Search Results
Events (2)
- September 10, 2025 | 2:00 PM
- Peaks & Pitfalls: Charting the TPRM Terrain | Tickets: $666.25 - $1,435.00 | April 20, 2026 | 10:00 PM | 3801 Quebec St, Denver, CO 80207
Blog Posts (44)
- The Business Case for Third Party Risk Management (TPRM): A Starting Point for Senior Leadership
by Third Party Risk Association & Shared Assessments

As part of our ongoing support to the large global community of third-party risk practitioners and programs, the Third Party Risk Association (TPRA) and Shared Assessments have together prepared The Business Case for Third Party Risk Management (TPRM): A Starting Point for Senior Leadership. At a time when many firms are planning and finalizing their annual budgets, our two organizations developed this basic guidance for senior executives and board members to encourage them either to launch new or to mature legacy third-party risk programs in the coming year.

Working with hundreds of companies and thousands of risk professionals globally, our two membership organizations bring decades of collective experience with third-party risk management, including what regulators and clients routinely expect from such programs. We hope that our combined experience will help the vast and growing audience of TPRM professionals and programs gain or expand the leadership commitment and budgets they need to improve their ability to protect their firms, their clients, and the related assets they are working to safeguard.
- Addressing Third Party Insurance Risk
This blog was inspired by the meeting facilitated by Julie Gaiaschi, CEO & Co-Founder of TPRA, at TPRA’s November 2024 Practitioner Member Roundtable. (To watch the full presentation, TPRA Members can visit our On-Demand Webinars page and navigate to the November 2024 meeting recording.)

With insurance risk, it is crucial to evaluate whether coverage exists and if it can protect against potential liabilities. Furthermore, understanding the types of coverage available and the appropriate limits ensures that your organization is protected against unforeseen events. How can you evaluate coverage types and limits to ensure they align with your risk tolerance and provide the necessary safeguards?

In this blog, we will cover:
  - Addressing Insurance Risk
  - What is Insurance
  - Insurance Risk
  - What To Evaluate
  - Insurance Types & Limits

What is Insurance

The primary purpose of insurance is to mitigate the financial impact of unforeseen events or risks, providing individuals and businesses with a sense of security and stability. It is a transfer of financial risk when the likelihood of a risk occurring is low but the impact is high.

If an organization is critical or high-risk, its insurance requirements should be specified in the contract. There should be a pre-contract evaluation of the insurance coverage and policies held by a third party to ensure they have adequate coverage to mitigate potential risks and liabilities. This assessment aims to confirm that the third party’s insurance meets your organization’s expectations, risk methodology, and risk appetite, while also ensuring adequate protection for both parties in case of unforeseen events.

Insurance Risk

There are many different types of insurance risk that can occur, including but not limited to:
  - Insufficient Insurance Coverage
  - Lapse in Insurance Coverage
  - Irrelevant Coverage
  - Lack of Umbrella or Excess Liability
  - Out of Compliance w/ Contractual Requirements
  - Changes to Policy Terms and/or Limits
  - Failure to Address Emerging Risks

What To Evaluate

Evaluating a third party's insurance involves examining several factors to ensure their policies meet your organization's requirements and mitigate potential risks effectively. Below, you can read about the key aspects to consider during this evaluation.
  - Coverage Types: Evaluate the types of insurance coverage the third party holds, such as general liability insurance, professional liability insurance, cyber liability insurance, product liability insurance, workers' compensation insurance, and more.
  - Certificate of Insurance (COI): Obtain and review the third party's Certificate of Insurance to verify the details of their coverage, including policy numbers, effective dates, coverage types, and limits.
  - Coverage Limits: Assess the coverage limits of the insurance policies to ensure they are sufficient to cover potential losses or liabilities that could arise from the third party's actions.
  - Scope of Coverage: Review the policy language to understand the scope of coverage, exclusions, and limitations of the insurance policies.
  - Effective Dates: Determine the renewal and cancellation terms of the third party's insurance policies to ensure continuous coverage during the contract period.
  - Additional Insured: Determine if your organization is named as an additionally insured party on the third party's insurance policies. This provides your organization with coverage under their policies for specified liabilities.
  - Subcontractor Coverage: Assess whether the third party's insurance extends to cover subcontractors or vendors that they may engage for services related to your business relationship.
  - Coverage Gaps: Identify any gaps in coverage that could leave either party exposed to risks that are not adequately addressed by the third party's insurance.
  - Deductibles and Self-Insured Retentions: Review the deductibles or self-insured retentions associated with the insurance policies and assess whether they are reasonable.
  - Claims History: Inquire about the third party's claims history and any significant claims or incidents that may have occurred in the past.
  - Notification & Reporting: Understand the third party's procedures for notifying the insurance carrier and relevant parties in the event of a claim.

Insurance Types & Limits

Below is a list of general guidelines for common insurance policies. Keep in mind that coverage needs can vary significantly, so always consult with insurance professionals and risk management experts to determine what’s appropriate for your specific situation.

Disclaimer: The following is for informational purposes and does not represent insurance advice.

General Liability Insurance:
  - Coverage Purpose: Protects against claims of bodily injury, property damage, and personal injury due to your business operations.
  - Recommended Coverage Limit: $1 million to $2 million per occurrence, with an aggregate limit (total limit for the policy period) of $2 million to $4 million.

Professional Liability (Errors & Omissions):
  - Coverage Purpose: Provides coverage for claims arising from mistakes, negligence, or failures in professional services or advice.
  - Recommended Coverage Limit: $1 million to $2 million per occurrence, with an aggregate of $2 million to $4 million.

Cyber Liability:
  - Coverage Purpose: Protects against data breaches, cyberattacks, and related liabilities.
  - Recommended Coverage Limit: Varies depending on the size and nature of the organization, but coverage limits of $1 million to $10 million or more may be appropriate.

Umbrella or Excess Liability Insurance:
  - Coverage Purpose: Provides additional coverage beyond the limits of the primary liability policies.
  - Recommended Coverage Limit: Should provide enough additional coverage to handle catastrophic events. It's often recommended to have a limit that matches your total assets or potential liabilities.

Workers Compensation:
  - Coverage Purpose: Provides medical and wage replacement benefits to employees injured on the job.
  - Coverage Limit: Determined by legal requirements in your jurisdiction. It typically provides benefits according to state laws.

Business Interruption:
  - Coverage Purpose: Provides coverage for lost income and operating expenses if your business is unable to operate due to a covered event.
  - Recommended Coverage Limit: Should cover your anticipated revenue and necessary ongoing expenses during the interruption period.

Product Liability Insurance:
  - Coverage Purpose: Protects against claims arising from defective products causing bodily injury or property damage.
  - Recommended Coverage Limit: Depends on the type of products, industry, and size of the organization. Limits could range from $1 million to several million dollars.

Commercial Property Insurance:
  - Coverage Purpose: Protects against damage or loss of physical assets, such as buildings, equipment, inventory, and furnishings.
  - Recommended Coverage Limit: The limit should be sufficient to cover the replacement or repair costs of your assets. Consider the value of your property and potential rebuilding costs.

Employment Practices Liability Insurance (EPLI):
  - Coverage Purpose: Protects against claims related to employment-related practices, such as discrimination, harassment, wrongful termination, etc.
  - Recommended Coverage Limit: Varies based on the size of the organization and potential risks, but coverage limits of $1 million to $5 million are common.

Directors and Officers (D&O) Insurance:
  - Coverage Purpose: Protects the personal assets of directors and officers from claims related to their management decisions.
  - Recommended Coverage Limit: Varies based on the size of the organization, industry, and exposure, but limits of $1 million to $5 million are typical.

Conclusion

Evaluating insurance risk is an important aspect of third party risk management. By carefully assessing the coverage types, limits, and terms, organizations can ensure that both their own operations and their third party relationships are protected against potential liabilities. This comprehensive approach to insurance risk helps to ensure your organization is prepared and protected against potential challenges.

Resources: Guidebook
- Finding Gaps in Third Party Risk Reviews
Many have questioned the value of a third-party risk questionnaire. How much information can you really glean from a questionnaire anyway? Especially since organizations want to look good and will frequently answer in the affirmative. The following is a list of adjustments Intermountain Health has made to our process to improve our security and decrease risk with vendors.

Early on in our third-party risk journey we likely had a similar experience to most other teams. We created a questionnaire with yes, no, or not applicable answers. But there was one slight problem… Everyone was answering yes to everything. How could our questionnaire have value with only yes and no options?

The value of adding the answer choice ‘partial’.

As a result of vendors always answering “yes”, we had a few key follow-up questions we would ask. One of them was to ask for a ‘high level overview’ of the process they claimed to be following. What we discovered was that the process was either only partially followed, or the vendor was beginning to implement the process and therefore answered yes. Because of this realization, we decided to add a ‘partial’ option to our multiple-choice questions. This resulted in vendors better explaining their process. We found that simply offering the “partial” answer choice gave us better insight into the maturity of a vendor’s process. It also provided an avenue into further probing on topics that we deemed important to our organization.

Compare what is said to what was said last time.

Another change we made was to more closely compare the current questionnaire responses from a vendor to past responses from the business owner and the vendor. Key questions we ask and compare are with regards to data flows, data storage, current products and services provided. This has led to a discovery of several items such as data being stored offshore (which is against our standard) and products in use that currently do not have a security review completed. So, while we are still asking the same questions, we now have a baseline to work from and can determine if there are discrepancies that need to be addressed.

Business visit and demo. Compare what is said to what is done.

An additional change we have found beneficial is to visit with our internal business partners using the product. Although it has taken additional time, it has served us well as we have learned of process changes and additional data being sent to a vendor. In some cases, we found processes have changed compared to what was originally reviewed. These changes are then taken into consideration the next time we perform an assessment of the vendor. We also found cases where sensitive information was being uploaded to software that was not originally documented or approved. These visits also assist with questionnaire validation and we have found instances where vendor responses contradict the actual process and/or service provided.

In short, a few strategies we have found beneficial include adding a “partial” choice within the vendor questionnaire, comparing questionnaire responses to past conversations with the business and vendor, and reviewing user-level processes and documentation provided by the vendor. While these enhancements have added a few extra steps to our assessment process, they have exposed additional vendor risk not normally discovered with the completion of a questionnaire.
Other Pages (495)
- VENDOR-HOSTED EVENTS | TPRA
Learn about and register for events outside of the TPRA that are applicable to TPRM.

Vendor-Hosted Events

The TPRA promotes the industry of third party risk, which includes events conducted by other third party risk-related groups and organizations. Check back here regularly to see our list of vendor-hosted events. If you would like to promote your next third party risk-specific event, please complete the form below.

Disclaimer: TPRA does not endorse or sponsor the products/services of one particular organization; however, we do communicate training opportunities for the benefit of the community.

OneTrust | Live Webinar
Global AI regulation: How to prepare for what’s now and what’s next
Wednesday, July 16, 2025 11:00 AM ET
AI regulation is accelerating across the globe—from the EU AI Act to draft laws in the U.S., Latin America, Asia, and beyond. While some jurisdictions emphasize promoting innovation and responsible development, others focus on risk mitigation and accountability. In this live discussion, privacy and legal experts will highlight comparisons and differences between enacted and emerging laws, and guide businesses on how to strike the right balance between compliance, risk mitigation, and innovation. Join OneTrust DataGuidance as we explore key questions organizations are asking: What’s in scope? Who’s accountable? And how do we translate legal requirements into action across different business units?

OneTrust | Live Webinar
Optimize privacy operations: Scale and manage risks effectively
Thursday, July 17, 2025 11:00 AM ET
As privacy teams navigate growing data volumes, evolving regulations, and cross-functional demands, scaling operations efficiently has never been more critical. This session explores how automation can power a smarter, more resilient privacy program—without increasing headcount.

Cloud Security Alliance (CSA) | Live Webinar
AI Super Agents: Delivering Autonomous SecOps
Thursday, July 17, 2025 1:00 PM ET
Imagine a SOC where AI-powered agents work together like a virtual team—handling alerts, eliminating noise, and responding to threats faster than ever before. Join ReliaQuest experts Brian P. Murphy, Chief Scientist, and Jonathan Echavarria, Principal Research Scientist, as they explore the transformative power of AI multi-agent systems. Learn how these "super agents" collaborate to automate Tier 1 and Tier 2 tasks, improve detection and response, and empower your team to focus on high-impact priorities. In this session, you’ll discover:
  - How multi-agent systems enable autonomous, end-to-end security operations.
  - The productivity gains of eliminating repetitive tasks and alert fatigue.
  - The future of AI in SecOps and what it means for your team.

S&P Market Intelligence | Live Webinar
The What, Where, When and How of Tariffs: Q3 2025 Trade & Supply Chain Outlook
Thursday, July 17, 2025 10 - 11 AM EDT
The structure of the Trump administration’s trade policy has become clear, but the details remain in limbo, setting the scene for supply chain-decision making during the third quarter of 2025. Join our experts as we unpack the key supply chain issues in 2025 and 2026:
  - The road ahead for tariffs: US tariffs can be broken into two broad types. We’ll take a deep dive into the outlook for Section 232 investigations into individual sectors. There’ll also be a review of the latest progress on country-centric reciprocal tariffs as well as the country negotiations and where else trade policy could go next.
  - From tactical to strategic: Corporate tactics for dealing with tariffs are well-established and we’ll provide markers for tracking their progress. Longer-term supply chain strategies have been put on hold, but the time is coming to restart them.
  - What you weren’t watching: Tariffs have sucked the oxygen from the room when it comes to considering the risks and opportunities for supply chains. We’ll look in detail at mainland China’s upcoming actions, the state of EU regulatory policy and the state of logistics networks.

Vanta | Live Webinar
Security, AI, and Trust: What We Learned from the Trust Maturity Report
Wednesday, July 23, 2025 11:00 AM PST
The launch of our Trust Maturity Report revealed something clear: security maturity isn’t about ticking boxes—it’s about building trust, driving resilience, and scaling security alongside the business. But what does that look like in practice? And how do leaders prioritize and evolve their programs in the face of resource constraints, external pressure, and rapidly shifting risks? Join us on July 23rd for a live conversation with Matt Johansen, Founder & Security Researcher at Vulnerable U, as we dig into the findings of the report and explore what trust maturity looks like at every stage of growth.

OneTrust | Live Webinar
Leading the charge on trustworthy AI governance
Wednesday, July 23, 2025 11:00 AM ET
AI program owners and governance leads are at the heart of executing the AI committee’s vision. This session brings together AI governance experts and industry leaders to share how they are managing AI risk, ensuring fairness and transparency, and operationalizing responsible AI practices across teams and technologies.

OneTrust | Live Webinar
Strengthening data governance to power responsible AI
Thursday, July 31, 2025 11:00 AM ET
Data governance leaders ensure that the AI Committee’s work is built on strong, ethical data foundations. In this session, learn how data leads manage quality, lineage, and access to create trusted datasets that power AI systems—and support responsible AI decision-making.

ProcessUnity | Live Webinar
Third-Party Risk: Conducting Emergency Assessments After the CrowdStrike Incident
Friday, August 1, 2025 11 AM ET
If the recent CrowdStrike incident taught us anything it's that we need to drastically change how we assess our third-party service providers in the face of emerging threats and vulnerabilities. There are too many vendors to assess, compounded by the increasing volume of threats we face each year. On a normal day, TPRM teams already have too much to do. When an incident like this occurs, they need to stop what they're doing and conduct an emergency assessment -- an ugly process that overburdens companies and their vendors, and typically takes weeks, if not months. It doesn't have to be that way. Join ProcessUnity for a 50-minute webcast on Thursday, August 1 at 11:00 AM ET as we discuss Best Practices for Threat and Vulnerability Response.

Cloud Security Alliance (CSA) | Live Webinar
Revolutionizing Compliance and Third-Party Governance
Friday, August 1, 2025 11:00 AM ET
Financial service organizations today face a maze of third-party and regulatory risks as they look to modernize their offerings, oversee their provider partnerships, and keep pace with emerging risks. The expanding technology footprint creates a much greater scope for compliance activities while the number of regulatory activities continues to rise. Is there an easier, more efficient and effective way to improve governance, risk management and compliance, increase transparency and achieve objectives at scale? This session will discuss the impact of new legislation such as DORA, NIS2, CRA, and other emerging standards and explore strategies for harmonizing compliance efforts without duplicating work.

RSM | Live Webinar
Internal audit at a crossroads: Adapting to cyberthreats and new standards
Thursday, August 14, 2025 2 PM ET
As cyber risks continue to evolve in complexity and scale, so too must the standards and practices of internal audit. To remain effective and deliver meaningful value to the business, internal audit teams must adapt—enhancing their approach to risk, controls and assurance. This transformation is being driven by updates to the Global Internal Audit Standards released by the Institute of Internal Auditors (IIA) in 2024, along with the new IIA Cybersecurity Topical Requirement in 2025. These changes provide a framework for internal audit functions to strengthen their role in cybersecurity oversight and align with emerging expectations.

Global Resilience Federation (GRF) | Live Webinar
Operational Resilience Series: Communications Disruption Exercise
Wednesday, August 20, 2025 12 PM ET
Join fellow cybersecurity, IT, and risk management peers for a practical, scenario-driven discussion that will help your organization better withstand and adapt to telecom disruptions. By participating, you will:
  - Assess Your Dependencies – Identify how telecom disruptions affect your organization’s operations and response plans.
  - Test Resilience Plans – Pinpoint gaps in your existing frameworks for managing service failures.
  - Enhance Communication – Improve internal and external coordination during widespread outages.
  - Collaborate Across Sectors – Engage with peers and government agencies to strengthen resilience.
  - Develop Actionable Insights – Walk away with key findings to inform and enhance your organization’s preparedness.
The GRF Business Resilience Council's complimentary Communications Disruption Exercise will challenge organizations to test their resilience against communications disruptions, refine incident response plans, and share best practices during a panel-led discussion with real-time response and data aggregation.

Global Resilience Federation (GRF) | In-Person Conference
8th annual Summit on Security & Third-Party Risk
Monday, November 3, 2025 Starting at 7 PM PT | The Palms Las Vegas
The 8th annual Summit on Security & Third-Party Risk will take place at the Palms in Las Vegas, November 3-5, 2025. Each year, the conference features dozens of speakers on third-party risk management, cloud security, emerging cybersecurity threats, and AI/machine learning threat mitigation and management. Attendees will gain an understanding of how some of the largest and most sophisticated organizations in the world are managing risk and leave the conference better armed to defend their company, regardless of its size or the status of its security or risk mitigation program.

FAIR Institute | In-Person Training
2025 FAIR Conference | Resetting Cyber Risk in the Age of AI
Tuesday, November 4, 2025 New York City @ The Glasshouse
The 2025 FAIR Conference is the Institute's main event of the year. This event is the premier event in risk management, that brings leaders in cybersecurity and operational risk management together to explore best FAIR™ practices that produce greater value and alignment with business goals. FAIRCON25 will be held on November 4 & 5, 2025 at The Glasshouse in New York City.

Submit an External Event

TPRA Practitioner Members can submit upcoming events they'd like displayed on this page using the form below. Some events may also be shared via our monthly events emails and/or quarterly newsletter. TPRA does not post on-demand/recorded events to this page. TPRA Vendor Members can submit their upcoming events through the Vendor Member Submissions form.
- SERVICE PROVIDER RESOURCES | TPRA
Explore TPRM service provider resources, including tools and documents to enhance your risk management strategy. Access helpful links and information from various providers. Information Sharing Service Provider Resources Here you can find links to resources supplied by service providers. Some of these resources require you to input information to obtain the document. Note: TPRA does not support one particular service provider over another, nor do we benefit from providing you the links below. Read and implement at your own risk. If you are a TPRA Vendor Member and have a resource or link you would like to see added to this page, please submit through our Vendor Submissions form , or send it to Meghan Schrader at meghan.schrader@tprassociation.org for review. Filter by Resource Type Blog Checklist Infographic Magazine Newsletter Playbook Presentation Report Research State of the Industry Survey Results Template Tool Toolkit Whitepaper eBook Aravo Blog Doing More with Less: Streamlining Due Diligence and Maximizing TPRM Efficiency with Evaluate July 8, 2025 "...when resources are limited, ingenuity must step in. Even when our resources have dwindled and the stakes have grown, we must continue to achieve great things. It’s a principle that applies far beyond beach vacations, especially in today’s world of Third-Party Risk Management (TPRM) , where teams are being asked to deliver more insight, faster decisions, and stronger outcomes—with fewer people, tighter budgets, and growing pressure." Read All Venminder, an Ncontracts Company Infographic 10 Reasons for a Third-Party Risk Budget June 30, 2025 Allocating a dedicated TPRM budget isn’t just a necessity — it’s a smart investment. A well-funded TPRM program empowers organizations to proactively identify, assess, monitor, and mitigate third-party risks. By establishing and prioritizing a TPRM budget, your organization protects operations, supports compliance, and strengthens business continuity. 
With the right resources in place, you can build resilient, high-performing third-party relationships. Download the infographic to learn: Reasons for a third-party risk budget How a third-party risk budget protects your organization Read All S&P Global Market Intelligence Blog Three Key Elements to Unlock a Seamless, Stress-Free, and Leadership-Worthy Third-Party Risk Management (TPRM) Program June 11, 2025 Managing third-party risks is critical in today’s fast-paced business environment—but it shouldn’t take over your entire day. Imagine a solution that not only streamlines compliance but also makes your day-to-day responsibilities easier, all while positioning you as a trusted expert in front of your leadership. Read All S&P Global Market Intelligence Whitepaper Onsite Assessments: A Historic Tool in Third-Party Risk Management June 11, 2025 As global third-party risk assessment methods evolve, important questions arise about the tangible benefits of onsite assessments. While close-up, in-person examinations offer deeper insights through firsthand experience, remote assessments provide flexibility and scalability. Our whitepaper explores the evolution from self-assessed questionnaire-based assessments to validated onsite evaluations, the impact of regulatory requirements, and the future direction of a hybrid approach combining the best of both methods. Read All Venminder, an Ncontracts Company eBook How to Develop a Third-Party Risk Culture June 2, 2025 An organization's mindset and approach toward managing risks, also known as risk culture, plays a crucial role to manage third party risks effectively. Risk culture is a key element in helping teams work together appropriately to achieve their objectives and maintain performance in unpredictable business environments. Learn what organizations need to know and do to ensure they have a strong third-party risk culture. 
Download the eBook to learn: The components of third-party risk culture Questions to determine if your organization's risk culture is proactive, neutral, or reactive Benefits of a strong third-party risk culture How to create a third-party risk culture Read All Semantic Visions Whitepaper Early Warning Signals - Leveraging OSINT for Predicting Business Distress and Bankruptcies May 19, 2025 This white paper provides a brief overview of how OSINT (Open-Source Intelligence) can identify early warning signs of financial distress weeks or even months before they appear in traditional financial reports. It emphasizes the importance of proactive monitoring for risk mitigation, particularly in today's volatile economic climate. Read All Bitsight Research Under the Surface: Uncovering Cyber Risk in the Global Supply Chain May 15, 2025 As we've entered the digital age, new specialities and methods of collaboration have made it easier to work together. But this interconnectedness is not without risk. By relying on others, organizations create a dependency over which they have limited control. Failures experienced by unreliable partners can affect not just a single organization, but also a remarkably large portion of the global economy. In this report, we draw on Bitsight data from a variety of sources—including third-party relationships, our security scanning technologies, entity mapping, and financial data—to offer a comprehensive picture of the global, digital supply chain. We uncover: The role of “providers,” or organizations that deliver resources and processes (and, spoiler alert, have their own large supply chains) There “hidden pillars” of the global supply chain (i.e. 
providers who serve a small number of consumers but have significant market share) How the security postures of each player—including providers, consumers, and products—factor in What CISOs or risk managers can do in the face of this complexity Read All RapidRatings Blog Tariffs, Supply Chains, and a 90-Day Window: What Companies Should Be Doing Today April 23, 2025 RapidRatings conducted a series of financial health stress tests based on our knowledge of global supply chain structures and country-specific tariff rates, in order to help clients understand the potential consequences of tariffs on their operations. The Tariff stress test published on Fri 4/11 shows the impact of the 10% universal tariff and rising China tariffs: Tariffs, Supply Chains, and a 90-Day Window: What Companies Should Be Doing Today | RapidRatings Financial Health Rating Decline : 🔺 High-risk and very high-risk public suppliers increased by 46% 🔺 Private Co suppliers saw a 92% surge in high-risk classification 🔺 Public companies saw an average 6.1-point decline in their FHR 🔺 Private companies experienced a staggering 13.0-point drop. Read All Venminder, an Ncontracts Company Infographic How to Effectively Manage International Vendors April 17, 2025 As outsourcing becomes increasingly popular, supply chains have extended around the globe. This can increase your organization’s competitive appeal, boost the bottom line, create operational efficiencies, and provide the best product or service to your customers. However, outsourcing to international vendors adds new complications to identifying and managing vendor risks. International vendors require additional considerations and activities to effectively manage the risk. 
Download the infographic to learn: Considerations for international vendors Due diligence for international vendors Contracting tips for international vendors Read All Venminder, an Ncontracts Company eBook How to Review a Vendor SOC Report April 17, 2025 Many third-party vendors store, process, access, or transmit your organization’s sensitive data. This data must remain protected. System and Organization Controls (SOC) reports let your organization evaluate the vendor’s internal controls to protect data. A SOC report is an independent audit, offering assurance of the vendor’s practices and identifying potential risks. Due to the SOC report’s technical language, they are challenging to review and evaluate. This eBook will help you understand what to look for in your vendor’s SOC report. Read All Venminder, an Ncontracts Company eBook What Are Inherent and Residual Third-Party Risks? April 17, 2025 Risk assessments are key to managing third-party risk. They help organizations spot potential threats and decide how much oversight vendors need. By evaluating a vendor’s risks and controls (the safeguards and measures used to reduce or manage risk), risk assessments show which vendors pose the highest risk and what steps are needed to mitigate those risks. Understanding inherent risk and residual risk is essential for making informed risk decisions. This eBook breaks down these key concepts and shows you how to assess them as part of your third-party risk evaluation process. Download the eBook to learn: What is inherent and residual third-party risk How to measure inherent and residual third-party risk Categories of inherent risk How to mitigate inherent third-party risk Best practices for inherent and residual risk ratings Read All Bitsight Tool Groma Explorer March 21, 2025 Free access to selected data sets from Bitsight's Internet scanner (similar to Shodan). From global footprint to vertical breakdown to top vulnerabilities. 
There is a lot of helpful information for third-party risk teams!
- TPRA – Third Party Risk Management Resources, Certification & Networking
Join the TPRM community at TPRA for expert resources, training, templates, and tools to strengthen your third party risk program and grow your network. Join the only not-for-profit, vendor-agnostic professional association uniting thousands of TPRM professionals worldwide. Furthering the profession of third party risk management through knowledge-sharing & networking. The all-in-one source for Third Party Risk Management (TPRM) tools, templates, training, networking, certifications & industry best practices.

- MEMBERSHIP CONNECT & DISCOVER: Individuals & organizations working together to advance the industry.
- EDUCATION MEETINGS & TRAINING: Certifications & training for risk professionals to advance their careers & enhance their programs.
- RESOURCES INFORMATION SHARING SITE: White papers, templates, guidance & more to enhance your program.
- TOOLS & AUTOMATION EXPLORE & CONTACT: Detailed profiles of trusted TPRM service provider organizations & their offerings.

Advance Your Career in Risk Management: Learn About the Benefits of TPRA Membership

Practitioner Plans
Standard: FREE
Premium: $199/yr
BENEFITS
- Member Meetings: Interactive monthly calls to discuss a variety of third party risk topics decided upon by members.
- Conferences: In-person and virtual conferences dedicated solely to third party risk topics.
- Networking: Online interaction with your peers through membership forums and document databases.
- Industry-Specific Meetings: Quarterly special interest calls based on your industry.
- Demos, Surveys, Webinars: Access to third party risk management service provider demos, surveys, & webinars.
- Certifications: TPRM professional certifications that establish credibility and demonstrate your commitment to mastering your skills and knowledge within the industry.
Vendor Plans
4 available plans starting at $8,000/yr
BENEFITS
- Priority & Discount Sponsorship Opportunities: Be the first to sponsor conferences and receive discounted member rates, as well as priority positioning.
- Networking & Collaboration: Attend monthly and quarterly meetings with TPRM practitioners and other service providers to network, collaborate, create resources, share insights, and more!
- Promotional Opportunities: Work with the TPRA staff to communicate to Practitioner Members your organization's webinars, surveys, demos, blog posts, and white papers.
- Advisory Councils: Join our TPRM Service Provider Advisory Council, as well as other groups, dedicated to collaborating, sharing insights, and providing strategic guidance.
- Quarterly Updates: Receive quarterly updates with industry innovators to collaborate on practitioner needs.

Meetings Open to All
- Tuesday, July 15, 2025, 10:00 - 10:30 AM CT: Q3 New & Potential Member Call
- Tuesday, July 15, 2025, 1:00 - 2:00 PM CT: Women In TPRM Meeting
- Tuesday, August 5, 2025, 1:00 - 2:00 PM CT: WNTPRM Work Group Meeting

CONTACT US
OUR INFORMATION
Address: P.O. Box 824, Ankeny, Iowa 50021 USA
Email: info@tprassociation.org
For any general inquiries, please fill out the contact form.