
Search Results



Blog Posts (38)

  • What is Third Party Risk Management (TPRM)?

    Introduction

    In this post, we’ll answer the essential question: What is Third Party Risk Management (TPRM)? Drawing from our Third Party Risk Management 101 Guidebook, this blog can be used as a starting point for those who wish to establish, validate, and/or enhance their Third Party Risk Management Program. We’ll introduce you to the foundations of TPRM and why it’s critical for organizations today. We’ll break down the basics, including key definitions, the various types of risk posed by third parties, how to assess and measure these risks, and the first steps to managing and mitigating third party risk exposure. Whether you’re new to TPRM or looking to enhance your program, this post will guide you through the essentials.

    Definitions

    What is a Third Party?

    For our purposes, Third Party will be broadly defined to include all entities that can or do provide products and/or services to an organization, regardless of whether a contract is in place or monies are exchanged. Such entities can include, but are not limited to: affiliates, subsidiaries, consultants, contractors, subcontractors, vendors, service and solution providers, fourth parties, and more.

    Historically, organizations procured services from third parties for cost-efficiency purposes. Today, the purpose of procuring third party products and services has greatly evolved. Now, it includes, but is not limited to:

    • Outsourcing critical processes
    • Quickly scaling services to reach global markets
    • Focusing on more strategic priorities
    • Reaching niche markets
    • Gaining additional expertise and functionality

    As this evolution occurs, the risk and impact posed by third parties to organizations increases.

    Therefore, Third Party Risk is the possibility of an adverse impact on an organization’s data, financials, operations, regulatory compliance, reputation, or other business objectives, as a direct or indirect result of an organization’s third party.

    So, how do you properly mitigate third party risk? By having a strong TPRM program. But what does TPRM entail?

    Third Party Risk Management (TPRM) is the framework consisting of policies and procedures, controls, governance, and oversight established to identify and address risks presented to an organization by its third parties.

    A Control is a process and/or activity used to monitor, review, and/or address a specific risk.

    What is TPRM?

    Third Party Risk Management is not a new concept, but its importance continues to grow due to:

    • The threat landscape growing in complexity
    • Organizations having a greater reliance on third parties to support critical services
    • Digital transformation projects growing in momentum
    • Increasing regulations
    • Environmental impacts

    In addition, there has been an increase in regulatory scrutiny of organizations, to ensure they are aware of the risks and impacts their third parties have on their organization. Gone are the days when organizations could simply attest that they have a compliance program in place. Regulators now require organizations to demonstrate that their third parties have effective controls and compliance programs in place.

    To ensure that third parties operate securely and effectively, an organization must implement and maintain an effective Third Party Risk Management (TPRM) program to identify, assess, monitor, and mitigate risks related to the outsourced data and processes. Customers, board members, and regulators have significant expectations that organizations will maintain effective TPRM programs. These stakeholders seek assurance that the organization is appropriately identifying and managing third party risks to protect their interests and uphold compliance standards.

    But what risks specifically should a TPRM program consider?

    Potential Risks with Third Party Relationships

    Organizations that hire third party services frequently share data and intellectual property with those providers.

    For our purposes, Organizational Data will refer to all proprietary and restricted data a company holds, processes, and/or secures, including its customers’ personal data.

    Third parties often access, transfer, manipulate, and store organizational data, which increases the risk for the organization that owns this data. While third parties share some responsibility for protecting this information, the primary responsibility lies with the organization itself. It is crucial for the owning organization to ensure that third parties are properly safeguarding both their data and their customers’ data. An organization is only as strong as its weakest link, which may be a third party.

    The risk of engaging with a third party depends on the type of relationship between an organization and the third party, as well as the controls that the third party has in place. While there is no way to completely eliminate the risk of a data breach or verified incident, there are security measures the organization can take to ensure it understands the risk of working with the third party and takes appropriate steps to mitigate that risk.

    Failing to properly identify, assess, and manage the risks associated with an organization’s relationships with third parties can lead to significant consequences. It can attract scrutiny from regulators, result in fines and other legal repercussions, and pose serious reputational or financial risks to the organization’s relationship with its customers.

    What Types of Risk Are There?

    A third party relationship can introduce many different types of risk to an organization. TPRM programs are no longer focusing on only cyber risk, as there is an increased need to expand their risk view. Now, TPRM programs must review an organization’s financials, operations, and even environmental and social impacts.

    Social Impacts relate to labor practices, environmental controls, and organizational governance practices.

    Here are just a few types of risks a third party could present to your organization:

    • Reputational Risk: results from a negative public view related to dissatisfied customers, interactions not consistent with institutional policies, inappropriate recommendations, security breaches resulting in the disclosure of customer information, and/or violations of laws and regulations.
    • Operational Risk: results from inadequate or failed internal processes, people, and/or systems.
    • Strategic Risk: results from failing to align strategic goals to business objectives and/or an activity that jeopardizes an organization’s strategic objectives.
    • Transaction Risk: results from issues with service and/or product delivery, or a third party’s failure to perform as expected by customers. An organization can also be exposed to transaction risk through inadequate capacity, technological failure, human error, and fraud.
    • Financial Risk: results from a third party’s failure to meet or align with an organization’s monetary requirements and expectations.
    • Cybersecurity Risk: results from the probability of exposure or loss of organizational data due to a technical failure, event, or incident (including a breach).
    • Environmental, Social, and Governance (ESG) Risk: the risk resulting from an organization’s environmental, social, and governance impacts, based on its decisions and daily activities.
    • Compliance Risk: results from a violation of laws, rules, and regulations, or from non-compliance with internal policies or procedures.
    • Other types of risk vary based on businesses’ use of third parties, the efficacy of third party internal controls, and the locations in which they operate.

    Organizations must carefully evaluate the controls of their third parties to ensure that risks are avoided, mitigated, shared, transferred, or accepted according to their risk management framework, which is guided by their risk appetite.

    An organization’s risk appetite refers to the level of risk that it is willing to accept or reject. Every organization possesses a risk appetite, even if it is not formally documented. If your organization doesn’t have a formal risk appetite statement, it’s important to closely monitor the third-party risks that are accepted or overlooked, as these choices can provide an informal understanding of the company’s risk appetite. Essentially, paying attention to how your organization handles these risks can help clarify its risk tolerance.

    The Evaluation of Third Party Risk

    Assessing third party risks and the controls in place to mitigate those risks is crucial when deciding whether to contract with a third party provider. It is also important to how the organization will conduct ongoing monitoring of the relationship. Understanding the nature of the services that the third party will provide is essential to grasping their potential impact on your organization. This knowledge enables businesses to proactively prepare for any challenges that may arise if the third party fails to deliver the promised products or services.

    The key to effectively leveraging the products and services of a third party, in any capacity, is for an organization to properly identify, assess, mitigate, and monitor the risks associated with doing business with that third party.

    There are two types of risk: inherent risk and residual risk.

    Inherent Risk

    Inherent risk refers to the level of risk associated with a third party product or service. An inherent risk assessment does not consider any third party controls that may be implemented to mitigate these risks. When assessing inherent risk, several factors are considered, including the nature of the product or service offered, the type of data accessed or transferred, the geographical location of the third party, and the financial amount involved. Importantly, it does not include any protective measures the third party may have established to reduce those risks.

    Inherent risk is usually assessed before conducting any detailed evaluations of the third party. This assessment offers a worst-case scenario of the third party’s potential risks if all controls have failed. It helps categorize the third party and determine the required due diligence efforts, as well as the timing of future assessments, based on the level of risk they pose to your organization.

    Residual Risk

    Residual risk refers to the level of inherent risk that remains after controls have been evaluated and any identified risks have been addressed. This concept gives a clearer understanding of the risk landscape associated with a third party by assessing the adequacy and effectiveness of the controls in place.

    Formula for Risk: Risk = Impact of Risk x Likelihood Risk Will Occur

    Risk is calculated by multiplying the level of risk (meaning the impact it could have on the organization) by the likelihood that it will occur. The velocity at which the risk could occur may also be considered when calculating likelihood.

    What to do with Discovered Risks

    After an organization calculates the risk associated with a third party, it may choose to accept, remediate, share, transfer, or avoid the identified risk. The following outlines how each of these options functions.

    • Accept: When organizations accept risk, they acknowledge that the potential loss or impact from a risk is at a level that the organization is willing to accept and/or not treat immediately. Risk acceptance should be temporary, until the risk can be appropriately mitigated or a secondary control can be put in place.
    • Remediate: To remediate risk, organizations work with a third party to create and implement an achievable action plan to add or enhance controls. Risk remediation can lessen the likelihood of occurrence or the risk’s impact on an organization.
    • Share: Risk sharing allows an organization to distribute the responsibility for a risk across multiple organizations and/or individuals. This ensures that the impact of the risk isn’t felt by one organization and/or individual. Risks can be shared by implementing controls across organizations to address the risk and/or contractually sharing the responsibility for the risk’s impact should it be realized.
    • Transfer: A risk transfer often occurs in instances where the impact of a risk is high but the likelihood of the risk occurring is low. Organizations can then transfer the risk to another organization, such as an insurance company, that is better suited to handle large-scale risk.
    • Avoid: Organizations can choose to avoid a risk by not taking it on or by avoiding the actions that cause it. From a third party risk perspective, this usually involves disengaging with a third party and/or terminating services.

    Regardless of how an organization chooses to address risk, it must first have processes in place to discover and assess it. This is accomplished through the implementation of a strong Third Party Risk Management Program.

    Conclusion

    In conclusion, Third Party Risk Management (TPRM) is a crucial aspect of ensuring an organization’s security, compliance, and overall resilience. As reliance on third parties increases and the threat landscape becomes more complex, implementing a well-structured TPRM program is essential. By identifying, assessing, and managing the various risks presented by third parties—such as operational, regulatory, reputational, financial, and cyber risks—organizations can proactively mitigate potential threats. Through effective TPRM practices, businesses can better protect their operations, maintain regulatory compliance, and preserve their reputation in an ever-evolving risk environment.

    Related Resources: TPRM 101 Guidebook; What is TPRM Video

  • Optimizing Third Party Contractual Agreements

    This blog was inspired by the meeting facilitated by Julie Gaiaschi, CEO & Co-Founder of TPRA, at TPRA’s November 2024 Practitioner Member Roundtable. (To watch the full presentation, TPRA Members can visit our Previous Meetings page and navigate to the November 2024 meeting recording noted on the On Demand tab.)

    Being a TPRM practitioner means being vigilant and prepared for third party risks. A way to ensure that you are creating a strong risk management foundation is through strategic planning and careful oversight of contractual agreements.

    With contracts, it is important to know that they do more than just set up relationship expectations. For TPRM practitioners, understanding their full purpose and how they can limit the impact of risk on an organization is essential for successful risk management.

    In this blog, we will:

    • Cover the purpose of contracts
    • Note several types of contract risk
    • Discuss how we can address contract risk
    • Provide tips on the Right to Review vs. Right to Audit clause

    The Purpose of Contracts

    Contracts not only establish and document relationship expectations but also help ensure proper risk management. Here’s how:

    • Contracts allow TPRM practitioners to obtain the evidence items necessary to complete their assessments. A best practice is to include a clause noting that the third party will respond to questionnaires from time to time, as well as provide evidence items in relation to this agreement upon request.
    • Contracts can ensure that due diligence findings are addressed in a timely manner. For example, if high-risk findings are discovered during the pre-contract phase, then it is best practice to have clauses in the contract relating to the remediation of those high-risk findings.
    • Contracts can establish non-compliance triggers in the event a third party fails to meet its obligations under the agreement. Many contracts only have a clause to terminate the relationship if the third party fails to meet your organization’s expectations, which is not always feasible or desired by the organization. Instead, have a step-by-step course of action noted within the agreement in the event the third party fails to meet its obligations. This will help ensure progress is made and give the contract more teeth than simply terminating the third party. Non-compliance triggers may include, but are not limited to:
      - Withholding payment of the next invoice should the third party not provide your organization, within a defined period of time, with the documentation necessary to perform TPRM reviews.
      - Performing an onsite visit if the third party is not keeping cadence on the remediation of confirmed findings.
      - The third party assisting with the transition of your organization’s data from the third party’s data center to another data center of your organization’s choosing, should the onsite visit result in additional confirmed findings as well as limited remediation of current findings.
    • Contracts reflect an organization’s risk tolerance. For example, you can establish parameters on specific expectations, such as the time it should take your third party to patch a critical/high/medium-risk vulnerability. You can also set key performance indicators related to specific activities, such as responding to inquiries.
    • Contracts can allow for a smooth transition away from a third party by ensuring that verbiage around termination timelines and expectations is included. In addition, the contract can be used to keep track of what logical and physical access is provided to the third party, to ensure that it is terminated promptly.

    What Is Contract Risk?

    Contract risk is the possibility of a risk arising when a contract is created. There are different types of risk to be aware of that should be discussed during the pre-contract phase, including but not limited to:

    • Not including specific control expectations within the agreement, or a separate addendum, that will ensure your data is appropriately safeguarded and your organization’s strategic objectives are met. For example, if you are working with a critical- or high-inherent-risk third party, make sure that you call out at least your top 10, 15, or 20 information security controls that you expect them to have in place before you send them any data.
    • Not including/reviewing sufficient contract terms. It is important to make sure that you are at least reviewing what the third party is redlining or approving in your contract. In addition, compare it to what you are reviewing from an assessment perspective.
    • Not including safeguards within the contract should a third party risk be realized. This would include things like incident response, breach notification, or non-compliance triggers.
    • Not reviewing contract templates on a regular basis to incorporate emerging risks related to performance risk, termination and transition risk, intellectual risk, artificial intelligence risk, cost escalation risk, insurance risk, and so on. With this, it is important to understand where potential risks can arise and have a discussion on these topics to minimize the extent of each risk.

    Addressing Contract Risk

    Now that we have discussed the different ways contract risk can arise, here are a few ways to address that risk.

    • Contract risk can be addressed by working closely with Legal and Procurement teams to ensure contracts align closely with your organization’s risk management strategy, including its risk appetite.
    • Have templates for cybersecurity requirements drafted to ensure they provide sufficient coverage of key controls. This should not be an exhaustive list of controls, but the top 10 to 20 controls that need to be in place in order for you to send data to the third party. Furthermore, templates should detail appropriate remedies (non-compliance triggers) if and when the third party fails to meet its obligations under the agreement.
    • Include expectations for participating in risk assessment activities (i.e., responding to questionnaires and providing evidence items upon request).
    • TPRM practitioners should have a seat at the table when reviewing redlines within specific clauses related to cybersecurity terms, as well as terms that would allow a practitioner to perform their duties (such as “Right to Audit or Review” and/or “Termination” clauses).
    • Practitioners should ensure any high-risk findings noted during the pre-contract due diligence phase are noted within the contractual terms. Practitioners should work closely with legal counsel to ensure that the contractual language is clear, specific, and enforceable.

    Tips on the Right to Review vs. Right to Audit Clause

    Typically, the “Right to Audit” clause allows an organization to “audit” the third party once per year. Historically, this clause was specific to Internal Audit. Over time, TPRM programs have adopted this clause to perform their annual due diligence assessments. However, the clause does not provide the flexibility or allow for the depth needed to perform continuous monitoring of the third party.

    A tip for ensuring your organization can review the third party on a regular cadence (more than once per year) is to include a “Right to Review” clause within the cybersecurity addendum, in addition to the “Right to Audit” clause usually noted within the Master Services Agreement (MSA).

    A “Right to Review” clause may include language such as: “The third party may be required to complete due diligence questionnaires and/or surveys from time to time and shall respond to such questionnaires and surveys no later than the due date, as defined within this agreement. Upon request, the third party shall provide evidence to support responses to such questionnaires and surveys. Failure to do so may enact escalation procedures and/or non-compliance triggers noted within this agreement.”

    When compared to the “Right to Audit” clause, the “Right to Review” clause is specific to ensuring that your security addendum is being executed appropriately.

    Conclusion

    Incorporating comprehensive contractual safeguards is essential for TPRM practitioners aiming to mitigate third party risks effectively. By understanding contract risk, organizations can establish strong contract clauses that protect against potential liabilities and align with their organization’s risk tolerance.

    Resources: AI/ML Questionnaire; Guidebook

  • Achieving Third-Party Risk Management Program Compliance With Vendor Collaboration

    Maintaining a compliant third-party risk management (TPRM) program involves active collaboration between multiple stakeholders. Compliance isn’t just an objective but a shared responsibility throughout your organization, from senior management and the board of directors to the business lines and vendor owners. Vendors themselves also have a responsibility to comply with TPRM policies and regulations, so it’s crucial to develop a strategy that involves effective collaboration.

    In this blog, you’ll learn some tips on collaborating with your vendors to achieve compliance in your TPRM program. You’ll also learn some next steps to take when a vendor is creating challenges in your compliance efforts.

    How to Achieve Third-Party Risk Management Compliance Through Vendor Collaboration

    TPRM program compliance involves more than just reacting to specific laws and regulations. It’s about being proactive and considering internal policies, rules, and industry best practices that are designed to maintain effective TPRM programs. Below are some proactive strategies to collaborate with your vendor and achieve TPRM program compliance across multiple expectations and standards:

    • Set a culture of compliance – In order to effectively set expectations for your vendors’ compliance, it’s advisable to first establish your organization’s values and practices for your TPRM program. Organizations should communicate priorities internally to foster a culture of compliance that’s clearly understood and endorsed by all stakeholders. Once this culture has been established, it can be more effectively conveyed to your vendors, leading to smoother collaboration and program compliance.
    • Follow up on due diligence – Compliance issues are usually identified during the due diligence process as you collect and review the vendor’s documentation. Follow up on any issues that were found and ask for clarification or more information as needed. In some cases, the vendor may have additional documentation that can verify its compliance with your expectations.
    • Negotiate a compliant contract – Make sure to include contract provisions that require both parties to comply with applicable laws and regulations. These provisions could relate to areas such as data protection, privacy, and breach notification requirements. Contract provisions could also outline any internal compliance requirements set by your organization, such as following your corporate policies or industry standards.
    • Communicate early and often – Don’t assume that your vendor is staying updated on changing regulatory expectations and industry standards. New state privacy laws continue to emerge, and cybersecurity standards are revised to address new vulnerabilities, so it’s essential to frequently communicate your expectations to ensure the vendor is aware of relevant changes and is updating their processes as needed. This ongoing communication is key to building a collaborative partnership.
    • Work together on remediation – Just as compliance should involve vendor collaboration, so should remediation plans. Whenever there are issues with compliance, work with the vendor to develop a remediation plan that’s actionable, effective, and time bound. Vendors may be more responsive to requests for improvement if they collaborate on the remediation plan and can identify any roadblocks to success.

    Addressing Challenges With Vendor Compliance

    It’s not uncommon to face compliance challenges with vendors who might have different strategic goals and priorities. Some vendors may choose to do the bare minimum in compliance and only meet applicable laws and regulations. Here are some suggestions for handling a vendor that isn’t collaborative in your compliance efforts:

    • Talk with the vendor – First, sit down and have a conversation with the vendor about any issues to better understand their perspective. There may be a misunderstanding about a certain requirement, or they may not have the resources to meet your expectations. These conversations can help clarify your compliance goals and determine whether you and the vendor can work toward an improvement plan.
    • Document issues and progress – Make sure to document any compliance issues and improvement plans, along with a time frame for remediation. It’s important to track any progress made on the compliance issue and regularly follow up with the vendor for updates until the issue is resolved.
    • Increase monitoring – In addition to documenting the compliance issue, you may need to increase your ongoing monitoring activities with the vendor. Depending on the issue, this may include more frequent reviews of the vendor’s financial health, business continuity risk, security testing, or negative news.
    • Move forward with the exit strategy – If the vendor isn’t following the requirements to an extent that’s too severe and beyond your risk tolerance, you may need to think about ending the relationship. Evaluate your plan for ending the relationship and start talking to the right people to make sure your organization can end the vendor relationship securely. Following through with your plan to end the relationship might take more time and resources, but it could be a worthwhile effort to keep your TPRM program in compliance.

    Collaborating with your vendors through due diligence, careful contract negotiations, and remediation plans can be an effective strategy for TPRM program compliance. When you build a culture of compliance that extends to your vendors, your organization’s TPRM program can achieve many benefits, such as satisfying regulators and following your internal standards.


Other Pages (453)

  • 2025 IN-PERSON CONFERENCE | TPRA

    Join TPRA on April 7 - 9, 2025 for our annual TPRM conference! "Navigating Risky TPRM Waters" will be held in Myrtle Beach, NC. Register now!

    TPRA'S 2025 THIRD PARTY RISK MANAGEMENT CONFERENCE: NAVIGATING RISKY TPRM WATERS
    Monday, April 7 - Wednesday, April 9, 2025
    Marriott Myrtle Beach Resort & Spa, Myrtle Beach, South Carolina

    Set Sail for Success at "Navigating Risky TPRM Waters"!

    Ahoy, TPRM Professionals! Prepare to embark on an unforgettable voyage at the "Navigating Risky TPRM Waters" conference, hosted by the Third Party Risk Association (TPRA). From Monday, April 7 to Wednesday, April 9, 2025, chart your course to the beautiful shores of Myrtle Beach, South Carolina, and drop anchor at the luxurious Marriott Myrtle Beach Resort & Spa at Grande Dunes.

    4 Tracks | 47 Sessions | 2 Keynotes | 8 Roundtables | 2 Network Events

    Explore a Treasure Trove of Knowledge
    Dive into the depths of Third-Party Risk Management with expert-led sessions, interactive roundtables, and cutting-edge strategies to get your TPRM program into shipshape! Our 2025 conference will feature four speaking tracks and up to 47 different sessions, including 44 breakout sessions, 2 keynotes, 8 roundtables, and 5 sponsor demo sessions. Also included are 2 network events, sponsor booths, games, raffles, live entertainment, and more!

    Network with Fellow Buccaneers
    Connect with fellow TPRM professionals and industry leaders, sharing insights and building valuable relationships on this high-seas adventure. Participate in two pirate-themed network events, complete with privateer-approved treasure hunts, appetizers, deluxe beverages, and more! Enjoy breakfast meet-and-greets, roundtable discussions, and other social events designed to foster meaningful connections and collaborations.

    Keynote Speakers
    Hear from renowned TPRM experts who will share their treasure maps for navigating the complex waters of third-party risk. Learn from industry leaders and innovators who will provide actionable insights and future trends in TPRM.

    Exhibit Hall
    Explore the latest tools and solutions from leading TPRM service providers, offering you the best treasure to safeguard your organization. Discover new technologies, software, and services that can enhance your TPRM processes and strategies.

    Relax & Unwind
    Enjoy the stunning ocean views and top-notch amenities at the Marriott Myrtle Beach Resort & Spa at Grande Dunes. Take advantage of the resort’s spa services, pools, and beachfront access to relax and rejuvenate between sessions.

    Ready to Set Sail?
    Don't miss the opportunity to steer your TPRM career toward new horizons. Secure your spot today and join us for an extraordinary journey filled with discovery, adventure, and invaluable learning at "Navigating Risky TPRM Waters"!

    Justification for Attendance

    Interested in getting certified through the TPRA? Register for TPCRA in-person training, to be held April 7-8, 2025, and attend the last day of conference sessions at no additional cost! View instructions below.
THANK YOU TO OUR SPONSORS

ADMIRAL SPONSORS (Level 1): RiskRecon, Black Kite, ProcessUnity, Aravo
CAPTAIN SPONSORS (Level 2): SecurityScorecard; Venminder, an Ncontracts Company
QUARTERMASTER SPONSORS (Level 3): Whistic, Supply Wisdom, Lema, Coverbase
FIRST MATE SPONSORS (Level 4): Exiger, FAIR Institute, Cloud Security Alliance
SEAFARING SPONSORS: RapidRatings (Panel Sponsor), Locktivity (Network Event Bartender Sponsor)

SPEAKERS

Chinyere Watson, Lead Third Party Risk Expert - Content and Education, Venminder an NContracts Company
John Tondreau, Senior Director / Solution
Architect, ProcessUnity
Jillian Kwong, Research Scientist, Cybersecurity at MIT Sloan (CAMS)
Ed Thomas, Senior Vice President, ProcessUnity
Daniel Philemon, Senior Business Solutions Consultant, Aravo Solutions
Chris Paterson, Director of Strategy, Third-Party Risk Management, OneTrust

AGENDA AT A GLANCE

All sessions are subject to change. Columns: Date | Time | Session (Speakers) | Location. An empty session column means no session was listed for that slot.

04/07/2025 | 3:00 - 5:00 PM | Early Check-In | Group Registration Alcove, Main Level
04/07/2025 | 6:00 - 8:00 PM | Pirate Parley Network Event | Oceanfront Courtyard, Main Level
04/08/2025 | 7:30 - 8:45 AM | Breakfast & Check-In | Atlantic Ballroom 4-8, Main Level
04/08/2025 | 8:45 - 9:00 AM | Welcome & Kick-Off | Atlantic Ballroom 4-8, Main Level
04/08/2025 | 9:00 - 9:55 AM | Morning Keynote: "Leadership and Accountability When It Matters" (Commander Kirk Lippold, USN (Ret.)) | Atlantic Ballroom 4-8, Main Level
04/08/2025 | 10:00 - 10:50 AM | | Atlantic Ballroom 1
04/08/2025 | 10:00 - 10:50 AM | | Atlantic Ballroom 2
04/08/2025 | 10:00 - 10:50 AM | "The Next AI Wave is on its Way: Are You Ready?" (Dean Alms & Loren Johnson, Aravo) | Atlantic Ballroom 3
04/08/2025 | 10:00 - 10:50 AM | "Essentials for Effective Third Party Risk Management" (Jodi Daniels, Red Clover Advisors) | Tides 1 & 2
04/08/2025 | 11:00 - 11:50 AM | "Designing a Comprehensive TPRM Framework: Essential Elements for Success" (Chris Phillips, Lendmark Financial Services) | Atlantic Ballroom 1
04/08/2025 | 11:00 - 11:50 AM | "Collective Resilience: Elevating Third-Party Risk Management" (Mark Orsi & Charlie Tupitza, Global Resilience Federation (GRF)) | Atlantic Ballroom 2
04/08/2025 | 11:00 - 11:50 AM | "Get Off the Assessment Treadmill. Take a Data-First, Questionnaire-Second Approach to TPRM" (Ed Thomas, ProcessUnity) | Atlantic Ballroom 3
04/08/2025 | 11:00 - 11:50 AM | | Tides 1 & 2
04/08/2025 | 11:50 AM - 1:00 PM | Lunch | Atlantic Ballroom 4-8, Main Level
04/08/2025 | 1:00 - 1:50 PM | "Industry Roundtable: Finance" (Paul Kurtz, First Century Bank) | Atlantic Ballroom 1
04/08/2025 | 1:00 - 1:50 PM | "Industry Roundtable: Retail & Manufacturing" | Atlantic Ballroom 2
04/08/2025 | 1:00 - 1:50 PM | "Industry Roundtable: Insurance (Life, Health, Auto, etc.)" (Christopher Strazishar, Corebridge Financial) | Atlantic Ballroom 3
04/08/2025 | 1:00 - 1:50 PM | "Industry Roundtable: Technology & FinTech" | Tides 1 & 2
04/08/2025 | 1:50 - 2:10 PM | Snack Break | North & East Pre-Function Lobby
04/08/2025 | 2:10 - 3:00 PM | | Atlantic Ballroom 1
04/08/2025 | 2:10 - 3:00 PM | "Practical Solutions for Scaling Third Party Risk Management" (Courtney Turner, John Deere) | Atlantic Ballroom 2
04/08/2025 | 2:10 - 3:00 PM | "Guiding GenAI Technology Providers Using CSA AI Controls Framework" (Troy Leach & John Yeoh, Cloud Security Alliance (CSA)) | Atlantic Ballroom 3
04/08/2025 | 2:10 - 3:00 PM | "New Rules and Lawsuits and AI...Oh My! Dealing with Change Management" (Rafael DeLeon, Ncontracts) | Tides 1 & 2
04/08/2025 | 3:10 - 4:00 PM | "How to Mature Your TPRM Program" (Kaih Taylor, AgFirst Credit Bank) | Atlantic Ballroom 1
04/08/2025 | 3:10 - 4:00 PM | "Learning from the Titanic: Dealing with Operational Resilience in TPRM" (Vrushali Lakhpati, AmTrust Financial Services) | Atlantic Ballroom 2
04/08/2025 | 3:10 - 4:00 PM | "Third Party Risk is First Party Risk: From Process to Decisions" (Pankaj Goyal, FAIR Institute) | Atlantic Ballroom 3
04/08/2025 | 3:10 - 4:00 PM | | Tides 1 & 2
04/08/2025 | 4:10 - 5:00 PM | "PANEL: Metrics & Reporting" (Julia Yuabov, KPMG; Andrew Moyad, Shared Assessments; Laura Arnott, Vigilant LLC; Jon Sternstein, Stern Security) | Atlantic Ballroom 1
04/08/2025 | 4:10 - 5:00 PM | "From Silos to Synergy: Partnering with Procurement while streamlining Risk" (Ryan Bradford, The New York Times) | Atlantic Ballroom 2
04/08/2025 | 4:10 - 5:00 PM | "Mastering the Vendor Tango: Navigating Third-Party Risk from Both Sides" (Blake Hoge, Airbnb & Garret Close, Amplitude) | Atlantic Ballroom 3
04/08/2025 | 4:10 - 5:00 PM | "Operational Resiliency: Best Practices to Enhance Your Program & Ensure Regulatory Compliance" (Chris Paterson, OneTrust) | Tides 1 & 2
04/08/2025 | 5:30 - 7:30 PM | Treasure Trove Network Event | North & East Pre-Function Lobby
04/09/2025 | 7:30 - 8:45 AM | Registration & Breakfast | Atlantic Ballroom 4-8, Main Level
04/09/2025 | 8:45 - 9:00 AM | Opening Remarks | Atlantic Ballroom 4-8, Main Level
04/09/2025 | 9:00 - 9:55 AM | Morning Keynote | Atlantic Ballroom 4-8, Main Level
04/09/2025 | 10:00 - 10:50 AM | "Setting Sail with Confidence: Establishing Strong TPRM Foundations for Smooth Sailing" (Morgan Binder, Brian Howell, Jake Mitchell from Stripe) | Atlantic Ballroom 1
04/09/2025 | 10:00 - 10:50 AM | | Atlantic Ballroom 2
04/09/2025 | 10:00 - 10:50 AM | "Steering Through Uncharted Waters: How Agile AI Governance and Ethical Frameworks Can Enhance Third-Party Risk Management (TPRM)" (Bob Maley, Black Kite) | Atlantic Ballroom 3
04/09/2025 | 10:00 - 10:50 AM | "DEMO: Aravo Solutions" (Daniel Philemon, Senior Solutions Consultant) | Tides 1 & 2
04/09/2025 | 11:00 - 11:50 AM | "Stop the Pirate Raids! Get the Continuous Monitoring Cannons!" (Gregory Rasner, Third Party Threat Hunting LLC) | Atlantic Ballroom 1
04/09/2025 | 11:00 - 11:50 AM | "DEMO: ProcessUnity" (John Tondreau, ProcessUnity) | Atlantic Ballroom 2
04/09/2025 | 11:00 - 11:50 AM | | Atlantic Ballroom 3
04/09/2025 | 11:00 - 11:50 AM | "Navigating the Insurance Waters" (Mark Ewert, Penn National Insurance & Mary Granville, AJG) | Tides 1 & 2
04/09/2025 | 11:50 AM - 1:00 PM | Lunch | Atlantic Ballroom 4-8, Main Level
04/09/2025 | 1:00 - 1:50 PM | "Roundtable: Nth Parties" (Eric Rosendaul, VP, Citizens) | Atlantic Ballroom 1
04/09/2025 | 1:00 - 1:50 PM | "Roundtable: Incident Response" (Kelly Felder, Trane Technologies) | Atlantic Ballroom 2
04/09/2025 | 1:00 - 1:50 PM | "Roundtable: Leadership (Invite Only!)" (Julia Gaiaschi, TPRA) | Atlantic Ballroom 3
04/09/2025 | 1:00 - 1:50 PM | "Roundtable: AI/ML, including Mapping Strategies" (Vincent Scales, Verizon) | Tides 1 & 2
04/09/2025 | 1:50 - 2:10 PM | Snack Break | North & East Pre-Function Lobby
04/09/2025 | 2:10 - 3:00 PM | "Risk Assessment Techniques: Identifying and Evaluating Third-Party Risks" (Rob Sheehan, Centers for Medicare & Medicaid Services) | Atlantic Ballroom 1
04/09/2025 | 2:10 - 3:00 PM | "Weaponized Convenience: Inside the Rise of Remote Tool Abuse" (Nader Zaveri, Mandiant/Google) | Atlantic Ballroom 2
04/09/2025 | 2:10 - 3:00 PM | "Overcoming Obstacles" (Naomi Ward, Commonwealth of Massachusetts EOTTS - ERM) | Atlantic Ballroom 3
04/09/2025 | 2:10 - 3:00 PM | "Securing the Fleet: Collaborative Cybersecurity Strategies for Large Firms and their Small and Medium Suppliers" (Jillian Kwong, MIT Sloan School of Management) | Tides 1 & 2
04/09/2025 | 3:10 - 4:00 PM | "How to Assess Your Vendors' SSAE 18 SOC Report for Comprehensive, Consistent and Security-Focused Due Diligence" (Lisa Mae Hill, Independent Contractor) | Atlantic Ballroom 1
04/09/2025 | 3:10 - 4:00 PM | "Resilience and Upskilling in AI Infested Waters: You're Gonna Need a Bigger Boat" (Donna Speckhard, Fannie Mae) | Atlantic Ballroom 2
04/09/2025 | 3:10 - 4:00 PM | | Atlantic Ballroom 3
04/09/2025 | 3:10 - 4:00 PM | "PANEL: Relationship Management/Collaboration" (Stacey Custeau, Unum; Elizabeth Blosh-Myers, First Internet Bank; Keith Frantz, Prosper Marketplace & Angela Appleby, Plante Moran) | Tides 1 & 2
04/09/2025 | 4:10 - 5:00 PM | General Session | Atlantic Ballroom 4-8, Main Level

THE VENUE

Join us at the Marriott Myrtle Beach Resort & Spa at Grande Dunes, where the ocean meets luxury and pirates meet risk management! Experience the perfect blend of business and adventure as we chart a course through the latest in TPRM while enjoying breathtaking views and top-notch amenities in beautiful Myrtle Beach, SC.

Discounted hotel room rate of $249 + tax ends after 3/8/2025. Please note, a resort fee will be added to your reservation; however, it will be removed from your final bill after your stay. Email Julie at julie@tprassociation.org if you are unable to book your room due to limited space.

Get Certified: Third Party Cyber Risk Assessor (TPCRA) In-Person Training

Interested in getting TPCRA certified through the TPRA? We are pleased to offer in-person training during our conference! Training will be held Monday, April 7 to Tuesday, April 8, 2025, from 9 AM - 4 PM Eastern. Trainees will be able to attend the last day of conference sessions (April 9th) at no additional cost. Registering is easy! Just follow the steps below:

1. Complete Registration & Payment for TPCRA Certification: Fill out and submit the TPCRA Registration form, select the Training or Exam & Training Bundle option, and complete payment.
2. Receive Automated Email with Instructions: Upon completing payment, you will receive an email with instructions on how to select your TPCRA training dates and times. Please select the TPCRA training in Myrtle Beach, SC.
3. Book Travel & Lodging: If needed, book your travel and lodging for In-Person Training at the Marriott Myrtle Beach Resort & Spa at Grande Dunes in Myrtle Beach, South Carolina.

For any additional questions, email Julie at julie@tprassociation.org.

  • 2025 CONFERENCE AGENDA

    View the agenda for our 2025 In-Person Conference, "Navigating Risky TPRM Waters"! Each entry lists the session title, date and time, location, session type or track, and speakers or description.

      - Early Check-In | Monday, April 7, 2025, 3:00 - 5:00 PM | Group Registration Alcove, Main Level | Check-In | Drop anchor early and get a head start on your TPRM voyage with early check-in for "Navigating Risky TPRM Waters."
      - Pirate Parley Network Event | Monday, April 7, 2025, 6:00 - 8:00 PM | Oceanfront Courtyard, Main Level | Network Event | Join us for the first network event of the conference!
      - Breakfast & Check-In | Tuesday, April 8, 2025, 7:30 - 8:45 AM | Atlantic Ballroom 4-8, Main Level | Meal | Fuel Up for the TPRM Voyage!
      - Welcome & Kick-Off | Tuesday, April 8, 2025, 8:45 - 9:00 AM | Atlantic Ballroom 4-8, Main Level | General Session | Welcome & Kick-Off with TPRA Captain Julie Gaiaschi
      - Leadership and Accountability When It Matters | Tuesday, April 8, 2025, 9:00 - 9:55 AM | Atlantic Ballroom 4-8, Main Level | Keynote | Commander Kirk Lippold, USN (Ret.)
      - Session Information Coming Soon! | Tuesday, April 8, 2025, 10:00 - 10:50 AM | Atlantic Ballroom 1 | Track 1: Anchoring TPRM Essentials & Best Practices
      - Session Information Coming Soon! | Tuesday, April 8, 2025, 10:00 - 10:50 AM | Atlantic Ballroom 2 | Track 2: Fortifying the Shoreline (Operational Risk & Resilience)
      - The Next AI Wave is on its Way: Are You Ready? | Tuesday, April 8, 2025, 10:00 - 10:50 AM | Atlantic Ballroom 3 | Track 3: Surfing the Waves of Innovation & Automation | Dean Alms & Loren Johnson, Aravo
      - Essentials for Effective Third-Party Risk Management | Tuesday, April 8, 2025, 10:00 - 10:50 AM | Tides 1 & 2 | Track 4: Charting the Course (Regulation & Compliance) | Jodi Daniels, CEO & Privacy Consultant, Red Clover Advisors
      - Designing a Comprehensive TPRM Framework: Essential Elements for Success | Tuesday, April 8, 2025, 11:00 - 11:50 AM | Atlantic Ballroom 1 | Track 1: Anchoring TPRM Essentials & Best Practices | Chris Phillips, VP, Procurement and Vendor Risk, Lendmark Financial Services
      - Collective Resilience: Elevating Third-Party Risk Management | Tuesday, April 8, 2025, 11:00 - 11:50 AM | Atlantic Ballroom 2 | Track 2: Fortifying the Shoreline (Operational Risk & Resilience) | Mark Orsi, CEO & Charlie Tupitza, Director of Community Development, Global Resilience Federation (GRF) / Business Resilience Council (BRC)
      - Get Off the Assessment Treadmill. Take a Data-First, Questionnaire-Second Approach to TPRM | Tuesday, April 8, 2025, 11:00 - 11:50 AM | Atlantic Ballroom 3 | Track 3: Surfing the Waves of Innovation & Automation | Ed Thomas, ProcessUnity

  • TPRA – Third Party Risk Management Resources, Certification & Networking

    The Third Party Risk Association (TPRA) is the all-in-one source for Third Party Risk Management (TPRM) tools, resources, templates, training, networking, certifications, and industry best practices. Join a community of professionals dedicated to advancing TPRM strategies and building resilient partnerships. Join a diverse community of thousands of TPRM professionals worldwide. Furthering the profession of third party risk through knowledge-sharing & networking.

    MEMBERSHIP (Connect & Discover): Individuals & organizations working together to advance the industry.
    EDUCATION (Meetings & Training): Certifications & training for risk professionals to advance their careers & enhance their programs.
    RESOURCES (Information Sharing Site): White papers, templates, guidance & more to enhance your program.
    TOOLS & AUTOMATION (Explore & Contact): Detailed profiles of trusted TPRM service provider organizations & their offerings.

    Advance Your Career in Risk Management: Learn About the Benefits of TPRA Membership

    Practitioner Plans (Standard: FREE; Premium: $199/yr). Benefits:
      - Member Meetings: Interactive monthly calls to discuss a variety of third party risk topics decided upon by members.
      - Conferences: In-person and virtual conferences dedicated solely to third party risk topics.
      - Networking: Online interaction with your peers through membership forums and document databases.
      - Industry-Specific Meetings: Quarterly special interest calls based on your industry.
      - Demos, Surveys, Webinars: Access to third party risk management service provider demos, surveys, & webinars.
      - Certifications: TPRM professional certifications that establish credibility and demonstrate your commitment to mastering your skills and knowledge within the industry.

    Vendor Plans (4 available plans starting at $8,000/yr). Benefits:
      - Priority & Discount Sponsorship Opportunities: Be the first to sponsor conferences and receive discounted member rates, as well as priority positioning.
      - Networking & Collaboration: Attend monthly and quarterly meetings with TPRM practitioners and other service providers to network, collaborate, create resources, share insights, and more!
      - Promotional Opportunities: Work with the TPRA staff to communicate your organization's webinars, surveys, demos, blog posts, and white papers to Practitioner Members.
      - Advisory Councils: Join our TPRM Service Provider Advisory Council, as well as other groups, dedicated to collaborating, sharing insights, and providing strategic guidance.
      - Quarterly Updates: Receive quarterly updates with industry innovators to collaborate on practitioner needs.

    Meetings Open to All (also listed: Member Meetings & Events, On-Demand Meetings):
      - Tuesday, February 4, 2025, 1:00 - 2:00 PM CT: WNTPRM Work Group Meeting
      - Wednesday, February 12, 2025, 9 AM to 4 PM CT: Q1 Demo Day
      - Thursday, February 13, 2025, 10:00 - 11:00 AM CT: Roundtable: TPRM Accountability at All Levels

    CONTACT US
    Address: P.O. Box 824, Ankeny, Iowa 50021, USA
    Email: info@tprassociation.org
    For any general inquiries, please fill out the contact form.

Forum Posts (53)
