- Navigating Third Party Risk Management: A Comprehensive Guidebook Overview
Blog was inspired by the January 2024 TPRA Practitioner Member roundtable facilitated by TPRA CEO Julie Gaiaschi. (To watch the full presentation, TPRA Members can visit our On-Demand meetings and navigate to the January 2024 meeting recording.)

The management of third party risks has become a major priority and area of focus for companies across a variety of industries because of the constantly changing nature of business operations. Recognizing the nuances and challenges that come with this field, the Third Party Risk Association (TPRA), along with a dedicated team of TPRM practitioners and service provider organizations, worked towards creating a comprehensive guidebook that assists in navigating the creation and implementation of a Third Party Risk Management (TPRM) program.

The Development of the Guidebook

TPRA’s “Third Party Risk Management 101 Guidebook” was created not as a standalone project but as a collaborative effort that included feedback from an extensive group of TPRM professionals and service providers from a diverse range of industries. Over monthly meetings spanning three years, this group discussed various subjects related to TPRM tools, topics, and trends. Each aspect of a strong TPRM program was carefully examined and discussed by TPRA’s focus group members, from clarifying best practices to anticipating emerging risks and aligning with regulatory guidelines. This process of discussion, analysis, and synthesis is where the guidebook originated. With input from numerous stakeholders, the guidebook gradually took shape, undergoing a year-long editing process to condense the vast amount of material into a user-friendly format enhanced with graphics, insights, and real-world examples.

Unveiling the Guidebook: A Deep Dive

Building a TPRM program is not unlike building a house. The first step is always to make sure it’s built on a solid foundation so that it may withstand the inevitable storms to come. The TPRA guidebook gives you the tools and materials needed to begin building a successful and productive TPRM program brick by brick. The guidebook's foundation is a lifecycle approach, outlining a strategy and framework that encompasses the entire spectrum of TPRM. Let’s dive into its key phases:

1. Planning and Oversight

Planning and oversight are the cornerstones of any TPRM program and create the conditions for success. Important topics covered in this phase include:
- Establishing governance structures
- Executive support
- Budgeting
- Policy formulation
- Metrics and reporting

This phase supplies an organization with a strong foundation and the requirements needed to develop and steadily support its overall TPRM program. It also ensures the program can address third party risk at the highest level, while making sure governance structures are in place to run the program effectively. If implemented correctly, the Program Planning and Oversight phase will make certain key stakeholders are aware of, support, and help implement program requirements. This phase ensures your entire organization is on board with the TPRM program. After all, this program will touch every department within your organization (from Business Owners to Legal and Security).

2. Pre-contract Due Diligence

This phase emphasizes the importance of conducting comprehensive due diligence before an agreement is signed. Key objectives during this phase include, but are not limited to:
- Formalizing contractual agreements
- Developing a robust third party profile
- Performing inherent risk assessments
- Executing risk-based evaluations

In this phase, organizations thoroughly assess and mitigate potential third party risk before signing and committing to a contractual relationship. A company conducting this phase can minimize risks, avoid legal issues, and build and maintain a more secure partnership with its third party. The house metaphor comes back into play: the solid foundation is secured, which in turn allows for more productive and compliant business partnerships.

3. Contract Review

As they say, the devil lies in the details, and the contract review process is where potential problems are addressed. This stage involves:
- Negotiating contract terms
- Examining key clauses
- Communicating expectations

This is to ensure that contracts match your organizational goals and risk tolerance. The contract review phase is one of the most essential steps in the TPRM process, ensuring that any expectations for your third party relationship can hold up in a court of law. It can also address risks identified during the previous phase, Pre-contract Due Diligence, and ensures that all enforceable language is clear and specific. It is crucial for TPRM practitioners to collaborate with legal counsel to ensure their contracts include the necessary remedies in the case of a third party failure. Regular contract review and upkeep is essential to maintain and reflect the organization’s risk tolerance.

4. Continuous Monitoring

In the TPRM field, where risks are dynamic and ever-changing, continuous monitoring is essential. To maintain situational awareness and responsiveness, this phase uses mechanisms like site visits, triggered reviews, and monitoring tools to mitigate risks within an always changing environment. This phase is crucial for organizations to better assess third party risk in order to meet contract terms, business obligations, legal and regulatory requirements, and performance expectations. It also allows organizations to stay informed about changes in operations, financial stability, cybersecurity posture, and compliance status that may affect their risk exposure. This in turn enables swift action when risk mitigation is required and ensures full compliance with any legal and regulatory requirements.

5. Disengagement

The disengagement phase, which is frequently overlooked, ensures a smooth exit strategy, reduces lingering risk, and protects sensitive and valuable assets when third party relationships conclude. Disengagement is the process of transitioning away from a third party with minimal impact when the relationship ends, whether due to contract expiration or because certain adverse conditions are met. This phase can be complex and challenging because the business usually wants to end the relationship quickly. Organizations don’t often disengage with third parties, which can lead to rushed and overlooked processes. If the third party maintains sensitive data post-disengagement, your organization should continue to assess the third party from a cybersecurity perspective (potentially in a limited capacity).

6. Continuous Improvement

TPRM is a journey marked by constant change and evolution. The concept of continuous improvement emphasizes the importance of flexibility and adaptability, calling for regular evaluation and adjustment to keep up with changing laws, emerging risks, and technical advancements. This phase overlaps all other phases within the TPRM lifecycle, as continuous improvement is necessary in every phase. It allows organizations to adapt to regulatory requirements, respond to new business practices, and incorporate technological advancements, and so remain agile in a complex environment.

Navigating the Guidebook

Navigating the TPRM guidebook is easy due to its informative graphics, detailed definitions, intuitive sections, and helpful resources. The implementation of this guidebook will vary depending on your organization’s size, industry, and types of third party relationships. While the guidebook provides you with standards from which to begin crafting your TPRM program, careful consideration must be paid to your organization's established risk appetite when determining how to implement those standards. Your program should be rigid enough to have established criteria for the review and mitigation of third party risk, but also flexible enough to account for the variability of third party relationships, regulations, geographic locations, and emerging risks.

Accessing the Guidebook

TPRA’s first draft of our Third Party Risk Management 101 Guidebook is currently available as a free, downloadable eBook to all TPRM professionals. Visit the TPRA website and complete a short form to access this body of knowledge. By downloading the guidebook, stakeholders can effortlessly delve into its contents, leveraging its insights to fortify their TPRM endeavors.

Conclusion: Charting the Course Ahead

The TPRM 101 Guidebook provides organizations with comprehensive guidance, tools, and resources as they navigate the complex terrain of third party risks. It enables stakeholders to navigate relationship complexities, mitigate risks, and foster resilience in a dynamic environment. The guidebook is considered the golden standard for the Third Party Risk Management industry and ignites a culture of vigilance, adaptability, and continuous improvement. In the dynamic realm of business operations, where risks lurk at every turn, the TPRM guidebook emerges as a steadfast companion, illuminating the path to success amidst uncertainty and complexity. The journey of TPRM is not merely a destination but a perpetual odyssey of discovery, resilience, and excellence, and the guidebook serves as a trusted compass, guiding stakeholders towards the shores of resilience in an ever-changing sea of risks.

But the journey doesn’t end here. TPRM Practitioners are welcome to join the TPRA for free to continue their learning journey by benchmarking against their fellow peers, participating in engaging webinars and conferences, and contributing thought leadership to roundtables and future published guidance. To join, please visit www.tprassociation.org/join.
- Integrated TPRM Business Processes - Enabling the Business While Mitigating Third Party Risk
Blog was inspired by the TPRA presentation by Tom Rogers, CEO & Founder of Vendor Centric, at TPRA’s July 2022 Practitioner Member Meeting. (To watch the full presentation, TPRA Members can visit our On-Demand Webinars page and navigate to the July 2022 meeting recording.) Blog format by Meghan Schrader, TPRA Marketing & Communications Coordinator.

A question many Third Party Risk Management (TPRM) and vendor management professionals often find themselves asking is: how do we work in a cohesive, organized way to sufficiently mitigate third party risk while enabling the business to move forward with third party relationships? In this blog, we will discuss:
- The common goals and challenges to integrating TPRM processes across the organization
- Tips for improving process integration with business stakeholders
- Different stakeholders and how TPRM can work with each
- Key aspects of TPRM governance needed to make integration work
- A TPRM lifecycle-based framework that enables better integration of people, processes, and systems

Goals and Challenges with TPRM Process Integration

When bringing in a new third party, the end goal in its simplest form is to optimize the relationship between the business and the third party. At the end of the day, we engage in third party relationships to gain value from their products/services, as well as to support business owners in reaching their day-to-day objectives. But with the use of third-party products/services comes additional risk to the organization. How can we better enable the business while mitigating third party risk?

TPRM Challenges with Integration

Integrating TPRM into business processes can be a challenge. The Business is usually concerned with speed to market and may not understand why certain third-party risk due diligence efforts are needed. In addition, once risk is found, the business may not agree with the finding or may not feel it is a high enough risk to warrant additional mitigation efforts. In the beginning phase of integration, it is important to have open lines of communication and to be transparent about what due diligence efforts are needed and why you ask for certain evidence items from the third party. This ensures the business has a clearer understanding of where the third-party risk may lie and what next steps are needed. They may even help you champion certain discussions if they better understand the risk, as well as the support your team has from executives within your organization. To assist with integration, let’s look at what is needed from a due diligence standpoint.

What is Needed to Evaluate Risk

Understand what inherent risks exist. As your organization enters into a new third-party relationship, what are the inherent risks (risks before controls are considered) that the third party is potentially bringing into the business? Understanding those potential risks will drive your due diligence efforts.

Evaluate controls and mitigate residual risks. After inherent risk is determined, it is then time to evaluate the controls the third party has in place to mitigate the inherent risk. Findings that come from testing these controls determine the residual risk of a third party. Action plans should then be established with the third party to mitigate that residual risk. If risk cannot be mitigated, then it must either be accepted (at the appropriate level within your organization) or you may determine that it is too risky to move forward with the relationship.

Monitor for new risks and ensure remediation is effective. Once the relationship is established, it is important to continuously monitor the risks of your third party. Therefore, it is vital to implement continuous monitoring activities to evaluate third party risk on an ongoing basis. It is key in this phase to use a risk-based approach and not treat every vendor the same. This will ensure a long-lasting relationship, while also addressing third party risk at the highest level.

Ensure risk is mitigated even when the relationship is coming to an end. It is important to continue with risk-mitigation efforts even when you are terminating a third-party relationship. You want to ensure a smooth transition away from the third party, while also ensuring all of your organization’s data the third party housed is appropriately handled (i.e., returned and/or destroyed). This can be accomplished through a strong exit strategy, including an offboarding checklist, as well as the acceptance of a certificate of destruction. If you plan for the third party to maintain your data for a specific period of time (e.g., for a legal hold), then you will want to continue to evaluate the third party from a security perspective on an ongoing basis.

But how do you effectively integrate these TPRM processes into business processes without becoming a bottleneck? Below are some tips you can implement to ensure smooth integration.

Ensuring Integration into Business Processes

First, determine what the business wants from the third-party relationship. Some immediate needs of the business may include, but are not limited to:
- Start working with the third party immediately
- Speed to market (they have a project with a tight deadline)
- Security concerns they need to address will be mitigated by onboarding the new third party
- Reaching a niche market

Long story short, the business wants to know how they can make implementation happen as quickly as possible, and sometimes this means they are willing to circumvent certain processes. This is especially true if they do not have a clear understanding of why a process exists in the first place. Some of the activities you can undertake to ensure integration into the business process are:

Help the business understand. Help your business understand why certain processes exist and what the steps are to reach the business’ ultimate goal. Consider meeting with the business owner on a regular basis (at least quarterly) to walk them through your process, set target dates and goals, update them on where you are within certain due diligence processes, and follow up on findings and where the vendor is within their "get to green" plans.

Understand the relationship. Gain a better understanding of the relationship between the business and the third party, and work within the context of the existing relationship. This means working with your business to obtain what you need from the third party. If the relationship is strained, then find ways to communicate with the third party as efficiently as possible. The business, as well as the third party, want as little effort and disruption as possible.

Only ask for what is needed. Make sure you know what you want to ask the third party and only ask what is needed of them. Do not reach out 100 times because you did not include everything within your first request. This also gives your business trust in what you are requesting, because they know you will only ask for what is needed.

Have an exit strategy. As the relationship is ending, the business owner has other things they need to tend to, so they’ll want the relationship closed out as quickly as possible. There are still activities which need to happen on the back end of the relationship, such as data being returned and/or destroyed appropriately. If the third party will maintain data, then security reviews are required until the data is returned and/or destroyed. While the business owner recognizes those necessary activities, they may not always want to put energy into them. To alleviate this step, think through termination and create an exit strategy during the pre-contract phase, before the contract is signed. This ensures a smooth transition away from the third party on the back end of the relationship.

In short, there are processes you can put in place to help the business better understand why TPRM exists, the importance of your team, and what is required in order for you to perform your reviews and mitigate risk. It is also important that you work with the business to better understand their goals, objectives, and timelines. Open communication is key throughout the TPRM process, as is setting expectations up front. If this is done correctly, the business can ultimately become a champion for TPRM and more readily assist you with your review process.

TPRM Challenges with the Rest of the Team

But the TPRM team does not just work with business owners. They also work with other stakeholders to ensure risk decisions are made at the right level, as well as to ensure legal and regulatory processes are met. Below are some examples of additional stakeholders and how TPRM can work with each:

Procurement. This team is responsible for bringing in new third parties or renewing current contracts. They are the “gate-keepers” for third party relationships. TPRM will want to integrate into the Procurement process so they can 1) be notified when new third-party relationships are formed and adequately review those relationships and third-party controls before contracts are signed, and 2) review contract redlines that relate to security or other third-party risks. This way they can ensure the contract has set the right level of expectations with regard to what controls the third party must have implemented, and that TPRM receives what it needs in order to perform the reviews. Redlining the contract can also ensure TPRM is able to review the third party on an ongoing basis.

Compliance. This team ensures the organization is appropriately following regulations and meeting compliance objectives. TPRM will want to work with this team to ensure their third parties are also meeting regulatory compliance objectives. Compliance can also assist TPRM in determining what regulations should be followed for offshore resources.

Legal. This team works through contract templates and ensures agreements can be held up within a court of law. TPRM can work with this team to develop contract templates and addendums (which are crucial to ensuring you get the most out of your third-party relationship).

Other Operational Teams. Depending on how your TPRM program is set up (centralized vs. decentralized), there may be other teams TPRM works with to accomplish specific pieces of their review(s). For example, they may work with the Finance team to review the financials of a higher-risk vendor. TPRM should be aware of the current workload of these teams and strategically request reviews for higher-risk vendors so as not to overload other operational teams.

Getting Everyone on the Same Page

We’ve talked about why working with other teams is important. But how can everyone get on the same page with regard to TPRM expectations? Whether your TPRM program is centralized or decentralized, there are a few things that need to be in place to ensure TPRM activities are integrated into business and key stakeholder processes.

Executive support. Ensure you have the support of your executives. This is crucial for ensuring processes are followed across the enterprise.

Business and stakeholder champions. Find business and stakeholder champions. Determine who makes the decisions within your organization and ensure they are on your side with regard to TPRM implementation. This can greatly increase your chances for success when integrating TPRM processes into the business, as the loudest and most important decision makers agree with your approach and share that agreement with others.

Ensure everyone has a seat at the table. This allows all necessary players to be heard, provide input, and agree to TPRM processes. They are also more likely to follow the process if they have input into it.

Strong TPRM policy and procedures. Develop a strong TPRM policy, as well as procedures, and ensure they align with a TPRM framework. This ensures everyone is aware of the process and can follow it appropriately.

Risk committee. Develop a risk committee. Now that your TPRM program is set up, ensuring risks are reviewed at the right level is the next step. You do not want the business accepting high risk on behalf of the organization. This committee can help you determine the next steps in your risk mitigation efforts, as well as approve risk escalations and acceptance.

Develop RACIs. Develop a Responsibility Assignment Matrix (RACI) to clarify the roles and responsibilities of the different stakeholder groups. This helps not only to break out what the different activities are, but also to ensure the different stakeholders are aligned in their roles in the process.

Oversight and reporting. Align oversight and reporting, key performance indicators (KPIs) and key risk indicators (KRIs), to create holistic governance and accountability for managing third parties. Ensure risks are reported all the way up to the Board.

Periodic assessments and testing. Perform periodic assessments and testing to ensure TPRM processes are working as designed.

Automate (optional). Automate for better transparency, process integration, workflow, and reporting. Systems should have the ability to automatically notify relevant stakeholders when an action needs to be taken.

Third Party Lifecycle Management Framework

But what should your TPRM Program include? Below is a diagram of a TPRM framework.

Source: TPRA Third Party Risk Management Lifecycle (c)

The outer circles represent the third-party risk management lifecycle stages from beginning to end, starting with “Sourcing” and completing at “Termination and Offboarding.” Within this framework is Operational Governance. While all of the activities are taking place, the glue which holds them together is the policies, procedures, and standards your organization has in place. Governance creates alignment of the people, skills, training, and technologies. This framework can help you better integrate into business operations and provide structure for disparate processes. Part of the goal here is to communicate to business owners that you are a resource, serving as an advisor and coach to them along the way, and to convey the importance of dealing with third party risk as quickly as possible. But ultimately, the Business Owners are the risk owners of their third party relationships.

Conclusion

There are many ways to integrate TPRM activities into business processes to enable the business while also mitigating risk. With so many moving parts and areas of focus, it is important to facilitate open communication between all stakeholders and connect as many activities, processes, and systems as possible to ensure consistency and the most effective and efficient risk mitigation possible. Utilizing a TPRM framework can help streamline and provide consistency within the TPRM program, while also mitigating risk more effectively. Third party risk affects every area of a business, and therefore should be integrated accordingly.
- Work Smarter Not Harder
Third Party Risk Management (TPRM) is a critical process for organizations that rely on third parties to provide goods or services. It involves identifying, assessing, and mitigating risks associated with these third parties, in order to ensure that they do not negatively impact the organization's operations or reputation. As the number of third parties and the complexity of their relationships with organizations increase, managing third party risk has become a more difficult and time-consuming task. This is where automation comes in.

Areas to Automate in the TPRM Lifecycle

Automation can streamline and improve the process by removing the need for humans to complete repetitive tasks, reducing error, and increasing efficiency. There are several key areas where automation can be applied in the TPRM process, including:

1. Third Party Onboarding

Third party onboarding is the process of evaluating and accepting new third parties into the organization's TPRM program. It can be a time-consuming and resource-intensive process, involving a significant amount of paperwork and documentation. Automation can help streamline this process by handling the collection and verification of third party information, such as tax IDs, business licenses, and insurance certificates. This can significantly reduce the time and resources required to onboard new third parties.

2. Risk Assessment

Risk assessment is the process of identifying and evaluating the risks associated with a third party. This can be a complex and time-consuming process, involving a significant amount of data collection and analysis. Automation can help simplify this process by performing data collection and analysis and providing an objective and consistent approach to risk assessments. Automation can also help identify and evaluate risks that may not be immediately obvious to human reviewers.

3. Continuous Monitoring

Continuous monitoring is the ongoing process of monitoring a third party's performance, as well as its compliance with the organization's TPRM program. This can involve monitoring the financial stability, regulatory compliance, and incident reporting of third parties. Automation can assist with simplifying this stage by creating a real-time data collection and analysis process and providing alerts on any potential issues. This helps organizations identify and respond to potential risks in a shorter period of time.

4. Reports and Communication

Reports and communication are important aspects of the TPRM lifecycle, as they provide decision-makers with the information they need to make informed decisions about their third parties. Automation can help simplify this process by removing the need for a human to generate reports and by ensuring real-time updates on third party performance and compliance. As with continuous monitoring, this can help organizations quickly identify and respond to any potential risks.

Benefits of Automation in TPRM

The use of automation can provide several benefits to organizations, including:

1. Increased Efficiency

Automation can help streamline and simplify the TPRM process, reducing the time and resources required to manage third party risk. This can help organizations focus on more important tasks, such as identifying and mitigating high-priority risks.

2. Improved Accuracy

Automation can help reduce human error and provide a more objective and consistent approach to risk assessment. This helps organizations make more informed decisions about their third parties.

3. Increased Visibility

Automation can provide organizations with real-time visibility into third party performance and compliance. This helps organizations quickly identify and respond to any potential risks.

4. Compliance

Automation can also help organizations comply with regulatory requirements by providing real-time alerts on any potential issues, as well as an audit trail for those alerts.

Challenges of Automation in TPRM

Despite the many benefits of automation, there are also some challenges that organizations may face when implementing it. These challenges include:

Challenge 1: Lack of Flexibility

One of the biggest challenges of using automation in the TPRM process is the lack of flexibility. Automated systems are often inflexible and may not be able to adapt to the unique needs of different organizations and third party relationships. This can make it difficult for organizations to customize their TPRM processes to meet their specific requirements. Additionally, automated systems may not be able to handle unexpected situations or changes in third party risk levels.

Challenge 2: Data Quality and Integrity

Another challenge of using automation in the TPRM process is data quality and integrity. Automated systems rely on accurate and up-to-date data to function properly. However, TPRM data can be complex and difficult to collect and maintain. Organizations may struggle to ensure the accuracy and completeness of their TPRM data, which can lead to inaccuracies and inconsistencies in their automated systems. This can make it difficult to accurately assess third party risks and develop effective mitigation strategies.

Challenge 3: Security Concerns

Security is a major concern when it comes to using automation in the TPRM process. Automated systems may be vulnerable to cyber threats, such as hacking and malware. This can put sensitive TPRM data at risk and make it difficult for organizations to protect themselves against potential data breaches. Additionally, automated systems may not be able to detect and respond to advanced threats, such as social engineering and phishing attacks.

Challenge 4: Limited Human Involvement

Another challenge of using automation in the TPRM process is limited human involvement. Automated systems may not be able to fully replicate the expertise and judgement of human analysts. This can make it difficult for organizations to identify and assess third party risks and develop effective mitigation strategies. Additionally, automated systems may not be able to provide the same level of transparency and accountability as human-led processes.

Challenge 5: Cost and Complexity

Finally, using automation in the TPRM process can be expensive and complex. Organizations may need to invest in expensive software and hardware to implement and maintain automated systems. Additionally, organizations may need to hire specialized personnel to manage and maintain those systems. This can make it difficult for organizations to justify the cost and complexity of using automation in TPRM processes.

Conclusion

Automation can be a powerful tool for improving the TPRM process, but it also presents several challenges. These challenges may include a lack of flexibility, data quality and integrity issues, security concerns, limited human involvement, and cost and complexity. Organizations need to carefully consider these challenges when deciding whether to use automation in their TPRM processes. By understanding these challenges and taking steps to address them, organizations can improve their TPRM processes and better protect themselves against potential risks.
- Understanding AI & Its Risks in Third Party Networks
This blog was inspired by the meeting facilitated by Julie Gaiaschi, CEO & Co-Founder of TPRA, at TPRA’s March 2025 Practitioner Member Roundtable. (To watch the full presentation, TPRA Members can visit our On-Demand Webinars page and navigate to the March 2025 meeting recording.)

Nowadays, artificial intelligence (AI) seems to be involved in nearly every type of business activity. It is reshaping business operations by offering increased efficiency, automation, and data-driven insights. Within third party networks, AI-driven technologies are influencing how third party risk management (TPRM) practitioners identify and assess risks, because third parties are using these technologies in critical areas like supply chain management, financial transactions, and cybersecurity. With this increased use of AI, the risks associated with AI are also growing. However, it is important to know that not all AI is the same, and not everything labeled as AI truly fits the definition. The first step in managing AI risks is to understand what AI is and what it is not.

According to NIST’s AI Risk Management Framework (RMF), AI is “an engineered or machine-based system that can, for a given set of objectives, generate outputs such as predictions, recommendations, or decisions influencing real or virtual environments. AI systems are designed to operate with varying levels of autonomy.” A custom model is typically not considered AI if it is rule-based or uses simpler statistical methods, because such a model lacks learning or adaptive capabilities.

In this blog we will explore:
  - Types of AI & Use Cases
  - Risks Related to AI
  - Risks Related to AI Metrics
  - What Should Occur Before Assessing AI Risk
  - Assessing AI in Third Party Networks

Types of AI & Use Cases

AI systems can be classified based on their functionality, level of intelligence, and application. The list below is not all-encompassing, but breaks down some common types of AI.
  - Expert Systems: mimic human expertise in specific domains by following a set of programmed rules. Examples include diagnostic tools in medicine and legal analysis systems.
  - Natural Language Processing (NLP): AI that processes and understands human language, such as chatbots, translation tools, and virtual assistants (e.g., ChatGPT).
  - Computer Vision: enables machines to interpret and make decisions based on visual data; used in facial recognition, autonomous driving, and object detection (e.g., Face ID).
  - Robotics: AI integrated with robotics to perform tasks in industries like manufacturing, healthcare, and service sectors.
  - Recommendation Systems: common in e-commerce and entertainment (like Netflix and Amazon), these AI systems analyze user behavior to suggest products or content.
  - Generative AI: creates new content or data (like text, images, or music) based on learned patterns (e.g., deepfake and DALL-E models).
  - Cognitive Computing: mimics human thought processes; often used in fields requiring decision-making under uncertain conditions (e.g., IBM’s Watson).
  - Predictive Analytics: uses historical data to make predictions about future events; used widely in finance, marketing, and supply chain management.

Risks Related to AI

Compared to other risks that TPRM practitioners assess, AI technologies have the capability to impact more than just your company. They pose risks that can negatively impact individuals, groups, organizations, communities, society, the environment, and the planet. Below are some risks related to AI; this is not an exhaustive list. Because AI technology is so new, risks are still being identified as threat actors use AI for their own gain.
  - AI systems can be trained on data that changes over time, sometimes significantly and unexpectedly, affecting system functionality and trustworthiness.
  - AI systems and the contexts in which they are deployed are frequently complex, making it difficult to detect and respond to failures when they occur.
  - AI systems are inherently socio-technical in nature, meaning they are influenced by societal dynamics and human behavior. Without proper controls, AI systems can amplify, perpetuate, or exacerbate inequitable or undesirable outcomes for individuals and communities.
  - AI risks or failures that are not well-defined or adequately understood are difficult to measure quantitatively or qualitatively. This means that if you aren't aware of how the AI operates or is being trained, you may not see a failure or a risk.

Risks Related to AI Metrics

When it comes to AI and understanding how it works, transparency is a key theme. Part of being transparent is thoroughly understanding the metrics you're using to evaluate AI. There are risks tied to those metrics, and it’s important to recognize how they impact AI performance and decision-making. Some risks related to AI metrics are:
  - Risk metrics or methodologies used by the organization developing the AI system may not align with those used by the organization deploying or operating the system. In addition, the organization developing the AI system may not be transparent about the risk metrics or methodologies it used.
  - There is currently a lack of industry consensus on robust and verifiable measurement methods for risk and trustworthiness, and on their applicability to different AI use cases.
  - Approaches for measuring AI decision impacts on a population work if they recognize that contexts matter, that harms may affect varied groups or sub-groups differently, and that communities or other sub-groups who may be harmed are not always direct users of a system.
  - Measuring risk at an earlier stage in the AI lifecycle may yield different results than measuring risk at a later stage.
  - While measuring AI risks in a laboratory or a controlled environment may yield important insights pre-deployment, these measurements may differ from risks that emerge in operational, real-world settings.

What Should Occur Before Assessing AI Risk in Third Party Networks?

Before assessing AI risks in third party networks, it is critical to lay the groundwork within your own organization. Establishing clear guidelines and considerations beforehand helps ensure a more effective risk assessment process. The following steps should be considered:
  - Create an Acceptable Use Policy to define how AI will be leveraged within the organization, as well as how data will be leveraged within third party AI systems.
  - Train employees on what AI is and on the acceptable use of AI.
  - Leverage an AI framework to inform contracts and assessments (e.g., the NIST AI Risk Management Framework is a great example).
  - Contract for AI: specify the data usage allowed, AI types allowed, ethical considerations, decision-making responsibilities, and data ownership in contracts.
  - Think through an exit strategy for Critical and High risk third parties (consider data retrieval and deletion activities when terminating, model and algorithm ownership, intellectual property rights, data privacy, knowledge transfer, and continuity of operations).

Assessing AI in Third Party Networks

Now that you’ve established AI policies within your own organization, you are ready to assess AI within third party networks. As we assess third party networks, it's important to recognize that nearly every company today is leveraging AI, whether directly or through their partners. Assessing AI involves principles similar to other information security evaluations, but with distinct challenges. Unique concerns, such as data quality, model interpretability, and the potential for bias, add complexity to AI assessments. Consequently, it’s essential for organizations to prioritize responsible AI development. Developing AI responsibly requires a comprehensive approach that balances innovation with ethical considerations, social impact, and sustainability.

When assessing AI in third party networks, it is important to review the risks related to:
  - The AI’s Capabilities & Models, to determine how effectively and ethically AI systems operate.
  - Data Quality & Protection, to safeguard against ethical, legal, and operational risks, foster trust, and ensure that AI systems operate accurately and securely.
  - Security & Access Controls, to ensure the protection of sensitive data, maintain model integrity, and ensure compliance with regulatory standards.
  - Performance & Reliability, to ensure the AI system operates as intended, adapts to real-world conditions, and delivers dependable outcomes.
  - Governance & Oversight, to ensure the AI system is used responsibly, safely, and effectively. For third party networks, strong governance and oversight help ensure that external partners adhere to the same high standards, preserving the integrity of the organization’s AI ecosystem and protecting against external threats.

Conclusion

AI is becoming an integral part of third party networks, and it might be safest to assume that your third parties are using AI in some capacity. This means it is crucial to understand how they are using AI, as well as the potential risks that come from AI and the metrics used to evaluate it. By understanding AI and the risks it poses in third party networks, you can make more informed decisions and strengthen your risk management strategies.
- Optimizing Third Party Contractual Agreements
This blog was inspired by the meeting facilitated by Julie Gaiaschi, CEO & Co-Founder of TPRA, at TPRA’s November 2024 Practitioner Member Roundtable. (To watch the full presentation, TPRA Members can visit our On-Demand Webinars page and navigate to the November 2024 meeting recording.)

Being a TPRM practitioner means being vigilant and prepared for third party risks. One way to build a strong risk management foundation is through strategic planning and careful oversight of contractual agreements. Contracts do more than just set up relationship expectations. For TPRM practitioners, understanding their full purpose and how they can limit an organization’s risk exposure is essential for successful risk management.

In this blog, we will cover:
  - The purpose of contracts
  - Several types of contract risks
  - How we can address contract risk
  - Tips on the Right to Review vs. Right to Audit clause

The Purpose of Contracts

Contracts not only establish and document relationship expectations but also help ensure proper risk management. Here’s how:
  - Contracts allow TPRM practitioners to obtain the evidence items needed to complete their assessments. A best practice is to include a clause noting that the third party will respond to questionnaires from time to time, as well as provide evidence items in relation to this agreement upon request.
  - Contracts can ensure that due diligence findings are addressed in a timely manner. For example, if high-risk findings are discovered during the pre-contract phase, it is best practice to have clauses in the contract relating to the remediation of those findings.
  - Contracts can establish non-compliance triggers in the event a third party fails to meet its obligations under the agreement. Many contracts only have a clause to terminate the relationship if the third party fails to meet your organization’s expectations, which is not always feasible or desired by the organization. Instead, have a step-by-step course of action noted within the agreement in the event the third party fails to meet its obligations. This will help ensure progress is made and give the contract more teeth than simply terminating the third party. Non-compliance triggers may include, but are not limited to:
    - Withholding payment of the next invoice should the third party not provide your organization with the documentation needed to perform TPRM reviews within a defined period of time.
    - Performing an onsite visit if the third party is not keeping cadence on the remediation of confirmed findings.
    - The third party assisting with the transition of your organization’s data from the third party’s data center to another data center of your organization’s choosing, should the onsite visit result in additional confirmed findings as well as limited remediation of current findings.
  - Contracts reflect an organization’s risk tolerance. For example, you can establish parameters on specific expectations, such as the time it should take your third party to patch a critical/high/medium-risk vulnerability. You can also set key performance indicators related to specific activities, such as responding to inquiries.
  - Contracts can allow for a smooth transition away from a third party by ensuring that verbiage around termination timelines and expectations is included. In addition, the contract can be used to keep track of what logical and physical access is provided to the third party, to ensure that it is terminated promptly.

What Is Contract Risk?

Contract risk is the possibility of a risk arising when a contract is created. There are different types of risks to be aware of that should be discussed during the pre-contract phase, including but not limited to:
  - Not including specific control expectations within the agreement, or a separate addendum, that will ensure your data is appropriately safeguarded and your organization’s strategic objectives are met. For example, if you are working with a critical- or high-inherent-risk third party, make sure that you call out at least your top 10, 15, or 20 information security controls that you expect them to have in place before you send them any data.
  - Not including/reviewing sufficient contract terms. It is important to make sure that you are at least reviewing what the third party is redlining or approving in your contract. In addition, compare it to what you are reviewing from an assessment perspective.
  - Not including safeguards within the contract should a third party risk be realized. This would include things like incident response, breach notification, or non-compliance triggers.
  - Not reviewing contract templates on a regular basis to incorporate emerging risks related to performance risk, termination and transition risk, intellectual property risk, artificial intelligence risk, cost escalation risk, insurance risk, and so on.

With this, it is important to understand where potential risks can arise and to discuss these topics to minimize the extent of each risk.

Addressing Contract Risk

Now that we have discussed the different ways contract risk can arise, here are a few ways to address it.
  - Contract risk can be addressed by working closely with Legal and Procurement teams to ensure contracts align closely with your organization’s risk management strategy, including its risk appetite.
  - Have templates for cybersecurity requirements drafted to ensure they provide sufficient coverage of key controls. This should not be an exhaustive list of controls, but your top 10 to 20 controls that need to be in place in order for you to send data to the third party. Furthermore, templates should detail appropriate remedies (non-compliance triggers) if and when the third party fails to meet its obligations under the agreement.
  - Include expectations for participating in risk assessment activities (i.e., responding to questionnaires and providing evidence items upon request).
  - TPRM practitioners should have a seat at the table when reviewing redlines within specific clauses related to cybersecurity terms, as well as terms that allow a practitioner to perform their duties (such as “Right to Audit or Review” and/or “Termination” clauses).
  - Practitioners should ensure any high-risk findings noted during the pre-contract due diligence phase are noted within contractual terms.
  - Practitioners should work closely with legal counsel to ensure that the contractual language is clear, specific, and enforceable.

Tips on the Right to Review vs. Right to Audit Clause

Typically, the “Right to Audit” clause allows an organization to “audit” the third party once per year. Historically, this clause was specific to Internal Audit. Over time, TPRM programs have adopted this clause to perform their annual due diligence assessments. However, the clause does not provide the flexibility or depth needed to perform continuous monitoring of the third party. A tip for ensuring your organization can review the third party on a regular cadence (more than once per year) is to include a "Right to Review" clause within the cybersecurity addendum, in addition to the "Right to Audit" clause usually noted within the Master Services Agreement (MSA).

A "Right to Review" clause may include language such as: "The third party may be required to complete due diligence questionnaires and/or surveys from time to time and shall respond to such questionnaires and surveys no later than the due date, as defined within this agreement. Upon request, the third party shall provide evidence to support responses to such questionnaires and surveys. Failure to do so may enact escalation procedures and/or non-compliance triggers noted within this agreement." Compared to the “Right to Audit” clause, the “Right to Review” clause is specific to ensuring that your security addendum is being executed appropriately.

Conclusion

Incorporating comprehensive contractual safeguards is essential for TPRM practitioners aiming to mitigate third party risks effectively. By understanding contract risk, organizations can establish strong contract clauses that protect against potential liabilities and align with their risk tolerance.

Resources: AI/ML Questionnaire Guidebook
- TPRM Maturity vs. Associated Value
By: Halle Reynolds, TPRA Marketing & Social Media Internship

The Third Party Risk Management Lifecycle (noted below within "Starting a TPRM Program") is recommended for every organization seeking to implement a TPRM program. How programs implement the lifecycle depends on their organization’s risk appetite (the level of risk they are willing to accept), as well as the complexity of their third party relationships. After an organization has established an initial TPRM program, consideration should then be given to enhancements that will accelerate TPRM program efficiency and effectiveness in addressing third party risk. The incorporation of the following best practices is contingent upon an organization's overall objectives, budget, and size.

STARTING A TPRM PROGRAM

TPRM programs begin with a blueprint—a plan for how your program will function. This layout should include aspects from the Third Party Risk Management Lifecycle: Planning & Oversight, Pre-Contract Due Diligence, Contracting, Continuous Monitoring, Disengagement, and Continuous Improvement. At a minimum, it is best practice to have the following processes in place if you are just beginning your program:
  - Planning and Oversight - Establish program governance, budget, policies and procedures, third party inventory, and risk rating methodology.
  - Pre-Contract Due Diligence - Integrate into the Procurement process and ensure due diligence/risk assessment reviews are performed before contracts are signed.
  - Contracting - Develop a contract template that defines the third party controls expected to be in place, and that allows your organization to review those controls.
  - Continuous Monitoring - Run all third parties through an Inherent Risk Questionnaire (IRQ) and establish third party re-assessment triggers and cycle times based on the inherent risk ratings. TPRA Members can access our Inherent Risk Questionnaire (IRQ) Template on our TPRM Resource page. The IRQ can be used to identify due diligence requirements and determine the inherent risk rating of each engagement with your Third Party Service Provider (TPSP).
  - Disengagement – Establish a termination checklist, including the handling/destruction of data and transition to another third party.
  - Continuous Improvement – Communication and education are key when starting a program. Ensure you have top-down support, as well as the support of the business.

The value you receive from a basic TPRM program can be invaluable. It allows your organization to create a holistic lens into its risk landscape and to proactively address and mitigate third party risk in a timely manner. TPRM programs are also required by many regulators, Board members, and customers.

ENHANCING YOUR TPRM PROGRAM

Once you’ve established your TPRM program, you can begin to enhance and/or automate certain activities to ensure you are focusing on what matters most in a timely and efficient manner. Below are some examples of enhancements you could make to your program. We will work through the same TPRM lifecycle and discuss enhancements to each phase.
  - Planning and Oversight - Develop a steering committee to address the highest level of risk. Ensure a risk escalation and acceptance process is in place (you may want to do this at a foundational level as well).
  - Pre-Contract Due Diligence - Ensure you have a seat at the table with those making third party risk-based decisions, such as Procurement, Legal, Compliance, and others. Actively participating in conversations will ensure your program gains the support it needs, and that you are able to obtain the necessary evidence and documentation to perform your reviews.
  - Contracting - You may want to “own” certain contract clauses to ensure that any redlines to specific clauses are reviewed by your team. Small changes could affect what evidence you receive from third parties and how you can assess them. You may also want to add non-compliance triggers to your contracts. These triggers ensure you can take action against contract non-compliance.
  - Continuous Monitoring - Once your program is established, you can begin to work through nth party reviews. An nth party is a 4th or 5th party (your third party’s third parties). It’s important to also review nth parties, especially if they will access your organization’s data, are customer facing, or support a key activity related to the product/service you are purchasing from your third party.
  - Disengagement – Begin to maintain a data inventory (by requesting a data flow diagram from your third party) so that you can more accurately pinpoint data destruction requirements, including data at nth party locations. Another process enhancement for the disengagement phase is to establish exit strategies during the pre-contract phase to leverage during the disengagement phase. If the third party supports a critical function for your business, it is a good idea to have a transition plan in place before entering into an agreement with the third party.
  - Continuous Improvement – Continuously re-evaluate risk domains and enhance them as the risk environment changes (e.g., Environmental, Social, and Governance (ESG), ransomware, pandemic). It is also important to benchmark against peers. Chances are, you're not the first to go through something. Benchmarking is the best way to quickly learn tips and tricks for implementing process enhancements.

The value of continually enhancing your TPRM program is staying up to date on risk trends and ensuring your program is flexible enough to incorporate changes when/where needed.

AUTOMATING YOUR TPRM PROGRAM

At this point, your program may be gaining momentum quickly as you’ve established the foundational building blocks of your TPRM program and incorporated certain program enhancements. You may now be interested in seeking out ways to automate your program by incorporating tools that can lessen the strain on resources and allow for scalability. We will again work through the same TPRM lifecycle and discuss activities you can automate within each phase.
  - Planning and Oversight - Consider a governance, risk, and compliance (GRC) or TPRM platform that provides workflow, assessment, and reporting for third party risk. A comprehensive tool can also allow you to look across third party risk to determine key risk indicators and trends.
  - Pre-Contract Due Diligence - A GRC or TPRM platform can also assist with automating the questionnaire process and allow you to obtain evidence more quickly during the pre-contract due diligence phase. You may also consider joining a third party risk assessment collective (where third parties share the responses to one questionnaire with several organizations) to improve third party response time.
  - Contracting - Consider implementing a tool that will notify you when contracts are no longer in compliance with updated contract templates. This helps you ensure that you are maintaining contract compliance with your third parties.
  - Continuous Monitoring - A tool that can proactively monitor your third parties is a risk rating/intelligence tool. These tools scan the perimeter of third party networks and look for public-facing vulnerabilities. They are non-intrusive and can often provide you with accurate information on an organization’s vulnerability management and technology refresh program. More innovative tools can also scan the dark web and look for stolen data and/or accounts that belong to third parties. They can also tell you if a third party has offshore locations, as well as the geo-political environment of those locations.
  - Disengagement – Certain tools can assist with identifying when non-compliance triggers are met (which could ultimately lead to a relationship termination). They can also assist with the data transition process.
  - Continuous Improvement – Automatically feeding into your organization's overall risk management program can help make more informed decisions when looking across the enterprise. Many tools can integrate with risk management tools your organization may already have, thus providing your organization with a more holistic risk lens. This would also allow your organization to focus its efforts on addressing more critical risk.

Automation can lead to better collaboration, improved transparency around risk, program scalability, quicker response to threats, and less burden on resources. But if you do not have an established program, automating too soon can lead to accelerated issues and misalignment on risk-based decisions. You can find value in automating workflows, assessments, continuous monitoring activities, risk follow-up and validation, reporting, and other third party lifecycle activities.

CONCLUSION

Most TPRM programs start out small and work their way up to more advanced risk management techniques. When beginning, it won’t be necessary to incorporate most tools right away. You may also want to consider current tools your organization already utilizes and determine if/how you can incorporate them into your TPRM program. You should also consider your program's overall objectives, budget, and size when deciding which enhancements and tools to implement. The key to evaluating TPRM program maturity vs. associated value is understanding your organization's risk appetite to further develop your TPRM program's risk-based approach to assessing, monitoring, and mitigating third party risk.

For more information on this topic, check out the TPRA's YouTube series "TPRM Explained - TPRM Program Maturity vs. Associated Value".
- SPARK Matrix Notes Several TPRA Vendor Members on their 2023 VRM List
By: Heather Kadavy, Sr. Membership Success Coordinator for TPRA In the ever-evolving landscape of Third Party Risk Management (TPRM), sometimes called Vendor Risk Management (VRM), staying ahead of the game is crucial. One tool that has gained recognition and attention in recent times is the SPARK Matrix™, an assessment and ranking framework. About the SPARK Matrix™ The SPARK Matrix™ includes, but is not limited to: 1. Informed Decision-Making : One of the primary benefits of the SPARK Matrix™ is its ability to provide organizations with a benchmark for selecting VRM solutions. With the complexities of vendor-related risks growing, it is crucial to have a standardized framework for evaluating the available options. The SPARK Matrix™ facilitates informed decision-making by comparing capabilities, features, and performance across different solutions. 2. Risk Mitigation : Effective VRM is all about identifying and mitigating risks associated with third party vendors. The SPARK Matrix™ helps organizations to understand the landscape of VRM solutions and their capabilities, allowing them to tailor their risk mitigation strategies effectively. It can be a valuable tool for staying proactive in the face of evolving risks. 3. Regulatory Alignment : As regulations around data protection and privacy evolve, it is essential for VRM solutions to stay aligned with these changing requirements. The SPARK Matrix™ assesses the level of alignment with regulations, reducing the risk of non-compliance and associated penalties. This is particularly crucial for organizations handling sensitive data. Congratulations to Our TPRM Vendor Members Noted on the Matrix We would like to extend our warmest congratulations to TPRA's current Vendor Members who were recognized in the SPARK Matrix™: Vendor Risk Management (VRM), 2023 . 
These companies (listed below in alphabetical order) have demonstrated their commitment to excellence and innovation in the TPRM space: Aravo Solutions : has consistently been at the forefront of TPRM innovation, offering robust solutions to manage third-party risks effectively. Ncontracts : has been a valuable partner in helping organizations streamline their vendor management processes and mitigate risks. OneTrust : is known for its comprehensive privacy, security, and third-party risk management solutions, which align with the evolving regulatory landscape. ProcessUnity : integrated risk and compliance management solutions continue to empower organizations to proactively manage vendor risks. Venminder : dedication to third party risk management has been unwavering, providing organizations with tools and expertise to enhance their TPRM programs. What Sets VRM Groups Apart? The SPARK Matrix™ is an assessment and ranking framework designed to evaluate and rank Vendor Risk Management (VRM) solutions based on numerous factors, including capabilities, features, and performance. It aims to provide organizations with a benchmark for selecting the most suitable VRM solution for their unique requirements. While the SPARK Matrix™ is a valuable resource, we want to emphasize that it does not represent a comprehensive list of all TPRM vendors in the market. Instead, it reflects those vendors who participated in the evaluation process. The TPRM landscape is diverse and continually evolving, with numerous vendors offering specialized solutions to meet the unique needs of different organizations. Therefore, it is crucial that TPRM teams look for competitive factors & differentiators when evaluating potential technology partnerships: 1. Tailored Solutions : Exceptional VRM groups recognize that one size does not fit all. They offer tailored solutions that align with the specific needs and risk profiles of their clients. Customization and flexibility are key. 
End to End Vendor Lifecycle Management to enable cost optimization, operational excellence, and growth through vendor selection, contract negotiation, vendor onboarding, vendor continuous monitoring of performance and risk management. Issue & Incident Management: to enable event identification, assessment and resolution of issues or incidents with third party vendors to maintain the security, compliance, and reliability of the vendor relationships. Compliance with Laws & Regulations: to keep organizations aligned with changing regulations and ensure that vendors comply with application laws, and industry standards. [e.g., cloud computing, APIs (Application Programming Interface), RPA (robotic process automation), cognitive automation, big data analytics, blockchains, etc.] Reporting, Dashboarding & Analytics: to provide comprehensive reporting, visualization, and analytics capabilities to business owners, risk committees, executive management and/or an organization’s board of directors. These powerful visualizations are derived by deep insights and assist leadership in making informed business decisions. 2. Continuous Innovation : Stagnation is the enemy of progress. The best VRM groups are constantly innovating, integrating automation, AI (artificial intelligence), and emerging technologies to improve the efficiency and effectiveness of their solutions. 3. Proactive Risk Monitoring: The ability to proactively identify and mitigate risks is a significant differentiator. VRM groups that offer real-time monitoring and alerts are better equipped to tackle the dynamic nature of vendor-related risks. 4. Scalability and Adaptability: The ability to scale and adapt to an organization's evolving needs is another distinguishing factor. VRM groups that offer scalability and flexibility ensure that their solutions grow with the businesses they serve. 
TPRM teams should take note of the Technology Excellence and Customer Impact factors that each market participant was analyzed against when designing their own TPRM service provider analysis components:

Technology Excellence:
- Vendor Lifecycle Management: Ability to handle the end-to-end vendor lifecycle management process.
- Risk-Scoring and Assessment: Evaluate and quantify potential risks associated with vendors.
- Usability: Quality of a product or system in terms of how easy it is to use, learn, and navigate.
- Continuous Monitoring and Remediation: Actively monitor and respond to events and issues as they occur.
- SLA (Service Level Agreements) & Performance Monitoring: Outlines the level of service expected, the metrics used to measure performance, and the consequences for not meeting the agreed-upon standards.
- Configurability and Scalability: Ability of a system or software to be easily customized or configured and scaled to meet specific requirements without requiring extensive changes.
- Dashboarding, Reporting and Analytics: Insights into various aspects of the business, customer behavior, and performance.
- Workflow and Process Automation: Automate and streamline manual tasks and processes.
- Integration & Interoperability: Ease of integration with other internal modules and API-based integration with third-party data providers and partners; extent of operability with third party partners.
- Competition Differentiation: What sets the product apart from its competitors and gives it a competitive advantage in the marketplace.
- Vision & Roadmap: To what extent does the product vision align with its buyers’ needs in terms of acquiring, satisfying, and retaining customers? Does the vision promote a strong focus on the customer and a positive customer experience? How well does the vision align with current and future customer preferences? Does the company have a clear plan in place for implementing its vision through product improvements, innovation, and partnerships within the next year?
Does the company possess the necessary resources and abilities to accomplish its planned roadmap?

Customer Impact:
- Product Strategy & Performance: Evaluation of multiple aspects of product strategy and performance in terms of product availability, price to performance ratio, excellence in GTM strategy, and other product-specific parameters.
- Market Presence: The ability to demonstrate revenue, client base, and market growth along with a presence in various geographical regions and industry verticals.
- Proven Record: Evaluation of the existing client base from the SMB, mid-market, and large enterprise segments, growth rate, and analysis of the customer case studies.
- Ease of Deployment & Use: The ability to provide a superior deployment experience to clients supporting flexible deployment, or to demonstrate a superior purchase, implementation, and usage experience. Additionally, vendors’ products are analyzed for a user-friendly UI and ownership experience.
- Customer Service Excellence: The ability to demonstrate the vendor's capability to provide a range of professional services, from consulting to training and support. Additionally, the company’s service partner strategy or system integration capability across geographical regions is also considered.
- Unique Value Proposition: The ability to demonstrate unique differentiators driven by ongoing industry trends, industry convergence, technology innovation, and the like.

Trust the Data, Verify the Path Forward
In an era where data reigns supreme, the SPARK Matrix™ provides TPRM practitioners with a compass for navigating the intricate vendor landscape. The insights derived from this research empower practitioners to make informed decisions, ensuring that the partnerships they forge are not just built on trust but are also fortified by a robust verification process. Empowered by this, the practitioner is now responsible for practicing their risk management skills when leading their organizations forward.
Resources:
- TPRA’s TPRM Tools List: https://www.tprassociation.org/tprm-vendor-list
- TPRA’s Service Provider Profiles: https://www.tprassociation.org/service-provider-profiles
- SPARK Matrix™ Domain Link: https://quadrant-solutions.com/
- SPARK Matrix™ Link to the Report (Payment Required): https://quadrant-solutions.com/market-research/spark-matrix-vendor-risk-management-vrm-q4-2023-2990
Note: SPARK Matrix™ is NOT sponsored by TPRA.
- Staying Afloat: The Importance of Proactive, Continuous Monitoring for Third-Party Risks
Most third-party risk management (TPRM) practitioners understand that managing risks associated with third parties can be like sailing a ship through sometimes dangerous waters. Just as a captain must chart a detailed course and remain alert to changing weather conditions, TPRM professionals need a straightforward strategy to navigate risks. They must continually identify, assess, and mitigate potential issues while recognizing the importance of monitoring the horizon for emerging storms that could threaten the organization or its customers.

Managing third-party risks can be challenging because these risks evolve, similar to how ocean waves change due to various factors. Effective TPRM requires proactive identification, management, and continuous monitoring of risks to prevent the proverbial ship from sinking. Unfortunately, some organizations limit their risk monitoring solely to scheduled intervals, which undermines the goal of continuous oversight. Others take a more relaxed approach, assuming everything is fine until it isn't.

Delaying monitoring until a third party faces a serious issue, such as a data breach or a significant decline in performance, puts your organization at a disadvantage. Addressing problems reactively usually leads to chaos and missed opportunities. It's like trying to repair your boat when it’s already taking on water.

So, how can your organization stay safely afloat with proactive and effective continuous monitoring? Let's delve into the essential activities within the third-party risk management lifecycle that lay the groundwork for continuous monitoring and some best practices to implement.

Foundations for effective continuous monitoring
The third-party risk management lifecycle is a blueprint for managing third-party risks effectively. Key activities in this lifecycle create a strong foundation for effective continuous monitoring.

Inherent Risk Assessments
Effective risk management begins with identifying risks.
A thorough inherent risk assessment allows your organization to pinpoint and quantify risks related to specific products, services, and third-party relationships. Understanding these risks—whether in cybersecurity, privacy, compliance, finance, or reputation—establishes a baseline for monitoring and identifying new or emerging risks over time.

Due diligence
After identifying the risks, the next step is to assess how adequate the existing controls are in mitigating them. Experts in cybersecurity and compliance should review the vendor's documented controls to evaluate their effectiveness and identify any gaps that require additional attention in the future.

Well-written contracts
Third-party contracts define the roles and responsibilities of both parties and outline the specific terms and conditions that the third party must adhere to. This includes compliance with technical, security, financial, and regulatory standards, and with service level agreements (SLAs).

Risk reassessment and periodic due diligence
When it comes to third-party risks, it's crucial to understand that this isn't a "set it and forget it" situation. Establishing protocols for reassessing inherent risks and validating third-party controls is essential. It involves reviewing the last inherent risk assessment to identify new or changing risks and performing due diligence by collecting up-to-date vendor documentation to re-verify their controls.

Best practices for continuous monitoring
While every organization is different, there are best practices for continuous monitoring that can enhance the effectiveness of your efforts.

Use a risk-based approach. Not all third-party engagements carry the same risk level, so it's essential to identify effective monitoring strategies based on risk types and amounts. Critical or high-risk relationships like cloud providers require robust monitoring, while lower-risk providers, like office supply vendors, need less scrutiny.
A risk-based approach ensures resources are allocated to manage the highest risks effectively.

Monitor both risk and performance. Understanding the importance of monitoring specific third-party risks is straightforward for most practitioners. However, performance monitoring is often seen as a secondary concern. Subpar performance not only prevents your organization from receiving the value it is paying for, but it can also signal emerging or increased third-party risks. Poor performance may indicate underlying issues such as declining financial health, ineffective controls, or operational and managerial problems before they are identified through other risk assessments or periodic due diligence.

Establish and stick to formal monitoring routines. Set appropriate intervals for re-evaluating risk, due diligence, and performance reviews. Document and publish these routines and ensure stakeholders are accountable for adhering to them.

Increase monitoring when necessary. It's reasonable to increase monitoring when issues with third parties arise or performance declines. It may also be necessary due to declines in financial health, data breaches, or regulatory changes.

Consider using risk intelligence tools to assist your monitoring efforts. Continuous monitoring requires daily vigilance to detect changes in a third party's risk profile. But depending solely on internet news alerts or third-party vendors for daily updates can be risky. Instead, consider utilizing subscription-based risk intelligence services to receive targeted alerts regarding changes in your third party's cybersecurity, financial health, compliance, reputation, and industry developments.

In conclusion, third-party risks are constantly changing, and organizations that want to manage them must engage in proactive, continuous monitoring to identify potential threats and reduce their impact on the organization and its customers.
By following the third-party risk management lifecycle and implementing best practices for continuous monitoring, your organization can more effectively navigate the complexities of third-party risks and prepare for upcoming challenges.
- Nth party risk: What it is and how to address it
Third party risk management (TPRM) is a comprehensive process that involves identifying, assessing, managing, and continuously monitoring the risks faced by your organization and its customers due to business relationships with external vendors, suppliers, and service providers. In the past few years, TPRM has evolved beyond just managing direct relationships with your third parties; it now also includes identifying, assessing, and mitigating risks related to fourth-party or Nth-party relationships—essentially, the vendors of your vendors and beyond. This layered approach is crucial, as risks within the supply or service chain can propagate through your third parties, potentially impacting your organization unexpectedly. Common risks include information security vulnerabilities, operational disruptions, compliance issues, financial concerns, and reputational risks. To illustrate what fourth and nth party relationships are, imagine your organization is utilizing a third party customer service call center experiencing an outage with its call management software provider (your fourth party). Even though you do not have a contract with the vendor providing the call management software, this outage can still lead to operational disruptions for your organization, resulting in service delays and dissatisfied customers. Consider another scenario where that same software provider suffers a data breach from their contracted data center (your Nth party), ultimately impacting your customers' data. In both situations, the issues do not originate directly from your third party, but rather from their vendors (and the vendors of those vendors) who are engaged to deliver products and services to your organization. Just thinking about fourth and nth-party risks can be overwhelming, especially as the risk landscape seems to grow with each additional layer of a relationship. And many regulatory requirements now include effectively identifying and managing these risks. 
However, there is no need to panic. There are effective strategies you can implement to address them, even with limited resources.

How To Manage Fourth- and Nth-Party Risks
It's essential to recognize that managing all fourth-party and nth-party risks is neither feasible nor practical. Your organization has limited time and resources. And, you do not have direct contracts with these fourth and nth parties, so they are not legally obligated to you. Furthermore, your visibility into their operations may be limited, making oversight difficult. A strategic approach is essential, so defining what "managing" these risks entails and how it is implemented in practice is important. For many organizations, this means identifying where fourth-party and nth-party risks exist and ensuring that the third party manages those extended relationships effectively.

Consequently, having strong third party risk management practices at your organization is crucial for success. This includes conducting thorough risk assessments, assigning risk ratings, identifying critical vendors, performing due diligence, establishing contracts, and implementing continuous monitoring. These processes are vital for effectively identifying and managing fourth-party and nth-party risks.

Take a stepwise approach and start with your own critical third party vendors and service providers. Critical third parties are those relationships that can seriously impact your operations if there should be a business interruption. Critical third parties are those that access, process, transmit, or store Personally Identifiable Information (PII) or confidential data, or any vendor or service provider that interacts with your customers. Targeting your critical third parties first can help you narrow your scope and concentrate on where the most significant risks are.
Build your 4th and nth party inventory
Once you have your list of critical third parties, you’ll need to understand which of their vendors and service providers are essential for delivering products and services to you, or those that could cause regulatory issues or customer dissatisfaction. Here are some tips for accomplishing that task.
- Ask your third parties to list their critical vendor and service provider relationships. This should be a requirement in your critical third party contracts, but if it isn’t, schedule a meeting to discuss your objectives and criteria so they can report back to you. Ensure they provide the organization’s name, location, and product or service. It’s also important to ask if they have additional relationships through their vendors (your nth parties) that can impact your organization or its customers.
- Check your critical vendors’ third party SSAE 18 (SOC) reports to find relevant fourth-party vendors. Look in the “Subservice Organizations” section for this information. These vendors provide the controls needed to meet your third party’s system requirements or commitments to you.

After you have identified these fourth and nth party relationships, keeping the inventory current and organized is essential. Remember to look for fourth and nth parties servicing more than one of your third parties. For example, if all your cloud, data, and analytics providers are using AWS, you may need to consider and address that additional nth-party concentration risk.

Review Your Vendor’s TPRM Policy And Practices
You must rely on third parties to effectively manage their vendor and service provider relationships. A key aspect of successfully addressing third party risk is understanding how your vendors and service providers are managing their third party risks. Never assume that they have it under control. You must see evidence that their TPRM practices meet your requirements.
Always review the following:
- Policy: Review their internal third party or vendor risk management policy. Is it comprehensive? Does it clearly outline roles and responsibilities? Who is ultimately accountable for TPRM? Does the policy address each part of the TPRM lifecycle?
- Risk assessments: Request their inherent risk assessments, risk ratings (including the methodology for rating), how they define critical risks, and the frequency of risk assessments conducted.
- Due Diligence: Request real examples of due diligence conducted on critical third parties and review the vendor risk control assessments provided by qualified subject matter experts.
- Contracts: Understand if minimum contract terms and conditions are utilized to reduce or mitigate risks. Ensure that there are legally binding contracts that are managed appropriately for critical 4th and nth parties.
- Ongoing Monitoring: Ask about their requirements for ongoing monitoring. Confirm if they are performing both risk and performance monitoring for their vendors. Ask for proof of monitoring and see if there have been any incidents or performance failures.
- Issue Management: Inquire about the processes for managing issues, which include reporting, remediation, and escalation related to TPRM.

When you understand how your third parties manage vendor relationships and can see proof of effective and timely processes, you will be able to address nth-party risk more confidently.

Update your contracts
It is essential to recognize that your organization relies heavily on third parties to identify and manage risks associated with fourth and nth parties. If your current third party contracts do not require the disclosure of critical nth parties or do not include provisions for managing third party risks, it may be time to amend those contracts. If immediate changes aren't feasible, it's crucial to document the necessary improvements so your organization can effectively negotiate them before renewing the contracts.
Monitor nth party risk
Like other risks, you need to stay aware of third-party and fourth-party risks that could impact your organization or its customers. You should require your third party vendors to provide monitoring information about their vendors and service providers, and review this information regularly, especially if any issues have arisen. Ensuring that you receive proof of remediation for these issues is essential. Additionally, consider utilizing risk intelligence services to monitor critical or high-risk fourth and nth parties.

In conclusion, although addressing fourth and nth-party risks may seem complex, they become more manageable with a strategic approach. By focusing on your critical third parties, building an inventory of their essential vendors, and requiring them to uphold robust TPRM practices, you create a solid framework for proactively identifying and mitigating risks. Committing to continuous monitoring and maintaining open communication with your third parties will enable you to identify and address the risks in your service or supply chains more effectively.
- Staying Ahead of the Curve: Proactively Managing TPRM Regulatory Compliance
Compliance doesn’t wait—and neither should you. Regulators aren’t sitting idle, and neither are the risks buried in your third-party ecosystem. As more organizations outsource critical services, the scrutiny around how those relationships are managed has grown sharper, faster, and more complex. Vendor oversight is no longer a back-office function; it’s a frontline defense in your regulatory playbook.

Whether it’s cybersecurity, consumer privacy, operational resilience, or responsible banking, compliance expectations now extend well beyond your own four walls. They travel with your data, systems, and customers straight into the hands of your vendors. So, how do you keep pace without burning out your risk and compliance teams? By treating regulatory alignment as an active, continuous part of your third-party risk program, not a once-a-year fire drill. The good news? You can get ahead of the curve and stay there with the right approach. Here are five practical strategies to make that happen:

1. Know the Rules—And Where They Apply
You don’t need to memorize every regulatory acronym, but you do need a solid grasp of which ones affect your third-party relationships. That includes direct regulations like:
- GLBA, if your vendors access customer financial data.
- HIPAA, if they touch health records.
- GDPR and CPRA, if you’re dealing with global or California-based personal data.
Plus, there is a growing patchwork of cybersecurity and operational risk standards like NIST, OCC, and FFIEC guidance. Start with a risk-regulatory mapping exercise. Connect the dots between your critical vendors, their services, and the applicable laws or guidance. Then build a compliance checklist for each category, so you're not scrambling the next time a regulator wants evidence.

2. Make Compliance Part of Your DNA, Not Just a Checkbox
You're likely missing something if your due diligence templates haven’t changed in the last 18 months.
Regulatory expectations evolve, and your assessment process should too. That means asking smarter questions and requiring supporting evidence. A “yes” on a self-assessment doesn’t cut it anymore. Ask for:
- Recent SOC reports, penetration tests, or certifications (ISO 27001, PCI-DSS).
- Policy documents that reflect specific regulatory controls (like data retention or breach notification).
- Contractual language showing compliance with laws like GDPR or HIPAA.
If a vendor claims they’re compliant, they should be able to show you how. And if they can’t? That’s a conversation worth having before an examiner starts asking the same question.

3. Monitor, Document, Repeat
Initial due diligence is only the starting point. Regulatory compliance should be present day-to-day, not just during onboarding. Set up a monitoring cadence that makes sense for the risk level: quarterly check-ins for your critical and high-risk vendors, and annual refreshes for the rest. Don’t wait for a contract renewal to find out if a vendor has changed sub-processors, moved data centers, or had a cyber event. Key actions to build into your process:
- Trigger-based reviews (e.g., regulatory changes, vendor incidents, service scope shifts).
- Control monitoring, especially for data privacy, cybersecurity, and financial controls.
- Evidence logging: saving emails, reports, certifications, and attestations.
Document as you go, not in hindsight. Well-organized documentation is not only essential during audits but also demonstrates that your program has meaningful substance.

4. Use Frameworks—and Foundational Guidance—as Your North Star
You don’t need to start from scratch. Established frameworks and regulatory guidance provide the scaffolding your program needs to stay aligned, scalable, and defensible. Used well, they’re more than checklists—they’re strategic tools that guide smart decision-making and help you demonstrate maturity.
A strong foundation starts with the Interagency Guidance on Third-Party Relationships: Risk Management, issued by the OCC, FDIC, and Federal Reserve. This guidance outlines key lifecycle elements—planning, due diligence, contract structuring, ongoing monitoring, and termination—and serves as a gold standard for banks and any organization managing critical vendor relationships. Not a financial institution? The Third Party Risk Association provides the standard for Third Party Risk Management in their free, comprehensive TPRM 101 Guidebook that will walk you through all phases of the TPRM lifecycle in detail and provide you with practical tools, tips, and examples for its implementation.

Once that foundation is established, you can layer in frameworks tailored to your specific risk domains and industry. For example:
- Financial Services: Use the FFIEC Cybersecurity Assessment Tool (CAT) to benchmark third-party cyber risk, and align your broader program with NIST 800-53 or the NIST Cybersecurity Framework (CSF) to strengthen control mapping and monitoring.
- Healthcare: Look to the HIPAA Security and Privacy Rules when evaluating vendors handling protected health information (PHI). Ensure Business Associate Agreements (BAAs) are in place—these are legally required contracts that outline each party’s responsibilities when handling PHI and help ensure HIPAA compliance. Vendor controls should also align with HITECH Act provisions.
- Insurance: Frameworks like NAIC Model Laws and Guidance on Third-Party Administrators (TPAs) help shape due diligence expectations, especially for claims processors, brokers, and customer data handlers.
- Technology and Software Supply Chain: Adopt software-specific frameworks like SLSA (Supply-chain Levels for Software Artifacts) and the NIST Secure Software Development Framework (SSDF) to manage risks from open-source components, CI/CD pipelines, and outsourced developers.
- Cross-Industry or Global Operations: To scale assessments across geographies and vendor types, use certifications like ISO 27001.

The goal here isn’t to follow all frameworks—it’s to select the ones that make sense for your organization, risk profile, regulatory exposure, and operational reality. By combining lifecycle-based regulatory guidance with targeted frameworks, you build a tailored and resilient TPRM program. This shows regulators, auditors, and your own leadership that you understand not just the “what” but the “why” behind your oversight approach. Proactive risk programs stand out by effectively anticipating potential challenges and implementing strategic measures to mitigate them before they escalate.

5. Make TPRM Everyone’s Business
Even the best-designed compliance framework will fall apart if no one uses it. Training and communication aren’t optional—they’re how you operationalize your program. Risk and compliance teams can’t do it alone. Your business stakeholders need to understand:
- When a vendor relationship triggers regulatory requirements.
- What documentation or approvals need to be collected.
- How to recognize and escalate red flags.
Keep it simple, repeatable, and relevant. Offer live sessions, recorded refreshers, or just-in-time guidance during intake or onboarding. Compliance works best when built into the workflow, not bolted on as an afterthought.

Final Word: Stay Ready So You Don’t Have to Get Ready
Proactive regulatory compliance isn’t about predicting the future but building the muscle to adapt. When your program is designed to flex, monitor, and evolve, you’re not just reacting to audits or enforcement actions. You’re leading with confidence, clarity, and control. And that’s what true TPRM maturity looks like.
MEMBER EXCLUSIVE
To learn more on this topic, watch our June TPRM Webinar, “Staying Compliant: Proactively Addressing New Regulations.” This roundtable focused on proactive strategies to navigate the dynamic regulatory landscape impacting third-party risk management.

AUTHOR BIO
Hilary Jewhurst, Sr. Membership & Education Coordinator at TPRA
Hilary Jewhurst is a seasoned expert in third-party risk and risk operations, with nearly two decades of experience across financial services, fintech, and the nonprofit sector. She has built and scaled third-party risk programs from the ground up, designed enterprise-wide training initiatives, and developed widely respected content that helps organizations navigate regulatory complexity with clarity and confidence. Known for turning insight into action, Hilary’s thought leadership and educational work have become go-to resources for professionals looking to mature their TPRM programs. She regularly publishes articles, frameworks, and practical guides that break down complicated risk topics into meaningful, accessible strategies. Hilary recently joined the Third-Party Risk Association (TPRA) as a staff member, supporting industry-wide education, peer learning, and advancing best practices. She is also the founder of TPRM Success, a boutique consultancy that helps organizations strengthen their third-party risk management capabilities through targeted training, tools, and strategic guidance.
- 5 Tips for Proactively Managing TPRM Regulatory Compliance
If you're tired of scrambling for documentation, chasing down vendors for evidence, or rewriting the same compliance answers every exam cycle, this is for you. This one-page infographic is built with real TPRM pain points in mind: inconsistent monitoring, reactive audits, evolving regulations, and the pressure to prove your program’s worth with limited resources. It distills five actionable strategies into a visual format you can actually use—with your stakeholders, during training, or as a north star for revamping your vendor oversight. You’ll find guidance on mapping regulations, upgrading due diligence, monitoring with intention, and embedding compliance into your daily operations, not just during audit season. Because real TPRM maturity isn’t about checking boxes—it’s about building a program that works when things go wrong. This infographic helps you start there. Perfect for sharing with your team, your boss, or anyone who still thinks compliance is a once-a-year event.
- TPRM Controls: It’s Not Just About the Third Party
Introduction
In the modern business landscape, Third-Party Risk Management (TPRM) has become a focal point for organizations aiming to safeguard their operations. While much attention is given to assessing and managing the risks associated with third-party vendors using questionnaires, Boards of Directors are asking CISOs what the business is doing to protect the organization from third parties. Access Management in Complementary User Entity Controls (CUECs) is a crucial internal control often overlooked by TPRM when performing assessments. Additional access protections are available through the organization’s implementation of a Zero Trust strategy and the use of Artificial Intelligence (AI) and Machine Learning (ML) applications.

Access Management in Complementary User Entity Controls (CUECs)
CUECs represent the controls that service providers expect you (as the customer) to implement to complement their own control environment. In the context of third-party management, these controls are crucial for maintaining a secure and effective relationship. Critical access management CUECs that organizations often overlook when managing third parties include the following:
- Access provisioning and deprovisioning controls: According to a Black Kite study, 54% of all third-party breaches were due to unauthorized network access. (1)
- Monitoring of third-party activities: According to a Ponemon Institute study, only 34% of organizations effectively monitor third-party access to critical systems. (2) This creates significant blind spots in security posture.
- Regular reassessment of third-party access needs: A Wiz Research study indicates that 82% of companies unknowingly provide third-party vendors with highly privileged roles. (3)
- Validation of CUEC controls: Conventional CUEC validation, if performed, focuses only on control existence and design effectiveness, not on control operation and operating effectiveness, creating a false sense of security.
Access Management in a Zero Trust Strategy
Zero Trust is fundamentally about “never trust, always verify” – a principle that can significantly enhance the protection of an organization's network and systems when granting third-party access. The implementation of Zero Trust requires a shift away from the traditional security models that rely on perimeter defenses and instead focuses on securing individual assets and data. Traditional models grant broad network access once a user is authenticated; however, Zero Trust gives only the minimum access needed for a task. (4) Zero Trust identity and access management controls are implemented using a risk-based approach and may include the following:
- Multi-factor authentication (MFA): Third-party users are required to authenticate using at least two factors (something they know, have, or are). According to Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, MFA can stop 30% to 50% of account compromise attacks. (5)
- Just-in-time (JIT) access: Third-party users are provided temporary, time-limited access only when needed rather than persistent access. This minimizes the potential for attackers to exploit vulnerabilities and gain unauthorized access.
- Privileged access management (PAM): Session recording and monitoring is implemented for all third-party privileged access. According to Gartner, organizations that implement PAM can reduce the risk of privileged credential abuse by 75%. (6)
- Micro-segmentation: Third-party access is limited to only the specific network segments or applications required for their function. By isolating critical systems and sensitive data, detecting and responding to threats becomes easier.
- Device posture assessment: The security posture of third-party devices is monitored before granting access. Third-party devices must meet minimum security requirements (patches, endpoint protection, etc.).
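Added example, not code from the original article: a small deny-by-default policy evaluator that applies the Zero Trust controls listed above (MFA, just-in-time grants, PAM session recording, micro-segmentation, device posture) to a third-party access request, and adds the baseline-driven adaptive step the article's AI/ML section describes (unfamiliar location, request spike). Every class, threshold and sample record is a constructed assumption, not a real product's API.

```python
"""Constructed example: Zero Trust policy evaluation for third-party access.
Names, thresholds (2 factors, 3x baseline request rate) and sample data are
assumptions made for this illustration, not from the original article."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class JitGrant:
    """Time-boxed (just-in-time) approval for one network segment."""
    segment: str
    start: datetime
    end: datetime


@dataclass
class VendorUser:
    user_id: str
    allowed_segments: set          # micro-segmentation allowlist
    jit_grants: list               # list of JitGrant
    usual_countries: set           # behavioural baseline (constructed)
    typical_hourly_requests: int   # baseline request rate (constructed)


@dataclass
class AccessRequest:
    user_id: str
    segment: str
    at: datetime
    mfa_factors: int               # distinct factor types presented
    device_patched: bool
    device_edr_running: bool
    country: str
    requests_last_hour: int
    privileged: bool


@dataclass
class Decision:
    allow: bool = True
    reasons: list = field(default_factory=list)
    record_session: bool = False   # PAM: privileged sessions are recorded
    alert: bool = False            # raise to the SOC for investigation


def evaluate(user: VendorUser, req: AccessRequest) -> Decision:
    """Every failed control is appended to reasons; any failure denies."""
    d = Decision()
    if req.mfa_factors < 2:                                   # MFA
        d.allow = False
        d.reasons.append("mfa_required")
    if not (req.device_patched and req.device_edr_running):   # device posture
        d.allow = False
        d.reasons.append("device_posture_failed")
    if req.segment not in user.allowed_segments:              # micro-segmentation
        d.allow = False
        d.reasons.append("segment_not_permitted")
    if not any(g.segment == req.segment and g.start <= req.at < g.end
               for g in user.jit_grants):                     # JIT window
        d.allow = False
        d.reasons.append("no_active_jit_grant")
    if req.privileged:                                        # PAM
        d.record_session = True
    # Adaptive part: compare the request with the user's own baseline.
    anomalies = []
    if req.country not in user.usual_countries:
        anomalies.append("unfamiliar_location")
    if req.requests_last_hour > 3 * user.typical_hourly_requests:
        anomalies.append("request_spike")
    if anomalies:
        d.alert = True
        d.reasons.extend(anomalies)
        # Step up: one anomaly on privileged access, or two anomalies on any
        # access, revokes the grant until a human reviews the alert.
        if req.privileged or len(anomalies) >= 2:
            d.allow = False
    return d


def T(hour: int, minute: int = 0) -> datetime:
    """Constructed timestamps on a single day, UTC."""
    return datetime(2024, 5, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample: one call-centre vendor account with a four-hour grant.
SAMPLE_USER = VendorUser(
    user_id="vendor-callcentre-07",
    allowed_segments={"crm-app", "ticketing"},
    jit_grants=[JitGrant("crm-app", T(9), T(13))],
    usual_countries={"US"},
    typical_hourly_requests=40,
)


def _req(**over) -> AccessRequest:
    """A healthy request; keyword overrides create each scenario."""
    base = dict(user_id="vendor-callcentre-07", segment="crm-app", at=T(10),
                mfa_factors=2, device_patched=True, device_edr_running=True,
                country="US", requests_last_hour=35, privileged=False)
    base.update(over)
    return AccessRequest(**base)


def run_samples() -> dict:
    """Evaluate four constructed scenarios, keyed by name."""
    return {
        "normal": evaluate(SAMPLE_USER, _req()),
        "expired_jit": evaluate(SAMPLE_USER, _req(at=T(14))),
        "privileged_abroad": evaluate(SAMPLE_USER, _req(at=T(11), country="BR", privileged=True)),
        "bad_device_spike": evaluate(SAMPLE_USER, _req(device_edr_running=False, requests_last_hour=200)),
    }


if __name__ == "__main__":
    for name, dec in run_samples().items():
        print(f"{name:18} allow={dec.allow} alert={dec.alert} reasons={dec.reasons}")
```

The reasons list is what a SOC analyst needs in the alert: it shows which control failed, so a denied privileged session from an unfamiliar country is distinguishable from a simple lapsed grant.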
Leveraging Artificial Intelligence (AI) and Machine Learning (ML) in a Zero Trust Strategy

Organizations using AI-powered security tools have an 85% success rate at predicting cyberattacks. (7) Examples of AI and ML applications used in a Zero Trust strategy include the following:

- Anomaly detection: AI and ML algorithms can be trained to detect unusual patterns or behaviors within the organization’s network. Deviations from normal activity may indicate potential security threats; for example, spikes in access requests from unfamiliar locations may trigger alerts for further investigation. (8)
- Behavioral analysis: ML models can analyze user behavior and establish a baseline of normal activities for each user. Any deviation from these patterns can raise a flag for a potential insider threat or compromised account. (8)
- Threat intelligence integration: By analyzing threat intelligence feeds alongside internal network data, organizations can make more informed decisions regarding access control and threat mitigation strategies. ML algorithms can prioritize and contextualize threat intelligence data, helping security teams focus on the most critical risks. (8)
- Adaptive access controls: ML-driven access control mechanisms can dynamically adjust permissions based on real-time risk assessments. By continuously evaluating factors such as user behavior, device health, and network conditions, these systems can grant or revoke access privileges dynamically. (8)

Case Studies

Case Study 1: Implementing Complementary User Entity Controls in a Retail Environment

A leading retail company implemented Complementary User Entity Controls to enhance its third-party risk management. This involved establishing strict access controls and clear usage policies for third-party vendors accessing its systems. By doing so, the company improved its ability to detect and respond to unauthorized access attempts, significantly reducing the risk of data breaches.
The implementation of these controls also led to better accountability and adherence to security protocols among third-party vendors.

Case Study 2: Adopting Zero Trust Controls in a Technology Firm

A technology firm adopted a Zero Trust strategy to manage third-party access to its network and critical systems. The approach required verification of every access request, regardless of its source, and continuous monitoring of user activities. By using multi-factor authentication and least-privilege access principles, the firm ensured that only authorized users could access sensitive data. This strategy not only prevented unauthorized access but also provided granular visibility into third-party activities, enabling proactive threat detection and response.

Conclusion

While third-party assessments remain a cornerstone of TPRM, it is essential to recognize and implement broader access controls that contribute to a more comprehensive risk management strategy. By validating both the design and operating effectiveness of critical access management CUECs and implementing Zero Trust access controls, organizations can enhance their resilience and better protect themselves against the myriad risks associated with third-party relationships. AI and ML applications can also play a crucial role in ensuring access controls remain robust and responsive to evolving threats. TPRM is not just about the third party; it is about creating a holistic approach to risk management that safeguards the organization from within and beyond.

References:

(1) Black Kite, “Third-Party Breach Report,” Vol. 5, 2024. [Online]. Available: https://blackkite.com/wp-content/uploads/2024/03/third-party-breach-report-2024.pdf
(2) Imprivata, “Imprivata Study Finds Nearly Half of Organizations Suffered a Third-Party Security Incident in Past Year,” February 13, 2025. [Online]. Available: https://www.imprivata.com/company/press/imprivata-study-finds-nearly-half-organizations-suffered-third-party-security
(3) Security Magazine, “82% of companies give third parties access to all cloud data,” January 26, 2021. [Online]. Available: https://www.securitymagazine.com/articles/94435-of-companies-give-third-parties-access-to-all-cloud-data
(4) Cipher, Alex, “Zero Trust: Redefining Cybersecurity,” 2024.
(5) Cybercrime Magazine, “Multi-Factor Authentication is (Not) 99 Percent Effective,” February 23, 2023. [Online]. Available: https://cybersecurityventures.com/multi-factor-authentication-is-not-99-percent-effective/
(6) CTO (Core Team One), “Did you know? 74% of data breaches start with the abuse of privileged credentials,” Wednesday, 12 June 2024. [Online]. Available: https://www.bing.com/search?pglt=297&q=74%25+of+data+breaches+start+with+the+abuse+of+privileged+credentials&cvid=5411e708f64447b8b8e91782242cba48&gs_lcrp=EgRlZGdlKgYIABBFGDkyBggAEEUYOTIGCAEQRRg80gEKMTYxMzY2ajBqMagCALACAA&FORM=ANNTA1&adppc=EDGEBRV&PC=EDGEBRV
(7) Furness, Dylan, Emerj, November 9, 2024. [Online]. Available: https://emerj.com/an-ai-cybersecurity-system-may-detect-attacks-with-85-percent-accuracy/#:~:text=An%20AI%20Cybersecurity%20System%20May,Accuracy%20%7C%20Emerj%20Artificial%20Intelligence%20Research
(8) Goraga, Zemelak, Dr., “AI and ML Applications for Decision-Making in Zero Trust Cyber Security,” Volume 1, SkyLimit Publishing, 2024, pp. 2-3.