Blog Posts (40)
- Staying Afloat: The Importance of Proactive, Continuous Monitoring for Third-Party Risks
Most third-party risk management (TPRM) practitioners understand that managing risks associated with third parties can be like sailing a ship through sometimes dangerous waters. Just as a captain must chart a detailed course and remain alert to changing weather conditions, TPRM professionals need a straightforward strategy to navigate risks. They must continually identify, assess, and mitigate potential issues while watching the horizon for emerging storms that could threaten the organization or its customers.

Managing third-party risks is challenging because these risks evolve, much as ocean waves change in response to many factors. Effective TPRM requires proactive identification, management, and continuous monitoring of risks to keep the proverbial ship from sinking. Unfortunately, some organizations limit their risk monitoring to scheduled intervals, which undermines the goal of continuous oversight. Others take a more relaxed approach, assuming everything is fine until it isn't. Delaying monitoring until a third party faces a serious issue, such as a data breach or a significant decline in performance, puts your organization at a disadvantage. Addressing problems reactively usually leads to chaos and missed opportunities; it's like trying to repair your boat when it's already taking on water.

So, how can your organization stay safely afloat with proactive and effective continuous monitoring? Let's look at the essential activities within the third-party risk management lifecycle that lay the groundwork for continuous monitoring, and at some best practices to implement.

Foundations for effective continuous monitoring

The third-party risk management lifecycle is a blueprint for managing third-party risks effectively. Key activities in this lifecycle create a strong foundation for continuous monitoring.

Inherent risk assessments: Effective risk management begins with identifying risks. A thorough inherent risk assessment allows your organization to pinpoint and quantify the risks related to specific products, services, and third-party relationships. Understanding these risks, whether in cybersecurity, privacy, compliance, finance, or reputation, establishes a baseline for monitoring and for identifying new or emerging risks over time.

Due diligence: After identifying the risks, the next step is to assess how adequately the existing controls mitigate them. Experts in cybersecurity and compliance should review the vendor's documented controls to evaluate their effectiveness and identify any gaps that require additional attention.

Well-written contracts: Third-party contracts define the roles and responsibilities of both parties and set out the specific terms and conditions the third party must adhere to, including compliance with technical, security, financial, and regulatory standards, and service level agreements (SLAs).

Risk reassessment and periodic due diligence: Third-party risk is not a "set it and forget it" activity. Establish protocols for reassessing inherent risks and re-validating third-party controls: review the last inherent risk assessment to identify new or changing risks, and repeat due diligence by collecting up-to-date vendor documentation to re-verify their controls.

Best practices for continuous monitoring

While every organization is different, the following practices can make continuous monitoring more effective.

Use a risk-based approach. Not all third-party engagements carry the same level of risk, so monitoring strategies should be chosen based on the types and amounts of risk involved. Critical or high-risk relationships, such as cloud providers, require robust monitoring, while lower-risk providers, such as office supply vendors, need less scrutiny. A risk-based approach ensures resources are allocated to managing the highest risks.

Monitor both risk and performance. Most practitioners readily understand the importance of monitoring specific third-party risks, but performance monitoring is often treated as a secondary concern. Subpar performance not only prevents your organization from receiving the value it is paying for; it can also signal emerging or increased third-party risk. Poor performance may point to underlying issues such as declining financial health, ineffective controls, or operational and managerial problems before they surface in other risk assessments or periodic due diligence.

Establish and stick to formal monitoring routines. Set appropriate intervals for risk re-evaluation, due diligence, and performance reviews. Document and publish these routines, and hold stakeholders accountable for following them.

Increase monitoring when necessary. It is reasonable to increase monitoring when issues with a third party arise or its performance declines. Increased monitoring may also be warranted by declines in financial health, data breaches, or regulatory changes.

Consider risk intelligence tools to support your monitoring. Continuous monitoring requires daily vigilance to detect changes in a third party's risk profile, but depending solely on internet news alerts or on the third parties themselves for daily updates is risky. Instead, consider subscription-based risk intelligence services that deliver targeted alerts about changes in a third party's cybersecurity posture, financial health, compliance, reputation, and industry developments.

In conclusion, third-party risks are constantly changing, and organizations that want to manage them must engage in proactive, continuous monitoring to identify potential threats and reduce their impact on the organization and its customers. By following the third-party risk management lifecycle and implementing these best practices for continuous monitoring, your organization can more effectively navigate the complexities of third-party risk and prepare for upcoming challenges.
- Addressing Third Party Insurance Risk
This blog was inspired by the meeting facilitated by Julie Gaiaschi, CEO & Co-Founder of TPRA, at TPRA's November 2024 Practitioner Member Roundtable. (To watch the full presentation, TPRA Members can visit our Previous Meetings page and navigate to the November 2024 meeting recording.)

With insurance risk, it is crucial to evaluate whether coverage exists and whether it can protect against potential liabilities. Understanding the types of coverage available and the appropriate limits ensures that your organization is protected against unforeseen events. How can you evaluate coverage types and limits to ensure they align with your risk tolerance and provide the necessary safeguards? In this blog, we will cover:
- What Is Insurance
- Insurance Risk
- What To Evaluate
- Insurance Types & Limits

What Is Insurance

The primary purpose of insurance is to mitigate the financial impact of unforeseen events or risks, providing individuals and businesses with a sense of security and stability. It is a transfer of financial risk, appropriate when the likelihood of a risk occurring is low but its impact is high. If a third party is critical or high-risk, the insurance you require it to carry should be specified in the contract. There should be a pre-contract evaluation of the insurance coverage and policies held by a third party to confirm they have adequate coverage to mitigate potential risks and liabilities. This assessment aims to confirm that the third party's insurance meets your organization's expectations, risk methodology, and risk appetite, while also ensuring adequate protection for both parties in case of unforeseen events.

Insurance Risk

There are many types of insurance risk, including but not limited to:
- Insufficient insurance coverage
- Lapse in insurance coverage
- Irrelevant coverage
- Lack of umbrella or excess liability coverage
- Non-compliance with contractual requirements
- Changes to policy terms and/or limits
- Failure to address emerging risks

What To Evaluate

Evaluating a third party's insurance involves examining several factors to ensure their policies meet your organization's requirements and mitigate potential risks effectively. Key aspects to consider during this evaluation:
- Coverage types: Evaluate the types of insurance coverage the third party holds, such as general liability, professional liability, cyber liability, product liability, workers' compensation, and more.
- Certificate of Insurance (COI): Obtain and review the third party's Certificate of Insurance to verify the details of their coverage, including policy numbers, effective dates, coverage types, and limits.
- Coverage limits: Assess whether the policy limits are sufficient to cover potential losses or liabilities that could arise from the third party's actions.
- Scope of coverage: Review the policy language to understand the scope of coverage, exclusions, and limitations of each policy.
- Effective dates: Determine the renewal and cancellation terms of the third party's policies to ensure continuous coverage during the contract period.
- Additional insured: Determine whether your organization is named as an additional insured on the third party's policies. This extends coverage under their policies to your organization for specified liabilities.
- Subcontractor coverage: Assess whether the third party's insurance extends to subcontractors or vendors they engage for services related to your business relationship.
- Coverage gaps: Identify any gaps that could leave either party exposed to risks not adequately addressed by the third party's insurance.
- Deductibles and self-insured retentions: Review the deductibles or self-insured retentions associated with the policies and assess whether they are reasonable.
- Claims history: Inquire about the third party's claims history and any significant claims or incidents that have occurred in the past.
- Notification and reporting: Understand the third party's procedures for notifying the insurance carrier and relevant parties in the event of a claim.

Insurance Types & Limits

Below is a list of general guidelines for common insurance policies. Keep in mind that coverage needs can vary significantly, so always consult with insurance professionals and risk management experts to determine what's appropriate for your specific situation. Disclaimer: The following is for informational purposes and does not represent insurance advice.

- General Liability Insurance. Purpose: Protects against claims of bodily injury, property damage, and personal injury arising from your business operations. Recommended limit: $1 million to $2 million per occurrence, with an aggregate limit (total limit for the policy period) of $2 million to $4 million.
- Professional Liability (Errors & Omissions). Purpose: Covers claims arising from mistakes, negligence, or failures in professional services or advice. Recommended limit: $1 million to $2 million per occurrence, with an aggregate of $2 million to $4 million.
- Cyber Liability. Purpose: Protects against data breaches, cyberattacks, and related liabilities. Recommended limit: Varies with the size and nature of the organization, but limits of $1 million to $10 million or more may be appropriate.
- Umbrella or Excess Liability Insurance. Purpose: Provides additional coverage beyond the limits of the primary liability policies. Recommended limit: Enough additional coverage to handle catastrophic events; a limit that matches your total assets or potential liabilities is often recommended.
- Workers' Compensation. Purpose: Provides medical and wage replacement benefits to employees injured on the job. Limit: Determined by legal requirements in your jurisdiction; benefits are typically set by state law.
- Business Interruption. Purpose: Covers lost income and operating expenses if your business is unable to operate due to a covered event. Recommended limit: Should cover your anticipated revenue and necessary ongoing expenses during the interruption period.
- Product Liability Insurance. Purpose: Protects against claims arising from defective products that cause bodily injury or property damage. Recommended limit: Depends on the type of products, industry, and size of the organization; limits could range from $1 million to several million dollars.
- Commercial Property Insurance. Purpose: Protects against damage to or loss of physical assets such as buildings, equipment, inventory, and furnishings. Recommended limit: Sufficient to cover the replacement or repair cost of your assets; consider the value of your property and potential rebuilding costs.
- Employment Practices Liability Insurance (EPLI). Purpose: Protects against claims related to employment practices, such as discrimination, harassment, and wrongful termination. Recommended limit: Varies with the size of the organization and its exposure, but limits of $1 million to $5 million are common.
- Directors and Officers (D&O) Insurance. Purpose: Protects the personal assets of directors and officers from claims related to their management decisions. Recommended limit: Varies with the size of the organization, industry, and exposure, but limits of $1 million to $5 million are typical.

Conclusion

Evaluating insurance risk is an important aspect of third party risk management. By carefully assessing coverage types, limits, and terms, organizations can ensure that both their own operations and their third party relationships are protected against potential liabilities. This comprehensive approach to insurance risk helps ensure your organization is prepared for and protected against potential challenges.

Resources: Guidebook
- What is Third Party Risk Management (TPRM)?
Introduction

In this post, we'll answer the essential question: What is Third Party Risk Management (TPRM)? Drawing from our Third Party Risk Management 101 Guidebook, this blog can be used as a starting point for those who wish to establish, validate, and/or enhance their Third Party Risk Management Program. We'll introduce you to the foundations of TPRM and why it's critical for organizations today. We'll break down the basics, including key definitions, the various types of risk posed by third parties, how to assess and measure these risks, and the first steps to managing and mitigating third party risk exposure. Whether you're new to TPRM or looking to enhance your program, this post will guide you through the essentials.

Definitions

What is a Third Party? For our purposes, Third Party will be broadly defined to include all entities that can or do provide products and/or services to an organization, regardless of whether a contract is in place or money is exchanged. Such entities can include, but are not limited to: affiliates, subsidiaries, consultants, contractors, subcontractors, vendors, service and solution providers, fourth parties, and more.

Historically, organizations procured services from third parties for cost-efficiency purposes. Today, the reasons for procuring third party products and services have greatly evolved and now include, but are not limited to:
- Outsourcing critical processes
- Quickly scaling services to reach global markets
- Focusing on more strategic priorities
- Reaching niche markets
- Gaining additional expertise and functionality

As this evolution occurs, the risk and impact posed by third parties to organizations increases. Third Party Risk is therefore the possibility of an adverse impact on an organization's data, financials, operations, regulatory compliance, reputation, or other business objectives, as a direct or indirect result of an organization's third party.

So, how do you properly mitigate third party risk? By having a strong TPRM program. But what does TPRM entail? Third Party Risk Management (TPRM) is the framework of policies and procedures, controls, governance, and oversight established to identify and address the risks presented to an organization by its third parties. A Control is a process and/or activity used to monitor, review, and/or address a specific risk.

What is TPRM?

Third Party Risk Management is not a new concept, but its importance continues to grow due to:
- The threat landscape growing in complexity
- Organizations relying more heavily on third parties to support critical services
- Digital transformation projects gaining momentum
- Increasing regulations
- Environmental impacts

In addition, regulatory scrutiny of organizations has increased, to ensure they are aware of the risks and impacts their third parties have on them. Gone are the days when organizations could simply attest that they have a compliance program in place. Regulators now require organizations to demonstrate that their third parties have effective controls and compliance programs in place. To ensure that third parties operate securely and effectively, an organization must implement and maintain an effective TPRM program to identify, assess, monitor, and mitigate risks related to outsourced data and processes. Customers, board members, and regulators have significant expectations that organizations will maintain effective TPRM programs. These stakeholders seek assurance that the organization is appropriately identifying and managing third party risks to protect their interests and uphold compliance standards. But what risks specifically should a TPRM program consider?

Potential Risks with Third Party Relationships

Organizations that hire third party services frequently share data and intellectual property with those providers. For our purposes, Organizational Data will refer to all proprietary and restricted data a company holds, processes, and/or secures, including its customers' personal data. Third parties often access, transfer, manipulate, and store organizational data, which increases the risk for the organization that owns this data. While third parties share some responsibility for protecting this information, the primary responsibility lies with the organization itself. It is crucial for the owning organization to ensure that third parties are properly safeguarding both its data and its customers' data. An organization is only as strong as its weakest link, which may be a third party.

The risk of engaging with a third party depends on the type of relationship between the organization and the third party, as well as the controls the third party has in place. While there is no way to completely eliminate the risk of a data breach or verified incident, an organization can take security measures to understand the risk of working with a third party and take appropriate steps to mitigate it. Failing to properly identify, assess, and manage the risks associated with third party relationships can lead to significant consequences: scrutiny from regulators, fines and other legal repercussions, and serious reputational or financial harm to the organization's relationship with its customers.

What Types of Risk Are There?

A third party relationship can introduce many different types of risk to an organization. TPRM programs no longer focus only on cyber risk, as there is an increased need to widen their view. TPRM programs must now also review a third party's financials, operations, and even environmental and social impacts. Social impacts relate to labor practices, environmental controls, and organizational governance practices. Here are just a few types of risk a third party could present to your organization:
- Reputational risk: Results from a negative public view related to dissatisfied customers, interactions not consistent with institutional policies, inappropriate recommendations, security breaches resulting in the disclosure of customer information, and/or violations of laws and regulations.
- Operational risk: Results from inadequate or failed internal processes, people, and/or systems.
- Strategic risk: Results from failing to align strategic goals with business objectives, and/or from an activity that jeopardizes an organization's strategic objectives.
- Transaction risk: Results from issues with service and/or product delivery, or a third party's failure to perform as expected by customers. An organization can also be exposed to transaction risk through inadequate capacity, technological failure, human error, and fraud.
- Financial risk: Results from a third party's failure to meet or align with an organization's monetary requirements and expectations.
- Cybersecurity risk: Results from the probability of exposure or loss of organizational data due to a technical failure, event, or incident (including a breach).
- Environmental, Social, and Governance (ESG) risk: Results from an organization's environmental, social, and governance impacts, based on its decisions and daily activities.
- Compliance risk: Results from a violation of laws, rules, and regulations, or from non-compliance with internal policies or procedures.

Other types of risk vary with how a business uses third parties, the efficacy of the third party's internal controls, and the locations in which it operates. Organizations must carefully evaluate the controls of their third parties to ensure that risks are avoided, mitigated, shared, transferred, or accepted according to their risk management framework, which is guided by their risk appetite.

An organization's risk appetite is the level of risk it is willing to accept or reject. Every organization has a risk appetite, even if it is not formally documented. If your organization doesn't have a formal risk appetite statement, it's important to closely observe which third-party risks are accepted or overlooked, as these choices give an informal picture of the company's risk appetite. Paying attention to how your organization handles these risks can help clarify its risk tolerance.

The Evaluation of Third Party Risk

Assessing third party risks, and the controls in place to mitigate them, is crucial when deciding whether to contract with a third party provider. It also informs how the organization will conduct ongoing monitoring of the relationship. Understanding the nature of the services the third party will provide is essential to grasping their potential impact on your organization. This knowledge enables businesses to prepare proactively for the challenges that may arise if the third party fails to deliver the promised products or services. The key to effectively leveraging a third party's products and services, in any capacity, is for the organization to properly identify, assess, mitigate, and monitor the risks of doing business with it.

There are two types of risk: inherent risk and residual risk.

Inherent risk: Inherent risk is the level of risk associated with a third party product or service before any of the third party's controls are taken into account. When assessing inherent risk, several factors are considered, including the nature of the product or service offered, the type of data accessed or transferred, the geographical location of the third party, and the financial amount involved. Inherent risk is usually assessed before conducting any detailed evaluation of the third party. The assessment gives a worst-case view of the third party's potential risk if all controls failed. It helps categorize the third party and determine the required due diligence effort, as well as the timing of future assessments, based on the level of risk it poses to your organization.

Residual risk: Residual risk is the level of inherent risk that remains after controls have been evaluated and any identified risks have been addressed. It gives a clearer picture of the risk landscape associated with a third party by accounting for the adequacy and effectiveness of the controls in place.

Formula for risk: Risk = Impact of Risk x Likelihood Risk Will Occur. Risk is calculated by multiplying the impact a risk could have on the organization by the likelihood that it will occur. The velocity at which the risk could materialize may also be factored into the likelihood.

What to do with Discovered Risks

After an organization calculates the risk associated with a third party, it may choose to accept, remediate, share, transfer, or avoid the identified risk. The following outlines how each option works.

Accept: When organizations accept a risk, they acknowledge that its potential loss or impact is at a level the organization is willing to tolerate and/or not treat immediately. Risk acceptance should be temporary, until the risk can be appropriately mitigated or a compensating control can be put in place.

Remediate: To remediate a risk, organizations work with the third party to create and implement an achievable action plan to add or enhance controls. Remediation can reduce the likelihood of occurrence or the risk's impact on the organization.

Share: Risk sharing distributes the responsibility for a risk across multiple organizations and/or individuals, so that its impact isn't borne by one organization and/or individual alone. Risks can be shared by implementing controls across organizations to address the risk and/or by contractually sharing responsibility for the impact should it be realized.

Transfer: Risk transfer is typically used where the impact of a risk is high but the likelihood of its occurring is low. The organization transfers the risk to another organization, such as an insurance company, that is better suited to handle large-scale risk.

Avoid: Organizations can avoid a risk by not taking it on, or by avoiding the actions that cause it. From a third party risk perspective, this usually means disengaging from the third party and/or terminating services.

Regardless of how an organization chooses to address risk, it must first have processes in place to discover and assess it. This is accomplished through the implementation of a strong Third Party Risk Management Program.

Conclusion

Third Party Risk Management (TPRM) is a crucial aspect of ensuring an organization's security, compliance, and overall resilience. As reliance on third parties increases and the threat landscape becomes more complex, implementing a well-structured TPRM program is essential. By identifying, assessing, and managing the various risks presented by third parties, such as operational, regulatory, reputational, financial, and cyber risks, organizations can proactively mitigate potential threats. Through effective TPRM practices, businesses can better protect their operations, maintain regulatory compliance, and preserve their reputation in an ever-evolving risk environment.

Related Resources: TPRM 101 Guidebook; What is TPRM Video
Other Pages (476)
- VENDOR-HOSTED EVENTS | TPRA
Learn about and register for events outside of the TPRA that are applicable to TPRM. Vendor-Hosted Events The TPRA promotes the industry of third party risk, which includes events conducted by other third party risk-related groups and organizations. Check back here regularly to see our list of vendor-hosted events. If you would like to promote your next third party risk-specific event, please complete the form below . Disclaimer: TPRA does not endorse or sponsor the products/services of one particular organization; however, we do communicate training opportunities for the benefit of the community. Filter by Organization Select Organization Filter by Event Type Select Event Type Filter Download OneTrust Live Webinar Laying the foundation: The why and how of privacy automation Thursday, April 17, 2025 11 AM EST As privacy programs evolve, moving from foundational compliance to scalable automation is essential for success. This session explores the value privacy automation can bring to your organization and provides practical steps to begin your journey. We’ll introduce the Data Privacy Maturity Model, explaining its importance in identifying where your organization stands today and how to strategically advance. Register Cloud Security Alliance (CSA) Live Webinar Top Cloud Threats within AI Security Friday, April 18, 2025 11 AM EDT Join us for an exclusive fireside chat with Oasis Security, where industry experts will share insights, experiences, and perspectives on today’s most pressing topics. This informal yet informative session is designed to provide valuable takeaways in a conversational setting. Register Venminder, an Ncontracts Company Live Webinar Onboarding Critical Vendors: How to Plan, Assess Risk, & Choose the Right Partner Tuesday, April 22, 2025 1 PM CT Before signing on the dotted line with a critical vendor, organizations need to take a step back and think strategically. Why is outsourcing the right move? What risks come with it? 
And how can you ensure you’re selecting a vendor that won’t create more problems than solutions? This webinar will walk you through the first two phases of the vendor risk management lifecycle: Planning and Due Diligence & Selection. We’ll break down these foundational steps in simple, practical terms, so you can confidently approach vendor onboarding with a risk-aware mindset. Register now to learn:
- How to develop a clear business case for outsourcing a function
- Identifying and assessing potential risks before engaging a vendor
- What to look for in vendor due diligence (and how to tailor it based on risk)
- Tips for comparing vendors and making informed decisions
- The role of regulatory expectations in the vendor selection process

SecurityScorecard, Live Webinar: Navigating Supply Chain Cyber Hygiene: DORA & NIS2 in the Spotlight
Thursday, April 24, 2025, 8 AM EDT
DORA and NIS2 reinforce best practices for managing supply chain cyber hygiene, emphasizing a structured and compliant approach to information security. Join SecurityScorecard as we explore how these frameworks guide organizations in strengthening third-party risk management, enhancing resilience, and ensuring compliance. Gain practical insights on implementing effective security measures that align with regulatory expectations while proactively safeguarding your business.

Ncontracts, Live Webinar: Navigating the Unknown: A Proactive Blueprint for High-Impact Risk Management
Thursday, April 24, 2025, 1 PM CT
In a world where risk is constantly evolving, financial institutions need more than just a reactive approach — they need a blueprint for success. This webinar will explore proactive strategies for building a high-impact risk management program, equipping you with the tools to anticipate challenges, adapt to change, and strengthen resilience. You'll learn:
- How to identify and mitigate emerging risks before they become crises
- Strategies for embedding risk management into decision-making for long-term success
- Practical steps to enhance agility and resilience in an unpredictable environment
- Insights from industry experts on best practices for a high-impact risk management program

Aravo, In-Person Workshop: TPRM by Design Workshop
Wednesday, May 21, 2025, 9:30 a.m. to 4:30 p.m. GMT | Covent Garden, London, UK
Aravo invites you to join your peers for an interactive workshop dedicated to third-party risk management strategies and methodologies. GRC 20/20 analyst Michael Rasmussen will be facilitating this workshop focused on:
- Establishing a business case for TPRM that unifies the extended enterprise.
- Building your own blueprint for effective third-party management.
- The core components of the third-party management lifecycle.
- How technology can further enable your program and promote collaboration.
- Delivering effective third-party governance and assurance.
Don't miss this opportunity to learn best practices from experts and exchange ideas with your peers. Gain a deep understanding of the challenges and pitfalls associated with managing third-party risk, and bring back actionable strategies and methodologies that will help transform and mature your TPRM program.

Global Resilience Federation (GRF), Virtual Conference: BRC Virtual Summit on Resilience & Security
Wednesday, June 4, 2025, 10 AM - 4 PM ET
Join the Business Resilience Council for the second annual Virtual Summit on Resilience & Security. The online, multi-sector event will feature speakers discussing topics relevant to all-hazards threats, including:
- Emerging security threats
- Global supply chain risk
- Risks to business infrastructure from nation-state actors
- Third-party management and resilience
- Tackling a major service outage without operational downtime
Join us for this complimentary half-day event! Registration and the Call for Presentations are now live.

ProcessUnity, Live Webinar: Third-Party Risk: Conducting Emergency Assessments After the CrowdStrike Incident
Friday, August 1, 2025, 11 AM ET
If the recent CrowdStrike incident taught us anything, it's that we need to drastically change how we assess our third-party service providers in the face of emerging threats and vulnerabilities. There are too many vendors to assess, compounded by the increasing volume of threats we face each year. On a normal day, TPRM teams already have too much to do. When an incident like this occurs, they need to stop what they're doing and conduct an emergency assessment -- an ugly process that overburdens companies and their vendors, and typically takes weeks, if not months. It doesn't have to be that way. Join ProcessUnity for a 50-minute webcast on Thursday, August 1 at 11:00 AM ET as we discuss Best Practices for Threat and Vulnerability Response.

Global Resilience Federation (GRF), In-Person Conference: 8th annual Summit on Security & Third-Party Risk
Monday, November 3, 2025, starting at 7 PM PT | The Palms Las Vegas
The 8th annual Summit on Security & Third-Party Risk will take place at the Palms in Las Vegas, November 3-5, 2025. Each year, the conference features dozens of speakers on third-party risk management, cloud security, emerging cybersecurity threats, and AI/machine learning threat mitigation and management. Attendees will gain an understanding of how some of the largest and most sophisticated organizations in the world are managing risk and leave the conference better armed to defend their company, regardless of its size or the status of its security or risk mitigation program.

Submit an External Event
TPRA Practitioner Members can submit upcoming events they'd like displayed on this page using the form below. Some events may also be shared via our monthly events emails and/or quarterly newsletter.
TPRA does not post on-demand/recorded events to this page. TPRA Vendor Members can submit their upcoming events through the Vendor Member Submissions form.
- TPRA – Third Party Risk Management Resources, Certification & Networking
The Third Party Risk Association (TPRA) is the all-in-one source for Third Party Risk Management (TPRM) tools, resources, templates, training, networking, certifications, and industry best practices. Join a community of professionals dedicated to advancing TPRM strategies and building resilient partnerships. Join a diverse community of thousands of TPRM professionals worldwide. Furthering the profession of third party risk management through knowledge-sharing & networking.

Membership (Connect & Discover): Individuals & organizations working together to advance the industry.
Education (Meetings & Training): Certifications & training for risk professionals to advance their careers & enhance their programs.
Resources (Information Sharing Site): White papers, templates, guidance & more to enhance your program.
Tools & Automation (Explore & Contact): Detailed profiles of trusted TPRM service provider organizations & their offerings.

Practitioner Plans: Standard: FREE | Premium: $199/yr
Benefits:
- Member Meetings: Interactive monthly calls to discuss a variety of third party risk topics decided upon by members.
- Conferences: In-person and virtual conferences dedicated solely to third party risk topics.
- Networking: Online interaction with your peers through membership forums and document databases.
- Industry-Specific Meetings: Quarterly special interest calls based on your industry.
- Demos, Surveys, Webinars: Access to third party risk management service provider demos, surveys, & webinars.
- Certifications: TPRM professional certifications that establish credibility and demonstrate your commitment to mastering your skills and knowledge within the industry.

Vendor Plans: 4 available plans starting at $8,000/yr
Benefits:
- Priority & Discount Sponsorship Opportunities: Be the first to sponsor conferences and receive discounted member rates, as well as priority positioning.
- Networking & Collaboration: Attend monthly and quarterly meetings with TPRM practitioners and other service providers to network, collaborate, create resources, share insights, and more!
- Promotional Opportunities: Work with the TPRA staff to communicate your organization's webinars, surveys, demos, blog posts, and white papers to Practitioner Members.
- Advisory Councils: Join our TPRM Service Provider Advisory Council, as well as other groups, dedicated to collaborating, sharing insights, and providing strategic guidance.
- Quarterly Updates: Receive quarterly updates with industry innovators to collaborate on practitioner needs.

Meetings Open to All
- Tuesday, April 15, 2025, 10:00 - 10:30 AM CT: Q2 New & Potential Member Call
- Tuesday, April 15, 2025, 1:00 - 2:00 PM CT: Women In TPRM Meeting
- Thursday, April 24, 2025, 10:00 - 11:00 AM CT: Panel: Continuous Monitoring: From Reactive to Proactive

Contact Us
Address: P.O. Box 824, Ankeny, Iowa 50021 USA
Email: info@tprassociation.org
For any general inquiries, please fill out the contact form.
- WOMEN IN TPRM PROGRAM | TPRA
Join TPRA’s Women in TPRM program to uplift and support women in the industry through mentorship, leadership development, and recognition. Empowering the next generation of women leaders in TPRM.

Our Goals
The Women in TPRM (WNTPRM) Program is dedicated to empowering women in the Third Party Risk Management (TPRM) industry. This program is open to all, regardless of TPRA membership status or gender identity. Through collaborative efforts, we aim to:
- Uplift Women in TPRM: Advocate for professional growth and recognition.
- Provide Access to Higher-Paying Roles: Break barriers to equitable opportunities in TPRM careers.
- Facilitate Mentorships: Connect women with seasoned professionals to foster guidance and growth.
- Celebrate & Support Women: Establish a platform to spotlight achievements and nurture community.
- Cultivate Future Leaders: Develop the next generation of trailblazers in TPRM.

What We Do
We meet monthly to strategize on achieving these goals and to address challenges within the field. You do not need to be a TPRA member to participate in this program, but some facets of this program are member-specific, such as our 'Women in TPRM' Slack Channel, where TPRA Practitioner Members can continue meaningful conversations, share resources, and collaborate. Standard Practitioner Membership is free, and all TPRA Practitioner Members are invited to join our Slack Forum. Members and non-members can join our LinkedIn group to stay connected.
Our Initiatives Include:
- Advocating for the importance of women in TPRM through educational resources and outreach.
- Providing access to tools, techniques, and insights that uplift and empower women in the field.
- Showcasing and celebrating women leaders who inspire and shape the TPRM landscape.
- Sharing job opportunities from organizations committed to supporting women in TPRM.
Join us as we drive change, foster leadership, and build a brighter future for women in TPRM!

Upcoming Meetings
- April 15, 2025, 1:00 - 2:00 PM CT: Women In TPRM Meeting
- May 20, 2025, 1:00 - 2:00 PM CT: Women In TPRM Meeting
- June 3, 2025, 1:00 - 2:00 PM CT: WNTPRM Work Group Meeting

Programs & Resources
WNTPRM Work Group: The WNTPRM Work Group is a collaborative forum dedicated to empowering and advancing women in third-party risk management (TPRM) through education, leadership development, mentorship, and career advancement, fostering a supportive community for women professionals and leaders.
Mentorship Program: Our mentorship program is focused on women within the field of Third-Party Risk Management. Our goal for this program is to align mentors and mentees to address and support the needs of our membership. If interested in becoming a mentor or mentee, please fill out the interest form.
Women Lead Spotlights: Our Women Lead Program is dedicated to showcasing inspiring leaders by highlighting their stories. Our goal for this program is to learn from and be inspired by women leaders in the field of Third Party Risk Management (TPRM) throughout various industries. View our Leaders and learn how to nominate and/or apply to become a spotlight.
Resource Sharing Library: Our Women in TPRM Resource Sharing Library contains a variety of women in business-related materials. Included are reports on the latest women in business trends and statistics, blogs and articles on relevant and current happenings, and TED Talks featuring inspiring women in business educating others on how to navigate the business world and find success in their careers.
Leadership Ladders: Originally developed by TPRA's Women in TPRM "Lead" work group, this training activity is designed for all current & aspiring leaders within the Third Party Risk Management (TPRM) industry. Inspired by the classic "Chutes and Ladders" game, it is an all-in-one roadmap to leadership in the form of a nostalgic, virtual board game! Each box on the board is linked to a valuable resource, including customized guides, blogs, videos, quizzes, and more, with the goal of enhancing your leadership potential through buildable skills and expert insights. Any professional, regardless of what stage they're at in their career, can find value in this activity.

Statistics
- Women only represent 15-20% of the Governance, Risk and Compliance profession (GRC World Forums, 2021).
- Only about 25% of every 100 security and risk management (SRM) executives are women (Gartner Inc., 2019).
- Gender-diverse and inclusive teams outperform gender-homogeneous, less-inclusive teams by an average of 50% (Gartner Inc., 2019).
- According to one survey, 24% of global cybersecurity employees are women, and 18% of CIOs/CTOs are female (Deloitte, 2021).

Quotes
"Diversity matters not just because increasing representation of minorities and women in a fast growing and critical field is the right thing to do, but because a variety of viewpoints are key to solving hard problems." Johanna Werbach, SVP, General Counsel - Legal, Bitsight
“...change must come from within the industry and not be mandated from external parties.” Karie Burt, Chief Data and Privacy Officer, MeritB2B
"With different backgrounds and perspectives and voices at the table and in an environment where their contributions are really valued, you benefit from a much more expansive conversation and one that’s much more likely to uncover the full range of possibilities and solutions." Vanessa Jankowski, VP & GM, TPRM, BitSight
Read: "Women in CyberSecurity"
Forum Posts (60)
- The Power of Soft Skills in Today’s Workplace
In Blogs & Articles · February 14, 2025
In today’s rapidly evolving job market, technical expertise alone is no longer enough. Employers are increasingly valuing soft skills—interpersonal attributes that shape how employees interact, communicate, and collaborate.
Why Do Soft Skills Matter?
Soft skills, such as communication, emotional intelligence, adaptability, and teamwork, influence workplace culture and productivity. According to a LinkedIn study, 92% of talent professionals say that soft skills are just as important, if not more so, than hard skills. One major reason for this shift is automation. As AI and technology take over repetitive tasks, human-centric skills like creativity, leadership, and emotional intelligence have become critical differentiators.
Key Soft Skills for Career Success 🧁
1. Communication Skills – Essential for conveying ideas clearly and fostering teamwork.
2. Emotional Intelligence (EQ) – Helps in managing relationships and resolving conflicts.
3. Problem-Solving & Critical Thinking – Enables innovative and strategic decision-making.
4. Leadership & Teamwork – Crucial for motivating teams and achieving business goals.
5. Adaptability & Resilience – Essential in today’s fast-paced, ever-changing work environments.
The Impact of Soft Skills on Business Growth
Research from MIT Sloan shows that investing in soft skills training increases productivity, engagement, and retention rates. Employees with strong interpersonal skills help build positive work cultures, reducing conflicts and improving collaboration.
Developing Soft Skills for Future Success
Unlike hard skills, which can be learned through training, soft skills require continuous practice and self-awareness. Here are some ways to develop them:
• Seek feedback from mentors or colleagues.
• Practice active listening in conversations.
• Engage in team-based projects to improve collaboration.
• Take leadership roles in small or big tasks.
As industries evolve, the ability to communicate, adapt, and lead will define professional success. Whether in business, technology, or healthcare, mastering soft skills will help individuals and organizations thrive in the future.
- Is the Career Ladder Outdated? Exploring the Lattice Approach to Professional Growth
In Blogs & Articles · September 24, 2024
"As traditional career paths evolve, the lattice model offers a flexible and holistic approach to growth, especially for women navigating modern workplaces." Published September 3, 2024.
- The Language Women Use in the Workplace and What it Means
In Blogs & Articles · June 12, 2024
By STEM Women: "As a woman, have you ever found yourself using the phrases “I may be wrong, but…”, or “I’m not an expert in this, but…”, or excessively using the word “sorry…”? Research has found that women are much more likely to use self-deprecating or ‘softer’ language in the workplace. Let’s take a closer look at what language women tend to use and why."