
Search Results


  • From Manual to Modern: How to Spot TPRM Processes Ready for Automation

    In today’s third party risk management (TPRM) environment, time is a scarce resource, and risk teams are feeling the pressure. As organizations grow their third party ecosystems and regulatory expectations rise, TPRM programs are expected to scale without receiving more people or budget. That’s where automation can help.

    But before jumping into technology solutions, practitioners often ask a crucial question: “How do I know what to automate?”

    Not everything is a good candidate. Some processes rely on deep judgment or require hands-on communication. But others, the repetitive, rules-based, time-consuming tasks, are perfect opportunities to automate and free up your team’s time for strategic risk management activities.

    Let’s walk through how to spot automation use cases inside your own program, and hear how one risk leader turned hours of manual work into minutes of automated flow.

    What Makes a Good Candidate for Automation?

    Start with a simple lens. The best automation processes usually have these qualities:
    - High volume: happens frequently across many third parties
    - Repetitive: same steps followed every time
    - Rule-based: decisions based on set criteria or logic
    - Low variation: minimal case-by-case customization
    - Trackable: easily measurable in terms of success or failure

    If you’re doing a task over and over, and it doesn’t require nuanced human decision-making, it’s probably a strong automation candidate.

    Common TPRM Automation Use Cases

    Here are some of the most common areas where automation delivers real value:

    1. Initial Third Party Intake & Risk Tiering
    Automating the intake form and feeding third party and business owner responses directly into a tiering model saves time and reduces manual scoring errors. You can set rules to automatically assign low, medium, or high risk based on responses like data sensitivity or criticality.

    2. Due Diligence Questionnaire Distribution
    Rather than tracking who received what questionnaire, use automation to send the right assessment based on third party type and level of risk, trigger reminder emails, and flag when a response is overdue.

    3. Policy & Document Collection
    Stop chasing third parties manually for SOC reports, insurance certs, or data mapping. Use tools that auto-request, validate expiration dates, and flag missing documents before you notice.

    4. Issue Remediation Workflows
    If a third party fails a control assessment, automation can generate a ticket, assign it to the right risk owner, and send periodic follow-ups until it’s resolved or escalated.

    5. Continuous Monitoring
    Set thresholds and rules so that alerts from external monitoring platforms are filtered, prioritized, and routed to the right business owner and/or third party. Not every continuous monitoring alert needs to land in your inbox.

    Real-World Example: Automating Third Party Risk Tiering

    Case Study: Financial Services TPRM Team (Mid-Sized U.S. Bank)

    A TPRM team supporting over 1,000 third parties struggled to keep up with onboarding. Each third party was manually risk-tiered by reviewing spreadsheets, pasting data into a scoring tool, and then having it double-checked by a second analyst.

    “It was taking us 2 to 3 hours per vendor, just to assign a tier,” the risk lead told us.

    By implementing an automation workflow using a TPRM platform, they built a rules engine tied to their intake questionnaire. Now, as third parties fill out intake forms, their answers auto-feed into a tiering model based on categories like access to sensitive data, cloud usage, and financial impact. The automation generates a tier instantly, flags high-risk vendors for human review, and logs everything for audit readiness.

    Result:
    - Manual effort dropped from 3 hours to under 10 minutes
    - Analyst hours saved = ~50/month
    - More consistent tiering = stronger regulator confidence

    How to Identify Automation Opportunities in Your Program

    Start simple. Ask yourself and your team:
    - What process eats up the most time?
    - Are there tasks we do the same way every time?
    - Where do errors or delays occur?
    - What are we manually tracking in Excel or email?
    - What do we wish we had more time for (but don’t)?

    Then, map out the steps. If you can diagram it on paper, chances are you can automate it.

    Avoid These Common Pitfalls

    Before automating, take these precautions:
    - Don’t automate a broken process. Fix inefficiencies first.
    - Avoid black-box logic (a system or algorithm whose internal workings are not easily understood or accessible to the user). You still need visibility and traceability.
    - Keep humans in the loop for judgment calls or escalations.
    - Test in small batches before going wide.

    Final Thought: Start Small, Scale Smart

    You don’t need a full digital transformation to begin automating. Choose one use case, something your team is tired of doing manually, and experiment. Measure the time saved. Show impact.

    Remember, in TPRM, every minute you save on manual administration is a minute you can spend mitigating actual risk.

    Author Bio: Heather Kadavy, Senior Membership Success Coordinator

    Heather Kadavy joined the Third Party Risk Association (TPRA) in 2023 as the Senior Membership Success Coordinator. In recent year(s) Heather has been providing freelance TPRM consulting work to various organizations after retiring from a Nebraska financial institution after nearly 35 years, where she oversaw and managed critical programs of the organization including Third Party Risk Management, Information Security, Physical Security, Safety, Business Recovery, Financial Crimes, Model Risk Management, and Enterprise Risk Management. In her TPRM role she had oversight of over a thousand third party relationships, systems, due diligence reviews and contract management activities. She developed, facilitated, and implemented training programs for thousands of employees over the years. Heather is a natural-born connector of people and values relationship building as the cornerstone of her career. She encourages you to connect with TPRA and herself via LinkedIn to join in the "TPRM Global Conversation".

  • Too Many Eggs, One Basket: Lessons from the AWS Outage

    In the early morning of October 20, 2025, Amazon Web Services, the backbone of much of the modern internet, experienced a widespread outage in its Northern Virginia region. Within hours, popular apps, business platforms, and government services began to slow or fail. By evening, AWS reported that services were operating normally, with some backlogs clearing after that. This was not some minor hiccup. It took much of the day to resolve, and by the time systems steadied, the outage had already reminded everyone how deeply daily life depends on the same shared foundations.

    The Impact

    The outage originated in AWS’s US-EAST-1 region, which supports a significant portion of global cloud activity. That single region underpins countless tools and services used every day by businesses, governments, and consumers alike. Well-known platforms such as Zoom, Venmo, and Alexa saw interruptions, but the effects reached much farther than that.

    For many organizations, the disruption was one step removed. Their own systems appeared stable, yet vendors or downstream providers that relied on AWS began to falter. Even companies with no direct contract felt the slowdown through partners and service integrations that quietly depend on the same infrastructure.

    The Cause

    AWS said the incident stemmed from DNS resolution issues that affected DynamoDB service endpoints in US-EAST-1, and they began mitigation after identifying the problem (AWS update). In parallel, traffic health checks did not behave as expected, which complicated rerouting and recovery. The combination created a chain of disruptions that took most of the day to unwind.

    In short, one lookup broke, one database stalled, and everything built on top of them learned what “shared dependency” really means.

    The Response

    AWS posted regular updates, isolated the DNS issue, and restored service, with some queues taking longer to clear. By evening, operations were mostly normal.

    AWS confirmed that the outage was not the result of a cyberattack and said a detailed incident analysis would be released. The company’s updates through its status page and social channels provided transparency but were highly technical, which made it difficult for non-technical teams to interpret and share meaningful updates inside their organizations.

    What This Illustrates About Concentration Risk

    This was concentration risk in practice: too much dependency in one place. The AWS US-EAST-1 region is popular because it is large, efficient, and cost-effective. That popularity concentrates demand, which can magnify impact during an incident.

    When multiple organizations and their vendors depend on the same region, a single problem can become a multi-industry event. Many companies that felt diversified discovered their vendors were sitting on the same underlying infrastructure.

    What It Reveals About Fourth- and Nth-Party Risk

    Even companies far removed from AWS saw disruptions. That is extended vendor risk, where your vendor’s vendor, or their vendor’s vendor, fails and causes impact for you.

    A payment platform might use AWS directly, while your billing software depends on that platform. Your HR system’s analytics add-on might sit on AWS even if the core platform does not. The farther down the chain the issue occurs, the harder it is to see, yet the business effect is the same.

    The Broader Lesson: Shared Infrastructure Means Shared Consequences

    Cloud services and computing have made business faster and more connected. They have also made it interdependent. When one provider falters, entire industries can feel the shock.

    Technical events become business events quickly. Disruptions affect customer access, transactions, revenue, and regulatory expectations. For TPRM programs, resilience is not about predicting every outage. It is about understanding dependency risk and being ready to respond calmly when it appears.

    What TPRM Practitioners Should Be Doing Now

    The AWS outage was a free stress test. Even if your organization stayed upright, it showed how much depends on a handful of cloud providers. Now it’s time to turn awareness into action.

    1. Revisit your dependency map

    Trace your direct, fourth-party, and nth-party exposure. You do not need to document every sub-vendor, but you should know where critical systems live and who connects them.
    - Review your direct vendors and note hosting provider and region.
    - Identify shared dependencies across your portfolio.
    - Flag any service that leans on a single region.
    - Share this with cybersecurity and IT partners to align contingency plans.

    2. Strengthen collaboration between TPRM and Cybersecurity/Information Technology

    When an outage hits, both perspectives are essential.
    - Cyber professionals (which may include the incident response team) focus on the how: root cause, technical exposure, and data integrity.
    - TPRM focuses on the so what: business impact, vendor accountability, and continuity of services.

    Confirm with IT which systems can run from more than one location. Confirm with TPRM which vendors must maintain uptime and notify you. If this partnership is informal, formalize a simple workflow that defines who watches vendor status, how alerts move to business leaders, and who decides when to communicate with executives or customers.

    3. Update due diligence and contracting

    Bake resilience into every step of the vendor lifecycle.

    During due diligence:
    - Ask where systems are hosted, including backup regions.
    - Require disclosure of key sub-vendors such as cloud hosts and data processors.
    - Confirm that failover is tested and recent.
    - Check that downtime tolerance matches your business needs.

    In contracts:
    - Add notification timelines for incidents that affect your data or operations.
    - Require vendors to maintain and test continuity and disaster recovery plans on a regular basis (at least annually).
    - Define how credits or remedies apply during regional incidents.
    - Include data portability and exit terms so you can migrate if reliability declines.

    For existing contracts, capture this through an addendum or vendor questionnaire. The goal is alignment between your expectations and actual capabilities.

    4. Treat vendor resilience as an ongoing metric

    Do not let resilience live in a one-time questionnaire.
    - Track uptime and incident response quarterly.
    - Watch how vendors communicate during industry-wide disruptions.
    - Follow up with any vendor that takes more than a business day to confirm whether they were affected.

    Transparency and communication matter as much as uptime.

    5. Bring the lesson to leadership

    Executives and boards care about continuity, not DNS details. Use this event as a case study. Keep it in business terms.
    - How long could you operate if your main region failed?
    - Which vendors share that region?
    - How long does recovery actually take in hours, not in theory?

    Boards and regulators should already be asking about cloud concentration and systemic risk. Showing mapped dependencies and credible plans signals maturity and foresight.

    Not Ready for All That Yet? Try This Instead

    If your program is not ready for the full list above, start smaller. A one-hour tabletop can surface the most important gaps before you redesign your program.

    A One-Hour Tabletop: “When the Cloud Falters”

    Scenario: Your most important customer-facing service is degraded for six hours because your cloud provider’s main region is down.

    Prompts:
    - What fails first, and who notices?
    - Who owns communication with leadership and customers?
    - What do you tell executives in the first 30 minutes?
    - What data confirms whether the issue is internal or supplier-related?
    - If the outage lasts more than four hours, how do you continue operations?
    - When and how do you tell customers you are stable again?

    What good looks like:
    - Clear ownership of communication and impact analysis.
    - Named roles for executive updates and recovery coordination.
    - A realistic recovery time, not a guess.
    - Two improvement items assigned for follow-up within 30 days.

    Start here. Capture where confusion happens and what slows decisions. The results will show you where to strengthen communication, contracts, and coordination next.

    Conclusion

    The AWS outage was not just about downtime. It was about concentration risk and dependency, and how quietly it grows until something forces everyone to see it. What looked like one point of failure was really a network of shared reliance across vendors, industries, and geographies.

    For TPRM professionals, the lesson is to stop treating concentration as abstract and start treating it as operational reality. Every vendor, every contract, and every dependency tells part of that story. The work ahead is not to eliminate risk; it is to ensure that when one link breaks, which it inevitably will, the rest of the chain holds.

    Additional Resource

    Explore our certificate, Securing SaaS Applications: A Comprehensive Approach to Cloud Risk Management, which provides an in-depth look at evaluating and managing risks associated with cloud-based SaaS solutions.

    Author Bio: Hilary Jewhurst, Sr. Membership & Education Coordinator at TPRA

    Hilary Jewhurst is a seasoned expert in third-party risk and risk operations, with nearly two decades of experience across financial services, fintech, and the nonprofit sector. She has built and scaled third-party risk programs from the ground up, designed enterprise-wide training initiatives, and developed widely respected content that helps organizations navigate regulatory complexity with clarity and confidence. Known for turning insight into action, Hilary’s thought leadership and educational work have become go-to resources for professionals looking to mature their TPRM programs. She regularly publishes articles, frameworks, and practical guides that break down complicated risk topics into meaningful, accessible strategies. Hilary recently joined the Third Party Risk Association (TPRA) as a staff member, supporting industry-wide education, peer learning, and advancing best practices. She is also the founder of TPRM Success, a boutique consultancy that helps organizations strengthen their third-party risk management capabilities through targeted training, tools, and strategic guidance.

  • Why Vendor Offboarding Is Riskier Than You Think and How Automation Can Help

    When a vendor relationship ends, the risk doesn’t.

    Too often, vendor offboarding is treated as an afterthought, left to chance, split between departments, or buried in a never-used checklist. The problem? An incomplete or inconsistent termination process exposes your organization to some of the highest risks in the TPRM lifecycle. These risks include, but are not limited to, access that was never revoked, assets that were never returned, and/or data that was never deleted.

    The good news: these risks are avoidable, and automation can help.

    Why Offboarding Matters More Than You Think

    In many organizations, onboarding gets all the attention: due diligence, approvals, kickoff meetings, and security reviews. But what about the end of the relationship?

    "You wouldn’t let an employee walk out the door without collecting their badge and shutting off system access. Why do we do it with vendors?"

    Poor offboarding can lead to:
    - Lingering system access and potential unauthorized activity
    - Unreturned data or devices, especially in hybrid/cloud environments
    - No formal record of what actions were completed or by whom
    - Compliance gaps if data disposal or security controls were contractual

    The Automation Opportunity

    Here’s where automation can drastically improve vendor offboarding, making it faster, repeatable, and auditable.

    1. Triggering the Offboarding Workflow Automatically
    - When a contract is marked as terminated or not renewed, the system will kick off automated offboarding activities.
    - It can route these activities to IT, InfoSec, Procurement, and TPRM automatically.
    Tool tip: Use a trigger from your TPRM tool, GRC system, or contract lifecycle platform to launch this sequence.

    2. Auto-Assigning Offboarding Tasks
    Such offboarding tasks can include, but are not limited to:
    - Revoking system access and credentials
    - Collecting physical or virtual assets
    - Confirming data destruction or secure transfer
    - Archiving vendor risk files and workpapers
    Tool tip: Use tools like ServiceNow, Jira, or Monday.com to assign tasks and track completion status in real time.

    3. Generating & Storing Offboarding Evidence
    - The system can require documentation uploads or confirmations (e.g., a screenshot of deprovisioned access, destruction certificates) for completed offboarding tasks.
    - It can also store all evidence in the third party profile for audit purposes.
    Tool tip: Attach offboarding steps to a third party profile in your TPRM platform or centralize storage in a secure SharePoint folder.

    4. Post-Termination Reviews
    - Set up a short internal review form to capture any final third party risks or lessons learned.
    - Optionally trigger a survey to business owners to assess third party performance.
    - Update the third party’s profile to note whether the third party can be used again or whether it is recommended not to do business with the third party.
    Tool tip: Use Microsoft Forms or Google Forms and auto-send based on the third party status change.

    Real-World Example: Offboarding Automation at a Global Fintech

    A fintech company with over 1,200 third parties discovered that more than 30% of “inactive” third parties still had some form of residual access, including access to shared cloud folders and legacy single sign-on (SSO) profiles.

    The organization then implemented a third party offboarding checklist built into their TPRM platform, which auto-triggered when a contract end date was reached or when a business owner marked a third party as "no longer in use." Each task, such as deprovisioning access, collecting assets, or confirming data deletion, was auto-assigned to pertinent stakeholders with deadlines and owner accountability.

    Results in the first 6 months:
    - Reduced open-access risk by 78%
    - 100% of offboarding steps documented and accessible for audits
    - Gained stronger alignment between TPRM, InfoSec, and Procurement

    Getting Started: Questions to Ask
    - Do we have a standard offboarding checklist for third parties?
    - Who owns each task, and how do we know the tasks were completed?
    - Can we identify all third parties with system access that may still be active post-contract?
    - Do we store evidence of data destruction or handover?

    Quick Win to Try

    Start by creating a centralized third party offboarding checklist with due dates and owner fields. Even if you use Excel or a Google Form at first, link this to third party termination triggers and build consistency from there.

    Then, explore how your existing tools (TPRM platform, ticketing system, workflow automation) can formalize and automate the process.

    For additional information on the third party termination process, view TPRA’s TPRM 101 Guidebook.

    Author Bio: Heather Kadavy, Senior Membership Success Coordinator (full bio above)

  • Mapping Business Capabilities to Third-Party Risk: A Strategic Approach to Enterprise Resilience

    In today’s increasingly interconnected enterprise landscape, third-party vendors are no longer just peripheral—they are central to how organizations operate, deliver value, and respond to change. Despite their critical role, many companies lack a clear understanding of how these external relationships align with strategic goals, operational dependencies, and risk tolerance. This lack of visibility can leave organizations vulnerable to disruption, inefficiency, and unmanaged risks. One of the most effective tools for closing this gap is the business capability map—a structured representation of what the business does to create value. When enriched with vendor, contract, and procurement data, this map shifts from a planning artifact into a strategic framework for enterprise resilience.

    A business capability map outlines the core functions of an organization independently of its structure, technology, or processes. It offers a stable view of what the business can do—such as “Customer Onboarding,” “Revenue Management,” or “Supply Chain Visibility”—regardless of how those capabilities are currently implemented. This abstraction is powerful because it enables leaders to focus on what the business needs to accomplish, rather than how it does it. When third-party vendors are mapped to the capabilities they support, the organization gains a clear, contextual understanding of external dependencies. This mapping shows which vendors are connected to specific business functions, identifies redundancies or gaps, and illustrates how vendor relationships affect operational resilience.

    The value of this approach becomes especially clear when viewed through the lens of risk awareness and resilience analysis. For example, if a single vendor supports a mission-critical capability like “Data Protection,” the organization may face a concentration risk. Conversely, if multiple vendors support the same capability without a strategic reason, it could indicate vendor sprawl—an inefficiency that can weaken accountability and add complexity. By visualizing these relationships, organizations can identify where intentional redundancy is necessary for resilience and where consolidation could lower risk and cost.

    This capability-vendor mapping also supports more strategic decision-making. Leaders can pose targeted questions such as: Are high-risk vendors supporting high-value or mission-critical functions? Are there capabilities without vendor support, indicating over-reliance on internal resources or potential single points of failure? Do current contracts and procurement strategies align with the organization’s future capability roadmap and resilience objectives? These questions help shift the focus from reactive vendor management to proactive resilience planning.

    The advantages of this approach are clear. For example, during a vendor outage or cybersecurity incident, the capability map helps teams quickly determine which business functions are affected and prioritize response efforts. During periods of organizational change—such as mergers, acquisitions, or digital transformation—the map offers a stable reference point for evaluating vendor dependencies and maintaining continuity. Procurement teams can use the map to negotiate contracts that include resilience clauses, like service-level guarantees, disaster recovery provisions, and data portability. Business owners gain clarity on which capabilities are externally supported and can plan accordingly for performance, continuity, and scalability.

    Building and maintaining this resilience-focused capability map requires collaboration among several key roles. Third-party risk managers contribute insights into vendor criticality, exposure, and compliance. Business owners provide operational context and performance expectations. Procurement teams align sourcing strategies with business priorities and resilience objectives. And business architects ensure the capability framework remains accurate, relevant, and adaptable to future needs. Together, these stakeholders create a shared understanding of how external relationships support the business—and how those relationships can be optimized for resilience.

    Ultimately, mapping third-party vendors to business capabilities is more than just a technical task—it’s a strategic necessity. It enables organizations to manage complexity confidently, reduce risk, and build a more resilient enterprise. By defining ownership, dependencies, and risks across the capability landscape, businesses can make better decisions, respond more effectively to disruptions, and ensure that external partnerships support long-term strategic objectives.

    Author Bio: Keith Stouder, VP, Data Privacy and Protection

    Keith Stouder is an experienced executive with over 30 years of experience in enterprise architecture, data privacy, and security. He began his career in state procurement, where he handled complex technical RFPs, and has established a notable record in third-party risk management (TPRM), successfully launching two TPRM programs and developing two others. Keith consistently takes a strategic and practical approach to balancing risk with business value. He currently serves as Vice President of Data Privacy and Protection at ACT, Inc., where he leads a cross-functional, innovative team focused on using automation and AI to enhance third-party due diligence and streamline the vendor approval process. Keith ensures that vendor value is delivered throughout the contract lifecycle—managing vendors both individually and as part of the broader enterprise portfolio. Through strategic oversight of vendors and applications, he aligns portfolio management with business goals to maximize operational and financial impact.

  • The Importance of Automating Intake and Triage in TPRM

    Most TPRM programs start risk management after the contract is signed, or worse, after the third party is already active.  But by that point, you're already behind.  The best TPRM teams are shifting left, embedding automation into the intake and triage process to capture the right information, assign the right risk level, and route the right review at the very start.   Done right, intake automation helps you:  Stop sending redundant questions to the third party  Avoid missed high-risk third parties  Improve turnaround time  Make procurement and business units your partners, not your adversaries  The Intake Problem   Manual third party intake often looks like this:  Business user of the third party product/service emails TPRM team: “Can we use this third party?”  TPRM team asks for a basic description of products/services that will be offered  A general questionnaire is sent (regardless of third party type or data sensitivity)  Multiple follow-ups and clarifications are performed  Everyone’s frustrated  This is inefficient and does not take into account a risk-based approach. Low-risk third parties get over-scrutinized, and high-risk third parties may slip through the cracks.  What You Can Automate   Let’s look at how automation can transform intake into a structured, repeatable process that gathers key risk insights and triggers the right next steps, without creating bottlenecks.   1. Smart Intake Forms  Use an online form (e.g., in your GRC, TPRM platform, or tool like Microsoft Forms) that business users fill out   before  engaging with a third party.  Questions to include:  What services will the third party provide?  Will they access customer data or company systems?  What types of data will be accessed (PII, PHI, PCI, IP)?  Where will the services be delivered from?  What’s the contract value or term length?  Is this third party replacing an existing one?  
Tool Tip : Conditional logic can adjust questions based on prior answers, keeping the form short and relevant.    2. Automated Risk Triage  Based on responses, route the request into the appropriate track:  No Risk Identified → auto-approved or documented as "informational only"  Low Risk → minimal questionnaire or policy acknowledgment  Moderate Risk → standard due diligence questionnaire sent  High Risk  → full risk review, possibly including legal, compliance, and InfoSec reviews  Tool Tip:  Some TPRM Tools allow auto-routing of intake requests based on logic trees.  3. Trackable Intake Queue   Turn intake into a visible, trackable pipeline, not a buried inbox.  You should be able to see:  How many new third parties are awaiting review  What tier each has been assigned  What due diligence is pending or complete  Who “owns” the next step  Tool Tip: Use Trello, Jira, Monday.com , or a built-in TPRM dashboard to manage this visually if your TPRM system doesn't already.    4. Integration with Procurement or Legal Workflows   Make intake the bridge between procurement, legal, and risk, not a roadblock.  Connect your intake system to:  Contract review tools  E-signature platforms (e.g., DocuSign)  Purchase request systems  Procurement tools (e.g., Coupa, SAP Ariba)  Bonus : Add a “TPRM clearance” checkbox in your procurement tool so teams can’t finalize deals without routing through risk mitigation activities.    Real-World Example: Intake Transformation at a Healthcare Provider   A large healthcare company implemented a smart intake form tied to its procurement request portal. The form automatically tiered third parties and launched tailored workflows based on services, data access, and regulatory flags.  
    Results:

    - 3x faster intake processing time
    - 100% of high-risk third parties flagged before a contract was signed
    - 70% reduction in unnecessary reviews for low-risk third parties
    - Business stakeholders started submitting requests earlier in the process

    Getting Started

    Here's how you can start automating intake and triage:

    - Map what you want to know up front (data access, geography, system access, business impact)
    - Build a simple intake form, even in Google Forms or Microsoft Forms if you do not have a TPRM platform
    - Create decision logic to assign a risk tier based on responses
    - Route the third party to the appropriate review workflow
    - Track the intake queue so nothing falls through the cracks

    Pro Tip: Make Intake the Gateway, Not the Gatekeeper

    Your intake process should empower business stakeholders with clarity and speed, not add layers of friction. Automation allows you to deliver fast "yes/no/how" answers, making it easier to get the right third parties in the door and to ensure risky ones are on your radar.

    Key Takeaway

    Automating intake and triage ensures that TPRM starts at the right moment, with the right information, and with the right level of scrutiny. It protects your organization while speeding up business decisions.

    Author Bio

    Heather Kadavy, Senior Membership Success Coordinator

    Heather Kadavy joined the Third Party Risk Association (TPRA) in 2023 as the Senior Membership Success Coordinator. In recent years Heather has been providing freelance TPRM consulting work to various organizations after retiring from a Nebraska financial institution after nearly 35 years, where she oversaw and managed critical programs of the organization including Third Party Risk Management, Information Security, Physical Security, Safety, Business Recovery, Financial Crimes, Model Risk Management, and Enterprise Risk Management. In her TPRM role she had oversight of over a thousand third party relationships, systems, due diligence reviews and contract management activities. She developed, facilitated, and implemented training programs for thousands of employees over the years. Heather is a natural born connector of people and values relationship building as the cornerstone of her career. She encourages you to connect with TPRA and herself via LinkedIn to join in the "TPRM Global Conversation".

  • Why Should You Automate Sanctions and Watchlist Monitoring?

    If a third party, or their key executives, were added to a sanctions list tomorrow, how quickly would you know? If your answer includes words like "manual process," "periodic check," or "we probably wouldn't," you're not alone. But in today's geopolitical climate, real-time sanctions and watchlist screening isn't a nice-to-have, it's a regulatory and reputational must-have. And thankfully, it's one of the most automation-ready functions in your Third Party Risk Management (TPRM) toolbox.

    The Growing Sanctions Landscape

    Governments and global bodies update sanctions and enforcement lists frequently, sometimes daily. These include:

    - OFAC (U.S. Treasury Department)
    - EU & UK Sanctions Lists
    - UN Sanctions List
    - State-level or regional enforcement databases

    But what can happen if you are not actively and continually ensuring your third parties, or their executives, are not on a sanctions list? Inaction or delayed detection can result in:

    - Civil or criminal penalties
    - Loss of government contracts
    - Reputational harm and media exposure
    - Regulatory investigations for due diligence failures

    This isn't theoretical. There are documented cases of companies continuing to work with blacklisted entities because the list was checked "once, at onboarding."

    Where Automation Fits In

    Automated screening ensures you aren't relying on point-in-time checks or someone's memory to flag a critical compliance issue. Here's how it works:

    1. Continuous Third Party Monitoring

    - Third parties are screened continuously against real-time or nightly updated watchlists
    - If a match is found, it automatically triggers alerts and escalations

    Tool Tip: Many due diligence and TPRM platforms integrate with data providers like Dow Jones, Refinitiv, World-Check, or LexisNexis for live list monitoring.

    2. Executive & Beneficial Ownership Checks

    Automation isn't just about third party names.
    - It also scans key individuals tied to the third party (owners, board members, executives) for matches

    Tool Tip: Use enhanced due diligence services or APIs that enrich third party profiles with corporate family trees and UBOs (ultimate beneficial owners).

    3. Auto-Flagging and Escalation Workflows

    - Matched entries can be routed to TPRM or compliance teams for review
    - You can configure risk scores to increase automatically or trigger an urgent reassessment if a third party is flagged

    Tool Tip: Use case management tools to document investigation steps, outcomes, and decisions for audit-readiness.

    Real-World Example: Catching a Sanctions Match Before It Went Public

    A pharmaceutical company's TPRM team was using automated sanctions monitoring tied to their third party master file. When a supplier's parent company was added to the OFAC list, the system flagged the match immediately, even though the supplier's name hadn't changed.

    "If we had waited for the quarterly vendor review, we would've missed it, and been in violation," said their Director of Compliance.

    They paused all spend, conducted a rapid risk and legal review, and replaced the third party, all documented through an automated case workflow.

    What to Monitor Automatically

    Here's what should be in your automation scope:

    Data Type | Example
    Vendor Name | Acme Global Services LLC
    Parent / Subsidiary Orgs | Acme Holdings Inc.
    Ultimate Beneficial Owners | John Doe, 51% Stake
    Key Contacts/Executives | Jane Smith, CFO
    Country of Registration | Vendors in embargoed nations

    How to Get Started

    You don't need a complex setup. Start with:

    - Free tools: OFAC's online SDN check tool or the World Bank debarred list
    - Subscription databases: World-Check, Refinitiv, LexisNexis, or Sayari
    - API integration: Tie real-time alerts into your TPRM platform or workflow engine (Zapier, Workato, etc.)

    Key Takeaways

    - Sanctions and watchlist screening shouldn't be a "once and done" task.
    - Automation helps you stay in compliance without increasing manual workload.
    - Screening third parties and their principals continuously is essential for managing modern regulatory risk.
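    The monitoring scope above (vendor name, parent organizations, UBOs, executives, country of registration) as an added Python example; this is not TPRA's code nor any listed provider's API. The watchlist entries, the embargo set, the vendor record and the 0.8 match threshold are all constructed for the example.

```python
"""Watchlist screening across a third party's full profile, with re-screening
that alerts only on new matches (added example, not TPRA or vendor code).

Watchlist, embargo set and vendor record below are constructed; a real run
would refresh them from OFAC/EU/UN feeds on each nightly cycle.
"""
import re
from dataclasses import dataclass, field

# Corporate suffixes dropped before comparison so "Acme Holdings Inc." and
# "ACME HOLDINGS, INC." compare equal.
CORP_SUFFIXES = {"llc", "inc", "ltd", "corp", "co", "plc", "gmbh", "limited", "incorporated"}
MATCH_THRESHOLD = 0.8   # assumed; tune against your false-positive tolerance


def normalize(name: str) -> tuple:
    """Lowercase, strip punctuation and corporate suffixes -> tuple of tokens."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return tuple(t for t in tokens if t not in CORP_SUFFIXES)


def similarity(a: tuple, b: tuple) -> float:
    """Jaccard similarity of token sets (order-insensitive, so 'Doe, John' == 'John Doe')."""
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb) if (sa | sb) else 0.0


@dataclass
class WatchlistEntry:
    name: str
    source: str        # e.g. "OFAC SDN", "EU consolidated"
    entry_type: str    # "entity" or "individual"


@dataclass
class Profile:
    vendor_name: str
    parents: list = field(default_factory=list)      # parent / subsidiary orgs
    ubos: list = field(default_factory=list)         # ultimate beneficial owners
    executives: list = field(default_factory=list)   # key contacts / executives
    country: str = ""                                # country of registration


@dataclass(frozen=True)
class Hit:
    field_name: str
    subject: str
    matched: str
    source: str
    score: float


def screen(profile: Profile, watchlist: list, embargoed: set,
           threshold: float = MATCH_THRESHOLD) -> list:
    """Compare every name on the profile against every list entry; check the country too."""
    subjects = [("vendor_name", profile.vendor_name)]
    subjects += [("parent", p) for p in profile.parents]
    subjects += [("ubo", u) for u in profile.ubos]
    subjects += [("executive", e) for e in profile.executives]
    hits = []
    for field_name, subject in subjects:
        ns = normalize(subject)
        for entry in watchlist:
            score = similarity(ns, normalize(entry.name))
            if score >= threshold:
                hits.append(Hit(field_name, subject, entry.name, entry.source, round(score, 2)))
    if profile.country.strip().lower() in {c.lower() for c in embargoed}:
        hits.append(Hit("country", profile.country, profile.country, "embargo list", 1.0))
    return hits


def new_hits(previous: list, current: list) -> list:
    """Continuous monitoring: surface only matches absent from the last run."""
    seen = {(h.field_name, h.subject, h.matched, h.source) for h in previous}
    return [h for h in current if (h.field_name, h.subject, h.matched, h.source) not in seen]


def escalate(hits: list) -> dict:
    """Route per the post: any hit opens a case; entity or country hits are urgent."""
    if not hits:
        return {"action": "none", "priority": None, "hits": 0}
    urgent = any(h.field_name in {"vendor_name", "parent", "country"} for h in hits)
    return {"action": "open_case", "priority": "urgent" if urgent else "high", "hits": len(hits)}


# Constructed sample data mirroring the post's table.
WATCHLIST = [
    WatchlistEntry("ACME HOLDINGS, INC.", "OFAC SDN (constructed)", "entity"),
    WatchlistEntry("Doe, John", "EU consolidated (constructed)", "individual"),
]
EMBARGOED = {"Examplestan"}   # placeholder country name
VENDOR = Profile("Acme Global Services LLC", parents=["Acme Holdings Inc."],
                 ubos=["John Doe"], executives=["Jane Smith"], country="Exampleland")

if __name__ == "__main__":
    hits = screen(VENDOR, WATCHLIST, EMBARGOED)
    for h in hits:
        print(f"{h.field_name}: '{h.subject}' ~ '{h.matched}' [{h.source}] score={h.score}")
    print(escalate(hits))
    print("new on re-screen:", len(new_hits(hits, screen(VENDOR, WATCHLIST, EMBARGOED))))
```

    Note that the supplier's own name never matches here; the hit comes through the parent organization, which is exactly the case the pharmaceutical example above describes.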

  • Stop Chasing, Start Tracking: Automating Evidence & Audit Artifact Collection

    If you're still relying on spreadsheets, shared drives, or email threads to collect due diligence evidence from third parties, you're not alone. But you're also probably:

    - Spending too much time sending reminders
    - Missing key artifacts come audit season
    - Duplicating efforts across assessments
    - Struggling to prove historical compliance

    This is a ripe area for automation, one that can immediately ease TPRM fatigue and strengthen audit readiness.

    The Evidence Burden is Real

    In today's TPRM environment, third parties are expected to provide dozens of artifacts, often across multiple frameworks or request types:

    - SOC 2 or ISO 27001 reports
    - Cybersecurity policies & control assessments
    - Insurance certificates
    - Penetration test summaries
    - Business continuity plans
    - Signed attestations

    It's a lot, and it's often scattered. Multiply that by 50, 200, or 1,000 vendors, and suddenly your risk team is a full-time document chaser.

    The Automation Opportunity

    Here's how automation can modernize your evidence collection process, reduce back-and-forth, and give you better visibility into what's complete and what's missing.

    1. Auto-Send Evidence Requests on Schedule or Trigger

    Set your TPRM application to automatically send evidence requests based on:

    - Vendor onboarding
    - Contract renewal dates
    - Annual or semi-annual reassessment cycles
    - Triggered events (e.g., scope changes or security alerts)

    Tool Tip: TPRM platforms like Mirato, ProcessUnity, or Aravo can generate evidence requests tied to vendor risk tier and lifecycle stage.

    2. Use Pre-Built Templates and Smart Forms

    - Build or reuse standardized templates by risk type or assessment purpose (e.g., privacy, InfoSec, ESG)
    - Use dynamic forms that adjust based on vendor responses to avoid over-requesting

    Tool Tip: Tools like OneTrust or Venminder, an Ncontracts Company, enable conditional logic in assessments to streamline collection.
    3. Centralize and Auto-Categorize Submissions

    - Route uploaded documents directly into the correct vendor profile and artifact folder
    - Use metadata to label evidence by type (e.g., SOC 2, PCI cert), date, and expiration

    Tool Tip: Integrate SharePoint, Google Drive, or your TPRM platform's document library with automation tags for search and retrieval.

    4. Track Expirations and Send Auto-Reminders

    - Set calendar-based reminders before a certificate or report expires
    - Automatically notify both internal stakeholders and vendor points of contact (POCs)

    Tool Tip: Use Power Automate, Zapier, or ServiceNow to flag expiring evidence and send personalized nudge emails.

    5. Map Evidence to Controls or Frameworks

    - Auto-tag evidence to align with relevant controls (e.g., NIST CSF, ISO 27001, CAIQ)
    - Allow auditors or regulators to view which evidence supports each control

    Tool Tip: Use tools with compliance mapping capabilities like AuditBoard, LogicGate, or TrustCloud.

    Real-World Example: How a Mid-Sized Bank Reduced Audit Chaos

    A regional bank with over 350 vendors had been relying on Excel trackers and shared folders to manage third party evidence. Every audit cycle brought panic, re-requests, and unclear ownership. They introduced automated workflows that:

    - Sent initial evidence requests 90 days before renewal
    - Tracked which vendors responded and what was missing
    - Auto-tagged files by control area
    - Alerted internal teams if a document was expired or missing

    Result:

    - 85% reduction in last-minute evidence scramble
    - 100% audit-ready vendor files
    - 50+ hours saved per quarter

    Getting Started with Evidence Automation

    You don't need a full GRC overhaul to get going. Start small with:

    - Standardized email templates for reminders
    - A centralized intake form for vendors to upload files
    - A shared dashboard to track evidence status by vendor or category

    Then build toward automation and integration with your TPRM, GRC, or document management tools.

    Pro Tip: Ask for Evidence Once. Use It Many Times.

    Good automation also means good reuse. Store and tag documents so you're not asking for the same SOC report for every new engagement.

    Key Takeaway

    Chasing down evidence is not a good use of your team's time, or the vendor's. Automating the collection, tracking, and expiration process saves effort, reduces errors, and strengthens your TPRM program's credibility.

  • Budgeting for Third Party Risk Management (TPRM) 

    This blog was inspired by the presentation by Julie Gaiaschi, CEO & Co-Founder of TPRA, at TPRA's September 2024 Practitioner Member Meeting. (To watch the full presentation, TPRA Members can visit our On-Demand Webinars page and navigate to the September 2024 meeting recording.)

    In Third Party Risk Management (TPRM), establishing a thorough and well-structured budget allows teams not only to support their program's current needs but also to plan for future maturity efforts. A budget can also show the value TPRM brings to your organization. This is important because it allows executives to understand what you are doing, where you plan on going, and the return on investment (ROI) when you get there. So, how do you go about developing a strategic TPRM budget?

    In this blog, we will cover:

    - Demonstrating Your TPRM Program's Value
    - Key Budget Considerations
      - Resources
      - Operations
      - Travel
      - Program Maturity
      - Tools
    - Sample Budget Format

    Demonstrating Value

    It is important to first demonstrate the value of your TPRM program to executives. There are many ways to demonstrate the value of your program and team in order to receive executive support on the TPRM budget. This ensures they understand the program's importance and the return on investment the organization receives from funding the TPRM program.

    To start, articulate the value of mitigating third party risks, such as protecting sensitive data, ensuring operational resilience, and minimizing financial and reputational impact. Then, tie in how the TPRM budget aligns with the organization's strategic goals, like reducing risk exposure, ensuring compliance, and maintaining business continuity. It is important to share how the TPRM budget aligns with the organization's goals, to ensure buy-in and support. Note that TPRM is not confined to one department's activity; it is an organization-wide activity and everyone's responsibility.
    Next, show how the budget is allocated based on the level of risk posed by different third party relationships. High-risk vendors (e.g., those with access to sensitive data or critical systems) may require more scrutiny and more investment. You will also want to discuss the evolving risk environment, including cybersecurity threats, regulatory changes, and geopolitical factors, as well as how this influences the allocation of resources in the TPRM budget. Another aspect to highlight is the potential financial consequences of failing to manage third party risks, such as regulatory fines, penalties, or breach-related costs. You can include considerations for the costs associated with responding to third party-related incidents, such as legal fees, forensic investigations, and customer notification processes. If incident response costs are included in a different budget outside of TPRM, then note that, as incident response is a big piece of managing risks.

    You may also want to provide benchmarking data to show how the organization's TPRM budget compares to industry peers. This can justify the budget request and demonstrate that the organization is staying competitive in its risk management approach.

    Lastly, discuss how the budget reflects the organization's risk appetite and tolerance. Highlight the balance between cost and the need for adequate risk mitigation measures to protect the organization from potential third party-related failures. Be sure to provide examples of how the organization can optimize costs by focusing on the most critical third party risks and leveraging tools to reduce manual workload.

    Key Budget Considerations

    After you've demonstrated your program's value to the organization, it's now time to create your formal TPRM budget. Items to consider include, but are not limited to:

    Resources are centered around current and future employees, or contractors, as well as the costs associated with training them.
    You may also want to note if pieces/parts of the program will be allocated to other departments (which should also have a budget for risk assessment activities), as well as the cost savings associated with the allocation for your department.

    Operations include costs associated with daily tasks and running the TPRM program (such as variable and fixed costs). This also includes costs associated with regulatory compliance and incident response.

    Travel can include costs associated with onsite visits, disaster recovery testing, disengaging with a third party, and other travel required. Travel costs can also include responding to incidents with in-person meetings.

    Program Maturity includes costs associated with the TPRM program enhancements required, and what is needed to get there. Program maturity is important because while your budget says what you want to do, program maturity can show your executives where you are headed. You can note what process enhancements you are looking to make and how those enhancements will improve your program.

    Tools include budgeting for TPRM program automation. You can also estimate the cost savings a tool (or tools) will bring to your organization. Specific tool types you will want to consider include, but are not limited to, Governance Risk Compliance (GRC) tools, TPRM platforms, Risk Rating/Risk Intelligence tools, and TPRM services (such as consultants).

    Sample Budget Format

    Your budget should detail the value your TPRM program brings to the organization, the return on investment, and the enhancements you wish to make to continuously improve program activities. Below is an example budget format that can be leveraged.

    Executive Summary: Briefly explain the purpose of the TPRM budget, aligning it with the organization's strategic goals and objectives. This should highlight why TPRM is essential to mitigating risks and ensuring compliance.
    Value of TPRM to the Organization: Here is where you can explain how the TPRM program aligns with and supports key business objectives, such as safeguarding the organization's reputation, maintaining compliance with regulations, and protecting against supply chain disruptions.

    Cost Avoidance: Provide examples of how TPRM has helped avoid costly incidents, such as data breaches, regulatory fines, or business disruptions. This can be a bit harder to identify or call out, but it does paint a clearer picture for the board and executives.

    Operational Resilience: Highlight how the program ensures the stability of operations, particularly in managing critical vendors.

    Return on Investment: Share how the TPRM program is providing value to the organization by comparing the cost of managing third party risk to the potential financial damage avoided, similar to operational resilience.

    Budget Breakdown: Include a detailed breakdown of your budget, including any budget subcategories.

    Key Performance Indicators (KPIs) & Metrics: Lay out specific KPIs to measure the success of the TPRM program and the effectiveness of the budgeted items. Include metrics that show how the program is reducing risk exposure, such as lower incident rates, reduced financial impact from third party risks, or improved risk scores from third party risk management platforms.

    Risk Assessment & Mitigation: Note potential risks to the TPRM program itself, such as lack of resources or budget constraints, and how they will be mitigated. Clearly explain the risks of underfunding the TPRM program, such as increased vulnerability to cyberattacks, compliance failures, or vendor disruptions.

    Multi-Year Budget Forecast: Highlight potential areas for future investment, such as automation, artificial intelligence, or additional personnel to manage an increasing number of third party relationships.

    Conclusion: Reinforce the critical role of TPRM in protecting the organization and mitigating vendor risks. Provide a clear and concise summary of the budget request, linking back to the strategic goals and value brought by the program. Then, ask for approval of the budget and support for any key investments highlighted in the report.

    Conclusion

    A well-crafted TPRM budget not only justifies the costs associated with managing third party risks, but also positions your program as a strategic asset to the organization. By clearly demonstrating how the budget supports business objectives, mitigates risks, and provides a solid ROI, you create a compelling case for continued and increased support. The insights and structure provided ensure that executives understand the critical role TPRM plays in protecting the organization, thereby making it easier to secure the resources needed for long-term success.

    Additional Resources TPRA Offers

    - TPRM 101 Guidebook
    - TPRM Tools Site
    - Service Provider Profiles

    Resources TPRA Offers to Members

    - Request for Proposal (RFP) Site
    - The Business Case for Third Party Risk Management (TPRM): A Starting Point for Senior Leadership

  • Making the Business Case: Presenting Your TPRM Budget to the C-Suite

    You've built the framework. Defined the roadmap. Clarified the policies, procedures, and objectives. Now, the spotlight is on the final act before execution: the Budget.

    Presenting a Third Party Risk Management (TPRM) budget isn't just a numbers game, it's a strategic dialogue with your C-suite. Each leader sees risk through a different lens. Your job is to make sure TPRM isn't seen as a cost center, but as a business-critical function that protects brand value, operational continuity, and long-term growth.

    When you step into the room, or join the Zoom, come prepared not only with accurate data, but also with a tailored approach that speaks each executive's language when presenting your TPRM budget proposal.

    Below is a sample budget submission for a Third Party Risk Management (TPRM) program using estimated figures for a mid-sized organization with around 1000 third parties, 20% of which are high or critical risk. This submission can be tailored for formal budget meetings, especially when speaking to a C-suite audience.

    Sample Budget Example: TPRM Budget Submission: FY2026

    Prepared by: TPRM Program Office/Officer
    Submitted to: Executive Leadership Team (CEO, CFO, CRO, CIO, COO, & CMO)
    Date: June 6, 2025
    Program Scope: Covers third party onboarding, due diligence, ongoing monitoring, issue remediation, and exit/termination processes across 1000 third parties.

    Executive Summary

    This budget supports the implementation and maturity growth of our Third Party Risk Management (TPRM) program. It is designed to mitigate increasing third party risk exposure while enabling operational efficiency, regulatory alignment, and long-term resilience. After aligning our budget with peer business units (e.g. IT, Procurement, etc.) to ensure no overlap, we are requesting $1,240,000 in total TPRM program funding for FY2026, broken into the categories below.
    TPRM Budget Breakdown

    Category | Detail | Estimated Cost (USD)
    Personnel | 3 FTEs (Manager, Analyst, Coordinator) + 1 contract assessor | $450,000
    Automation/Tools | TPRM automation platform (e.g. onboarding, workflow, risk rating, etc.) | $225,000
    Training & Certification | 3 staff attending TPRM conference & obtaining or maintaining certifications | $15,000
    Consulting Services | External maturity model assessment and roadmap facilitation | $50,000
    Operations | Supplies, licenses, report, software, translation of vendor assessments | $10,000
    Travel | Site visits to top 10 critical third parties | $20,000
    Risk Monitoring Services | Third party financial, cyber, ESG monitoring subscriptions | $150,000
    Contingency Reserve | For incident response or unplanned third-party reviews | $50,000
    Program Development | Internal awareness campaigns, playbook updates, policy refresh | $25,000
    Total | | $1,240,000

    Maturity Model Alignment

    This budget enables us to progress from TPRM Level 2 "Defined" to TPRM Level 3 "Integrated" maturity in the next 12 months. We will formalize our processes, integrate toolsets, and implement real-time monitoring with key risk indicators.

    Supporting Attachments [Exhibits A-E]

    - Risk Appetite & Control Gap Analysis
    - Financial Risk Avoidance Estimator
    - Industry Peer Benchmarking
    - Sample ROI from Process Automation
    - 5-Year Third Party Incident Tracker (Regulatory + Financial Impact)

    TPRM to Corporate Alignment

    This budget aligns to each of our organization's six corporate goals:

    - Strategic Enablement
    - Risk Avoidance ROI
    - Risk Appetite Alignment
    - Efficiency Gains
    - Cyber & Operational Resilience
    - Brand Protection & ESG

    As CEO, I recognize one of your primary goals is Strategic Enablement:

    - Supporting secure scaling of partnerships, M&A, and outsourcing
    - Demonstrating proactive governance and leadership integrity

    "As such, here is how TPRM aligns with our enterprise strategy and growth trajectory."
    Every initiative in this budget supports not just compliance, but resilience and reputation. If we want to expand into new markets, partner with innovative vendors, and build customer trust, we must ensure that our third parties don't introduce vulnerabilities. This budget enables proactive oversight that protects our ability to scale with confidence.

    As CFO, I recognize one of your primary goals is Risk Avoidance ROI:

    - Helping to avoid regulatory fines averaging $1.4M per incident (source: IBM/Ponemon)
    - Automating savings of ~$100K/year in reduced manual review hours

    "So, let's talk about cost avoidance and value protection."

    TPRM doesn't generate revenue, but it shields it. Consider the financial impact of a third party data breach, regulatory fine, or supply chain disruption. We've included an incident impact analysis and a financial risk mitigation model. Tools like automation platforms may have upfront costs, but they reduce FTE hours and shorten due diligence cycles, providing long-term savings. This budget protects the bottom line.

    As CRO, I recognize one of your primary goals is Risk Appetite Alignment:

    - Providing real-time risk visibility across 1,000 vendors
    - Improving response time to regulatory inquiries and audit findings

    "As such, this is risk management at scale."

    Our roadmap supports maturing the program to keep pace with emerging risks: cybersecurity, ESG, concentration, and geopolitical instability. With this budget, we gain visibility across the supply chain, build consistency in due diligence, and drive risk-informed decision making across the enterprise. Risk appetite isn't just a principle, it's operationalized here.

    As COO, I recognize one of your primary goals is Efficiency Gains:

    - Accelerating vendor onboarding timelines by ~30%
    - Reducing disruptions due to unknown vendor risks

    "As such, the TPRM budget plan enables operational efficiency and reduces friction."
    Every tool and resource in this plan contributes to smoother onboarding, faster assessments, and fewer surprises post-contract. We've mapped resources to real operational demand, based on our third party portfolio's inherent risk tiers. With the right investment, we reduce bottlenecks and improve our vendor lifecycle management without overburdening your teams.

    As CIO, I recognize one of your primary goals is Cyber & Operational Resilience:

    - Detecting risk in data access and system integrations pre-contract
    - Supporting zero-trust third party architecture

    "This budget strengthens our IT risk posture through third party visibility and integration support."

    In today's interconnected ecosystem, our third parties don't just support the business, they connect to our systems, access sensitive data, and influence our security perimeter. This budget funds the tools and intelligence we need to proactively assess those relationships before they pose a risk. Specifically, it supports:

    - A TPRM platform that integrates with ITSM and procurement tools for seamless intake and tracking
    - Ongoing cyber risk monitoring of vendors handling sensitive data or system access
    - Risk scoring tied to our internal architecture and controls, improving alignment with zero-trust and defense-in-depth strategies

    By investing here, we're ensuring that third party risks don't undermine the protections we've worked so hard to build internally. It's not just about compliance, it's about maintaining system integrity, business continuity, and trust in our infrastructure.

    We're already seeing regulatory expectations shift toward shared accountability in third party breaches. This budget helps us stay ahead of those trends, and aligned with frameworks like NIST, ISO 27001, and the updated SEC guidance.
    As CMO, I recognize one of your primary goals is Brand Protection & ESG:

    - Assessing vendors for reputational risk, DEI, and ESG performance
    - Avoiding headline risk from third party failures

    "We know that brand trust is built on vendor integrity."

    In a world where consumers and regulators scrutinize supply chains, a single third party misstep can create reputational headlines. Our TPRM budget supports robust assessments of vendors that touch customer data, brand experience, or ESG commitments. This is not only a risk measure, it's a marketing safeguard.

    Overall

    What's included in this Budget (and Why It Matters):

    - Resources: We've forecasted FTE and contractor needs to meet expected assessment volumes and maintain SLA targets.
    - Operations: This includes daily workflow support and practical tools to run an efficient program.
    - Training & Travel: To keep our team skilled and informed, and to support onsite reviews for critical third parties.
    - Maturity Investments: We've aligned our asks to our current maturity level and the next step in our TPRM evolution.
    - Technology: We've assessed ROI for tools that reduce manual workloads and drive consistency.

    We've also included benchmarking against peer organizations and a review of industry incidents and fines over the last five years to contextualize our ask. This isn't "nice to have." This is "mission critical."

    Bottom Line:

    This is a proactive investment in resilience. It's a shield for our brand, a hedge against regulatory and operational exposure, and a step toward a smarter, more scalable enterprise. I'm not just asking for budget, I'm asking for buy-in to protect what we're building, the way we build it, and deliver it.

  • Tiering Third Parties & Triggering Enhanced Due Diligence

    If you’re sending the same full-blown risk assessment to every third party, whether they host sensitive data or simply mow your corporate lawn, it’s time for smarter automation.

    Third party tiering isn’t just a best practice, it’s a necessity. But too often it’s handled manually or inconsistently, leading to:

    - Wasted time on low-risk third parties
    - Insufficient scrutiny of high-risk partners
    - Frustration from internal teams and third parties alike

    With automation, you can streamline how third parties are tiered, when they’re reassessed (i.e., their assessment cycle time), and whether they trigger enhanced due diligence, all without adding manual work.

    Why Tiering Matters

    Third party tiering (or risk segmentation) helps you:

    - Prioritize time and resources
    - Tailor assessments based on risk
    - Justify lighter-touch reviews when appropriate
    - Align to internal policies and regulatory expectations

    But the old way of doing it, with manual scoring, spreadsheet-based tiers, and ad hoc judgment, doesn’t scale.

    How Automation Improves Vendor Tiering & EDD

    Let’s break this down into two key functions that benefit from automation:

    1. Automated Vendor Tiering

    Start by automatically assigning third parties to tiers based on logic built into your intake or inherent risk assessment process. Common inputs include:

    - Type and amount of data accessed (e.g., PII, PHI, cardholder data)
    - Whether the third party will access your organization's internal network, and which environment (e.g., VPN, production environment)
    - Geographic presence or location of services
    - Regulatory exposure (e.g., HIPAA, GDPR)
    - Criticality to business operations

    Tool Tip: Use intake forms or TPRM platforms that include conditional logic. Based on answers, third parties are automatically placed into Tier 1 (High), Tier 2 (Moderate), or Tier 3 (Low/Non-Critical).

    Example Automation: Business Owner selects “Yes” to the third party accessing customer PII → Platform sets them as Tier 1 → Full information security risk assessment initiated automatically.

    2. Triggering Enhanced Due Diligence (EDD)

    Once a third party is tiered, you can then set triggers to launch deeper reviews on a regular cadence, as well as if/when something changes. EDD may include:

    - Expanded assessments
    - Onsite or virtual visits
    - Background checks on executives
    - Penetration testing evidence
    - Financial statement reviews
    - Crisis response documentation (e.g., BCP/DR tests)

    Trigger conditions could include, but are not limited to:

    - A risk score threshold is exceeded
    - The third party is acquired by another organization and there is a change in leadership
    - The third party will now host data offshore
    - A contract change increases data access
    - Negative media or litigation is detected

    Tool Tip: Connect monitoring platforms (BitSight, Security Scorecard, RiskRecon, Sayari) to your TPRM system to ensure events auto-trigger reassessment workflows.

    Real-World Example: How a Tech Company Reduced Third Party Assessment Volume by 40%

    A SaaS firm supporting fintech clients struggled with over-assessing third parties. Everyone received the same 200-question InfoSec review, whether they hosted client data or just helped with branding. The organization decided to implement an automated tiering engine using a simple logic tree:

    - Tier 1: Hosts client data or business-critical systems → full TPRA Information Security Questionnaire + SOC 2
    - Tier 2: Indirectly supports regulated operations → limited questionnaire
    - Tier 3: No data access, non-critical → no further review

    When a Tier 2 vendor’s risk rating system score dipped significantly, the system triggered an EDD workflow with an escalated assessment.

    Results after 6 months:

    - 40% fewer full assessments
    - Average assessment cycle time dropped 30%
    - Fewer third party complaints about irrelevant or overbearing reviews

    What to Include in an Automated Tiering Framework

    The TPRA community has created a free inherent risk questionnaire that can be leveraged within an automated tiering framework. If you are a TPRA member, you can obtain the inherent risk questionnaire template here.

    Getting Started

    You don’t need to go from 0 to full automation in one step. Start with:

    - A basic inherent risk assessment that captures core risk drivers
    - A rules-based tiering system in Excel, Power Automate, or your TPRM tool
    - Clear definitions for Tier 1, 2, and 3, and what EDD should be performed for each tier
    - Additional triggers for EDD (e.g., change in data access or poor cyber score)

    Pro Tip: Automation Doesn’t Mean “Set and Forget”

    You still need risk oversight. Automation just ensures your attention is focused on the third parties who need it most, when they need it most.

    Key Takeaways

    - Treating all third parties the same is inefficient and risky
    - Automated tiering reduces noise and sharpens focus
    - Enhanced due diligence should be triggered by real risk, not just policies
    - You can implement this in phases with existing tools

    Author Bio: Heather Kadavy, Senior Membership Success Coordinator, Third Party Risk Association (TPRA)
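The tiering logic tree and EDD triggers described in the post above, implemented as a small rules engine. This is an added example, not the TPRA questionnaire template or any TPRM platform's code; the field names, the 0-100 cyber score scale, the 70-point threshold, the event labels and the reassessment cadences are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Assumed inputs and thresholds for this illustration; adjust to your own policy.
REGULATED_DATA = {"PII", "PHI", "cardholder"}      # any of these forces Tier 1
EDD_SCORE_THRESHOLD = 70                           # cyber score below this triggers EDD
REASSESS_MONTHS = {1: 12, 2: 24, 3: 36}            # assessment cycle time per tier
EDD_EVENTS = {"acquired", "offshore_data", "contract_data_access_increase", "negative_media"}

@dataclass
class ThirdParty:
    name: str
    data_types: Set[str] = field(default_factory=set)   # data classes accessed, e.g. {"PII"}
    hosts_client_data: bool = False
    business_critical: bool = False
    supports_regulated_ops: bool = False               # indirect support of regulated operations
    network_access: Optional[str] = None               # e.g. "VPN" or "production"
    cyber_score: int = 100                             # monitoring-platform rating, 0-100 assumed

def assign_tier(tp: ThirdParty) -> int:
    """Logic tree from the post: Tier 1 hosts client or regulated data, is business-critical or
    reaches production; Tier 2 indirectly supports regulated operations or has any network
    access; Tier 3 has no data access and is non-critical."""
    if (tp.hosts_client_data or tp.business_critical
            or tp.data_types & REGULATED_DATA or tp.network_access == "production"):
        return 1
    if tp.supports_regulated_ops or tp.network_access is not None:
        return 2
    return 3

def required_review(tier: int) -> str:
    """Assessment scope attached to each tier."""
    return {1: "full information security questionnaire + SOC 2",
            2: "limited questionnaire",
            3: "no further review"}[tier]

def edd_triggers(tp: ThirdParty, events: List[str]) -> List[str]:
    """Return every reason enhanced due diligence should launch; an empty list means none.
    `events` are change or monitoring events for this third party (constructed labels here)."""
    reasons = []
    if tp.cyber_score < EDD_SCORE_THRESHOLD:
        reasons.append(f"cyber score {tp.cyber_score} below threshold {EDD_SCORE_THRESHOLD}")
    reasons.extend(ev for ev in events if ev in EDD_EVENTS)   # unknown events are ignored
    return reasons

if __name__ == "__main__":
    # Constructed sample intake records, not real vendors.
    for tp, events in [(ThirdParty("payments-saas", data_types={"PII"}, hosts_client_data=True), []),
                       (ThirdParty("ticketing", supports_regulated_ops=True, cyber_score=60), ["acquired"]),
                       (ThirdParty("branding-agency"), ["negative_media"])]:
        tier = assign_tier(tp)
        print(tp.name, "-> Tier", tier, "|", required_review(tier), "| reassess every",
              REASSESS_MONTHS[tier], "months | EDD:", edd_triggers(tp, events) or "none")
```

Note that a Tier 3 third party still lands in EDD when a trigger event such as negative media arrives, which matches the post's point that EDD should follow real risk rather than tier alone.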

  • TPRM: Establishing Accountability at All Levels of the Organization

    Third-party risk management (TPRM) primarily aims to safeguard the organization and its customers from potential threats, including data breaches, service interruptions, and hefty regulatory fines, particularly in heavily regulated industries. While the principles of TPRM may seem simple, putting them into action can be quite intricate, requiring a web of interconnected and sometimes complex processes and tasks. However, even the most well-crafted TPRM framework can fall flat without a strong foundation of accountability. Without accountability, the consequences can be severe, leading to increased risk exposure, regulatory non-compliance, and potential damage to the organization's reputation. Simply put, accountability is the backbone of effective TPRM; it ensures that responsibilities are clearly defined and distributed among stakeholders, with everyone playing a vital role in managing risks.

    To ensure effective accountability, many organizations utilize the Three Lines of Defense model established by the Institute of Internal Auditors (IIA) in 2013. This model delineates the roles in risk management:

    - Operational Management as the first line of defense.
    - Risk Management and Compliance as the second line.
    - Internal Audit, which provides independent assurance, as the third line.

    This framework clarifies responsibilities and enhances risk management effectiveness, making it ideal for establishing accountability in TPRM. Now, let's explore each of the three lines and their roles in TPRM.

    First Line of Defense: The frontline employees who directly handle and manage the products or services provided by third-party vendors and service providers. Their primary TPRM responsibilities include identifying and managing risks associated with third-party offerings, such as data security breaches, service interruptions, and regulatory non-compliance. They are also responsible for setting service level agreements (SLAs) and monitoring and managing third-party performance. They are also typically responsible for completing inherent risk assessments and are crucial in establishing exit strategies for high-risk and critical third parties should they need to end the relationship.

    Second Line of Defense: This group includes dedicated third-party risk management teams, the enterprise risk team, and subject matter experts from compliance, legal, finance, information security, business continuity, and more. They establish the policies, frameworks, and tools necessary for effective vendor risk management while monitoring first-line activities to ensure consistency and quality in risk measurement and management.

    Third Line of Defense: An independent assurance function, often comprised of internal auditors who assess and monitor the overall effectiveness of third-party risk management activities. Their role is crucial in providing an unbiased evaluation of the TPRM process. They evaluate the effectiveness of risk management frameworks, the quality of the risk management work, and compliance with all laws and regulations. They report any gaps or weaknesses to the board of directors and senior management and provide recommendations for improvement. Regular audits of the TPRM framework and processes are a necessary part of a healthy TPRM function.

    The Board of Directors and Senior Management: When it comes to managing third-party risks, each line of defense plays a crucial role in keeping accountability in check. However, the ultimate responsibility for making sure these defenses work effectively falls on the board of directors and senior management. They’re the ones who define the company’s appetite for risk around third parties and shape the governance strategies that guide the organization. The board and executive team must be engaged to effectively manage third-party risks. This means not just approving risk management policies but also setting a strong ‘tone from the top’ that highlights the importance of TPRM at the organization. The board should also review any issues arising from critical third parties, review independent risk assessments, and allocate sufficient resources for effective third-party risk management. By integrating these considerations into the company’s broader strategies and decision-making, they can ensure that third-party risks are addressed proactively and effectively.

    Whether your organization adopts the three lines of defense strategy or chooses a different structure, one thing is clear: accountability at all levels of the organization is essential for effective third-party risk management (TPRM). When everyone, from frontline employees to executives, understands their roles and responsibilities, it creates a solid foundation for managing the risks associated with using third-party products and services. This clarity not only aids in identifying and mitigating third-party issues but also fosters a culture of collaboration and vigilance, empowering everyone to contribute to safeguarding against third-party risks.

    Author Bio

    Hilary Jewhurst, Sr. Membership & Education Coordinator at TPRA

    Hilary Jewhurst is a seasoned expert in third-party risk and risk operations, with nearly two decades of experience across financial services, fintech, and the nonprofit sector. She has built and scaled third-party risk programs from the ground up, designed enterprise-wide training initiatives, and developed widely respected content that helps organizations navigate regulatory complexity with clarity and confidence. Known for turning insight into action, Hilary’s thought leadership and educational work have become go-to resources for professionals looking to mature their TPRM programs. She regularly publishes articles, frameworks, and practical guides that break down complicated risk topics into meaningful, accessible strategies. Hilary recently joined the Third-Party Risk Association (TPRA) as a staff member, supporting industry-wide education, peer learning, and advancing best practices. She is also the founder of TPRM Success, a boutique consultancy that helps organizations strengthen their third-party risk management capabilities through targeted training, tools, and strategic guidance.

  • The Business Case for Third Party Risk Management (TPRM): A Starting Point for Senior Leadership

    by Third Party Risk Association & Shared Assessments

    As part of our ongoing support to the large global community of third-party risk practitioners and programs, the Third Party Risk Association (TPRA) and Shared Assessments have together prepared The Business Case for Third Party Risk Management (TPRM): A Starting Point for Senior Leadership. At a time when many firms are planning and finalizing their annual budgets, our two organizations developed this basic guidance for senior executives and board members to encourage them either to launch new or to mature legacy third-party risk programs in the coming year.

    Working with hundreds of companies and thousands of risk professionals globally, our two membership organizations bring decades of collective experience with third-party risk management, including what regulators and clients routinely expect from such programs. We hope that our combined experience will help the vast and growing audience of TPRM professionals and programs gain or expand the leadership commitment and budgets they need to improve their ability to protect their firms, their clients, and the related assets they are working to safeguard.
