Search Results

Blog Posts (110)

  • Keeping Pace with Regulatory Change in Third Party Risk Management (TPRM)

    A decade ago, most third party risk programs followed a simple routine: assess the third party's risk level, perform adequate due diligence, review the contract, and check in once a year. While this approach is still used, it no longer meets today’s broader expectations for resilience, cybersecurity, privacy, supply chain oversight, and artificial intelligence, putting your business at risk of non-compliance or disruption. In 2026, TPRM is governed by a much broader mix of frameworks and regulations, including the Digital Operational Resilience Act (DORA), the Network and Information Systems Directive 2 (NIS2), the General Data Protection Regulation (GDPR), the Corporate Sustainability Due Diligence Directive (CSDDD), and the UK critical third parties regime. These requirements may highlight different risk concerns, but they often affect the same parts of a TPRM program: third party classification, due diligence, contract terms, monitoring, issue management, and exit planning.

    More Frameworks Now Affect TPRM

    The biggest change is not a single regulation, but the increase in frameworks that now apply to third party oversight. DORA requires financial firms to manage third party IT risk through governance, testing, concentration risk management, and record keeping. NIS2 broadens cybersecurity and supply chain requirements, making third party risk a key part of incident response and operational governance. Privacy and supply chain rules add complexity. GDPR continues to guide how organizations manage third parties handling personal data. CSDDD and Germany’s Supply Chain Due Diligence Act (LkSG) also drive organizations to examine risks, including human rights and environmental risks, beyond direct suppliers.

    Key takeaways
    - Managing third party risk now means meeting broader standards for resilience, cybersecurity, privacy, and supply chain oversight.
    - One process change may need to address multiple frameworks at once.

    Operational Resilience Has Raised the Standard

    Operational resilience rules continue to emphasize the importance and urgency of third party oversight. DORA requires firms to identify critical providers, manage concentration risk, include oversight and exit terms in contracts, and maintain detailed records. NIS2 also strengthens supply chain security and incident readiness, treating third party failures as broader issues. The UK’s critical third party regime adopts a similar approach for financial services, allowing direct oversight of providers whose disruption could affect many firms or the wider market. The bottom line: if a third party supports a critical service, regulators expect more than just a one-time review.

    Key takeaways
    - Critical third parties require heightened scrutiny as new regulations and resilience rules emphasize operational dependencies and disruption risk.
    - Third party classification, contracts, continuity, and documentation must adapt to resilience standards.

    Overlapping Rules from Different Jurisdictions Create Practical Challenges

    One challenge for TPRM teams is that third party oversight often goes beyond a single country’s rules. For example, a U.S. organization may begin with local requirements but find extra obligations if it serves customers in the EU or UK, supports regulated firms there, or uses third parties that do. This means the same third party might need different review steps based on location, customer type, or service model. To manage this complexity, organizations should prioritize requirements that carry the highest regulatory or business risk and look for opportunities to harmonize controls where possible. Establishing a baseline set of global controls, then layering on local or high-priority requirements, can help ensure compliance without duplicating effort. When faced with conflicting rules, consult with legal, compliance, or risk experts to determine which requirements should take precedence.

    Multiple regulatory requirements often create challenges as organizations grow. A TPRM program built for one country might struggle when the company expands to new markets or supports clients in other jurisdictions. DORA can even apply to non-EU providers serving EU financial firms; NIS2 covers organizations offering services in the EU, and the UK’s rules affect non-UK providers serving UK financial companies.

    Key takeaways
    - Expanding your business across borders often brings overlapping regulatory requirements.
    - TPRM needs adaptable due diligence and oversight for global third parties.

    Less Frequent Reviews Are Hard to Justify

    Annual assessments are useful, but less convincing when third party risk changes during the year. DORA and NIS2 both emphasize ongoing oversight and incident readiness. Not every organization needs to implement automated monitoring or redesign risk re-assessment schedules; however, critical third parties, major subcontractor changes, concentration points, and significant incidents should be addressed between formal reviews.

    Key takeaways
    - Point-in-time reviews leave gaps when third party risk changes quickly, making it harder for your organization to respond to emerging threats.
    - Higher-risk third parties require ongoing monitoring year-round.

    AI Highlights Weaknesses in Older TPRM Processes

    Artificial intelligence (AI) is now providing clear indicators of where older TPRM tools fall short. Standard questionnaires developed a few years ago might cover security and privacy but probably miss basic questions about AI use, data inputs, model governance, and how important changes are explained. This means organizations are trying to assess new risks with outdated templates. Regulations make this even more challenging. AI-related requirements can come from specific AI rules, privacy laws, model risk standards, or industry supervision, depending on the country and use case. As a result, the same third party may need different levels of review based on its services and where it operates.

    Key takeaways
    - AI risks increasingly surface in third party relationships that older processes may overlook.
    - Cross-border third parties need flexible, AI-specific due diligence and contracts.

    A Few Things Organizations Can Do Now

    Most organizations do not need to completely rebuild their TPRM programs. By strengthening the parts facing new regulatory pressures, you can meet evolving requirements and keep your business protected. Current frameworks all point toward better visibility into third parties and dependencies, stronger documentation, clearer governance, and more up-to-date oversight, delivering the assurance your organization needs. Here are a few practical steps that can help:
    - Update your list of critical third parties and confirm which regulations apply based on service, location, customer type, and data exposure.
    - Prioritize requirements that carry the highest regulatory or business risk and look for opportunities to harmonize controls where possible.
    - Review your questionnaires and contract templates to ensure they cover resilience, subcontractor visibility, AI use, incident response, and exit support as needed.
    - Set up monitoring triggers for critical and high-risk third parties, such as major incidents, subcontractor changes, declining performance, sanctions updates, or concentration points affecting critical services.
    - Ensure that changes or updates to your processes are documented, including the rationale for those changes.

    TPRM programs are always evolving, and recent changes mean many organizations must now align with overlapping expectations from DORA, NIS2, GDPR, CSDDD, and local rules for how third parties are chosen, contracted, monitored, and, if needed, exited. This is harder in multi-jurisdiction environments and with AI-enabled services, where the same third party can fall under several rule sets at once. Organizations that keep a clear view of critical third parties and jurisdictions, keep their questionnaires and contracts up to date on resilience and AI, and add reliable monitoring triggers, should be able to keep up without rebuilding their program every year.

    Author Bio

    Hilary Jewhurst, Sr. Membership & Education Coordinator at TPRA

    Hilary Jewhurst is a seasoned expert in third party risk and risk operations, with nearly two decades of experience across financial services, fintech, and the nonprofit sector. She has built and scaled third party risk programs from the ground up, designed enterprise-wide training initiatives, and developed widely respected content that helps organizations navigate regulatory complexity with clarity and confidence. Known for turning insight into action, Hilary’s thought leadership and educational work have become go-to resources for professionals looking to mature their TPRM programs. She regularly publishes articles, frameworks, and practical guides that break down complicated risk topics into meaningful, accessible strategies. Hilary recently joined the Third Party Risk Association (TPRA) as a staff member, supporting industry-wide education, peer learning, and advancing best practices. She is also the founder of TPRM Success, a boutique consultancy that helps organizations strengthen their third party risk management capabilities through targeted training, tools, and strategic guidance.

  • Skills for the Evolving TPRM Professional

    Third party risk management (TPRM) looks very different now than it did 20 years ago. Back then, teams mainly checked procurement and contracts and conducted basic due diligence. Rules were simpler, and oversight was mostly manual. Today, TPRM covers just about every part of the business, including cybersecurity, privacy, resilience, business continuity, AI, fourth-party and supply chain risks, compliance, Environmental, Social, Governance (ESG), and even geopolitics. The field has become more specialized, with dedicated professionals, certifications, technology tools, and standardized industry practices. As TPRM evolves, practitioners must continuously learn to ensure their skills remain current. This article covers key TPRM skills to consider in today’s environment and shares practical ways to build them through your daily work and ongoing learning.

    Practical Technical Skills and Understanding

    Everyone working in TPRM should have a solid grasp of the basics: lifecycle stages, core risk domains, risk tiering, critical third party identification, ongoing monitoring and reassessment, performance oversight, and offboarding. Comfort with these fundamentals is essential for TPRM professionals. The next sections outline technical skills and experience that are increasingly vital for both new and seasoned practitioners.

    Understanding AI in a TPRM Context

    By now, most professionals have heard that anyone who does not learn AI will be left behind. For TPRM practitioners, the bar is higher than just knowing how to use a tool. The key capability is understanding how AI is actually being used across your organization and your third party ecosystem, as well as how that use affects existing risk domains such as cybersecurity, privacy, operational resilience, reputation, and governance. Organizations vary in AI maturity. Some have formal governance and oversight, while others are still finding out where AI is used across their business and third party services. Even when governance structures are still developing, effective third party risk practitioners prioritize understanding AI well enough to ask informed questions, recognize its presence in workflows and products, and identify potential operational, cybersecurity, or compliance concerns before formal processes are established.

    Ways to build capability include:
    - Learn the basics of how AI systems function, including concepts such as large language models, training data, automation, model drift, and generative AI.
    - Focusing on your higher-risk third parties, pick one that markets “AI-powered” capabilities and review its documentation, privacy notice, or security whitepaper. Note where data use, governance, and controls are clearly explained and where information is vague or missing.
    - Ask internal Security, Data, Architecture, or Technology teams to walk through one existing AI use case and its risk review. Identify which of those questions you should also be asking during third party due diligence.
    - Review a current questionnaire, contract template, or assessment process and identify where AI-related questions, disclosures, or governance language should be added or strengthened.

    Spending time on these activities helps you see how AI really works in your company and with third parties. This hands-on experience shows that AI is more than just an abstract idea.

    Seeing Risk Beyond the Questionnaire

    Many third party risks don’t show up in questionnaires or security checks. Instead, they appear as outages, repeated failures, missed promises, poor escalation, unhappy teams, or customer complaints. It’s important to spot risks beyond checklists and understand how vendors work every day. Strong TPRM links third party oversight to real operations. This requires knowing where the business relies most on a provider, where workarounds exist, where support issues recur, and where failures cause disruption. These insights often come from conversations, incident reviews, and observing relationships over time.

    Ways to build capability include:
    - Ask a business owner to walk through how they use a key third party during a normal workday, including where they experience the most dependency, delays, or operational pain points.
    - After a third party-related incident or outage, review the event summary and identify where stronger TPRM visibility or earlier questioning may have helped surface concerns sooner.
    - Sit in during operational, service review, or escalation meetings involving key third parties to see how issues are handled in practice versus how they appear in contracts or assessment responses.
    - Review recurring support tickets, performance metrics, or complaint trends tied to critical third parties and look for patterns that may indicate broader operational or governance concerns.

    Strengthening this area helps you spot operational risks early, establish credibility with business stakeholders, and expose hidden gaps that questionnaires may miss. The key is proactively identifying risks and gaps before they impact operations or stakeholder trust.

    Turning Data into Something People Can Use

    Most TPRM teams collect plenty of data, but much of it is hard to use or doesn’t support decision-making. Reports can be overwhelming, dashboards confusing, and important issues can get lost. A key skill is making information clear so the business can focus on what matters. You don’t need to be a reporting pro or data-visualization expert, but you do need to organize information so people can see the real risks, know what matters, and focus. The best reports make things clear quickly, not just dump out all the data.

    Ways to build capability include:
    - Review a dashboard or report your team regularly produces and identify what people actually reference during meetings versus what is largely ignored.
    - Take a large third party spreadsheet and reduce it to a short summary focused only on critical third parties, overdue remediation items, or unresolved high-risk issues, then see whether the simpler version improves the discussion.
    - Ask a business stakeholder which third party metrics or reports they actually find useful versus which ones feel confusing or too complicated.
    - Practice summarizing a complicated third party issue in a few plain-language sentences without leaning on acronyms, scoring formulas, or framework terms.

    When you make data easier to understand, people can make better decisions. Clarity helps drive action with confidence.

    Building Contract and Performance Awareness

    No one expects you to be a lawyer, but you do need to know contracts and performance standards well enough to spot when something is missing, unclear, or doesn’t line up. Big risk calls often hinge on service levels, security promises, escalation rules, audit rights, or how you can end a contract, even if you’re not the one negotiating the details. Good TPRM means spotting the gap between stakeholder assumptions and contract terms. If you understand service level agreements (SLAs), reporting, and accountability, you give better advice and catch problems before they become disputes.

    Ways to build capability include:
    - Select one important third party agreement and review only the sections tied to SLAs, security obligations, audit rights, incident notification requirements, and termination language, then summarize the key commitments in plain business language.
    - When a third party repeatedly underperforms, compare the operational issues being reported to the contractual requirements and identify where expectations and obligations do not line up.
    - Sit with Procurement, Legal, Vendor Management, or Business teams during a contract review discussion to see which provisions tend to create the most negotiation friction or operational risk.
    - Review a recent third party escalation or dispute and identify whether the issue stemmed from poor performance, unclear expectations, weak governance, or contract language that lacked specificity.

    Improved contract and performance awareness empowers you to address gaps early and drive realistic risk conversations. Takeaway: understand contracts to manage operational outcomes.

    Soft Skills Deserve Equal Attention

    Technical expertise helps you identify problems and assess risk, but your influence on outcomes hinges equally on how you communicate, negotiate, and collaborate. These interpersonal skills are least likely to be automated, making them necessary for long-term career endurance in this field.

    Telling the Risk Story So People Listen

    Risk management matters only when people understand it clearly enough to make decisions or act. Many TPRM teams provide detailed, accurate assessments, yet leaders leave discussions uncertain about priorities. The ability to explain risk in practical, relevant terms tied to business impact is priceless. Effective communication in TPRM is not about sounding technical. It is about making information usable. Stakeholders need to understand the issue, how it could affect the business, the trade-offs, and the action you recommend. That often means simplifying language, cutting unnecessary detail, and focusing on consequences and decisions rather than framework terminology.

    Ways to strengthen this area include:
    - Take a recent assessment or finding and rewrite the summary for a business leader in five short sentences, focusing on impact, exposure, and available options.
    - Before a meeting or escalation discussion, identify the specific decision, approval, or action you need and shape your talking points around that outcome.
    - Review an older risk report or assessment summary and spot where acronyms, scoring language, or technical detail may have made the message harder to understand.
    - Ask a non-TPRM stakeholder to review one of your summaries or presentations and explain back what they believe the risk or concern is, then notice where misunderstandings occur.

    Clear communication makes it much easier to build stakeholder trust, gain support for remediation efforts, and help the business make well-informed decisions.

    Handling Stakeholders, Negotiation, and Conflict

    TPRM is often caught between different pressures. Business teams want speed and flexibility. Security wants stronger controls. Legal cares about liability. Procurement focuses on cost and timing, and third parties want quick agreements. Handling these tensions is a normal part of the job. The goal isn’t to win every argument or block progress. Good TPRM work means raising concerns clearly, explaining trade-offs, and helping others make reasonable decisions without causing extra friction or damaging relationships.

    Ways to strengthen this area include:
    - During a difficult conversation or escalation, start by clearly summarizing the other party’s priorities or concerns before presenting your own risk perspective or recommendations.
    - When documenting disagreements or unresolved concerns, frame the situation around available options, tradeoffs, and potential impacts rather than reducing it to a simple approval-versus-rejection decision.
    - Observe how experienced leaders in your organization handle difficult stakeholder conversations, especially where business pressure and risk concerns collide.
    - After a challenging meeting, reflect on which communication approaches helped move the discussion forward and which ones created defensiveness or blocked progress.

    Getting better at this builds your credibility and helps others see TPRM as a collaborative partner who solves problems, not just a gatekeeper.

    Growing Yourself and Your Team

    If you lead a TPRM function, these same capabilities apply at the team level. The work is changing, and so are expectations. It is not enough to build processes and buy tools. Teams need chances to practice, learn from mistakes, and grow in both technical and soft skills. To ensure ongoing development is effective, consider tracking team growth through regular skills assessments, structured feedback sessions, and peer reviews. These approaches help you spot where the team is making progress and where more support is needed. You don’t need a formal rotation program. Small, intentional opportunities within your current work can help people grow.

    In practice, that can look like:
    - Giving analysts chances to present their own work instead of always presenting for them, then debriefing afterward on what landed well and what could be clearer next time.
    - Inviting team members to observe a contract negotiation, a difficult third party call, or a high-stakes risk discussion, and then talking through why certain points were pushed, where tradeoffs were made, and how tone influenced the outcome.
    - Using real assessments, incidents, or escalations as teaching moments, walking through not just what decision was made, but how you weighed business pressure, control gaps, and relationship impact.
    - Pairing less experienced staff with more senior colleagues on complex third parties so they can see how judgment is applied, not just how checklists are completed.

    These practices help move TPRM from just following steps to building real judgment, which is more important than ever.

    Conclusion

    Third party risk management will continue to evolve as long as organizations rely on external products, services, platforms, and partners. There is no way to predict exactly what the next few years will bring, whether that is new regulatory pressure, different operating models, more embedded AI, or risks that are not getting enough attention today. What tends to set the most effective people in this field apart is a strong grasp of the foundations, paired with communication, judgment, stakeholder management, and a willingness to keep learning as the environment changes. For people already doing this work, that means keeping your eyes open, staying curious, and treating the job itself as part of your ongoing development.

    With so many skills to develop, it helps to prioritize based on both organizational needs and your personal areas for improvement. Start by talking with your manager or stakeholders about which risks or capabilities are most urgent for your business right now. Consider where you feel least confident or where you have received feedback, and target skill-building there first. Reviewing recent incidents, business objectives, or audit findings can also help you choose the most relevant areas to focus on. By identifying a few high-impact skills to work on at a time, you can make continuous progress without becoming overwhelmed. For those leading teams, it also means building the bench, creating opportunities for people to grow, and helping strong practitioners expand into the more extensive range the field now demands.

    Author Bio

    Hilary Jewhurst, Sr. Membership & Education Coordinator at TPRA

  • Contractual Fitness & SLA Performance Monitoring: Turning Vendor Agreements into Measurable Risk Controls Across the Enterprise

    Executive Summary Third-Party failures rarely begin as legal disputes. They being as performance weaknesses, control breakdowns, or operational gaps that contracts failed to anticipate, define or enforce. Most organizations treat contracts as legal protection and service level agreements (SLAs) as operational metrics. But in reality, contracts and SLAs are among the most powerful risk management tools an organization has – if they are designed to reflect the priorities of all stakeholders and monitored through a risk lens. This paper introduces the concept of Contractual Fitness: the degree to which a vendor agreement translates enterprise risk, regulatory expectations, and resilience requirements into enforceable obligations and measurable performance indicators. It also outlines how SLA performance monitoring, when aligned to risk impact rather than technical convenience, becomes an early warning system for vendor instability, compliance exposure, and operational disruption. The Core Problem: Why Contracts Often Fail the Business Across industries, contracts are negotiated in silos Function What They Focus On What Often Gets Missed Legal Liability, indemnification, dispute terms Operational enforceability of resilience & security IT Technical SLAs Business impact of service degradation Compliance Regulatory clauses Monitoring mechanisms to validate compliance DR/Resilience Recovery capabilities Contractual testing and proof requirements Procurement Commercial Terms Risk-based performance accountability TPRM Risk identification Ensuring mitigations become binding obligations Results: risks are identified during due diligence but never fully embedded into contractual language or measurable SLAs. Contracts describe services – they don't always control risks. 
Defining Contractual Fitness Contractual Fitness is the alignment between: Risk Exposure – What could go wrong Contractual Obligation – What the vendor is legally required to do Performance Metrics (SLAs) - How ongoing effectiveness is measured Governance & Enforcement – What happens when performance degrades A contract is “fit” when risk expectations are: Clearly Defined Measurable Auditable Enforceable Stakeholder Priorities and How They Translate into Contract SLAs Vendor risk is multi-dimensional. A contract that works only for Legal or for IT is incomplete. Below is a cross-functional view of what each stakeholder needs from vendor agreements. Stakeholder Primary Concern Critical Contractual Clauses Key SLA / Monitoring Metric Common Gap Information Security Protection of systems and data Security control requirements, vulnerability management, audit rights, incident notification timeliness Patch remediation timeliness, vulnerability remediation cycle time, incident response time Security language is vague (“reasonable security”) and not measurable Privacy Lawful data processing & subject rights Data Processing Addendum, sub processor approval, cross border transfer terms, deletion or return of data DSAR support response time, deletion certification timelines, sub processor change notifications Privacy obligations exist but are not operationalized or tracked DR / Resiliency Service recovery within tolerance Defined RTO/RPO, mandatory testing, geographic redundancy, dependency transparency DR test success rates, actual recovery time vs. 
Function | Contract focus | Key clauses | SLA / performance metrics | Common gap
... | ... | ... | Contracted RTO, backup validation results | RTO/RPO written in the contract but not tested or reported
IT / Engineering | Reliable technical performance | Availability SLAs, incident response SLAs, change management notice, maintenance windows | Uptime %, latency, MTTR (mean time to restore), change notification timeliness | SLAs measure performance but not business disruption
Legal | Liability containment and enforceability | Indemnification, limitation of liability carve-outs, termination rights, cooperation clauses | Tracking repeated breaches of contractual obligations | Operational failures not escalated as contractual risk triggers
Compliance / Regulatory | Ability to demonstrate oversight | Right to audit, regulatory cooperation, control evidence requirements | Timeliness of evidence delivery, audit finding remediation timeliness | Contract allows audit, but evidence collection is not structured
Finance / Procurement | Financial exposure and value | Service credits, benchmarking, billing audit rights, termination for convenience | SLA credit trends, billing accuracy rates, overcharge recovery | Credits are claimed but not analyzed as risk signals
TPRM | Holistic risk oversight | Risk-based obligations, subcontractor flow-down, performance reporting requirements | SLA degradation trends, control testing results, unresolved issue aging | Risk findings do not always translate into enforceable contract terms

From Clause to Control: What "Good" Language Looks Like

A major element of contractual fitness is moving from vague commitments to measurable obligations.

Risk Area | Weak Clause | Contractually Fit Clause
DR | "Vendor will maintain disaster recovery capabilities." | "Vendor shall maintain DR capabilities sufficient to restore services within an RTO of 8 hours and an RPO of 15 minutes. Vendor will conduct at least annual failover testing and provide documented results and remediation plans."
InfoSec | "Vendor will use reasonable security measures." | "Vendor shall maintain security controls aligned to ISO 27001 or the NIST CSF and remediate critical vulnerabilities within 14 days and high vulnerabilities within 30 days."
Incident Notification | "Vendor will notify customer of breaches promptly." | "Vendor shall notify Customer within 24 hours of becoming aware of a confirmed or suspected security incident affecting Customer Data and provide status updates every 48 hours until containment."
Sub-processors | "Vendor may use subcontractors." | "Vendor must provide 30 days' prior notice of new sub-processors, flow down equivalent security and privacy obligations, and remain fully liable for their performance."
SLA Reporting | "Vendor will provide performance reports." | "Vendor shall provide monthly SLA performance reports including uptime, incident metrics, and root cause analysis for any SLA breach."

The figures in the right-hand column are illustrative; each should be set against the organization's own tolerances, and the notification window in particular must leave enough time for the organization to meet its own regulatory reporting deadlines.

SLA Performance Monitoring as a Risk Discipline

SLAs are often treated as operational scorecards. They are more powerful when read as risk indicators.

SLA Metric | Traditional Interpretation | Risk-Based Interpretation
Uptime % | Service quality | Operational continuity and customer impact risk
Incident Response Time | Help desk efficiency | Cyber containment and business disruption risk
DR Test Results | Technical exercise | Organizational survival dependency
Patch Timelines | IT hygiene | Exposure window for cyber exploitation
Change Notification | Process formality | Risk of unassessed system or data impact

When TPRM tracks these metrics over time, patterns emerge that may include:
- Control fatigue
- Under-investment by the vendor
- Operational instability
- Elevated breach or outage likelihood

Trending & Early Warning Indicators

Isolated SLA failures happen. Trends tell the real story.

Trend Pattern | Potential Risk Signal
Gradual increase in SLA credits over multiple quarters | Declining service quality or capacity strain
Missed DR testing deadlines | Weak recovery preparedness
Slower vulnerability remediation times | Security control deterioration
Increasing incident response times | Staffing or operational stress at the vendor
Delays in providing audit evidence | Compliance maturity issues

These trends allow organizations to act before a regulatory breach, data compromise, or major outage occurs.

Governance: What Happens When Performance Degrades

Measurement without action creates "risk tolerance" by default. A contractually fit governance model includes:
- Operational Review: immediate discussion of the SLA breach
- Formal Notice of Performance Concerns: triggered by repeated failures
- Executive Governance Escalation: senior-level accountability
- Documented Remediation Plan: with deadlines and reporting
- Termination Readiness: exercising exit rights if risk remains unacceptable

These steps must be supported by contract clauses allowing:
- Formal notice of breach
- Mandatory remediation
- Service credits
- Termination for chronic failure

The Integrating Role of TPRM

TPRM is uniquely positioned to connect every phase of the relationship:

Phase | TPRM Role
Pre-Contract | Identify risk and required control expectations
Contracting | Ensure risk requirements translate into clauses and SLAs
Ongoing Monitoring | Analyze SLA trends and control performance
Escalation | Elevate chronic issues as enterprise risk concerns
Renewal / Exit | Use performance history to inform decisions

TPRM transforms contracts from static documents into dynamic risk management tools.
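The monitoring the two sections above describe (reading SLA metrics as risk indicators, and escalating on trends rather than on isolated misses) reduces to a small piece of detection logic. The Python below is an added example, not code from the TPRA post or its authors. It scores constructed quarterly vendor observations against the post's sample contractual thresholds (critical vulnerabilities remediated within 14 days, high within 30, incident notification within 24 hours, an annual DR test), flags the patterns from the Trending & Early Warning Indicators table, and maps the run of consecutive breaching quarters onto the governance steps. The 99.9% uptime floor, the 30-day evidence delivery window, the sample quarters, the three-quarter trend window and the breach-count-to-step mapping are assumptions made for this example.

```python
"""Vendor SLA trend monitor: turn quarterly SLA observations into risk signals.

Added example, not code from the TPRA post. Thresholds copy the post's sample
"contractually fit" clauses (critical vulns remediated within 14 days, high
within 30, incident notification within 24 h, annual DR failover test); the
99.9% uptime floor, the 30-day evidence window, the sample quarters and the
mapping of consecutive-breach counts onto governance steps are assumptions.
"""
from dataclasses import dataclass

CONTRACT = {
    "uptime_pct": 99.9,          # minimum monthly availability (assumed figure)
    "critical_patch_days": 14,   # critical vulnerability remediation (from the post)
    "high_patch_days": 30,       # high vulnerability remediation (from the post)
    "notify_hours": 24,          # incident notification window (from the post)
    "evidence_days": 30,         # audit evidence delivery (assumed figure)
}


@dataclass(frozen=True)
class Quarter:
    label: str
    uptime_pct: float           # lowest monthly uptime reported in the quarter
    critical_patch_days: float  # mean days to remediate critical findings
    high_patch_days: float      # mean days to remediate high findings
    notify_hours: float         # slowest incident notification in the quarter
    evidence_days: float        # days to deliver the last audit evidence request
    dr_test_done: bool          # failover test delivered on schedule
    sla_credits_usd: float      # service credits claimed this quarter


# Constructed sample data: a vendor that drifts rather than fails outright.
HISTORY = [
    Quarter("2025Q1", 99.95, 9, 22, 30, 14, True, 0),
    Quarter("2025Q2", 99.93, 12, 27, 18, 21, True, 1500),
    Quarter("2025Q3", 99.94, 16, 31, 30, 33, False, 4200),
    Quarter("2025Q4", 99.88, 19, 35, 40, 29, False, 9800),
]


def breaches(q: Quarter) -> list[str]:
    """Obligations breached in a single quarter (the scorecard view)."""
    found = []
    if q.uptime_pct < CONTRACT["uptime_pct"]:
        found.append("uptime")
    for metric in ("critical_patch_days", "high_patch_days", "notify_hours", "evidence_days"):
        if getattr(q, metric) > CONTRACT[metric]:
            found.append(metric)
    if not q.dr_test_done:
        found.append("dr_test")
    return found


# Metric -> (direction that is worse, risk signal wording from the post's table)
TREND_RULES = {
    "sla_credits_usd": ("up", "Declining service quality or capacity strain"),
    "critical_patch_days": ("up", "Security control deterioration"),
    "high_patch_days": ("up", "Security control deterioration"),
    "notify_hours": ("up", "Staffing or operational stress at vendor"),
    "evidence_days": ("up", "Compliance maturity issues"),
    "uptime_pct": ("down", "Operational instability"),
}


def trend_signals(history: list[Quarter], window: int = 3) -> list[tuple[str, str]]:
    """Risk signals that need a run of quarters, not one bad quarter.

    A metric signals only when it moves in the wrong direction in every
    quarter of the window; a single breach that recovers does not count.
    """
    if len(history) < window:
        return []
    recent = history[-window:]
    signals = []
    for metric, (worse, text) in TREND_RULES.items():
        values = [getattr(q, metric) for q in recent]
        pairs = list(zip(values, values[1:]))
        if worse == "up":
            deteriorating = all(later > earlier for earlier, later in pairs)
        else:
            deteriorating = all(later < earlier for earlier, later in pairs)
        if deteriorating:
            signals.append((metric, text))
    if any(not q.dr_test_done for q in recent):
        signals.append(("dr_test", "Weak recovery preparedness"))
    return signals


# Governance steps from the post, indexed by consecutive breaching quarters.
# The index-to-step mapping is an assumption for this example.
ESCALATION = [
    "No action",
    "Operational review",
    "Formal notice of performance concerns",
    "Executive governance escalation and documented remediation plan",
    "Termination readiness",
]


def consecutive_breaching_quarters(history: list[Quarter]) -> int:
    """Length of the run of most recent quarters with at least one breach."""
    run = 0
    for q in reversed(history):
        if not breaches(q):
            break
        run += 1
    return run


def escalation_step(history: list[Quarter]) -> str:
    run = consecutive_breaching_quarters(history)
    return ESCALATION[min(run, len(ESCALATION) - 1)]


if __name__ == "__main__":
    for q in HISTORY:
        print(q.label, "breaches:", breaches(q) or "none")
    for metric, text in trend_signals(HISTORY):
        print(f"trend: {metric:<22} -> {text}")
    print("governance step:", escalation_step(HISTORY))
```

Run as a script it prints the per-quarter scorecard, the trend signals and the governance step. The sample deliberately includes a single notification miss in 2025Q1 that recovers in Q2, and an uptime dip in Q4 that has not yet formed a trend: both appear as breaches in the scorecard but not as trend signals, which is the distinction the post draws between isolated failures and patterns. Two consecutive breaching quarters land on "Formal notice of performance concerns", the step the post ties to repeated failures.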
Actionable Take-Aways

For TPRM
- Map risk tiers to mandatory clauses and SLA expectations
- Trend SLA performance as part of ongoing monitoring
- Treat repeated SLA failures as risk events, not vendor nuisances

For Legal
- Replace "reasonable efforts" with measurable, auditable standards
- Preserve audit, termination, and step-in rights
- Ensure operational clauses are enforceable, not just aspirational

For IT, Security, and Resilience Teams
- Define SLAs based on business impact tolerance, not vendor defaults
- Require testing and documented evidence for recovery and security claims

For Procurement & Finance
- Analyze SLA credits and billing issues as indicators of operational risk
- Tie commercial leverage to performance accountability

For Executives
- View chronic vendor underperformance as an enterprise risk signal
- Support cross-functional governance when SLAs show sustained decline

Contracts should not simply describe services; they should operationalize trust. When risk expectations are translated into enforceable obligations and monitored through meaningful SLAs, vendor agreements become what they were always meant to be: a front-line control for protecting the organization's operations, data, customers, and reputation.

Authors
Heather Kadavy, Director of Membership Success at TPRA
Ryan Hesser, VP Third Party Risk Mgmt & Legal Counsel at VyStar CU


Other Pages (379)

  • TPRA – Third Party Risk Management Resources, Certification & Networking

    Join the TPRM community at TPRA for expert resources, training, templates, and tools to strengthen your third party risk program and grow your network. Join the only not-for-profit, vendor-agnostic professional association uniting thousands of TPRM professionals worldwide, furthering the profession of third party risk management through knowledge-sharing and networking. The all-in-one source for Third Party Risk Management (TPRM) tools, templates, training, networking, certifications, and industry best practices.

    Membership (Connect & Discover): individuals and organizations working together to advance the industry.
    Education (Meetings & Training): certifications and training for risk professionals to advance their careers and enhance their programs.
    Resources (Information Sharing Site): white papers, templates, guidance, and more to enhance your program.
    Tools & Automation (Explore & Contact): detailed profiles of trusted TPRM service provider organizations and their offerings.

    Practitioner Plans (Standard: free; Premium: $199/yr). Benefits:
    - Member Meetings: interactive monthly calls to discuss a variety of third party risk topics decided upon by members.
    - Conferences: in-person and virtual conferences dedicated solely to third party risk topics.
    - Networking: online interaction with your peers through membership forums and document databases.
    - Industry-Specific Meetings: quarterly special interest calls based on your industry.
    - Demos, Surveys, Webinars: access to third party risk management service provider demos, surveys, and webinars.
    - Certifications: TPRM professional certifications that establish credibility and demonstrate your commitment to mastering your skills and knowledge within the industry.

    Vendor Plans (4 available plans starting at $8,000/yr). Benefits:
    - Priority & Discount Sponsorship Opportunities: be the first to sponsor conferences and receive discounted member rates, as well as priority positioning.
    - Networking & Collaboration: attend monthly and quarterly meetings with TPRM practitioners and other service providers to network, collaborate, create resources, and share insights.
    - Promotional Opportunities: work with the TPRA staff to communicate your organization's webinars, surveys, demos, blog posts, and white papers to Practitioner Members.
    - Advisory Councils: join the TPRM Service Provider Advisory Council, as well as other groups, dedicated to collaborating, sharing insights, and providing strategic guidance.
    - Quarterly Updates: receive quarterly updates with industry innovators to collaborate on practitioner needs.

    Meetings open to all (upcoming):
    - Thursday, July 9, 2026, 10:00 – 11:00 AM CT: Roundtable: Nth Party & Supply Chain Risk
    - Tuesday, July 21, 2026, 1:00 – 2:00 PM CT: Women In TPRM Meeting
    - Tuesday, July 21, 2026, 10:00 – 10:30 AM CT: New & Potential Member Call
    - Thursday, August 13, 2026, 10:00 – 11:00 AM CT: Roundtable: Budgeting for TPRM Success

    Contact: P.O. Box 824, Ankeny, Iowa 50021 USA. Email: info@tprassociation.org. For general inquiries, use the contact form on the page.

  • WOMEN IN TPRM PROGRAM | TPRA

    Join TPRA's Women in TPRM program to uplift and support women in the industry through mentorship, leadership development, and recognition. Empowering the next generation of women leaders in TPRM.

    Our Goals: The Women in TPRM (WNTPRM) Program is dedicated to empowering women in the Third Party Risk Management (TPRM) industry. This program is open to all, regardless of TPRA membership status or gender identity. Through collaborative efforts, we aim to:
    - Uplift Women in TPRM: advocate for professional growth and recognition.
    - Provide Access to Higher-Paying Roles: break barriers to equitable opportunities in TPRM careers.
    - Celebrate & Support Women: establish a platform to spotlight achievements and nurture community.
    - Cultivate Future Leaders: develop the next generation of trailblazers in TPRM.

    What We Do: We meet monthly to strategize on achieving these goals and to address challenges within the field. You do not need to be a TPRA member to participate in this program, but some facets of the program are member-specific, such as our 'Women in TPRM' Slack channel, where TPRA Practitioner Members can continue meaningful conversations, share resources, and collaborate. Standard Practitioner Membership is free, and all TPRA Practitioner Members are invited to join our Slack forum. Members and non-members can join our LinkedIn group to stay connected.

    Our initiatives include:
    - Advocating for the importance of women in TPRM through educational resources and outreach.
    - Providing access to tools, techniques, and insights that uplift and empower women in the field.
    - Showcasing and celebrating women leaders who inspire and shape the TPRM landscape.
    - Sharing job opportunities from organizations committed to supporting women in TPRM.
    Join us as we drive change, foster leadership, and build a brighter future for women in TPRM!

    Upcoming meetings (Women In TPRM Meeting, 1:00 – 2:00 PM CT): July 21, 2026; August 18, 2026; September 15, 2026.

    Programs & Resources:
    - Women Lead Spotlights: our Women Lead Program is dedicated to showcasing inspiring leaders by highlighting their stories. The goal is to learn from and be inspired by women leaders in the field of Third Party Risk Management (TPRM) across industries. View our leaders and learn how to nominate and/or apply to become a spotlight.
    - Resource Sharing Library: our Women in TPRM Resource Sharing Library contains a variety of women-in-business materials, including reports on the latest women-in-business trends and statistics, blogs and articles on current happenings, and TED Talks featuring inspiring women in business educating others on how to navigate the business world and find success in their careers.
    - Leadership Ladders: originally developed by TPRA's Women in TPRM "Lead" work group, this training activity is designed for all current and aspiring leaders within the TPRM industry. Inspired by the classic "Chutes and Ladders" game, it is an all-in-one roadmap to leadership in the form of a nostalgic, virtual board game. Each box on the board is linked to a valuable resource, including customized guides, blogs, videos, quizzes, and more, with the goal of enhancing your leadership potential through buildable skills and expert insights. Any professional, regardless of career stage, can find value in this activity.
    - Recorded Meetings: view meeting recordings and PowerPoints from our monthly Women In TPRM Meetings.

    Statistics:
    - Women represent only 15-20% of the Governance, Risk and Compliance profession (GRC World Forums, 2021).
    - Only about 25% of security and risk management (SRM) executives are women (Gartner Inc., 2019).
    - Gender-diverse and inclusive teams outperform gender-homogeneous, less-inclusive teams by an average of 50% (Gartner Inc., 2019).
    - According to one survey, 24% of global cybersecurity employees are women, and 18% of CIOs/CTOs are female (Deloitte, 2021).

    Quotes:
    - "Diversity matters not just because increasing representation of minorities and women in a fast growing and critical field is the right thing to do, but because a variety of viewpoints are key to solving hard problems." Johanna Werbach, SVP, General Counsel - Legal, Bitsight
    - "...change must come from within the industry and not be mandated from external parties." Karie Burt, Chief Data and Privacy Officer, MeritB2B
    - "With different backgrounds and perspectives and voices at the table and in an environment where their contributions are really valued, you benefit from a much more expansive conversation and one that's much more likely to uncover the full range of possibilities and solutions." Vanessa Jankowski, VP & GM, TPRM, BitSight
    Read "Women in CyberSecurity".

  • WNTPRM Recorded Meetings | TPRA

    Watch Women in TPRM recordings of past monthly meetings. Hear insights from women leaders and practitioners driving change in third party risk management. On-demand meetings (each a Women In TPRM Meeting, 1:00 – 2:00 PM CT, with the PowerPoint and video available): Tuesday, June 16, 2026; Tuesday, May 19, 2026; Tuesday, April 28, 2026; Tuesday, March 17, 2026; Tuesday, February 17, 2026; Tuesday, January 20, 2026.
