Search Results

529 results found with an empty search

Events (2)

Blog Posts (54)

  • From Manual to Modern: How to Spot TPRM Processes Ready for Automation

    In today’s third party risk management (TPRM) environment, time is a scarce resource, and risk teams are feeling the pressure. As organizations grow their third party ecosystems and regulatory expectations rise, TPRM programs are expected to scale without receiving more people or budget.

    That’s where automation can help.

    But before jumping into technology solutions, practitioners often ask a crucial question: “How do I know what to automate?”

    Not everything is a good candidate. Some processes rely on deep judgment or require hands-on communication. But others, the repetitive, rules-based, time-consuming tasks, are perfect opportunities to automate and free up your team’s time for strategic risk management activities.

    Let’s walk through how to spot automation use cases inside your own program, and hear how one risk leader turned hours of manual work into minutes of automated flow.

    What Makes a Good Candidate for Automation?

    Start with a simple lens. The best automation processes usually have these qualities:

    - High volume: Happens frequently across many third parties
    - Repetitive: Same steps followed every time
    - Rule-based: Decisions based on set criteria or logic
    - Low variation: Minimal case-by-case customization
    - Trackable: Easily measurable in terms of success or failure

    If you’re doing a task over and over, and it doesn’t require nuanced human decision-making, it’s probably a strong automation candidate.

    Common TPRM Automation Use Cases

    Here are some of the most common areas where automation delivers real value:

    1. Initial Third Party Intake & Risk Tiering
       Automating the intake form and feeding third party and business owner responses directly into a tiering model saves time and reduces manual scoring errors. You can set rules to automatically assign low, medium, or high risk based on responses like data sensitivity or criticality.

    2. Due Diligence Questionnaire Distribution
       Rather than tracking who received what questionnaire, use automation to send the right assessment based on third party type and level of risk, trigger reminder emails, and flag when a response is overdue.

    3. Policy & Document Collection
       Stop chasing third parties manually for SOC reports, insurance certs, or data mapping. Use tools that auto-request, validate expiration dates, and flag missing documents before you notice.

    4. Issue Remediation Workflows
       If a third party fails a control assessment, automation can generate a ticket, assign it to the right risk owner, and send periodic follow-ups until it’s resolved or escalated.

    5. Continuous Monitoring
       Set thresholds and rules so that alerts from external monitoring platforms are filtered, prioritized, and routed to the right business owner and/or third party. Not every continuous monitoring alert needs to land in your inbox.

    Real-World Example: Automating Third Party Risk Tiering

    Case Study: Financial Services TPRM Team (Mid-Sized U.S. Bank)

    A TPRM team supporting over 1,000 third parties struggled to keep up with onboarding. Each third party was manually risk-tiered by reviewing spreadsheets, pasting data into a scoring tool, and then having it double-checked by a second analyst.

    “It was taking us 2 to 3 hours per vendor, just to assign a tier,” the risk lead told us.

    By implementing an automation workflow using a TPRM platform, they built a rules engine tied to their intake questionnaire. Now, as third parties fill out intake forms, their answers auto-feed into a tiering model based on categories like access to sensitive data, cloud usage, and financial impact. The automation generates a tier instantly, flags high-risk vendors for human review, and logs everything for audit readiness.

    Result:

    - Manual effort dropped from 3 hours to under 10 minutes
    - Analyst hours saved = ~50/month
    - More consistent tiering = stronger regulator confidence

    How to Identify Automation Opportunities in Your Program

    Start simple. Ask yourself and your team:

    - What process eats up the most time?
    - Are there tasks we do the same way every time?
    - Where do errors or delays occur?
    - What are we manually tracking in Excel or email?
    - What do we wish we had more time for (but don’t)?

    Then, map out the steps. If you can diagram it on paper, chances are you can automate it.

    Avoid These Common Pitfalls

    Before automating, take these precautions:

    - Don’t automate a broken process. Fix inefficiencies first.
    - Avoid black-box logic (a system or algorithm where the internal workings are not easily understood or accessible to the user). You still need visibility and traceability.
    - Keep humans in the loop for judgment calls or escalations.
    - Test in small batches before going wide.

    Final Thought: Start Small, Scale Smart

    You don’t need a full digital transformation to begin automating. Choose one use case, something your team is tired of doing manually, and experiment. Measure the time saved. Show impact.

    Remember, in TPRM, every minute you save on manual administration is a minute you can spend mitigating actual risk.

    Author Bio

    Heather Kadavy, Senior Membership Success Coordinator

    Heather Kadavy joined the Third Party Risk Association (TPRA) in 2023 as the Senior Membership Success Coordinator. In recent years, Heather has been providing freelance TPRM consulting work to various organizations after retiring from a Nebraska financial institution after nearly 35 years, where she oversaw and managed critical programs of the organization including Third Party Risk Management, Information Security, Physical Security, Safety, Business Recovery, Financial Crimes, Model Risk Management, and Enterprise Risk Management. In her TPRM role she had oversight of over a thousand third party relationships, systems, due diligence reviews and contract management activities. She developed, facilitated, and implemented training programs for thousands of employees over the years. Heather is a natural born connector of people and values relationship building as the cornerstone of her career. She encourages you to connect with TPRA and herself via LinkedIn to join in the "TPRM Global Conversation".

  • Too Many Eggs, One Basket: Lessons from the AWS Outage

    In the early morning of October 20, 2025, Amazon Web Services, the backbone of much of the modern internet, experienced a widespread outage in its Northern Virginia region. Within hours, popular apps, business platforms, and government services began to slow or fail. By evening, AWS reported that services were operating normally, with some backlogs clearing after that. This was not some minor hiccup. It took much of the day to resolve, and by the time systems steadied, the outage had already reminded everyone how deeply daily life depends on the same shared foundations.

    The Impact

    The outage originated in AWS’s US-EAST-1 region, which supports a significant portion of global cloud activity. That single region underpins countless tools and services used every day by businesses, governments, and consumers alike. Well-known platforms such as Zoom, Venmo, and Alexa saw interruptions, but the effects reached much farther than that.

    For many organizations, the disruption was one step removed. Their own systems appeared stable, yet vendors or downstream providers that relied on AWS began to falter. Even companies with no direct contract felt the slowdown through partners and service integrations that quietly depend on the same infrastructure.

    The Cause

    AWS said the incident stemmed from DNS resolution issues that affected DynamoDB service endpoints in US-EAST-1, and they began mitigation after identifying the problem (AWS update). In parallel, traffic health checks did not behave as expected, which complicated rerouting and recovery. The combination created a chain of disruptions that took most of the day to unwind.

    In short, one lookup broke, one database stalled, and everything built on top of them learned what “shared dependency” really means.

    The Response

    AWS posted regular updates, isolated the DNS issue, and restored service, with some queues taking longer to clear. By evening, operations were mostly normal.

    AWS confirmed that the outage was not the result of a cyberattack and said a detailed incident analysis would be released. The company’s updates through its status page and social channels provided transparency but were highly technical, which made it difficult for non-technical teams to interpret and share meaningful updates inside their organizations.

    What This Illustrates About Concentration Risk

    This was concentration risk in practice: too much dependency in one place. The AWS US-EAST-1 region is popular because it is large, efficient, and cost-effective. That popularity concentrates demand, which can magnify impact during an incident.

    When multiple organizations and their vendors depend on the same region, a single problem can become a multi-industry event. Many companies that felt diversified discovered their vendors were sitting on the same underlying infrastructure.

    What It Reveals About Fourth- and Nth-Party Risk

    Even companies far removed from AWS saw disruptions. That is extended vendor risk, where your vendor’s vendor, or their vendor’s vendor, fails and causes impact for you.

    A payment platform might use AWS directly, while your billing software depends on that platform. Your HR system’s analytics add-on might sit on AWS even if the core platform does not. The farther down the chain the issue occurs, the harder it is to see, yet the business effect is the same.

    The Broader Lesson: Shared Infrastructure Means Shared Consequences

    Cloud services and computing have made business faster and more connected. They have also made it interdependent. When one provider falters, entire industries can feel the shock.

    Technical events become business events quickly. Disruptions affect customer access, transactions, revenue, and regulatory expectations. For TPRM programs, resilience is not about predicting every outage. It is about understanding dependency risk and being ready to respond calmly when it appears.

    What TPRM Practitioners Should Be Doing Now

    The AWS outage was a free stress test. Even if your organization stayed upright, it showed how much depends on a handful of cloud providers. Now it’s time to turn awareness into action.

    1. Revisit your dependency map

    Trace your direct, fourth-party, and nth-party exposure. You do not need to document every sub-vendor, but you should know where critical systems live and who connects them.

    - Review your direct vendors and note hosting provider and region.
    - Identify shared dependencies across your portfolio.
    - Flag any service that leans on a single region.
    - Share this with cybersecurity and IT partners to align contingency plans.

    2. Strengthen collaboration between TPRM and Cybersecurity/Information Technology

    When an outage hits, both perspectives are essential.

    - Cyber professionals (which may include the incident response team) focus on the how: root cause, technical exposure, and data integrity.
    - TPRM focuses on the so what: business impact, vendor accountability, and continuity of services.

    Confirm with IT which systems can run from more than one location. Confirm with TPRM which vendors must maintain uptime and notify you. If this partnership is informal, formalize a simple workflow that defines who watches vendor status, how alerts move to business leaders, and who decides when to communicate with executives or customers.

    3. Update due diligence and contracting

    Bake resilience into every step of the vendor lifecycle.

    During due diligence:

    - Ask where systems are hosted, including backup regions.
    - Require disclosure of key sub-vendors such as cloud hosts and data processors.
    - Confirm that failover is tested and recent.
    - Check that downtime tolerance matches your business needs.

    In contracts:

    - Add notification timelines for incidents that affect your data or operations.
    - Require vendors to maintain and test continuity and disaster recovery plans on a regular basis (at least annually).
    - Define how credits or remedies apply during regional incidents.
    - Include data portability and exit terms so you can migrate if reliability declines.

    For existing contracts, capture this through an addendum or vendor questionnaire. The goal is alignment between your expectations and actual capabilities.

    4. Treat vendor resilience as an ongoing metric

    Do not let resilience live in a one-time questionnaire.

    - Track uptime and incident response quarterly.
    - Watch how vendors communicate during industry-wide disruptions.
    - Follow up with any vendor that takes more than a business day to confirm whether they were affected.

    Transparency and communication matter as much as uptime.

    5. Bring the lesson to leadership

    Executives and boards care about continuity, not DNS details. Use this event as a case study. Keep it in business terms.

    - How long could you operate if your main region failed?
    - Which vendors share that region?
    - How long does recovery actually take in hours, not in theory?

    Boards and regulators should already be asking about cloud concentration and systemic risk. Showing mapped dependencies and credible plans signals maturity and foresight.

    Not Ready for All That Yet? Try This Instead

    If your program is not ready for the full list above, start smaller. A one-hour tabletop can surface the most important gaps before you redesign your program.

    A One-Hour Tabletop: “When the Cloud Falters”

    Scenario: Your most important customer-facing service is degraded for six hours because your cloud provider’s main region is down.

    Prompts:

    - What fails first, and who notices?
    - Who owns communication with leadership and customers?
    - What do you tell executives in the first 30 minutes?
    - What data confirms whether the issue is internal or supplier-related?
    - If the outage lasts more than four hours, how do you continue operations?
    - When and how do you tell customers you are stable again?

    What good looks like:

    - Clear ownership of communication and impact analysis.
    - Named roles for executive updates and recovery coordination.
    - A realistic recovery time, not a guess.
    - Two improvement items assigned for follow-up within 30 days.

    Start here. Capture where confusion happens and what slows decisions. The results will show you where to strengthen communication, contracts, and coordination next.

    Conclusion

    The AWS outage was not just about downtime. It was about concentration risk and dependency, and how quietly it grows until something forces everyone to see it. What looked like one point of failure was really a network of shared reliance across vendors, industries, and geographies.

    For TPRM professionals, the lesson is to stop treating concentration as abstract and start treating it as operational reality. Every vendor, every contract, and every dependency tells part of that story. The work ahead is not to eliminate risk; it is to ensure that when one link breaks, which it inevitably will, the rest of the chain holds.

    Additional Resource

    Explore our certificate, Securing SaaS Applications: A Comprehensive Approach to Cloud Risk Management, which provides an in-depth look at evaluating and managing risks associated with cloud-based SaaS solutions.

    Author Bio

    Hilary Jewhurst, Sr. Membership & Education Coordinator at TPRA

    Hilary Jewhurst is a seasoned expert in third-party risk and risk operations, with nearly two decades of experience across financial services, fintech, and the nonprofit sector. She has built and scaled third-party risk programs from the ground up, designed enterprise-wide training initiatives, and developed widely respected content that helps organizations navigate regulatory complexity with clarity and confidence. Known for turning insight into action, Hilary’s thought leadership and educational work have become go-to resources for professionals looking to mature their TPRM programs. She regularly publishes articles, frameworks, and practical guides that break down complicated risk topics into meaningful, accessible strategies. Hilary recently joined the Third Party Risk Association (TPRA) as a staff member, supporting industry-wide education, peer learning, and advancing best practices. She is also the founder of TPRM Success, a boutique consultancy that helps organizations strengthen their third-party risk management capabilities through targeted training, tools, and strategic guidance.

  • Why Vendor Offboarding Is Riskier Than You Think and How Automation Can Help

    When a vendor relationship ends, the risk doesn’t.

    Too often, vendor offboarding is treated as an afterthought, left to chance, split between departments, or buried in a never-used checklist. The problem? An incomplete or inconsistent termination process exposes your organization to some of the highest risks in the TPRM lifecycle.

    These risks include, but are not limited to, access that was never revoked, assets that were never returned, and/or data that was never deleted.

    The good news: these risks are avoidable, and automation can help.

    Why Offboarding Matters More Than You Think

    In many organizations, onboarding gets all the attention: due diligence, approvals, kickoff meetings, and security reviews.

    But what about the end of the relationship?

    "You wouldn’t let an employee walk out the door without collecting their badge and shutting off system access. Why do we do it with vendors?"

    Poor offboarding can lead to:

    - Lingering system access and potential unauthorized activity
    - Unreturned data or devices, especially in hybrid/cloud environments
    - No formal record of what actions were completed or by whom
    - Compliance gaps if data disposal or security controls were contractual

    The Automation Opportunity

    Here’s where automation can drastically improve vendor offboarding, making it faster, repeatable, and auditable.

    1. Triggering the Offboarding Workflow Automatically

    - When a contract is marked as terminated or not renewed, the system will kick off automated offboarding activities.
    - It can route these activities to IT, InfoSec, Procurement, and TPRM automatically.

    Tool tip: Use a trigger from your TPRM tool, GRC system, or contract lifecycle platform to launch this sequence.

    2. Auto-Assigning Offboarding Tasks

    Such offboarding tasks can include, but are not limited to:

    - Revoking system access and credentials
    - Collecting physical or virtual assets
    - Confirming data destruction or secure transfer
    - Archiving vendor risk files and workpapers

    Tool tip: Use tools like ServiceNow, Jira, or Monday.com to assign tasks and track completion status in real time.

    3. Generating & Storing Offboarding Evidence

    - The system can require documentation uploads or confirmations (e.g., screenshot of deprovisioned access, destruction certificates) of completed offboarding tasks.
    - It can also store all evidence in the third party profile for audit purposes.

    Tool tip: Attach offboarding steps to a third party profile in your TPRM platform or centralize storage in a secure SharePoint folder.

    4. Post-Termination Reviews

    - Set up a short internal review form to capture any final third party risks or lessons learned.
    - Optionally trigger a survey to business owners to assess third party performance.
    - Update the third party’s profile to note if the third party can be used again or if it is recommended to not do business with the third party.

    Tool tip: Use Microsoft Forms or Google Forms and auto-send based on the third party status change.

    Real-World Example: Offboarding Automation at a Global Fintech

    A fintech company with over 1,200 third parties discovered that more than 30% of “inactive” third parties still had some form of residual access, including access to shared cloud folders and legacy single sign-on (SSO) profiles.

    The organization then implemented a third party offboarding checklist built into their TPRM platform, which auto-triggered when a contract end date was reached or when a business owner marked a third party as "no longer in use."

    Each task, such as deprovisioning access, collecting assets, or confirming data deletion, was auto-assigned to pertinent stakeholders with deadlines and owner accountability.

    Results in the first 6 months:

    - Reduced open-access risk by 78%
    - 100% of offboarding steps documented and accessible for audits
    - Gained stronger alignment between TPRM, InfoSec, and Procurement

    Getting Started: Questions to Ask

    - Do we have a standard offboarding checklist for third parties?
    - Who owns each task, and how do we know the tasks were completed?
    - Can we identify all third parties with system access that may still be active post-contract?
    - Do we store evidence of data destruction or handover?

    Quick Win to Try

    Start by creating a centralized third party offboarding checklist with due dates and owner fields. Even if you use Excel or a Google Form at first, link this to third party termination triggers and build consistency from there.

    Then, explore how your existing tools (TPRM platform, ticketing system, workflow automation) can formalize and automate the process.

    For additional information on the third party Termination process, view TPRA’s TPRM 101 Guidebook.

    Author Bio

    Heather Kadavy, Senior Membership Success Coordinator

    Heather Kadavy joined the Third Party Risk Association (TPRA) in 2023 as the Senior Membership Success Coordinator. In recent years, Heather has been providing freelance TPRM consulting work to various organizations after retiring from a Nebraska financial institution after nearly 35 years, where she oversaw and managed critical programs of the organization including Third Party Risk Management, Information Security, Physical Security, Safety, Business Recovery, Financial Crimes, Model Risk Management, and Enterprise Risk Management. In her TPRM role she had oversight of over a thousand third party relationships, systems, due diligence reviews and contract management activities. She developed, facilitated, and implemented training programs for thousands of employees over the years. Heather is a natural born connector of people and values relationship building as the cornerstone of her career. She encourages you to connect with TPRA and herself via LinkedIn to join in the "TPRM Global Conversation".

Other Pages (473)

  • TPRA – Third Party Risk Management Resources, Certification & Networking

    Join the TPRM community at TPRA for expert resources, training, templates, and tools to strengthen your third party risk program and grow your network.

    Join the only not-for-profit, vendor-agnostic professional association uniting thousands of TPRM professionals worldwide. Furthering the profession of third party risk management through knowledge-sharing & networking.

    The all-in-one source for Third Party Risk Management (TPRM) tools, templates, training, networking, certifications & industry best practices.

    - Membership (Connect & Discover): Individuals & organizations working together to advance the industry.
    - Education (Meetings & Training): Certifications & training for risk professionals to advance their careers & enhance their programs.
    - Resources (Information Sharing Site): White papers, templates, guidance & more to enhance your program.
    - Tools & Automation (Explore & Contact): Detailed profiles of trusted TPRM service provider organizations & their offerings.

    Advance Your Career in Risk Management: Learn About the Benefits of TPRA Membership

    Practitioner Plans (Standard: FREE; Premium: $199/yr)

    Benefits:

    - Member Meetings: Interactive monthly calls to discuss a variety of third party risk topics decided upon by members.
    - Conferences: In-person and virtual conferences dedicated solely to third party risk topics.
    - Networking: Online interaction with your peers through membership forums and document databases.
    - Industry-Specific Meetings: Quarterly special interest calls based on your industry.
    - Demos, Surveys, Webinars: Access to third party risk management service provider demos, surveys, & webinars.
    - Certifications: TPRM professional certifications that establish credibility and demonstrate your commitment to mastering your skills and knowledge within the industry.

    Vendor Plans (4 available plans starting at $8,000/yr)

    Benefits:

    - Priority & Discount Sponsorship Opportunities: Be the first to sponsor conferences and receive discounted member rates, as well as priority positioning.
    - Networking & Collaboration: Attend monthly and quarterly meetings with TPRM practitioners and other service providers to network, collaborate, create resources, share insights, and more!
    - Promotional Opportunities: Work with the TPRA staff to communicate to Practitioner Members your organization's webinars, surveys, demos, blog posts, and white papers.
    - Advisory Councils: Join our TPRM Service Provider Advisory Council, as well as other groups, dedicated to collaborating, sharing insights, and providing strategic guidance.
    - Quarterly Updates: Receive quarterly updates with industry innovators to collaborate on practitioner needs.

    Member Meetings & Events

    - Tuesday, November 18, 2025, 1:00 - 2:00 PM CT: Women In TPRM Meeting
    - Thursday, December 11, 2025, 10:00 - 11:00 AM CT: Roundtable: TPRA Year In Review / Look Ahead + FUN!

    Contact Us

    Address: P.O. Box 824, Ankeny, Iowa 50021 USA
    Email: info@tprassociation.org
    For any general inquiries, please fill out the contact form.

  • TPRM Service Providers | TPRA

    Leverage this list of third party risk management service providers in various categories to find the right vendor for your needs.

    TPRM Tools

    At the Third Party Risk Association, we know that finding the right vendor for your needs can be a challenge. Often, organizations may not even be aware of the potential vendors in the space. We're aiming to compile an exhaustive list of TPRM vendors across various categories to make your life a little easier. This list of TPRM Vendors is not affiliated with the TPRA, and the TPRA does not receive any monetary gain from listing them below. If you are a TPRM Vendor and would like to be included in the list below, please email Heather Kadavy at heather.kadavy@tprassociation.org.

    Number found: 138

    | Category | Name | TPRA Member? | URL |
    |---|---|---|---|
    | GRC Platform | 360Factors Inc | No | https://www.360factors.com |
    | GRC Platform | Acuity Risk Management | No | http://acuityrm.com |
    | GRC Platform | Archer Integrated Risk Management | No | https://www.archerirm.com/third-party-governance |
    | GRC Platform | AuditBoard | No | https://auditboard.com/contact-us/request-demo?utm_medium=tooklist&utm_source=tpra&utm_content=cta |
    | GRC Platform | CoreStream | No | http://corestreamplatform.com |
    | GRC Platform | DVV Solutions TPRM | No | https://www.dvvs.co.uk |
    | GRC Platform | Diligent | No | https://www.diligent.com/ |
    | GRC Platform | Ethico | No | http://www.ethico.com |
    | GRC Platform | LogicGate | No | https://www.logicgate.com/solutions/third-party-risk-management/ |
    | GRC Platform | LogicManager | No | https://www.logicmanager.com/ |
    | GRC Platform | MetricStream | No | https://www.metricstream.com |
    | GRC Platform | Navex | No | https://www.navex.com/en-us/products/navex-irm-integrated-risk-management/third-party-risk-management/ |
    | GRC Platform | Onspring | No | https://onspring.com/solutions/governance-risk-compliance/third-party-risk-management/ |
    | GRC Platform | OpenPages GRC by IBM | No | https://www.ibm.com/products/openpages-with-watson?utm_content=SRCWW&p1=Search&p4=43700070084211913&p5=p&gclid=f61d865decc71a305683e4bf26ab6b2c&gclsrc=3p.ds |
    | GRC Platform | Reasonable Risk | No | https://www.reasonablerisk.com/ |
    | GRC Platform | RiskOptics formerly Reciprocity | No | https://reciprocity.com/ |
    | GRC Platform | SAI 360 GRC | No | https://www.sai360.com/ |
    | GRC Platform | SAP Risk Management | No | https://www.sap.com/products/financial-management/risk-management.html |
    | GRC Platform | ServiceNow GRC | No | https://www.servicenow.com/products/governance-risk-and-compliance.html |
    | GRC Platform | Standard Fusion | No | https://www.standardfusion.com/ |
    | GRC Platform | TutelaSolutions | No | https://www.tutela-solutions.com/ |
    | Research & Educational Community | Cloud Security Alliance (CSA) | Yes | https://cloudsecurityalliance.org/ |
    | Research & Educational Community | Dynamic Standards International (DSI) | Yes | https://dsi.org/about |
    | Research & Educational Community | FAIR Institute | Yes | https://www.fairinstitute.org |
    | Research & Educational Community | Global Resilience Federation (GRF) | Yes | https://www.grf.org/ |
    | Research & Educational Community | High Risk Education | No | https://www.linkedin.com/company/highriskeducation/posts/?feedView=all |
    | Risk Ratings/Intelligence | Argos Risk | No | https://argosrisk.com |
    | Risk Ratings/Intelligence | Bitsight | Yes | https://www.bitsight.com |
    | Risk Ratings/Intelligence | Black Kite | Yes | https://blackkite.com/ |
    | Risk Ratings/Intelligence | Blackwired Pte Ltd | No | https://www.blackwired.com |
    | Risk Ratings/Intelligence | BreachSiren | Yes | https://breachsiren.com |
    | Risk Ratings/Intelligence | Continuity Strength | Yes | https://continuitystrength.com/corporate-support |
    | Risk Ratings/Intelligence | Cybercert.ai | No | https://cybercert.ai |
    | Risk Ratings/Intelligence | Cyberwrite | No | https://www.cyberwrite.com/ |
    | Risk Ratings/Intelligence | Dark Sky Technology, Inc. | No | http://www.darkskytechnology.com |
    | Risk Ratings/Intelligence | Dun & Bradstreet | No | https://www.dnb.com/solutions/manage-supplier-risk.html |
    | Risk Ratings/Intelligence | FortifyData | No | http://www.fortifydata.com |
    | Risk Ratings/Intelligence | GRMS \| Global Risk Management Solutions | No | http://www.GlobalRMS.com/Difference |
    | Risk Ratings/Intelligence | ISS Corporate Solutions | No | https://www.isscorporatesolutions.com/solutions/security-suite/ |
    | Risk Ratings/Intelligence | Interos | Yes | https://www.interos.ai/ |
    | Risk Ratings/Intelligence | Ionix previously Cyberpion | No | https://www.ionix.io/ |
    | Risk Ratings/Intelligence | KHARON | No | https://www.kharon.com/ |
    | Risk Ratings/Intelligence | Ncontracts | No | https://www.ncontracts.com/ |
    | Risk Ratings/Intelligence | Orpheus Cyber | No | https://www.orpheus-cyber.com |
    | Risk Ratings/Intelligence | Owlin | No | http://www.owlin.com |
    | Risk Ratings/Intelligence | Panorays | No | https://www.panorays.com |
    | Risk Ratings/Intelligence | PromptArmor | Yes | https://www.promptarmor.com |
    | Risk Ratings/Intelligence | RapidRatings | Yes | https://www.rapidratings.com/ |
    | Risk Ratings/Intelligence | Recorded Future | No | https://www.recordedfuture.com |
    | Risk Ratings/Intelligence | RiskRecon by Mastercard | Yes | https://www.riskrecon.com |
    | Risk Ratings/Intelligence | Semantic Visions | Yes | https://www.semantic-visions.com/ |
    | Risk Ratings/Intelligence | Sentrisk | No | https://www.marshmclennan.com/sentrisk.html |
    | Risk Ratings/Intelligence | Supply Wisdom | Yes | https://www.supplywisdom.com/ |
    | Risk Ratings/Intelligence | TRaiCE | No | https://www.traice.io |
    | Risk Ratings/Intelligence | Tenchi Security | No | https://www.tenchisecurity.com/en |
    | Risk Ratings/Intelligence | The Smart Cube, a WNS company | No | https://www.thesmartcube.com/solutions/procurement-supply-chain/supplier-risk-intelligence/ |
    | Risk Ratings/Intelligence | UpGuard | No | https://www.upguard.com/ |
    | Risk Ratings/Intelligence | Vendict | No | https://www.vendict.com/ |
    | TPRM Platform | Aprovall | No | https://www.aprovall.com/en/ |
    | TPRM Platform | Aravo | Yes | https://www.aravo.com |
    | TPRM Platform | Atlas Systems | Yes | https://www.atlassystems.com/solutions/third-party-risk-management |
    | TPRM Platform | Blue Umbrella | No | http://www.blueumbrella.com |
    | TPRM Platform | Censinet | No | https://www.censinet.com |
    | TPRM Platform | Certa.ai | Yes | https://certa.ai |
    | TPRM Platform | Clarity360 (Kroll) | No | https://www.krollclarity.com/ |
    | TPRM Platform | Coverbase | Yes | https://coverbase.ai/ |
    | TPRM Platform | Crossword Cybersecurity | No | https://www.crosswordcybersecurity.com/ |
    | TPRM Platform | CyberGRX (now ProcessUnity) | No | https://www.cybergrx.com |
    | TPRM Platform | DSALTA | No | https://www.dsalta.com/ |
    | TPRM Platform | DocuBark | Yes | https://docubark.com/ |
    | TPRM Platform | DoubleCheck Software | No | http://www.doublechecksoftware.com |
    | TPRM Platform | EthixBase360 (formerly EthixBase) | No | https://ethixbase360.com/ |
    | TPRM Platform | Exiger | Yes | https://www.exiger.com/ |
    | TPRM Platform | Fabrik | Yes | https://www.thetrustfabrik.com/ |
    | TPRM Platform | Findings | No | https://findings.co/ |
    | TPRM Platform | Fortress | No | https://fortress.ai/ |
    | TPRM Platform | Gatekeeper | No | https://www.gatekeeperhq.com |
    | TPRM Platform | GraphiteConnect | No | https://www.graphiteconnect.com/ |
    | TPRM Platform | Hellios Information | No | https://hellios.com/ |
    | TPRM Platform | Kobalt Labs | No | https://www.kobaltlabs.com/ |
    | TPRM Platform | Lema | Yes | https://www.lema.ai/ |
    | TPRM Platform | Locktivity | Yes | https://www.locktivity.com/ |
    | TPRM Platform | Mirato | Yes | https://mirato.com/ |
    | TPRM Platform | MyRiskShield | No | https://www.myriskshield.com/ |
    | TPRM Platform | OneTrust | Yes | https://www.onetrust.com |
    | TPRM Platform | Perimeter (formerly ProcessBolt) | No | https://perimeter.net/ |
    | TPRM Platform | Prevalent | No | https://www.prevalent.net |
    | TPRM Platform | ProcessUnity | Yes | https://www.processunity.com |
    | TPRM Platform | Protecht | No | https://www.protechtgroup.com/en-us/ |
    | TPRM Platform | Resilinc | No | http://www.resilinc.ai |
    | TPRM Platform | Risk Ledger | No | https://riskledger.com/ |
    | TPRM Platform | Safe Security | Yes | https://safe.security/ |
    | TPRM Platform | SecurityScorecard | Yes | https://www.securityscorecard.io |
    | TPRM Platform | Shift Security | No | https://www.shift.security/ |
    | TPRM Platform | Smarsh (formerly Privva) | No | https://www.smarsh.com/platform/cybersecurity-risk-management/vendor-risk-management |
    | TPRM Platform | Sphera (formerly RiskMethods) | No | https://sphera.com/supply-chain-risk-management/ |
    | TPRM Platform | Start | No | https://www.startvrm.com/ |
    | TPRM Platform | TDI | No | https://tdinternational.com/ |
    | TPRM Platform | TEKRiSQ | Yes | http://TEKRiSQ.com |
    | TPRM Platform | ThirdPartyTrust (a Bitsight company) | No | https://www.thirdpartytrust.com |
    | TPRM Platform | Trust Your Supplier | No | https://trustyoursupplier.com/ |
    | TPRM Platform | TrustExchange | No | https://www.trustexchange.com |
    | TPRM Platform | VISO TRUST | No | https://www.visotrust.com |
    | TPRM Platform | Vanta | Yes | https://vanta.com |
    | TPRM Platform | Velocity | No | https://www.velocitysec.com/ |
    | TPRM Platform | VendorRisk | No | https://www.vendorrisk.com |
    | TPRM Platform | Vendorly | No | https://www.vendorly.com/ |
    | TPRM Platform | Venminder, an Ncontracts Company | Yes | https://www.venminder.com |
    | TPRM Platform | Whistic | No | https://www.whistic.com |
    | TPRM Platform | myCYPR | No | https://www.mycypr.com/ |
    | TPRM Services | AML RightSource | No | http://www.amlrightsource.com |
    | TPRM Services | BDO USA | No | https://www.bdo.com |
    | TPRM Services | CORL Technologies | No | https://www.corltech.com |
    | TPRM Services | CRFQ | Yes | https://www.crfqnow.com/ |
    | TPRM Services | Cadre | No | https://www.cadre.net |
    | TPRM Services | CastleHill Risk | No | https://www.castlehillrisk.com |
    | TPRM Services | Certificial, Inc. | No | http://www.certificial.com |
    | TPRM Services | ComplyScore | No | https://www.complyscore.com |
    | TPRM Services | Copeland BUHL | No | https://www.copelandbuhl.com/ |
    | TPRM Services | Crowe | No | https://www.crowe.com/services/consulting/third-party-risk-management |
    | TPRM Services | Defentrix | No | https://www.defentrix.com/ |
    | TPRM Services | Dixon Hughes Goodman | No | https://www.dhg.com/services/advisory |
    | TPRM Services | Evident ID | No | https://www.evidentid.com |
    | TPRM Services | Grant Thornton | No | https://www.grantthornton.com/services/advisory-services/cybersecurity-and-privacy/third-party-risk |
    | TPRM Services | GuidePoint Security | No | http://www.guidepointsecurity.com |
    | TPRM Services | HITRUST | Yes | https://hitrustalliance.net/ |
    | TPRM Services | ITPN | No | http://www.ITPeopleNetwork.com |
    | TPRM Services | RSM US | Yes | https://rsmus.com/ |
    | TPRM Services | S&P Global Market Intelligence | Yes | https://www.spglobal.com/marketintelligence/en/mi/products/ky3p.html |
    | TPRM Services | Schneider Downs | No | https://www.schneiderdowns.com/third-party-risk-management |
    | TPRM Services | SecureCrest | No | https://www.securecrest.com |
    | TPRM Services | Securis360 Inc. | Yes | https://securis360.com |
    | TPRM Services | Sidekick Security | No | https://sidekicksecurity.io/third-party-risk-management/ |
    | TPRM Services | Source Callé | No | https://www.sourcecalle.com |
    | TPRM Services | TUV OpenSky | No | https://www.tuvopensky.com |
    | TPRM Services | Truvo Cyber | No | http://www.Truvo.ca |
    | TPRM Services | VIVIDedge | No | https://www.vivid-edge.com/ |
    | TPRM Services | Vendor Centric | No | https://www.vendorcentric.com |

  • Open Meetings | TPRA

    All TPRM professionals are invited to attend our "Open Meetings"! No TPRA membership is required.

    WOMEN IN TPRM: Women In TPRM Meeting. Tuesday, November 18, 2025, 1:00 - 2:00 PM CT
    WORK GROUP: WNTPRM Work Group Meeting. Tuesday, December 2, 2025, 1:00 - 2:00 PM CT
    TPRM WEBINAR: Roundtable: TPRA Year In Review / Look Ahead + FUN! Thursday, December 11, 2025, 10:00 - 11:00 AM CT
