Search Results
Events (4)
- Peaks & Pitfalls: Charting the TPRM Terrain | Tickets: $51.25 - $1,640.00 | April 20, 2026 | 10:00 PM | 3801 Quebec St, Denver, CO 80207
- December 10, 2025 | 6:00 PM
- December 10, 2025 | 2:00 PM
Blog Posts (101)
- Continuous Improvement in TPRM: When “Good Enough” Becomes a Problem
Most third party risk management (TPRM) programs stall not from a lack of effort, but because teams get stuck in routine: assessments proceed, documents are exchanged, and dashboards look fine. It all appears effective until someone asks a tougher question. Is the program really getting better, or is it just running as usual? Practitioners often recognize when nothing is broken, but the process feels stuck. The same issues repeat, third parties ask familiar questions, and teams rely on old workarounds to avoid disrupting the routine. At this point, the program may seem mature from the outside, but inside it has settled into maintenance mode. The team is focused on keeping things running rather than questioning whether the process still fits. This gradual shift is when continuous improvement matters most.

The Risk of Operational Comfort

Repetition in TPRM programs can signal maturity or simply routine. Templates have passed audits, questionnaires seem complete, and the team knows where manual fixes are needed because they’ve seen these problems before. Meanwhile, the organization is changing. Third parties may offer more products or assume larger roles. Cloud use grows, and data sharing is more complicated than when the program started. A third party that once handled a small task might now be responsible for a critical function. If the program runs as originally designed, it can lose touch with the environment and rely on outdated assumptions, even as risks change.

Actions to Take: Once a year, bring together Security, Procurement, Legal, and business stakeholders for a practical discussion on how the program reflects the risks of current operations. Ask which third parties are more critical today than they were a few years ago, which parts of the process cause the most friction, and which risks feel harder to evaluate than they used to. Those answers usually reveal where the program has fallen out of alignment.

Continuous Improvement Is Not a Program Overhaul

“Continuous improvement” can sound daunting, like a massive redesign or endless meetings. But small, steady steps are more practical and effective than big overhauls. Simple changes can help without overwhelming the team. In reality, improvement is often much simpler. It’s about noticing what the program is already showing you and using that to make changes. Most stalled programs don’t lack effort. They lack a way to learn from results. Lessons are recorded but rarely drive change. Onboarding problems persist, and third party incidents are treated as isolated incidents rather than as prompts for process improvement.

Pro tip: Review last year's most common third party findings. Clearly identify whether they led to changes in the program, such as revised questionnaires, clarified evidence requirements, enhancements to contracts, or altered monitoring priorities. If you identify no resulting changes, the takeaway is that the program needs a stronger improvement loop, not more automation.

The Feedback Loop Many Programs Overlook

TPRM programs naturally generate assessments, test results, follow up on incidents, and alerts that reveal how well the process works. But most teams focus on completing tasks, rarely pausing to spot patterns. Continuous improvement begins when practitioners see this data as feedback. Some controls get vague answers from third parties. Or maybe certain requirements tend to lead to frequent exceptions. Monitoring sometimes finds problems that assessments missed. These are not just third party actions; they show where the program needs to change. Programs that adapt to these patterns become more effective over time. Updating the process with new insights is key.

Actions to Take: Once a quarter, review several completed assessments and ask a simple question... What did these reviews teach us about our process? Not only about the third parties, but about the program itself.

To make these quarterly reflections easier, consider using questions like:

  - Which requirements caused the most confusion or pushback from third parties?
  - Did any part of our process slow down unnecessarily, and why?
  - Are there risks we failed to catch until after the assessment, and what signals did we overlook?

These questions highlight where the program needs to change and encourage real discussion.

Where Improvement Usually Starts

Improvement usually begins in three areas: assessments, governance, and risk communication. Assessment questionnaires often grow over time as new questions are added but rarely removed. Eventually, they become hard to complete and review, without adding value. Mature programs review assessments, remove redundancies, clarify evidence needs, and focus on meaningful risk controls.

Pro tip: Identify the questions third parties struggle to answer most often. If responses are vague or copied from policy templates, the issue may not be the third parties. The question itself may need revision or a different validation approach.

Governance models need regular review. Current third party tiering may be outdated, and review schedules can become unbalanced. Regular checks help restore focus where it matters most.

Actions to Take: Review the third party inventory and ask a simple operational question. If this third party failed tomorrow, what would actually happen to the business? If the answer does not match the third party’s current risk tier or oversight level, the governance model likely needs adjustment.

Risk communication often requires improvement. Detailed reports may obscure key decisions. Sometimes, making reports clearer and simpler is the most valuable change.

Pro tip: In the next leadership report, replace one status slide with a single prompt: what third party risk decision requires attention this quarter? If that question is difficult to answer, the reporting model may need refinement.

Identifying When Your Program Has Plateaued

Teams rarely admit that a program has stalled, even when clear patterns appear: repeated findings, recurring exceptions, and reviews that have become routine. This plateau doesn’t mean failure. It just means it’s time to rethink improvement. Instead of just checking whether the process is followed, the team should ask whether it still aligns with reality. The key is that moving from just maintaining to reflecting helps the program grow.

Actions to Take: Choose one program component each year and deliberately revisit its design. It might be third party tiering, assessment scope, monitoring strategy, or reporting. Improvement rarely appears on its own. Someone has to decide that it is time to look again.

Continuous Improvement as a Habit

The best TPRM programs aren’t always the ones with the longest questionnaires or the most detailed governance charts. They are the ones where people stay curious about how their process works and work to make it better. They review their assumptions before they become outdated, learn from third party incidents instead of treating them as isolated events, and adjust oversight when business needs change. Continuous improvement is a habit, not a project. Regular reflection is essential to maintaining the value of third party risk management as a practice. When this habit becomes routine, maturity usually follows. It’s not because the framework is perfect, but because the program keeps learning.

Author Bio

Hilary Jewhurst
Sr. Membership & Education Coordinator at TPRA

Hilary Jewhurst is a seasoned expert in third party risk and risk operations, with nearly two decades of experience across financial services, fintech, and the nonprofit sector. She has built and scaled third party risk programs from the ground up, designed enterprise-wide training initiatives, and developed widely respected content that helps organizations navigate regulatory complexity with clarity and confidence.

Known for turning insight into action, Hilary’s thought leadership and educational work have become go-to resources for professionals looking to mature their TPRM programs. She regularly publishes articles, frameworks, and practical guides that break down complicated risk topics into meaningful, accessible strategies. Hilary recently joined the Third Party Risk Association (TPRA) as a staff member, supporting industry-wide education, peer learning, and advancing best practices. She is also the founder of TPRM Success, a boutique consultancy that helps organizations strengthen their third party risk management capabilities through targeted training, tools, and strategic guidance.
- Incident Response and Recovery in the Extended Enterprise: Practical guidance for TPRM practitioners
Most third party incidents come to light before the third party officially reports them. Usually, the first sign is indirect; a service slows down, a business owner notices access problems, a customer-facing team spots a disruption, or an alert goes off with little detail. By the time the third party confirms the issue, internal teams are already asking key questions: what is affected, what data is involved, who manages the relationship, what does the third party need to do under contract, and what options are available if service is not restored quickly.

Here, the extended enterprise means all the outside organizations that help the business run, including both third parties and the fourth parties they depend on. This matters during incident response because the impact and the root cause are often in different places. For example, a fourth party might cause a disruption, but the response still goes through the third party covering contracts, communication, evidence requests, and recovery promises. Third Party Risk Management (TPRM) teams need to make this chain clear and actionable during an incident.

Incident response and recovery in the extended enterprise are just as much coordination issues as technical ones. Security teams focus on containment and investigation. Privacy and Legal teams assess notification and contractual obligations. Business owners need to keep operations running and manage third party accountability. Continuity teams need recovery assumptions and workaround options. Procurement needs contract visibility and leverage. TPRM sits in the middle, translating third party relationships into a decision-ready context, so the response does not stall while teams reconstruct basic information.

This blog shares practical ways TPRM practitioners can help with incident response and recovery when third party incidents happen across the extended enterprise. The focus is on tools and processes that work during real incidents, not just on perfect documentation. The aim is to cut down the time spent on getting oriented, escalating issues, and tracking down information, so teams can act faster on impact, third party accountability, and recovery.

Maintain third party records for use during an incident.

When a third party problem comes up, the first challenge is getting oriented. Teams need to know who manages the third party, what the third party does, and how much disruption the business can handle. TPRM programs should ensure third party records include:

  - A clearly identified business owner with authority to engage the third party.
  - The services provided and systems involved.
  - The types of data accessed or processed.
  - Whether the service supports customer-facing, revenue-generating, or regulated activity.

If teams have to gather this information after an incident begins, the response slows down and coordination suffers.

Practitioner takeaway: Ensure third party inventories are immediately usable during real incidents, not just for onboarding or annual reviews, so teams can quickly access orienting information.

Use risk tiering and operational criticality to define response expectations.

Risk tiering sets the basic level of oversight. Operational criticality shows if a problem with this third party would have an immediate effect on the business. Each third party should have:

  - An inherent risk tier
  - An operational criticality designation, critical or not critical

Together, these factors should guide:

  - Notification and response timelines
  - Evidence and information requests during incidents
  - Leadership escalation and continuity involvement

For third parties that are critical to operations, these expectations should be agreed on and documented ahead of time. This includes clear escalation paths and recovery plans the business depends on.

Practitioner takeaway: Use risk tiering to set oversight expectations. Use operational criticality to determine how quickly a third party issue becomes a business-impact decision.

Treat fourth-party involvement as a normal part of the response.

Many third party incidents involve a fourth party, like a hosting provider, cloud platform, or specialized subcontractor. During a response, teams need to know if a fourth party is part of the delivery chain and if that changes recovery options. Programs tend to be more effective when they:

  - Require third parties to disclose material fourth parties that affect service delivery or data exposure.
  - Apply this requirement primarily to operationally critical third parties.
  - Require notification when material fourth parties change.

This helps teams quickly assess impact and recovery limits, avoiding the slow process of rebuilding the supply chain during an active incident.

Practitioner takeaway: Focus fourth party visibility on the most important dependencies related to service delivery and data exposure for effective response.

Monitor for service disruptions and security events.

Third party incidents often start as performance issues. Service instability, missed Service Level Agreements (SLAs), or delayed results usually show up before there is a formal incident notice. Monitoring practices should clearly define:

  - Which conditions require review.
  - Who is responsible for follow-up.
  - What triggers incident escalation.

A practical way to divide responsibilities is:

  - Business owners monitor performance, manage day-to-day third party relationships, and escalate when a disruption appears credible.
  - TPRM checks the third party’s risk tier and criticality, confirms escalation paths and contacts, and sends the issue to the right internal teams based on the third party’s profile.
  - Security, Privacy, Legal, and Continuity teams get involved once the situation is considered an incident, either because the third party declares it or internal teams confirm a possible security, data, or continuity impact.

Practitioner takeaway: Set a defined point for when an issue escalates to a formal incident, ensuring clear responsibility transfer.

Align incident response with recovery and continuity planning.

For third parties that are critical to operations, incident response and recovery planning often overlap. A security problem can quickly turn into an availability or customer-impact issue with little warning. Organizations are better prepared when they have a shared approach for third party response and recovery. This should include:

  - Notification requirements and evidence expectations.
  - Impact assessment inputs.
  - Decision authority and escalation paths.
  - Recovery time and recovery point assumptions.
  - Workaround and alternate sourcing options.

Talking through scenarios that include third party outages helps teams understand limits before a real disruption happens.

Practitioner takeaway: Integrate recovery planning into incident response so that recovery steps are considered as part of overall incident handling, not left until later.

Address AI-related incident considerations during intake and contracting

When third parties use AI, it affects data handling, control processes, and regulatory risks during incidents. These issues are hard to solve in the middle of a response. Practical preparation includes:

  - Identifying where AI is used and what data it touches.
  - Requiring notice of material changes to AI-enabled workflows.
  - Aligning incident notification and investigation expectations contractually.

This helps reduce uncertainty when incidents happen.

Practitioner takeaway: Define incident response expectations for AI usage and data handling with third parties before incidents happen to avoid delays.

Consider regional and geopolitical disruption in third party recovery planning.

Regional outages, sanctions, and infrastructure failures often hit third parties before they affect your own operations. Preparation should include:

  - Identifying regional concentration across operationally critical third parties.
  - Understanding which services can pause and which cannot.
  - Discussing realistic disruption scenarios with continuity stakeholders.

These talks often reveal single points of failure that might otherwise go unnoticed.

Define ownership and decision authority in advance.

Third party incidents take longer to resolve when it is unclear who is responsible. TPRM can help speed things up by making the structure clear. Programs should ensure:

  - Every third party has a named business owner.
  - Escalation and risk acceptance authority are documented.
  - There is a defined forum for remediation decisions, exceptions, renewals, and exits.
  - Exceptions have owners and review dates.

Clear authority helps resolve incidents faster.

Practitioner takeaway: Address structural issues, like unclear ownership and escalation paths, to reduce delays during third party incidents.

Track incident-relevant measures, not activity volume.

Leadership oversight gets better when reports focus on risk exposure and follow-up, not just on program activity. Measures that tend to support decision-making include:

  - Coverage of current validation for operationally critical third parties.
  - Known material fourth-party exposure for operationally critical third parties.
  - Time to initiate triage for third party incidents.
  - High-risk issues that exceed agreed remediation timelines.
  - Concentration risk across essential services.

These measures help teams focus on what matters most and escalate issues as needed.

Practitioner takeaway: Ensure reporting enables clear decision-making by emphasizing risk exposure and remediation status.

Summary

Effective incident response and recovery in the extended enterprise rely on preparation that supports coordination, clear ownership, and predictable escalation.
TPRM teams add the most value when third party records are ready to use during incidents, response expectations are based on risk and criticality, and recovery planning is part of the response process. Fourth-party involvement should be seen as a normal part of third party delivery, with clear visibility into key dependencies for the most important third parties.

Author Bio

Hilary Jewhurst
Sr. Membership & Education Coordinator at TPRA
- From Risk Reality to Readiness: Practical Preparation for TPRM in 2026
In TPRA’s December blog, “TPRM State of the Industry: The 2026 Risk Reality Check,” Heather Kadavy laid out what many practitioners are dealing with heading into 2026, deeper dependency chains, more AI use by third parties, higher expectations for ongoing oversight, and external pressures that land through suppliers. This blog will discuss what to do with that reality in practice. The sections below focus on preparation and actions that can be put in place early and reused throughout the year, so programs are not rebuilding workflows every time a third party issue surfaces. What follows is practical guidance, not a maturity model or a checklist. The goal is usable steps that support consistent execution as issues surface.

1) Third Party visibility that supports decisions

Third Party issues often become harder to manage once the same questions circulate across functions. Questions such as who is involved, what systems or data are affected, and which dependencies sit behind the third party. When that information is fragmented, early coordination slows.

  - Consolidate third party inventories across Procurement, IT, Cyber, Privacy, Finance, and Compliance.
  - Tag third parties with service, data they can access, criticality, connectivity, primary hosting region, and key sub-service providers.
  - Track unknowns, such as unclear data exposure or missing sub-service provider detail, and reduce them over time.

Visibility supports alignment when decisions are needed.

2) Tiering for effective and efficient risk management

As third party populations grow, tiering becomes essential to keep program requirements proportional to inherent risk. The point is not only due diligence depth. Tiering and criticality help structure how the program addresses the most common risks and the biggest threats in a consistent way.

  - Define your risk tiers (high, moderate, and low) using inherent risk factors such as data sensitivity, access level, operational criticality, concentration risk, regulatory compliance and geography.
  - Identify third parties that are essential to operations, interact directly with customers, or could reasonably drive regulatory scrutiny if they fail or experience an incident, and flag them as critical.
  - Assign every third party both a risk tier and a critical or not critical designation, so the program can clearly identify which vendors require the most scrutiny, due diligence, monitoring, and oversight.
  - Use the risk tier to set baseline program requirements, such as due diligence scope, evidence expectations, monitoring cadence, issue management timelines, and escalation triggers.
  - For critical third parties, set heightened requirements across contracts, business continuity and disaster recovery expectations, scenario testing, performance monitoring, and incident coordination.

The intent is to structure program effort around where risk and impact concentrate.

3) Practical Nth-party accountability

Sub-service provider exposure often becomes visible after an issue has already arisen. At that point, teams are working to understand who else is involved and what leverage exists.

  - Require disclosure of material sub-service providers, hosting locations, and changes that affect data or service delivery.
  - Request sub-service provider data maps for critical third parties only, focused on dependencies that carry real impact.
  - Start with a small group of critical third parties and expand once the process is repeatable.

Sub-service provider work tends to be most useful when it starts with the dependencies that affect service delivery or data exposure, then broadens over time.

4) Monitoring with clear ownership, including performance

Many organizations receive more third party risk information than they can act on. Without thresholds and ownership, monitoring loses operational value. Monitoring also needs to cover performance, not just risk events, because service degradation and missed deliverables often surface before a formal incident.

  - Define a short list of conditions that require attention, such as breach disclosures, ransomware activity, sanctions exposure, financial distress, critical vulnerability exposure, major control changes, or sustained service issues.
  - TPRM sets the cadence and requirements for monitoring based on risk tier and criticality, including what must be reviewed, how it is documented, and when escalation is required.
  - The business owner manages third party performance and is accountable for driving timely, complete remediation with the third party, including Service Level Agreement (SLA) review, corrective actions, and escalation when customer or operational impact is at stake.

Ownership and accountability drive follow-through and better outcomes.

5) Third party incident readiness and continuity coordination

Third Party incidents rarely affect just one function. They can raise legal questions, trigger privacy assessments, affect operations, or require triage from Information Security teams. When a critical provider is degraded or offline, business continuity and recovery planning becomes part of the same conversation.

  - Develop a third party incident and continuity playbook with cyber, legal, privacy, procurement, business owners, and business continuity and recovery stakeholders.
  - Include notification and evidence requests, impact assessment, escalation paths, communications, recovery time and recovery point expectations, workaround options, and decision points for failover or alternate sourcing.
  - Run tabletop exercises that include both incident handling and service disruption scenarios, using at least one critical third party as the case study.
  - Confirm 24/7 contacts, notification SLAs, and continuity-related commitments for critical third parties, including recovery objectives and support expectations during disruptions.

Preparedness here reduces confusion during incidents and shortens the path from impact to recovery.

6) AI governance in intake and contracts

AI use by third parties can affect data handling, security controls, and compliance obligations. Addressing expectations early helps reduce rework later.

  - Ask where AI is used, what data it touches, if data is used to train models, retention practices, access controls, and incident handling.
  - Include contract language on data use, transparency, and notification when AI-related practices change.
  - Require third parties to identify material changes to AI-enabled features, underlying model providers, or data processing workflows that could affect confidentiality, integrity, availability, privacy, or regulatory obligations.

The goal is oversight and defensible governance, not blocking adoption.

7) Regional and geopolitical disruption

External pressures often reach organizations through suppliers. Preparation means thinking through how disruption would affect service delivery and contractual obligations.

  - Identify single points of failure by region, facility, cloud zone, or logistics route.
  - Document substitution options and what can be paused if disruption occurs.
  - Run scenario exercises tied to regional or geopolitical disruption and update continuity assumptions.

Scenario work surfaces dependencies that are otherwise easy to miss.

8) Cross-functional integration

Third party issues tend to escalate when relationship ownership, escalation paths, and decision authority are not clearly defined.

  - Name a business owner for each third party to own the relationship and drive risk remediation.
  - Document risk acceptance authority and escalation paths, typically an executive owner or committee.
  - Hold regular decision meetings for exceptions, remediation approvals, renewals, access changes, and exits.
  - Maintain an exceptions register with clear expiration dates.

Regular coordination keeps decisions moving and reduces friction when issues span multiple functions.

9) Develop a scorecard leadership will use

A small, consistent scorecard helps leadership see where risk is concentrated and where follow-up is lagging. Track a limited set of measures:

  - Percent of critical third parties with current evidence-based validation
  - Percent with known material sub-service providers
  - Time to triage third party incidents
  - High-risk issues past agreed timelines
  - Concentration risk across core functions

Metrics are most useful when they inform decisions and drive action.

Closing thought

None of these actions require rebuilding a TPRM program. They require clarity on roles, a disciplined way to separate critical third parties from the broader population, and monitoring and escalation approaches that connect risk signals to real follow-up. The programs that hold up best tend to be steady on the fundamentals, especially when third party issues arrive alongside procurement deadlines, operational pressure, and leadership questions.

Author Bio

Hilary Jewhurst
Sr. Membership & Education Coordinator at TPRA
Other Pages (375)
- TPRM Service Providers | TPRA
Leverage this list of third party risk management service providers in various categories to find the right vendor for your needs.

TPRM Tools

At the Third Party Risk Association, we know that finding the right vendor for your needs can be a challenge. Often, organizations may not even be aware of the potential vendors in the space. We're aiming to compile an exhaustive list of TPRM vendors across various categories to make your life a little easier. This list of TPRM Vendors is not affiliated with the TPRA, and the TPRA does not receive any monetary gain from listing them below. If you are a TPRM Vendor and would like to be included in the list below, please email Heather Kadavy at heather.kadavy@tprassociation.org.

Number found: 143

| Category | Name | TPRA Member? | URL |
| --- | --- | --- | --- |
| GRC Platform | 360Factors Inc | No | https://www.360factors.com |
| GRC Platform | Acuity Risk Management | No | http://acuityrm.com |
| GRC Platform | Archer Integrated Risk Management | No | https://www.archerirm.com/third-party-governance |
| GRC Platform | CoreStream | No | http://corestreamplatform.com |
| GRC Platform | DVV Solutions TPRM | No | https://www.dvvs.co.uk |
| GRC Platform | Diligent | No | https://www.diligent.com/ |
| GRC Platform | Ethico | No | http://www.ethico.com |
| GRC Platform | LogicGate | No | https://www.logicgate.com/solutions/third-party-risk-management/ |
| GRC Platform | LogicManager | No | https://www.logicmanager.com/ |
| GRC Platform | MetricStream | No | https://www.metricstream.com |
| GRC Platform | Navex | No | https://www.navex.com/en-us/products/navex-irm-integrated-risk-management/third-party-risk-management/ |
| GRC Platform | Onspring | No | https://onspring.com/solutions/governance-risk-compliance/third-party-risk-management/ |
| GRC Platform | OpenPages GRC by IBM | No | https://www.ibm.com/products/openpages-with-watson?utm_content=SRCWW&p1=Search&p4=43700070084211913&p5=p&gclid=f61d865decc71a305683e4bf26ab6b2c&gclsrc=3p.ds |
| GRC Platform | Optro (pka Auditboard) | No | https://optro.ai/ |
| GRC Platform | Reasonable Risk | No | https://www.reasonablerisk.com/ |
| GRC Platform | RiskOptics formerly Reciprocity | No | https://reciprocity.com/ |
| GRC Platform | SAI 360 GRC | No | https://www.sai360.com/ |
| GRC Platform | SAP Risk Management | No | https://www.sap.com/products/financial-management/risk-management.html |
| GRC Platform | ServiceNow GRC | No | https://www.servicenow.com/products/governance-risk-and-compliance.html |
| GRC Platform | Standard Fusion | No | https://www.standardfusion.com/ |
| GRC Platform | TutelaSolutions | No | https://www.tutela-solutions.com/ |
| Research & Educational Community | Cloud Security Alliance (CSA) | Yes | https://cloudsecurityalliance.org/ |
| Research & Educational Community | Dynamic Standards International (DSI) | Yes | https://dsi.org/about |
| Research & Educational Community | FAIR Institute | Yes | https://www.fairinstitute.org |
| Research & Educational Community | Global Resilience Federation (GRF) | Yes | https://www.grf.org/ |
| Research & Educational Community | High Risk Education | Yes | https://www.highriskeducation.com/ |
| Research & Educational Community | High Risk Education | No | https://www.linkedin.com/company/highriskeducation/posts/?feedView=all |
| Risk Ratings/Intelligence | Argos Risk | No | https://argosrisk.com |
| Risk Ratings/Intelligence | Bitsight | Yes | https://www.bitsight.com |
| Risk Ratings/Intelligence | Black Kite | Yes | https://blackkite.com/ |
| Risk Ratings/Intelligence | Blackwired Pte Ltd | No | https://www.blackwired.com |
| Risk Ratings/Intelligence | BreachSiren | Yes | https://breachsiren.com |
| Risk Ratings/Intelligence | Continuity Strength | Yes | https://continuitystrength.com/corporate-support |
| Risk Ratings/Intelligence | Cybercert.ai | No | https://cybercert.ai |
| Risk Ratings/Intelligence | Cyberwrite | No | https://www.cyberwrite.com/ |
| Risk Ratings/Intelligence | Dark Sky Technology, Inc. | No | http://www.darkskytechnology.com |
| Risk Ratings/Intelligence | Dun & Bradstreet | No | https://www.dnb.com/solutions/manage-supplier-risk.html |
| Risk Ratings/Intelligence | FortifyData | No | http://www.fortifydata.com |
| Risk Ratings/Intelligence | GRMS \| Global Risk Management Solutions | No | http://www.GlobalRMS.com/Difference |
| Risk Ratings/Intelligence | ISS Corporate Solutions | No | https://www.isscorporatesolutions.com/solutions/security-suite/ |
| Risk Ratings/Intelligence | Interos | Yes | https://www.interos.ai/ |
| Risk Ratings/Intelligence | Ionix previously Cyberpion | No | https://www.ionix.io/ |
| Risk Ratings/Intelligence | KHARON | No | https://www.kharon.com/ |
| Risk Ratings/Intelligence | Ncontracts | No | https://www.ncontracts.com/ |
| Risk Ratings/Intelligence | Nova Technology Limited | No | https://nova-doc.com/ |
| Risk Ratings/Intelligence | Orpheus Cyber | No | https://www.orpheus-cyber.com |
| Risk Ratings/Intelligence | Owlin | No | http://www.owlin.com |
| Risk Ratings/Intelligence | Panorays | No | https://www.panorays.com |
| Risk Ratings/Intelligence | PromptArmor | Yes | https://www.promptarmor.com |
| Risk Ratings/Intelligence | RapidRatings | No | https://www.rapidratings.com/ |
| Risk Ratings/Intelligence | Recorded Future | No | https://www.recordedfuture.com |
| Risk Ratings/Intelligence | RiskRecon by Mastercard | Yes | https://www.riskrecon.com |
| Risk Ratings/Intelligence | Semantic Visions | Yes | https://www.semantic-visions.com/ |
| Risk Ratings/Intelligence | Sentrisk | No | https://www.marshmclennan.com/sentrisk.html |
| Risk Ratings/Intelligence | Supply Wisdom | Yes | https://www.supplywisdom.com/ |
| Risk Ratings/Intelligence | TRaiCE | No | https://www.traice.io |
| Risk Ratings/Intelligence | Tenchi Security | No | https://www.tenchisecurity.com/en |
| Risk Ratings/Intelligence | The Smart Cube, a WNS company | No | https://www.thesmartcube.com/solutions/procurement-supply-chain/supplier-risk-intelligence/ |
| Risk Ratings/Intelligence | UpGuard | No | https://www.upguard.com/ |
| Risk Ratings/Intelligence | Vendict | No | https://www.vendict.com/ |
| Risk Ratings/Intelligence | Veridion | No | https://veridion.com/ |
| TPRM Platform | Aprovall | Yes | https://www.aprovall.com/en/ |
| TPRM Platform | Aravo | Yes | https://www.aravo.com |
| TPRM Platform | Atlas Systems | Yes | https://www.atlassystems.com/solutions/third-party-risk-management |
| TPRM Platform | Blue Umbrella | No | http://www.blueumbrella.com |
| TPRM Platform | Censinet | No | https://www.censinet.com |
| TPRM Platform | Certa.ai | Yes | https://certa.ai |
| TPRM Platform | Clarity360 (Kroll) | No | https://www.krollclarity.com/ |
| TPRM Platform | Coverbase | Yes | https://coverbase.ai/ |
| TPRM Platform | Crossword Cybersecurity | No | https://www.crosswordcybersecurity.com/ |
| TPRM Platform | CyberGRX (now ProcessUnity) | No | https://www.cybergrx.com |
| TPRM Platform | DSALTA | No | https://www.dsalta.com/ |
| TPRM Platform | DocuBark | Yes | https://docubark.com/ |
| TPRM Platform | DoubleCheck Software | No | http://www.doublechecksoftware.com |
| TPRM Platform | EthixBase360 (formerly EthixBase) | No | https://ethixbase360.com/ |
| TPRM Platform | Exiger | Yes | https://www.exiger.com/ |
| TPRM Platform | Fabrik | Yes | https://www.thetrustfabrik.com/ |
| TPRM Platform | Findings | No | https://findings.co/ |
| TPRM Platform | FlowForma | No | http://www.flowforma.com/flowassure |
| TPRM Platform | Fortress | No | https://fortress.ai/ |
| TPRM Platform | Gatekeeper | No | https://www.gatekeeperhq.com |
| TPRM Platform | GraphiteConnect | No | https://www.graphiteconnect.com/ |
| TPRM Platform | Hellios Information | No | https://hellios.com/ |
| TPRM Platform | Kobalt Labs | No | https://www.kobaltlabs.com/ |
| TPRM Platform | Lema | Yes | https://www.lema.ai/ |
| TPRM Platform | Locktivity | Yes | https://www.locktivity.com/ |
| TPRM Platform | Mirato | Yes | https://mirato.com/ |
| TPRM Platform | MyRiskShield | No | https://www.myriskshield.com/ |
| TPRM Platform | OneTrust | No | https://www.onetrust.com |
| TPRM Platform | Perimeter (formerly ProcessBolt) | No | https://perimeter.net/ |
| TPRM Platform | Prevalent | No | https://www.prevalent.net |
| TPRM Platform | ProcessUnity | Yes | https://www.processunity.com |
| TPRM Platform | Protecht | No | https://www.protechtgroup.com/en-us/ |
| TPRM Platform | Resilinc | No | http://www.resilinc.ai |
| TPRM Platform | Risk Ledger | No | https://riskledger.com/ |
| TPRM Platform | Safe Security | Yes | https://safe.security/ |
| TPRM Platform | SecurityScorecard | Yes | https://www.securityscorecard.io |
| TPRM Platform | Shift Security | Yes | https://www.shift.security/ |
| TPRM Platform | Smarsh (formerly Privva) | No | https://www.smarsh.com/platform/cybersecurity-risk-management/vendor-risk-management |
| TPRM Platform | Sphera (formerly RiskMethods) | No | https://sphera.com/supply-chain-risk-management/ |
| TPRM Platform | Start | No | https://www.startvrm.com/ |
| TPRM Platform | TDI | No | https://tdinternational.com/ |
| TPRM Platform | TEKRiSQ | Yes | http://TEKRiSQ.com |
| TPRM Platform | ThirdPartyTrust (a Bitsight company) | No | https://www.thirdpartytrust.com |
| TPRM Platform | ThirdŌrbit | Yes | https://thirdorbit.io |
| TPRM Platform | Trust Your Supplier | No | https://trustyoursupplier.com/ |
| TPRM Platform | TrustExchange | No | https://www.trustexchange.com |
| TPRM Platform | VISO TRUST | No | https://www.visotrust.com |
| TPRM Platform | Vanta | Yes | https://vanta.com |
| TPRM Platform | Velocity (Stern Security) | No | https://www.velocitysec.com/ |
| TPRM Platform | VendorRisk | No | https://www.vendorrisk.com |
| TPRM Platform | Vendorly | No | https://www.vendorly.com/ |
| TPRM Platform | Venminder, an Ncontracts Company | No | https://www.venminder.com |
| TPRM Platform | Whistic | No | https://www.whistic.com |
| TPRM Platform | myCYPR | No | https://www.mycypr.com/ |
| TPRM Services | AML RightSource | No | http://www.amlrightsource.com |
| TPRM Services | BDO USA | No | https://www.bdo.com |
| TPRM Services | CRFQ | Yes | https://www.crfqnow.com/ |
| TPRM Services | Cadre | No | https://www.cadre.net |
| TPRM Services | CastleHill Risk | No | https://www.castlehillrisk.com |
| TPRM Services | Certificial, Inc. | No | http://www.certificial.com |
| TPRM Services | ComplyScore | No | https://www.complyscore.com |
| TPRM Services | Copeland BUHL | No | https://www.copelandbuhl.com/ |
| TPRM Services | Crowe | No | https://www.crowe.com/services/consulting/third-party-risk-management |
| TPRM Services | Defentrix | No | https://www.defentrix.com/ |
| TPRM Services | Dixon Hughes Goodman | No | https://www.dhg.com/services/advisory |
| TPRM Services | Evident ID | No | https://www.evidentid.com |
| TPRM Services | Grant Thornton | No | https://www.grantthornton.com/services/advisory-services/cybersecurity-and-privacy/third-party-risk |
| TPRM Services | GuidePoint Security | No | http://www.guidepointsecurity.com |
| TPRM Services | HITRUST | Yes | https://hitrustalliance.net/ |
| TPRM Services | ITPN | No | http://www.ITPeopleNetwork.com |
| TPRM Services | PRAXIS Technology Escrow, LLC | No | https://praxisescrow.com |
| TPRM Services | RSM US | Yes | https://rsmus.com/ |
| TPRM Services | S&P Global Market Intelligence | Yes | https://www.spglobal.com/marketintelligence/en/mi/products/ky3p.html |
| TPRM Services | Schneider Downs | No | https://www.schneiderdowns.com/third-party-risk-management |
| TPRM Services | SecureCrest | No | https://www.securecrest.com |
| TPRM Services | Securis360 Inc. | Yes | https://securis360.com |
| TPRM Services | Sidekick Security | No | https://sidekicksecurity.io/third-party-risk-management/ |
| TPRM Services | Source Callé | No | https://www.sourcecalle.com |
| TPRM Services | TUV OpenSky | No | https://www.tuvopensky.com |
| TPRM Services | Truvo Cyber | No | http://www.Truvo.ca |
| TPRM Services | VIVIDedge | No | https://www.vivid-edge.com/ |
| TPRM Services | Vendor Centric | No | https://www.vendorcentric.com |
- TPRM JOBS | TPRA
Explore jobs in third party risk management from organizations hiring TPRM professionals. New listings added regularly. Start your search today.

TPRM Job Listings

Searching for a TPRM-specific job? Check out the listings below from organizations looking for talented TPRM professionals! Note: TPRA reserves the right to remove any job listing for any reason and without communication to the contact.

| Organization | Position | Location |
| --- | --- | --- |
| Western Alliance Bank | Third-Party Cyber Risk Engineer III | Columbus OH |
| Capital One | Principal Risk Specialist, Third Party Strategy \| Retail Bank | Richmond, VA (Hybrid) |
| Capital One | Principal Risk Specialist, Third Party Strategy \| Retail Bank | McLean, VA (Hybrid) |
| Pinnacle Method Consulting | Third Party Risk Analyst/Banking | Remote |
| Toyota North America | IT Analyst, Vendor Management | Plano, TX (Onsite) |
| Western Alliance Bank | Third-Party Cyber Risk Engineer II | Columbus OH |
| National Real Estate Insurance Group | Third Party Risk Specialist | Columbus, OH (Hybrid) |
| Bechtel Corporation | Cyber TPRM Lead | Reston, VA (Remote) |
| Ztek Consulting | GRC Consultant - TPRM | US (Remote) |
| KPMG | Director, TPRM | Chicago, IL (Hybrid) |
| OnePay | Third Party Risk Analyst | U.S. (remote) |
| Zoom | Senior Counsel, TPRM | Denver, CO |
- TPRA – Third Party Risk Management Resources, Certification & Networking
Join the TPRM community at TPRA for expert resources, training, templates, and tools to strengthen your third party risk program and grow your network.

Join the only not-for-profit, vendor-agnostic professional association uniting thousands of TPRM professionals worldwide. Furthering the profession of third party risk management through knowledge-sharing & networking.

The all-in-one source for Third Party Risk Management (TPRM) tools, templates, training, networking, certifications & industry best practices.

  - Membership (Connect & Discover): Individuals & organizations working together to advance the industry.
  - Education (Meetings & Training): Certifications & training for risk professionals to advance their careers & enhance their programs.
  - Resources (Information Sharing Site): White papers, templates, guidance & more to enhance your program.
  - Tools & Automation (Explore & Contact): Detailed profiles of trusted TPRM service provider organizations & their offerings.

Advance Your Career in Risk Management: Learn About the Benefits of TPRA Membership

Practitioner Plans (Standard: FREE; Premium: $199/yr). Benefits:

  - Member Meetings: Interactive monthly calls to discuss a variety of third party risk topics decided upon by members.
  - Conferences: In-person and virtual conferences dedicated solely to third party risk topics.
  - Networking: Online interaction with your peers through membership forums and document databases.
  - Industry-Specific Meetings: Quarterly special interest calls based on your industry.
  - Demos, Surveys, Webinars: Access to third party risk management service provider demos, surveys, & webinars.
  - Certifications: TPRM professional certifications that establish credibility and demonstrate your commitment to mastering your skills and knowledge within the industry.

Vendor Plans (4 available plans starting at $8,000/yr). Benefits:

  - Priority & Discount Sponsorship Opportunities: Be the first to sponsor conferences and receive discounted member rates, as well as priority positioning.
  - Networking & Collaboration: Attend monthly and quarterly meetings with TPRM practitioners and other service providers to network, collaborate, create resources, share insights, and more!
  - Promotional Opportunities: Work with the TPRA staff to communicate to Practitioner Members your organization's webinars, surveys, demos, blog posts, and white papers.
  - Advisory Councils: Join our TPRM Service Provider Advisory Council, as well as other groups, dedicated to collaborating, sharing insights, and providing strategic guidance.
  - Quarterly Updates: Receive quarterly updates with industry innovators to collaborate on practitioner needs.

Meetings Open to All

  - Thursday, March 12, 2026, 10:00 – 11:00 AM CT: Roundtable: Continuous Improvement and Program Maturity
  - Tuesday, March 17, 2026, 1:00 – 2:00 PM CT: Women In TPRM Meeting
  - Tuesday, April 7, 2026, 10:00 – 10:30 AM CT: New & Potential Member Call
  - Thursday, April 9, 2026, 10:00 – 11:00 AM CT: Panel: Emerging Risks and Geopolitical Uncertainty

Contact Us

Address: P.O. Box 824 Ankeny, Iowa 50021 USA
Email: info@tprassociation.org
For any general inquiries, please fill out the contact form.





