
Search Results


Blog Posts (57)

  • Tracking SLAs Manually? How to Automate Contract & Obligation Monitoring in TPRM

    In many Third Party Risk Management (TPRM) programs, contracts and service-level agreements (SLAs) are signed, filed, and then forgotten, until a renewal deadline sneaks up or a vendor fails to meet a critical performance standard and no one can prove whether the vendor was held accountable.

    If that sounds familiar, you're not alone. Contract and SLA management are two of the most underrated yet high-impact areas for TPRM automation. And the good news? You don't need a massive system overhaul to start reaping the benefits.

    Why Contract & SLA Monitoring Matters in TPRM

    Contracts contain the DNA of your third party relationships. They note:
      • What services are being delivered
      • What controls are expected
      • When the agreement expires or renews
      • What happens if something goes wrong

    If this information lives in static PDFs or folders and relies on someone remembering key dates or terms, you are exposing your organization to real risk, including:
      • Missed renewals that auto-renew unfavorable terms
      • SLA violations that go undetected and unremediated
      • Unenforced obligations that weaken your risk posture

    Automation can help solve this problem, and it doesn't have to be complex.

    What You Can Automate

    Here are several key elements of contract and SLA management you can automate today:

    1. Key Date Reminders
      • Renewal and termination notice deadlines
      • Compliance documentation expiry (e.g., an updated SOC 2 report required every 12 months)
      • Review cycles (e.g., quarterly performance check-ins)
      Automation example: auto-alerts at 90/60/30 days before renewal, with owner assignment and status tracking.

    2. Obligation Tracking
      • Ensure third parties deliver required evidence (e.g., updated penetration test results)
      • Auto-track performance standards (e.g., response times, uptime, ticket resolution)
      • Flag when obligations aren't met
      Automation example: use automated tools to extract obligations from contracts and load them into a tracker that flags upcoming deliverables.

    3. SLA Monitoring Integration
      • Link with operational data (e.g., help desk platforms, uptime monitors) to auto-validate whether SLA commitments are being met.
      • Set automated thresholds for escalation if a third party exceeds a defined limit (e.g., more than 3 late response tickets in a month).
      Automation example: when help desk tickets tied to a third party cross a certain age threshold, an alert is triggered to the TPRM team.

    Real-World Example: Automating Renewal Notifications in a Mid-Sized Bank

    A regional U.S. bank had thousands of third parties with contracts stored across multiple departments. Renewal dates were tracked in spreadsheets, and deadlines were frequently missed, resulting in automatic renewals that locked the organization into poor terms.

    "We didn't realize how often we were defaulting to auto-renewal until we missed our shot at renegotiating a major payment vendor," the TPRM manager shared.

    The team implemented a contract tracker tied to their TPRM tool that extracted and logged:
      • Contract expiration dates
      • Required notice periods
      • Assigned contract owners

    Automated alerts were triggered 90, 60, and 30 days before key dates, with color-coded status dashboards.

    Impact:
      • 100% of critical third party renewals reviewed on time
      • Saved ~$300K through renegotiated terms in Year 1
      • Improved coordination with Legal and Procurement

    Getting Started: Tools You Can Use

    You don't need a custom platform to get going. Some automation options include:
      • GRC/TPRM platforms with contract modules
      • Contract lifecycle tools (e.g., Ironclad, LinkSquares, DocuSign CLM)
      • Workflows in MS365 or Google Workspace using reminders and task lists
      • Low-code platforms like Airtable or Monday.com for custom trackers

    Key Takeaways:
      • Contracts are a goldmine of risk and performance data. Don't let them sit untouched.
      • Automating reminders and tracking obligations keeps your third parties accountable and your TPRM program compliant.
      • Start small: even a shared tracker with auto-reminders can reduce missed deadlines and drive savings.

    Author Bio
    Heather Kadavy, Senior Membership Success Coordinator
    Heather Kadavy joined the Third Party Risk Association (TPRA) in 2023 as the Senior Membership Success Coordinator. In recent years Heather has provided freelance TPRM consulting to various organizations after retiring from a Nebraska financial institution, where over nearly 35 years she oversaw and managed critical programs including Third Party Risk Management, Information Security, Physical Security, Safety, Business Recovery, Financial Crimes, Model Risk Management, and Enterprise Risk Management. In her TPRM role she had oversight of over a thousand third party relationships, systems, due diligence reviews, and contract management activities. She developed, facilitated, and implemented training programs for thousands of employees over the years. Heather is a natural-born connector of people and values relationship building as the cornerstone of her career. She encourages you to connect with TPRA and herself via LinkedIn to join in the "TPRM Global Conversation".
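    As an added worked example for the key-date reminders and SLA threshold escalation described in this post (this is not code from the post or from TPRA; the vendors, owners, contract dates and help desk tickets are constructed for illustration), the script below tracks the date that actually matters, the notice deadline rather than the expiry date, fires the tightest 90/60/30-day tier that applies, and counts late first responses per vendor per month, treating an unanswered ticket as late only once its SLA window has elapsed.

```python
"""Key-date alerts and SLA escalation for a contract tracker.

Added worked example, not code from the original post or from TPRA.
All vendor, contract and ticket data below is constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

ALERT_TIERS_DAYS = (30, 60, 90)      # checked tightest-first
LATE_TICKET_THRESHOLD = 3            # escalate when a vendor exceeds this many late tickets in a month


@dataclass(frozen=True)
class Contract:
    vendor: str
    owner: str            # accountable contract owner
    expires: date         # expiry / auto-renewal date
    notice_days: int      # non-renewal notice period the contract requires
    auto_renews: bool


@dataclass(frozen=True)
class Ticket:
    vendor: str
    opened: date
    first_response: Optional[date]   # None = vendor has not responded yet
    sla_response_days: int           # contractual first-response SLA


def notice_deadline(contract: Contract) -> date:
    """Last day to give notice before the renewal locks in.

    Tracking only the expiry date is the classic mistake: by then the notice
    window has already closed and the contract has auto-renewed."""
    return contract.expires - timedelta(days=contract.notice_days)


def due_alerts(contracts: List[Contract], today: date) -> List[Tuple[str, str, object, date]]:
    """Return (vendor, owner, tier, deadline) for every contract inside an alert window.

    tier is 30, 60 or 90 (the tightest window the deadline now falls in) or
    "OVERDUE" when the notice deadline has already passed."""
    alerts = []
    for c in contracts:
        deadline = notice_deadline(c)
        days_left = (deadline - today).days
        if days_left < 0:
            alerts.append((c.vendor, c.owner, "OVERDUE", deadline))
            continue
        for tier in ALERT_TIERS_DAYS:
            if days_left <= tier:
                alerts.append((c.vendor, c.owner, tier, deadline))
                break
    return alerts


def late_response_counts(tickets: List[Ticket], month: Tuple[int, int], today: date) -> Counter:
    """Count tickets per vendor, opened in (year, month), whose first response missed the SLA.

    An unanswered ticket is late only once its SLA window has elapsed as of today;
    one opened yesterday with a 5-day SLA is not yet a breach."""
    counts: Counter = Counter()
    for t in tickets:
        if (t.opened.year, t.opened.month) != month:
            continue
        responded = t.first_response if t.first_response is not None else today
        if (responded - t.opened).days > t.sla_response_days:
            counts[t.vendor] += 1
    return counts


def sla_escalations(tickets: List[Ticket], month: Tuple[int, int], today: date,
                    threshold: int = LATE_TICKET_THRESHOLD) -> List[str]:
    """Vendors to escalate to the TPRM team: more than `threshold` late tickets in the month."""
    counts = late_response_counts(tickets, month, today)
    return sorted(v for v, n in counts.items() if n > threshold)


# ---- constructed sample data (hypothetical vendors) ----
TODAY = date(2025, 11, 20)

SAMPLE_CONTRACTS = [
    Contract("PayCo",    "j.finance", date(2026, 3, 31), 90, True),    # notice due 2025-12-31
    Contract("HostCo",   "m.itops",   date(2026, 1, 10), 30, True),    # notice due 2025-12-11
    Contract("BackupCo", "m.itops",   date(2025, 12, 1), 60, True),    # notice due 2025-10-02, missed
    Contract("LongCo",   "j.finance", date(2026, 12, 31), 0, False),   # nothing due yet
]

SAMPLE_TICKETS = [
    Ticket("HostCo", date(2025, 11, 3),  date(2025, 11, 6),  1),   # late
    Ticket("HostCo", date(2025, 11, 5),  date(2025, 11, 5),  1),   # on time
    Ticket("HostCo", date(2025, 11, 7),  None,               1),   # unanswered, SLA long past
    Ticket("HostCo", date(2025, 11, 10), date(2025, 11, 12), 1),   # late
    Ticket("HostCo", date(2025, 11, 12), date(2025, 11, 15), 1),   # late
    Ticket("HostCo", date(2025, 10, 20), None,               1),   # previous month, not counted
    Ticket("PayCo",  date(2025, 11, 1),  date(2025, 11, 3),  2),   # exactly on SLA
    Ticket("PayCo",  date(2025, 11, 18), None,               5),   # unanswered but still within SLA
]

if __name__ == "__main__":
    for vendor, owner, tier, deadline in due_alerts(SAMPLE_CONTRACTS, TODAY):
        print(f"[{tier}] {vendor}: notice deadline {deadline}, owner {owner}")
    print("escalate:", sla_escalations(SAMPLE_TICKETS, (2025, 11), TODAY))
```

    Run daily from a scheduler, the alert list is what gets routed to the contract owner; the "OVERDUE" row for BackupCo is the situation the bank in the example was living with, a notice window that closed before anyone looked at the expiry date.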

  • Too Many Eggs, One Basket: Lessons from the AWS Outage

    In the early morning of October 20, 2025, Amazon Web Services (AWS), the backbone of much of the modern internet, experienced a widespread outage in its Northern Virginia region. Within hours, popular apps, business platforms, and government services began to slow or fail. By evening, AWS reported that services were operating normally, with some backlogs clearing after that. This was not a minor hiccup. It took much of the day to resolve, and by the time systems steadied, the outage had reminded everyone how deeply daily life depends on the same shared foundations.

    The Impact

    The outage originated in AWS's US-EAST-1 region, which supports a significant portion of global cloud activity. That single region underpins countless tools and services used every day by businesses, governments, and consumers alike. Well-known platforms such as Zoom, Venmo, and Alexa saw interruptions, but the effects reached much farther than that.

    For many organizations, the disruption was one step removed. Their own systems appeared stable, yet vendors or downstream providers that relied on AWS began to falter. Even companies with no direct AWS contract felt the slowdown through partners and service integrations that quietly depend on the same infrastructure.

    The Cause

    AWS said the incident stemmed from DNS resolution issues affecting the DynamoDB service endpoints in US-EAST-1, and began mitigation after identifying the problem (AWS update). In parallel, traffic health checks did not behave as expected, which complicated rerouting and recovery. The combination created a chain of disruptions that took most of the day to unwind.

    In short, one lookup broke, one database stalled, and everything built on top of them learned what "shared dependency" really means.

    The Response

    AWS posted regular updates, isolated the DNS issue, and restored service, with some queues taking longer to clear. By evening, operations were mostly normal.

    AWS confirmed that the outage was not the result of a cyberattack and said a detailed incident analysis would be released. The company's updates through its status page and social channels provided transparency but were highly technical, which made it difficult for non-technical teams to interpret and share meaningful updates inside their organizations.

    What This Illustrates About Concentration Risk

    This was concentration risk in practice: too much dependency in one place. The AWS US-EAST-1 region is popular because it is large, efficient, and cost-effective. That popularity concentrates demand, which magnifies impact during an incident.

    When multiple organizations and their vendors depend on the same region, a single problem can become a multi-industry event. Many companies that thought they were diversified discovered their vendors were sitting on the same underlying infrastructure.

    What It Reveals About Fourth- and Nth-Party Risk

    Even companies far removed from AWS saw disruptions. That is extended vendor risk: your vendor's vendor, or their vendor's vendor, fails and the impact reaches you.

    A payment platform might use AWS directly, while your billing software depends on that platform. Your HR system's analytics add-on might sit on AWS even if the core platform does not. The farther down the chain the issue occurs, the harder it is to see, yet the business effect is the same.

    The Broader Lesson: Shared Infrastructure Means Shared Consequences

    Cloud services and computing have made business faster and more connected. They have also made it interdependent. When one provider falters, entire industries can feel the shock.

    Technical events become business events quickly. Disruptions affect customer access, transactions, revenue, and regulatory expectations. For TPRM programs, resilience is not about predicting every outage. It is about understanding dependency risk and being ready to respond calmly when it appears.

    What TPRM Practitioners Should Be Doing Now

    The AWS outage was a free stress test. Even if your organization stayed upright, it showed how much depends on a handful of cloud providers. Now it's time to turn awareness into action.

    1. Revisit your dependency map

    Trace your direct, fourth-party, and nth-party exposure. You do not need to document every sub-vendor, but you should know where critical systems live and who connects them.
      • Review your direct vendors and note hosting provider and region.
      • Identify shared dependencies across your portfolio.
      • Flag any service that leans on a single region.
      • Share this with cybersecurity and IT partners to align contingency plans.

    2. Strengthen collaboration between TPRM and Cybersecurity/Information Technology

    When an outage hits, both perspectives are essential.
      • Cyber professionals (which may include the incident response team) focus on the how: root cause, technical exposure, and data integrity.
      • TPRM focuses on the so what: business impact, vendor accountability, and continuity of services.

    Confirm with IT which systems can run from more than one location. Confirm with TPRM which vendors must maintain uptime and notify you. If this partnership is informal, formalize a simple workflow that defines who watches vendor status, how alerts move to business leaders, and who decides when to communicate with executives or customers.

    3. Update due diligence and contracting

    Bake resilience into every step of the vendor lifecycle.

    During due diligence:
      • Ask where systems are hosted, including backup regions.
      • Require disclosure of key sub-vendors such as cloud hosts and data processors.
      • Confirm that failover is tested and recent.
      • Check that downtime tolerance matches your business needs.

    In contracts:
      • Add notification timelines for incidents that affect your data or operations.
      • Require vendors to maintain and test continuity and disaster recovery plans on a regular basis (at least annually).
      • Define how credits or remedies apply during regional incidents.
      • Include data portability and exit terms so you can migrate if reliability declines.

    For existing contracts, capture this through an addendum or vendor questionnaire. The goal is alignment between your expectations and vendors' actual capabilities.

    4. Treat vendor resilience as an ongoing metric

    Do not let resilience live in a one-time questionnaire.
      • Track uptime and incident response quarterly.
      • Watch how vendors communicate during industry-wide disruptions.
      • Follow up with any vendor that takes more than a business day to confirm whether they were affected.

    Transparency and communication matter as much as uptime.

    5. Bring the lesson to leadership

    Executives and boards care about continuity, not DNS details. Use this event as a case study, and keep it in business terms:
      • How long could you operate if your main region failed?
      • Which vendors share that region?
      • How long does recovery actually take, in hours rather than in theory?

    Boards and regulators should already be asking about cloud concentration and systemic risk. Showing mapped dependencies and credible plans signals maturity and foresight.

    Not Ready for All That Yet? Try This Instead

    If your program is not ready for the full list above, start smaller. A one-hour tabletop can surface the most important gaps before you redesign your program.

    A One-Hour Tabletop: "When the Cloud Falters"

    Scenario: your most important customer-facing service is degraded for six hours because your cloud provider's main region is down.

    Prompts:
      • What fails first, and who notices?
      • Who owns communication with leadership and customers?
      • What do you tell executives in the first 30 minutes?
      • What data confirms whether the issue is internal or supplier-related?
      • If the outage lasts more than four hours, how do you continue operations?
      • When and how do you tell customers you are stable again?

    What good looks like:
      • Clear ownership of communication and impact analysis.
      • Named roles for executive updates and recovery coordination.
      • A realistic recovery time, not a guess.
      • Two improvement items assigned for follow-up within 30 days.

    Start here. Capture where confusion happens and what slows decisions. The results will show you where to strengthen communication, contracts, and coordination next.

    Conclusion

    The AWS outage was not just about downtime. It was about concentration risk and dependency, and how quietly it grows until something forces everyone to see it. What looked like one point of failure was really a network of shared reliance across vendors, industries, and geographies.

    For TPRM professionals, the lesson is to stop treating concentration as abstract and start treating it as operational reality. Every vendor, every contract, and every dependency tells part of that story. The work ahead is not to eliminate risk; it is to ensure that when one link breaks, which it inevitably will, the rest of the chain holds.

    Additional Resource
    Explore our certificate, Securing SaaS Applications: A Comprehensive Approach to Cloud Risk Management, which provides an in-depth look at evaluating and managing risks associated with cloud-based SaaS solutions.

    Author Bio
    Hilary Jewhurst, Sr. Membership & Education Coordinator at TPRA
    Hilary Jewhurst is a seasoned expert in third-party risk and risk operations, with nearly two decades of experience across financial services, fintech, and the nonprofit sector. She has built and scaled third-party risk programs from the ground up, designed enterprise-wide training initiatives, and developed widely respected content that helps organizations navigate regulatory complexity with clarity and confidence. Known for turning insight into action, Hilary's thought leadership and educational work have become go-to resources for professionals looking to mature their TPRM programs. She regularly publishes articles, frameworks, and practical guides that break down complicated risk topics into meaningful, accessible strategies. Hilary recently joined the Third Party Risk Association (TPRA) as a staff member, supporting industry-wide education, peer learning, and advancing best practices. She is also the founder of TPRM Success, a boutique consultancy that helps organizations strengthen their third-party risk management capabilities through targeted training, tools, and strategic guidance.
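    As an added worked example of the dependency map in step 1 above and the two leadership questions ("how long could you operate if your main region failed?" and "which vendors share that region?"), the script below resolves fourth- and nth-party dependencies transitively, answers which services fail when a given region is lost, lists which services share each region, and flags every link in a chain that runs in a single region. It is not code from this post or from TPRA; the inventory, vendor names, regions and dependencies are constructed, and the "survives if any one of its regions is up" rule is this example's modelling assumption.

```python
"""Dependency map with nth-party resolution and region concentration.

Added worked example, not code from the original post or from TPRA.
The inventory is constructed; vendor names, regions and dependencies are hypothetical.
"""
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Set, Tuple

# name -> (regions the entity runs in, direct dependencies it relies on).
# Every dependency must itself be an inventory entry; a KeyError therefore means
# an unmapped sub-vendor, which is exactly the gap the exercise is meant to surface.
Inventory = Dict[str, Tuple[Set[str], Set[str]]]

INVENTORY: Inventory = {
    # your own services
    "customer-portal": ({"on-prem-dc1"}, {"PayFlow", "IdentityCo"}),
    "payroll":         ({"aws:us-east-1"}, {"HRSuite"}),
    "reporting":       ({"aws:eu-west-1", "aws:eu-central-1"}, set()),
    # direct vendors and their sub-vendors (fourth and nth parties)
    "PayFlow":        ({"aws:us-east-1"}, {"CardGateway"}),
    "CardGateway":    ({"aws:us-east-1", "aws:us-west-2"}, set()),
    "IdentityCo":     ({"gcp:us-central1"}, set()),
    "HRSuite":        ({"azure:eastus"}, {"AnalyticsAddon"}),
    "AnalyticsAddon": ({"aws:us-east-1"}, set()),   # the add-on nobody listed as a dependency
}
SERVICES = ["customer-portal", "payroll", "reporting"]


def transitive_dependencies(name: str, inventory: Inventory) -> Set[str]:
    """Every entity reachable from `name` through the dependency chain (BFS, cycle-safe)."""
    seen: Set[str] = set()
    queue = deque(inventory[name][1])
    while queue:
        entity = queue.popleft()
        if entity in seen:
            continue
        seen.add(entity)
        queue.extend(inventory[entity][1])
    return seen


def chain(service: str, inventory: Inventory) -> Set[str]:
    """The service itself plus everything it transitively depends on."""
    return {service} | transitive_dependencies(service, inventory)


def impacted_services(lost_regions: Iterable[str], inventory: Inventory,
                      services: List[str]) -> Dict[str, List[str]]:
    """Which services fail if every region in `lost_regions` is unavailable, and which link broke.

    Modelling assumption (ours, not the post's): an entity fails only when ALL of its
    regions are lost, i.e. a multi-region entity is assumed to fail over cleanly."""
    lost = set(lost_regions)
    result: Dict[str, List[str]] = {}
    for service in services:
        failed = sorted(e for e in chain(service, inventory) if inventory[e][0] <= lost)
        if failed:
            result[service] = failed
    return result


def region_concentration(inventory: Inventory, services: List[str]) -> Dict[str, List[str]]:
    """region -> services whose chain touches it; a long list is concentration risk."""
    by_region: Dict[str, Set[str]] = defaultdict(set)
    for service in services:
        for entity in chain(service, inventory):
            for region in inventory[entity][0]:
                by_region[region].add(service)
    return {r: sorted(s) for r, s in by_region.items()}


def single_region_links(service: str, inventory: Inventory) -> List[str]:
    """Entities in a service's chain that run in exactly one region (no failover at all)."""
    return sorted(e for e in chain(service, inventory) if len(inventory[e][0]) == 1)


if __name__ == "__main__":
    print("if aws:us-east-1 is down:", impacted_services({"aws:us-east-1"}, INVENTORY, SERVICES))
    print("region concentration:", region_concentration(INVENTORY, SERVICES))
    for s in SERVICES:
        print(s, "single-region links:", single_region_links(s, INVENTORY))
```

    In the sample inventory the payroll service fails twice over when us-east-1 is lost, once through its own hosting and once through an analytics add-on two hops down, while the customer portal, which is not on AWS at all, still fails through its payment vendor. Treat the multi-region assumption as something to verify in due diligence rather than accept: a vendor whose failover has never been exercised behaves like a single-region vendor, which is why the post asks for tested, recent failover evidence.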

  • Why Vendor Offboarding Is Riskier Than You Think and How Automation Can Help

    When a vendor relationship ends, the risk doesn't.

    Too often, vendor offboarding is treated as an afterthought: left to chance, split between departments, or buried in a never-used checklist. The problem? An incomplete or inconsistent termination process exposes your organization to some of the highest risks in the TPRM lifecycle. These include, but are not limited to, access that was never revoked, assets that were never returned, and data that was never deleted.

    The good news: these risks are avoidable, and automation can help.

    Why Offboarding Matters More Than You Think

    In many organizations, onboarding gets all the attention: due diligence, approvals, kickoff meetings, and security reviews. But what about the end of the relationship?

    "You wouldn't let an employee walk out the door without collecting their badge and shutting off system access. Why do we do it with vendors?"

    Poor offboarding can lead to:
      • Lingering system access and potential unauthorized activity
      • Unreturned data or devices, especially in hybrid/cloud environments
      • No formal record of what actions were completed or by whom
      • Compliance gaps if data disposal or security controls were contractual

    The Automation Opportunity

    Here's where automation can drastically improve vendor offboarding, making it faster, repeatable, and auditable.

    1. Triggering the Offboarding Workflow Automatically
      • When a contract is marked as terminated or not renewed, the system kicks off automated offboarding activities.
      • It can route these activities to IT, InfoSec, Procurement, and TPRM automatically.
      Tool tip: use a trigger from your TPRM tool, GRC system, or contract lifecycle platform to launch this sequence.

    2. Auto-Assigning Offboarding Tasks
      Such offboarding tasks can include, but are not limited to:
      • Revoking system access and credentials
      • Collecting physical or virtual assets
      • Confirming data destruction or secure transfer
      • Archiving vendor risk files and workpapers
      Tool tip: use tools like ServiceNow, Jira, or Monday.com to assign tasks and track completion status in real time.

    3. Generating & Storing Offboarding Evidence
      • The system can require documentation uploads or confirmations (e.g., a screenshot of deprovisioned access, destruction certificates) for completed offboarding tasks.
      • It can also store all evidence in the third party profile for audit purposes.
      Tool tip: attach offboarding steps to a third party profile in your TPRM platform, or centralize storage in a secure SharePoint folder.

    4. Post-Termination Reviews
      • Set up a short internal review form to capture any final third party risks or lessons learned.
      • Optionally trigger a survey to business owners to assess third party performance.
      • Update the third party's profile to note whether the third party can be used again or whether it is recommended not to do business with them.
      Tool tip: use Microsoft Forms or Google Forms and auto-send based on the third party status change.

    Real-World Example: Offboarding Automation at a Global Fintech

    A fintech company with over 1,200 third parties discovered that more than 30% of "inactive" third parties still had some form of residual access, including access to shared cloud folders and legacy single sign-on (SSO) profiles.

    The organization implemented a third party offboarding checklist built into their TPRM platform, which auto-triggered when a contract end date was reached or when a business owner marked a third party as "no longer in use." Each task (deprovisioning access, collecting assets, confirming data deletion) was auto-assigned to the pertinent stakeholders with deadlines and owner accountability.

    Results in the first 6 months:
      • Reduced open-access risk by 78%
      • 100% of offboarding steps documented and accessible for audits
      • Stronger alignment between TPRM, InfoSec, and Procurement

    Getting Started: Questions to Ask
      • Do we have a standard offboarding checklist for third parties?
      • Who owns each task, and how do we know the tasks were completed?
      • Can we identify all third parties with system access that may still be active post-contract?
      • Do we store evidence of data destruction or handover?

    Quick Win to Try

    Start by creating a centralized third party offboarding checklist with due dates and owner fields. Even if you use Excel or a Google Form at first, link this to third party termination triggers and build consistency from there. Then explore how your existing tools (TPRM platform, ticketing system, workflow automation) can formalize and automate the process.

    For additional information on the third party termination process, view TPRA's TPRM 101 Guidebook.

    Author Bio
    Heather Kadavy, Senior Membership Success Coordinator
    Heather Kadavy joined the Third Party Risk Association (TPRA) in 2023 as the Senior Membership Success Coordinator. In recent years Heather has provided freelance TPRM consulting to various organizations after retiring from a Nebraska financial institution, where over nearly 35 years she oversaw and managed critical programs including Third Party Risk Management, Information Security, Physical Security, Safety, Business Recovery, Financial Crimes, Model Risk Management, and Enterprise Risk Management. In her TPRM role she had oversight of over a thousand third party relationships, systems, due diligence reviews, and contract management activities. She developed, facilitated, and implemented training programs for thousands of employees over the years. Heather is a natural-born connector of people and values relationship building as the cornerstone of her career. She encourages you to connect with TPRA and herself via LinkedIn to join in the "TPRM Global Conversation".
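    As an added worked example of the question "can we identify all third parties with system access that may still be active post-contract?", the script below reconciles the vendor roster against SSO accounts and shared-folder grants, the two places the fintech in this post found residual access. It is not code from the post or from TPRA; the roster, accounts and grants are constructed, and the "vendor-<slug>" group naming convention and the per-account vendor attribute are assumptions of this example. Two details matter in practice and are handled here: a vendor whose contract end date has passed is treated as ended even if nobody flipped its status field, and an account that logged in after the contract ended is reported separately, because that is the finding to investigate first.

```python
"""Residual vendor access check: reconcile the vendor roster against identity and share data.

Added worked example, not code from the original post or from TPRA. The roster,
SSO accounts and share grants are constructed; the "vendor-<slug>" group naming
convention and the vendor attribute on IdP accounts are assumptions of this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Vendor:
    name: str
    status: str                   # "active" or "terminated" in the TPRM tool
    contract_end: Optional[date]  # None = evergreen / no end date on file


@dataclass(frozen=True)
class SsoAccount:
    user: str
    vendor: str                   # vendor attribute on the IdP account
    enabled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class ShareGrant:
    path: str
    principal: str                # group or user the grant is for
    permission: str


def vendor_slug(name: str) -> str:
    return name.lower().replace(" ", "-")


def ended_vendors(vendors: List[Vendor], today: date) -> Set[str]:
    """Relationships that are over: marked terminated, OR contract end date already passed.

    The second test catches the common case where the contract lapsed but nobody
    updated the status field, so the vendor still looks "active" in the tool."""
    return {v.name for v in vendors
            if v.status == "terminated" or (v.contract_end is not None and v.contract_end < today)}


def residual_access_report(vendors: List[Vendor], accounts: List[SsoAccount],
                           grants: List[ShareGrant], today: date) -> Dict[str, Dict[str, List[str]]]:
    """For each ended vendor with anything left behind: enabled SSO accounts, share grants,
    and accounts that logged in AFTER the contract ended (the strongest signal to investigate)."""
    end_dates = {v.name: v.contract_end for v in vendors}
    report: Dict[str, Dict[str, List[str]]] = {}
    for vendor in sorted(ended_vendors(vendors, today)):
        sso = sorted(a.user for a in accounts if a.vendor == vendor and a.enabled)
        shares = sorted(g.path for g in grants if g.principal == "vendor-" + vendor_slug(vendor))
        end = end_dates[vendor]
        used_after_end = sorted(a.user for a in accounts
                                if a.vendor == vendor and a.last_login is not None
                                and end is not None and a.last_login > end)
        if sso or shares:
            report[vendor] = {"sso": sso, "shares": shares, "used_after_end": used_after_end}
    return report


def residual_rate(vendors: List[Vendor], accounts: List[SsoAccount],
                  grants: List[ShareGrant], today: date) -> float:
    """Share of ended vendors that still hold some access (the metric behind the 30% figure)."""
    ended = ended_vendors(vendors, today)
    if not ended:
        return 0.0
    return len(residual_access_report(vendors, accounts, grants, today)) / len(ended)


# ---- constructed sample data (hypothetical vendors, accounts and paths) ----
TODAY = date(2025, 11, 20)
VENDORS = [
    Vendor("Acme Payroll", "active",     date(2026, 6, 30)),
    Vendor("OldHost",      "terminated", date(2025, 3, 31)),
    Vendor("DataVault",    "active",     date(2025, 9, 30)),   # lapsed, status never updated
    Vendor("SupportCo",    "terminated", date(2025, 8, 15)),   # cleanly offboarded
    Vendor("Consultix",    "active",     None),
]
ACCOUNTS = [
    SsoAccount("svc-oldhost",       "OldHost",      True,  date(2025, 5, 2)),    # used after termination
    SsoAccount("j.doe@oldhost",     "OldHost",      False, date(2025, 2, 1)),
    SsoAccount("api-datavault",     "DataVault",    True,  date(2025, 7, 10)),
    SsoAccount("a.smith@supportco", "SupportCo",    False, None),
    SsoAccount("p.lee@acme",        "Acme Payroll", True,  date(2025, 11, 19)),
]
GRANTS = [
    ShareGrant("/shared/finance/exports",  "vendor-datavault",    "read"),
    ShareGrant("/shared/hr/onboarding",    "vendor-acme-payroll", "write"),
    ShareGrant("/shared/legacy/migration", "vendor-oldhost",      "write"),
    ShareGrant("/shared/it/tickets",       "helpdesk-staff",      "read"),
]

if __name__ == "__main__":
    for vendor, found in residual_access_report(VENDORS, ACCOUNTS, GRANTS, TODAY).items():
        print(vendor, found)
    print(f"residual access rate: {residual_rate(VENDORS, ACCOUNTS, GRANTS, TODAY):.0%}")
```

    The reconciliation is only as good as the vendor attribute on each account and the naming convention on each group; service accounts and API keys are the ones most often created without either, so tagging them with the vendor at creation is what makes this check complete rather than a sample.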


Other Pages (500)

  • TPRM JOBS | TPRA

    Explore jobs in third party risk management from organizations hiring TPRM professionals. New listings added regularly. Start your search today.

    TPRM Job Listings

    Searching for a TPRM-specific job? Check out the listings below from organizations looking for talented TPRM professionals!

    Note: TPRA reserves the right to remove any job listing for any reason and without communication to the contact.

      • Gartner: Sr. Director Analyst, IT Vendor Risk Management (Remote, US)
      • Western Alliance Bank: Third Party Risk Professional (Phoenix, AZ)
      • Intuit: Staff Analyst, TPRM (Mountain View, CA)
      • lululemon: Program Manager - Cyber Security, TPRM (Seattle, WA, onsite)
      • DoorDash: Senior Analyst, TPRM (Remote)
      • KeyBank: TPRM, Shared Services & Regulation W Officer (Cleveland, OH, remote)
      • Roblox: Senior Manager, Vendor Operations & Compliance (San Mateo, CA, hybrid)
      • American Express: Director & Counsel, TPRM (New York, NY, hybrid)
      • Software Guidance & Assistance Inc (SGA, Inc): Third Party Risk Management (Portsmouth, NH, remote)
      • Amtex Systems Inc: GRC (3rd Party Risk) Analyst (United States, remote)
      • Fremont Bank: Vendor Management Administrator (Livermore, CA, onsite)
      • Vertex Pharmaceuticals: Senior Manager, TPRM (Boston, MA, hybrid)

  • WNTPRM Recorded Meetings | TPRA

    Watch Women in TPRM recordings of past monthly meetings. Hear insights from women leaders and practitioners driving change in third party risk management.

    WNTPRM On-Demand Meetings (each with PowerPoint and video recording):
      • Tuesday, November 18, 2025, 1:00 - 2:00 PM CT: Women In TPRM Meeting
      • Tuesday, September 16, 2025, 1:00 - 2:00 PM CT: Women In TPRM Meeting
      • Tuesday, July 15, 2025, 1:00 - 2:00 PM CT: Women In TPRM Meeting
      • Tuesday, June 17, 2025, 1:00 - 2:00 PM CT: Women In TPRM Meeting
      • Tuesday, May 20, 2025, 1:00 - 2:00 PM CT: Women In TPRM Meeting
      • Tuesday, April 15, 2025, 1:00 - 2:00 PM CT: Women In TPRM Meeting

  • WOMEN IN TPRM PROGRAM | TPRA

    Join TPRA's Women in TPRM program to uplift and support women in the industry through mentorship, leadership development, and recognition. Empowering the next generation of women leaders in TPRM.

    Our Goals

    The Women in TPRM (WNTPRM) Program is dedicated to empowering women in the Third Party Risk Management (TPRM) industry. This program is open to all, regardless of TPRA membership status or gender identity. Through collaborative efforts, we aim to:
      • Uplift Women in TPRM: advocate for professional growth and recognition.
      • Provide Access to Higher-Paying Roles: break barriers to equitable opportunities in TPRM careers.
      • Celebrate & Support Women: establish a platform to spotlight achievements and nurture community.
      • Cultivate Future Leaders: develop the next generation of trailblazers in TPRM.

    What We Do

    We meet monthly to strategize on achieving these goals and to address challenges within the field. You do not need to be a TPRA member to participate in this program, but some facets of this program are member-specific, such as our 'Women in TPRM' Slack channel, where TPRA Practitioner Members can continue meaningful conversations, share resources, and collaborate. Standard Practitioner Membership is free, and all TPRA Practitioner Members are invited to join our Slack Forum. Members and non-members can join our LinkedIn group to stay connected.

    Our initiatives include:
      • Advocating for the importance of women in TPRM through educational resources and outreach.
      • Providing access to tools, techniques, and insights that uplift and empower women in the field.
      • Showcasing and celebrating women leaders who inspire and shape the TPRM landscape.
      • Sharing job opportunities from organizations committed to supporting women in TPRM.

    Join us as we drive change, foster leadership, and build a brighter future for women in TPRM!

    Upcoming Meetings
      • December 16, 2025, 1:00 - 2:00 PM CT: Women In TPRM Meeting
      • January 20, 2026, 1:00 - 2:00 PM CT: Women In TPRM Meeting
      • February 17, 2026, 1:00 - 2:00 PM CT: Women In TPRM Meeting

    Programs & Resources

    Women Lead Spotlights: Our Women Lead Program is dedicated to showcasing inspiring leaders by highlighting their stories. Our goal for this program is to learn from and be inspired by women leaders in the field of Third Party Risk Management (TPRM) throughout various industries. View our leaders and learn how to nominate and/or apply to become a spotlight.

    Resource Sharing Library: Our Women in TPRM Resource Sharing Library contains a variety of women-in-business materials, including reports on the latest women in business trends and statistics, blogs and articles on relevant and current happenings, and TED Talks featuring inspiring women in business educating others on how to navigate the business world and find success in their careers.

    Leadership Ladders: Originally developed by TPRA's Women in TPRM "Lead" work group, this training activity is designed for all current and aspiring leaders within the Third Party Risk Management (TPRM) industry. Inspired by the classic "Chutes and Ladders" game, it is an all-in-one roadmap to leadership in the form of a nostalgic, virtual board game. Each box on the board is linked to a valuable resource, including customized guides, blogs, videos, quizzes, and more, with the goal of enhancing your leadership potential through buildable skills and expert insights. Any professional, regardless of career stage, can find value in this activity.

    Recorded Meetings: View meeting recordings and PowerPoints from our monthly Women In TPRM Meetings.

    Statistics
      • Women represent only 15-20% of the Governance, Risk and Compliance profession (GRC World Forums, 2021).
      • Only about 25% of security and risk management (SRM) executives are women (Gartner Inc., 2019).
      • Gender-diverse and inclusive teams outperform gender-homogeneous, less-inclusive teams by an average of 50% (Gartner Inc., 2019).
      • According to one survey, 24% of global cybersecurity employees are women, and 18% of CIOs/CTOs are female (Deloitte, 2021).

    Quotes
      • "Diversity matters not just because increasing representation of minorities and women in a fast growing and critical field is the right thing to do, but because a variety of viewpoints are key to solving hard problems." Johanna Werbach, SVP, General Counsel - Legal, Bitsight
      • "...change must come from within the industry and not be mandated from external parties." Karie Burt, Chief Data and Privacy Officer, MeritB2B
      • "With different backgrounds and perspectives and voices at the table and in an environment where their contributions are really valued, you benefit from a much more expansive conversation and one that's much more likely to uncover the full range of possibilities and solutions." Vanessa Jankowski, VP & GM, TPRM, BitSight

    Read "Women in CyberSecurity"
