-to-date vendor documentation to re-verify their controls.

Best practices for continuous monitoring

While every organization is different, the following practices can enhance the effectiveness of your continuous monitoring efforts.

- Use a risk-based approach. Not all third-party engagements carry the same level of risk, so identify monitoring strategies based on the types and amounts of risk involved. Critical or high-risk relationships, such as cloud providers, require robust monitoring, while lower-risk providers, such as office supply vendors, need less scrutiny. A risk-based approach ensures resources are allocated to managing the highest risks.
- Monitor both risk and performance. Most practitioners readily see the importance of monitoring specific third-party risks, but performance monitoring is often treated as a secondary concern. Subpar performance not only prevents your organization from receiving the value it is paying for; it can also signal emerging or increasing third-party risk. Poor performance may indicate underlying issues such as declining financial health, ineffective controls, or operational and managerial problems before they surface through risk assessments or periodic due diligence.
- Establish and stick to formal monitoring routines. Set appropriate intervals for risk re-evaluation, due diligence, and performance reviews. Document and publish these routines and hold stakeholders accountable for adhering to them.
- Increase monitoring when necessary. It is reasonable to increase monitoring when issues with a third party arise or its performance declines. It may also be necessary in response to a decline in financial health, a data breach, or regulatory changes.
- Consider using risk intelligence tools. Continuous monitoring requires daily vigilance to detect changes in a third party's risk profile, and depending solely on internet news alerts or on the third party itself for updates is risky. Consider subscription-based risk intelligence services that deliver targeted alerts on changes in your third party's cybersecurity, financial health, compliance, reputation, and industry developments.

In conclusion, third-party risks are constantly changing, and organizations that want to manage them must engage in proactive, continuous monitoring to identify potential threats and reduce their impact on the organization and its customers. By following the third-party risk management lifecycle and implementing these best practices, your organization can more effectively navigate the complexities of third-party risk and prepare for upcoming challenges.
