Search Results
466 results found with an empty search
Events (4)
- Peaks & Pitfalls: Charting the TPRM Terrain | Tickets: $51.25 - $1,640.00 | April 20, 2026 | 10:00 PM | 3801 Quebec St, Denver, CO 80207
- December 10, 2025 | 6:00 PM
- December 10, 2025 | 2:00 PM
Blog Posts (102)
- Coordinating Third Party Incidents Across the Extended Enterprise | TPRM Exchange Podcast Episode 1
In today’s third party risk landscape, the most significant incidents often don’t originate within your organization; they come from vendors, suppliers, and partners you depend on. When that happens, your team is left responding to an event you don’t control, with limited visibility and increasing pressure from leadership and regulators.

In this episode of the TPRM Exchange Podcast, host Hilary Jewhurst sits down with Sagar Sudhir Behere, Enterprise (ERM) & Third Party Risk (TPRM) Oversight Senior Manager, to explore what effective incident response looks like in a third party context. Drawing from deep experience in resilience planning and complex outsourced environments, Sagar shares practical insights on how organizations can better coordinate, communicate, and respond when vendor incidents occur.

“Early response is about decision-making under uncertainty—not perfect information.”

Together, they discuss the key differences between internal and third party incidents, common misconceptions around vendor visibility, and why contractual protections alone aren’t enough. The conversation also dives into how to balance speed with accuracy, manage internal stakeholder tension, and build stronger recovery and resilience practices after an incident.

“Move fast with awareness. Slow down with conclusions.”

Whether you’re building or maturing your TPRM program, this episode offers actionable guidance to help you improve incident response coordination and strengthen your organization’s readiness.

What You’ll Learn
  - How third-party incidents differ from internal incidents—and why that matters
  - What information is critical in the first hours of an incident
  - Common blind spots, including fourth-party dependencies
  - Why contracts don’t guarantee effective incident response
  - How to balance speed, uncertainty, and communication
  - What defines a truly successful recovery
  - A practical exercise to improve vendor incident readiness

“You’ll learn more in one hour of a vendor scenario than months of questionnaires.”

About the Guest
Sagar Sudhir Behere is a recognized thought leader in Third Party Risk Management (TPRM) and Enterprise Risk Management (ERM), with decades of experience implementing innovative risk frameworks across Fortune 100s, Tech, FinTech, and FAANG organizations. As Head of TPRM at Circle Internet Financial, he has built Circle’s TPRM program from the ground up, achieving industry-leading efficiency and automation, including reducing vendor risk assessment processes by over 90%. His work integrates blockchain, AI, and automation to optimize compliance, risk oversight, and operational resilience. Sagar is an active contributor to industry standards and best practices, mentoring emerging leaders in risk management. He regularly shares his expertise at global conferences and the customer advisory board, influencing how organizations worldwide approach AI, automation, and blockchain integration in risk programs. His contributions are recognized for driving original, impactful solutions that redefine efficiency, governance, and innovation in global risk management.

Have a question or topic idea? Send us your suggestions at: pod@tprassociation.org
- From Risk Reality to Readiness: Practical Preparation for TPRM in 2026
In TPRA’s December blog, “TPRM State of the Industry: The 2026 Risk Reality Check,” Heather Kadavy laid out what many practitioners are dealing with heading into 2026: deeper dependency chains, more AI use by third parties, higher expectations for ongoing oversight, and external pressures that land through suppliers. This blog will discuss what to do with that reality in practice. The sections below focus on preparation and actions that can be put in place early and reused throughout the year, so programs are not rebuilding workflows every time a third party issue surfaces. What follows is practical guidance, not a maturity model or a checklist. The goal is usable steps that support consistent execution as issues surface.

1) Third Party visibility that supports decisions
Third Party issues often become harder to manage once the same questions circulate across functions: who is involved, what systems or data are affected, and which dependencies sit behind the third party. When that information is fragmented, early coordination slows.
  - Consolidate third party inventories across Procurement, IT, Cyber, Privacy, Finance, and Compliance.
  - Tag third parties with service, data they can access, criticality, connectivity, primary hosting region, and key sub-service providers.
  - Track unknowns, such as unclear data exposure or missing sub-service provider detail, and reduce them over time.
Visibility supports alignment when decisions are needed.

2) Tiering for effective and efficient risk management
As third party populations grow, tiering becomes essential to keep program requirements proportional to inherent risk. The point is not only due diligence depth. Tiering and criticality help structure how the program addresses the most common risks and the biggest threats in a consistent way.
  - Define your risk tiers (high, moderate, and low) using inherent risk factors such as data sensitivity, access level, operational criticality, concentration risk, regulatory compliance, and geography.
  - Identify third parties that are essential to operations, interact directly with customers, or could reasonably drive regulatory scrutiny if they fail or experience an incident, and flag them as critical.
  - Assign every third party both a risk tier and a critical or not critical designation, so the program can clearly identify which vendors require the most scrutiny, due diligence, monitoring, and oversight.
  - Use the risk tier to set baseline program requirements, such as due diligence scope, evidence expectations, monitoring cadence, issue management timelines, and escalation triggers.
  - For critical third parties, set heightened requirements across contracts, business continuity and disaster recovery expectations, scenario testing, performance monitoring, and incident coordination.
The intent is to structure program effort around where risk and impact concentrate.

3) Practical Nth-party accountability
Sub-service provider exposure often becomes visible after an issue has already arisen. At that point, teams are working to understand who else is involved and what leverage exists.
  - Require disclosure of material sub-service providers, hosting locations, and changes that affect data or service delivery.
  - Request sub-service provider data maps for critical third parties only, focused on dependencies that carry real impact.
  - Start with a small group of critical third parties and expand once the process is repeatable.
Sub-service provider work tends to be most useful when it starts with the dependencies that affect service delivery or data exposure, then broadens over time.

4) Monitoring with clear ownership, including performance
Many organizations receive more third party risk information than they can act on. Without thresholds and ownership, monitoring loses operational value. Monitoring also needs to cover performance, not just risk events, because service degradation and missed deliverables often surface before a formal incident.
  - Define a short list of conditions that require attention, such as breach disclosures, ransomware activity, sanctions exposure, financial distress, critical vulnerability exposure, major control changes, or sustained service issues.
  - TPRM sets the cadence and requirements for monitoring based on risk tier and criticality, including what must be reviewed, how it is documented, and when escalation is required.
  - The business owner manages third party performance and is accountable for driving timely, complete remediation with the third party, including Service Level Agreement (SLA) review, corrective actions, and escalation when customer or operational impact is at stake.
Ownership and accountability drive follow-through and better outcomes.

5) Third party incident readiness and continuity coordination
Third Party incidents rarely affect just one function. They can raise legal questions, trigger privacy assessments, affect operations, or require triage from Information Security teams. When a critical provider is degraded or offline, business continuity and recovery planning becomes part of the same conversation.
  - Develop a third party incident and continuity playbook with cyber, legal, privacy, procurement, business owners, and business continuity and recovery stakeholders.
  - Include notification and evidence requests, impact assessment, escalation paths, communications, recovery time and recovery point expectations, workaround options, and decision points for failover or alternate sourcing.
  - Run tabletop exercises that include both incident handling and service disruption scenarios, using at least one critical third party as the case study.
  - Confirm 24/7 contacts, notification SLAs, and continuity-related commitments for critical third parties, including recovery objectives and support expectations during disruptions.
Preparedness here reduces confusion during incidents and shortens the path from impact to recovery.

6) AI governance in intake and contracts
AI use by third parties can affect data handling, security controls, and compliance obligations. Addressing expectations early helps reduce rework later.
  - Ask where AI is used, what data it touches, whether data is used to train models, retention practices, access controls, and incident handling.
  - Include contract language on data use, transparency, and notification when AI-related practices change.
  - Require third parties to identify material changes to AI-enabled features, underlying model providers, or data processing workflows that could affect confidentiality, integrity, availability, privacy, or regulatory obligations.
The goal is oversight and defensible governance, not blocking adoption.

7) Regional and geopolitical disruption
External pressures often reach organizations through suppliers. Preparation means thinking through how disruption would affect service delivery and contractual obligations.
  - Identify single points of failure by region, facility, cloud zone, or logistics route.
  - Document substitution options and what can be paused if disruption occurs.
  - Run scenario exercises tied to regional or geopolitical disruption and update continuity assumptions.
Scenario work surfaces dependencies that are otherwise easy to miss.

8) Cross-functional integration
Third party issues tend to escalate when relationship ownership, escalation paths, and decision authority are not clearly defined.
  - Name a business owner for each third party to own the relationship and drive risk remediation.
  - Document risk acceptance authority and escalation paths, typically an executive owner or committee.
  - Hold regular decision meetings for exceptions, remediation approvals, renewals, access changes, and exits.
  - Maintain an exceptions register with clear expiration dates.
Regular coordination keeps decisions moving and reduces friction when issues span multiple functions.

9) Develop a scorecard leadership will use
A small, consistent scorecard helps leadership see where risk is concentrated and where follow-up is lagging. Track a limited set of measures:
  - Percent of critical third parties with current evidence-based validation
  - Percent with known material sub-service providers
  - Time to triage third party incidents
  - High-risk issues past agreed timelines
  - Concentration risk across core functions
Metrics are most useful when they inform decisions and drive action.

Closing thought
None of these actions require rebuilding a TPRM program. They require clarity on roles, a disciplined way to separate critical third parties from the broader population, and monitoring and escalation approaches that connect risk signals to real follow-up. The programs that hold up best tend to be steady on the fundamentals, especially when third party issues arrive alongside procurement deadlines, operational pressure, and leadership questions.

Author Bio
Hilary Jewhurst, Sr. Membership & Education Coordinator at TPRA
Hilary Jewhurst is a seasoned expert in third party risk and risk operations, with nearly two decades of experience across financial services, fintech, and the nonprofit sector. She has built and scaled third party risk programs from the ground up, designed enterprise-wide training initiatives, and developed widely respected content that helps organizations navigate regulatory complexity with clarity and confidence. Known for turning insight into action, Hilary’s thought leadership and educational work have become go-to resources for professionals looking to mature their TPRM programs. She regularly publishes articles, frameworks, and practical guides that break down complicated risk topics into meaningful, accessible strategies. Hilary recently joined the Third Party Risk Association (TPRA) as a staff member, supporting industry-wide education, peer learning, and advancing best practices. She is also the founder of TPRM Success, a boutique consultancy that helps organizations strengthen their third party risk management capabilities through targeted training, tools, and strategic guidance.
- Continuous Improvement in TPRM: When “Good Enough” Becomes a Problem
Most third party risk management (TPRM) programs stall not from a lack of effort, but because teams get stuck in routine: assessments proceed, documents are exchanged, and dashboards look fine. It all appears effective until someone asks a tougher question: is the program really getting better, or is it just running as usual? Practitioners often recognize when nothing is broken, but the process feels stuck. The same issues repeat, third parties ask familiar questions, and teams rely on old workarounds to avoid disrupting the routine. At this point, the program may seem mature from the outside, but inside it has settled into maintenance mode. The team is focused on keeping things running rather than questioning whether the process still fits. This gradual shift is when continuous improvement matters most.

The Risk of Operational Comfort
Repetition in TPRM programs can signal maturity or simply routine. Templates have passed audits, questionnaires seem complete, and the team knows where manual fixes are needed because they’ve seen these problems before. Meanwhile, the organization is changing. Third parties may offer more products or assume larger roles. Cloud use grows, and data sharing is more complicated than when the program started. A third party that once handled a small task might now be responsible for a critical function. If the program runs as originally designed, it can lose touch with the environment and rely on outdated assumptions, even as risks change.

Actions to Take: Once a year, bring together Security, Procurement, Legal, and business stakeholders for a practical discussion on how the program reflects the risks of current operations. Ask which third parties are more critical today than they were a few years ago, which parts of the process cause the most friction, and which risks feel harder to evaluate than they used to. Those answers usually reveal where the program has fallen out of alignment.

Continuous Improvement Is Not a Program Overhaul
“Continuous improvement” can sound daunting, like a massive redesign or endless meetings. But small, steady steps are more practical and effective than big overhauls. Simple changes can help without overwhelming the team. In reality, improvement is often much simpler. It’s about noticing what the program is already showing you and using that to make changes. Most stalled programs don’t lack effort. They lack a way to learn from results. Lessons are recorded but rarely drive change. Onboarding problems persist, and third party incidents are treated as isolated incidents rather than as prompts for process improvement.

Pro tip: Review last year’s most common third party findings. Clearly identify whether they led to changes in the program, such as revised questionnaires, clarified evidence requirements, enhancements to contracts, or altered monitoring priorities. If you identify no resulting changes, the takeaway is that the program needs a stronger improvement loop, not more automation.

The Feedback Loop Many Programs Overlook
TPRM programs naturally generate assessments, test results, follow-up on incidents, and alerts that reveal how well the process works. But most teams focus on completing tasks, rarely pausing to spot patterns. Continuous improvement begins when practitioners see this data as feedback. Some controls get vague answers from third parties. Or maybe certain requirements tend to lead to frequent exceptions. Monitoring sometimes finds problems that assessments missed. These are not just third party actions; they show where the program needs to change. Programs that adapt to these patterns become more effective over time. Updating the process with new insights is key.

Actions to Take: Once a quarter, review several completed assessments and ask a simple question: what did these reviews teach us about our process? Not only about the third parties, but about the program itself. To make these quarterly reflections easier, consider using questions like:
  - Which requirements caused the most confusion or pushback from third parties?
  - Did any part of our process slow down unnecessarily, and why?
  - Are there risks we failed to catch until after the assessment, and what signals did we overlook?
These questions highlight where the program needs to change and encourage real discussion.

Where Improvement Usually Starts
Improvement usually begins in three areas: assessments, governance, and risk communication.

Assessment questionnaires often grow over time as new questions are added but rarely removed. Eventually, they become hard to complete and review, without adding value. Mature programs review assessments, remove redundancies, clarify evidence needs, and focus on meaningful risk controls.

Pro tip: Identify the questions third parties struggle to answer most often. If responses are vague or copied from policy templates, the issue may not be the third parties. The question itself may need revision or a different validation approach.

Governance models need regular review. Current third party tiering may be outdated, and review schedules can become unbalanced. Regular checks help restore focus where it matters most.

Actions to Take: Review the third party inventory and ask a simple operational question: if this third party failed tomorrow, what would actually happen to the business? If the answer does not match the third party’s current risk tier or oversight level, the governance model likely needs adjustment.

Risk communication often requires improvement. Detailed reports may obscure key decisions. Sometimes, making reports clearer and simpler is the most valuable change.

Pro tip: In the next leadership report, replace one status slide with a single prompt: what third party risk decision requires attention this quarter? If that question is difficult to answer, the reporting model may need refinement.

Identifying When Your Program Has Plateaued
Teams rarely admit that a program has stalled, even when clear patterns appear: repeated findings, recurring exceptions, and reviews that have become routine. This plateau doesn’t mean failure. It just means it’s time to rethink improvement. Instead of just checking whether the process is followed, the team should ask whether it still aligns with reality. The key is that moving from just maintaining to reflecting helps the program grow.

Actions to Take: Choose one program component each year and deliberately revisit its design. It might be third party tiering, assessment scope, monitoring strategy, or reporting. Improvement rarely appears on its own. Someone has to decide that it is time to look again.

Continuous Improvement as a Habit
The best TPRM programs aren’t always the ones with the longest questionnaires or the most detailed governance charts. They are the ones where people stay curious about how their process works and work to make it better. They review their assumptions before they become outdated, learn from third party incidents instead of treating them as isolated events, and adjust oversight when business needs change. Continuous improvement is a habit, not a project. Regular reflection is essential to maintaining the value of third party risk management as a practice. When this habit becomes routine, maturity usually follows. It’s not because the framework is perfect, but because the program keeps learning.
Other Pages (360)
- TPRM JOBS | TPRA
Explore jobs in third party risk management from organizations hiring TPRM professionals. New listings added regularly. Start your search today.

TPRM Job Listings
Searching for a TPRM-specific job? Check out the listings below from organizations looking for talented TPRM professionals! Note: TPRA reserves the right to remove any job listing for any reason and without communication to the contact.
  - Midland Credit Management, an Encore Capital Group Company: Vendor Management Specialist (San Diego, CA)
  - Wells Fargo: Lead Business Execution Consultant - Third Party Risk Insights (Charlotte, NC)
  - The Hanover Insurance Group: Director of Vendor Management (Worcester, MA or Remote)
  - N-iX: TPRM Risk Manager (United States, Remote)
  - Morgan Stanley: Director, Operations (Strategic Partner and Vendor Management) - Parametric (Seattle, WA)
  - DLB Associates: Risk and Contracts Manager (United States, Remote)
  - Point72: Third Party Risk Specialist (New York, NY, onsite)
  - Sayari: Senior Product Manager - TPRM (Washington, DC, onsite)
  - Humana: AVP, Vendor Performance and Value Management (United States, remote)
  - Citi: Vice President - Third Party Resilience 2nd LOD Lead Analysts - Risk (Tampa, FL, hybrid)
  - Byline Bank: Vendor Management Analyst (Hybrid Schedule, IL)
- VENDOR-HOSTED EVENTS | TPRA
Learn about and register for events outside of the TPRA that are applicable to TPRM.

Vendor-Hosted Events
The TPRA promotes the industry of third party risk, which includes events conducted by other third party risk-related groups and organizations. Check back here regularly to see our list of vendor-hosted events. If you would like to promote your next third party risk-specific event, please complete the form below. Disclaimer: TPRA does not endorse or sponsor the products/services of one particular organization; however, we do communicate training opportunities for the benefit of the community.
  - Bitsight, Webinar: Live Webinar: When Attackers Choose Your Vendors. Thursday, March 26, 2026, 12:00 PM EST
  - Vanta, Webinar: Learn How to Automate Compliance for SOC 2, ISO 27001, and More. Thursday, April 9, 2026, 12:00 PM ET
  - DRI International, Webinar: Fusion Risk Management Sponsored Webinar: Advancing Resilience Testing with AI: From Static Tabletop Exercises to Data-Driven Scenario Intelligence. Tuesday, April 14, 2026, 2:00 PM EDT
  - Exiger, Webinar: Webinar Series: From Risk Awareness to Supply Chain Advantage. Thursday, April 16, 2026, 10:00 AM GMT
  - Drata Inc., Webinar: Aligning EU AI Act, ISO Standards & AI Governance for Scalable Compliance. Thursday, April 23, 2026, 2:00 PM BST
  - Cloud Security Alliance (CSA), Virtual Conference: Agentic AI Security Summit 2026. Wednesday, April 29, 2026, 11:00 AM EDT
  - Cloud Security Alliance (CSA), Virtual Conference: Cloud Threats & Vulnerabilities Summit 2026. Wednesday, May 20, 2026, 11:00 AM EDT
  - Center for Financial Professionals (CeFPro), In-Person Conference: Vendor & Third Party Risk Europe. Wednesday, June 3, 2026, London, UK. CeFPro’s 14th Annual Vendor & Third Party Risk Europe, taking place 3–4 June 2026 in the City of London, brings together senior risk leaders and industry experts to examine the evolving third-party risk landscape. The event will explore regulatory expectations, operational resilience, critical third-party oversight, and effective exit strategies, providing practical insight into how organisations are strengthening vendor risk frameworks in an increasingly complex environment.
  - Center for Financial Professionals (CeFPro), In-Person Conference: Vendor & Third Party Risk USA. Tuesday, June 9, 2026, Ease, New York. CeFPro’s Vendor & Third Party Risk USA, taking place 9–10 June 2026 at Ease, New York, convenes senior risk leaders and industry experts to explore the evolving third-party risk landscape in the U.S. market. The event will focus on regulatory expectations, operational resilience, oversight of critical third parties, and effective exit strategies, offering practical insight to strengthen vendor and third-party risk management frameworks.
  - Cloud Security Alliance (CSA), Virtual Conference: NHI & Identity Summit 2026. Wednesday, June 24, 2026, 11:00 AM EDT
  - Exiger, Webinar: Human Rights in The Supply Chain: From Obligation to Operational Discipline. Thursday, July 16, 2026, London | 6:00 PM GMT
  - Global Resilience Federation (GRF), In-Person Conference: 9th Annual Summit on Security & Third-Party Risk. Wednesday, October 21, 2026, Orlando, FL. Networking and Education on Critical Third-Party and Cybersecurity Issues, for Mutual Resilience. The conference features dozens of speakers on third-party risk management, cloud security, emerging cybersecurity threats, and AI/machine learning threat mitigation and management. Attendees will gain an understanding of how some of the largest and most sophisticated organizations in the world are managing risk, and leave the conference better armed to defend their company, regardless of its size or the status of its risk mitigation program.

Submit an External Event
TPRA Practitioner Members can submit upcoming events they’d like displayed on this page using the form below. Some events may also be shared via our monthly events emails and/or quarterly newsletter. TPRA does not post on-demand/recorded events to this page. TPRA Vendor Members can submit their upcoming events through the Vendor Member Submissions form.
- CERTIFICATE PROGRAM | TPRA
Enhance your Third Party Risk Management (TPRM) skills with TPRA’s flexible certificate program. Explore free and paid courses covering AI risk, cloud security, and more. Gain practical knowledge to support your organization.

Certificate Program
The Third Party Risk Management (TPRM) Certificate Program, offered by TPRA in collaboration with our trusted partners, provides comprehensive training designed to enhance knowledge and expertise in TPRM best practices. This program features a diverse selection of courses covering critical topics in third-party risk, cloud security, AI/LLM security and risk. Participants can choose from both free and paid courses, ranging in duration from one to four hours, allowing for flexible learning tailored to individual needs and schedules. Participants will receive a certificate upon completion of the training course. Please note that this is not a certification program, nor will participants receive any professional credentials. Whether professionals are new to TPRM or looking to deepen their expertise, the program provides valuable insights and practical knowledge to strengthen risk management strategies within their organizations.

Available Courses
  - AI/LLM Security & Risk Course for TPRM: Learn the risks that AI in vendors can carry, and how to assess them. On-Demand, Self-Paced | 1 hour | $0 | 1 CPE hour. The Third Party Risk Association (TPRA) has partnered with PromptArmor to bring you the “AI/LLM Security & Risk Course for TPRM”. This training course includes 12 modules to teach you…
  - Securing SaaS Applications: A Comprehensive Approach to Cloud Risk Management. Live Virtual Training | 4 hours | $159 | 4 CPE hours. As organizations increasingly rely on cloud-based Software-as-a-Service (SaaS) solutions, understanding and mitigating associated risks is critical. This virtual training provides an in-depth exploration of key security considerations when evaluating and…