Search Results

469 results found with an empty search

Events (4)

Blog Posts (100)

  • Incident Response and Recovery in the Extended Enterprise: Practical guidance for TPRM practitioners

    Most third party incidents come to light before the third party officially reports them. Usually, the first sign is indirect: a service slows down, a business owner notices access problems, a customer-facing team spots a disruption, or an alert goes off with little detail. By the time the third party confirms the issue, internal teams are already asking key questions: what is affected, what data is involved, who manages the relationship, what does the third party need to do under contract, and what options are available if service is not restored quickly.

    Here, the extended enterprise means all the outside organizations that help the business run, including both third parties and the fourth parties they depend on. This matters during incident response because the impact and the root cause are often in different places. For example, a fourth party might cause a disruption, but the response still goes through the third party covering contracts, communication, evidence requests, and recovery promises. Third Party Risk Management (TPRM) teams need to make this chain clear and actionable during an incident.

    Incident response and recovery in the extended enterprise are just as much coordination issues as technical ones. Security teams focus on containment and investigation. Privacy and Legal teams assess notification and contractual obligations. Business owners need to keep operations running and manage third party accountability. Continuity teams need recovery assumptions and workaround options. Procurement needs contract visibility and leverage. TPRM sits in the middle, translating third party relationships into a decision-ready context, so the response does not stall while teams reconstruct basic information.

    This blog shares practical ways TPRM practitioners can help with incident response and recovery when third party incidents happen across the extended enterprise. The focus is on tools and processes that work during real incidents, not just on perfect documentation. The aim is to cut down the time spent on getting oriented, escalating issues, and tracking down information, so teams can act faster on impact, third party accountability, and recovery.

    Maintain third party records for use during an incident

    When a third party problem comes up, the first challenge is getting oriented. Teams need to know who manages the third party, what the third party does, and how much disruption the business can handle.

    TPRM programs should ensure third party records include:

      • A clearly identified business owner with authority to engage the third party.
      • The services provided and systems involved.
      • The types of data accessed or processed.
      • Whether the service supports customer-facing, revenue-generating, or regulated activity.

    If teams have to gather this information after an incident begins, the response slows down and coordination suffers.

    Practitioner takeaway: Ensure third party inventories are immediately usable during real incidents, not just for onboarding or annual reviews, so teams can quickly access orienting information.

    Use risk tiering and operational criticality to define response expectations

    Risk tiering sets the basic level of oversight. Operational criticality shows if a problem with this third party would have an immediate effect on the business.

    Each third party should have:

      • An inherent risk tier
      • An operational criticality designation, critical or not critical

    Together, these factors should guide:

      • Notification and response timelines
      • Evidence and information requests during incidents
      • Leadership escalation and continuity involvement

    For third parties that are critical to operations, these expectations should be agreed on and documented ahead of time. This includes clear escalation paths and recovery plans the business depends on.

    Practitioner takeaway: Use risk tiering to set oversight expectations. Use operational criticality to determine how quickly a third party issue becomes a business-impact decision.

    Treat fourth-party involvement as a normal part of the response

    Many third party incidents involve a fourth party, like a hosting provider, cloud platform, or specialized subcontractor. During a response, teams need to know if a fourth party is part of the delivery chain and if that changes recovery options.

    Programs tend to be more effective when they:

      • Require third parties to disclose material fourth parties that affect service delivery or data exposure.
      • Apply this requirement primarily to operationally critical third parties.
      • Require notification when material fourth parties change.

    This helps teams quickly assess impact and recovery limits, avoiding the slow process of rebuilding the supply chain during an active incident.

    Practitioner takeaway: Focus fourth party visibility on the most important dependencies related to service delivery and data exposure for effective response.

    Monitor for service disruptions and security events

    Third party incidents often start as performance issues. Service instability, missed Service Level Agreements (SLAs), or delayed results usually show up before there is a formal incident notice.

    Monitoring practices should clearly define:

      • Which conditions require review.
      • Who is responsible for follow-up.
      • What triggers incident escalation.

    A practical way to divide responsibilities is:

      • Business owners monitor performance, manage day-to-day third party relationships, and escalate when a disruption appears credible.
      • TPRM checks the third party’s risk tier and criticality, confirms escalation paths and contacts, and sends the issue to the right internal teams based on the third party’s profile.
      • Security, Privacy, Legal, and Continuity teams get involved once the situation is considered an incident, either because the third party declares it or internal teams confirm a possible security, data, or continuity impact.

    Practitioner takeaway: Set a defined point for when an issue escalates to a formal incident, ensuring clear responsibility transfer.

    Align incident response with recovery and continuity planning

    For third parties that are critical to operations, incident response and recovery planning often overlap. A security problem can quickly turn into an availability or customer-impact issue with little warning.

    Organizations are better prepared when they have a shared approach for third party response and recovery. This should include:

      • Notification requirements and evidence expectations.
      • Impact assessment inputs.
      • Decision authority and escalation paths.
      • Recovery time and recovery point assumptions.
      • Workaround and alternate sourcing options.

    Talking through scenarios that include third party outages helps teams understand limits before a real disruption happens.

    Practitioner takeaway: Integrate recovery planning into incident response so that recovery steps are considered as part of overall incident handling, not left until later.

    Address AI-related incident considerations during intake and contracting

    When third parties use AI, it affects data handling, control processes, and regulatory risks during incidents. These issues are hard to solve in the middle of a response.

    Practical preparation includes:

      • Identifying where AI is used and what data it touches.
      • Requiring notice of material changes to AI-enabled workflows.
      • Aligning incident notification and investigation expectations contractually.

    This helps reduce uncertainty when incidents happen.

    Practitioner takeaway: Define incident response expectations for AI usage and data handling with third parties before incidents happen to avoid delays.

    Consider regional and geopolitical disruption in third party recovery planning

    Regional outages, sanctions, and infrastructure failures often hit third parties before they affect your own operations.

    Preparation should include:

      • Identifying regional concentration across operationally critical third parties.
      • Understanding which services can pause and which cannot.
      • Discussing realistic disruption scenarios with continuity stakeholders.

    These talks often reveal single points of failure that might otherwise go unnoticed.

    Define ownership and decision authority in advance

    Third party incidents take longer to resolve when it is unclear who is responsible. TPRM can help speed things up by making the structure clear.

    Programs should ensure:

      • Every third party has a named business owner.
      • Escalation and risk acceptance authority are documented.
      • There is a defined forum for remediation decisions, exceptions, renewals, and exits.
      • Exceptions have owners and review dates.

    Clear authority helps resolve incidents faster.

    Practitioner takeaway: Address structural issues, like unclear ownership and escalation paths, to reduce delays during third party incidents.

    Track incident-relevant measures, not activity volume

    Leadership oversight gets better when reports focus on risk exposure and follow-up, not just on program activity.

    Measures that tend to support decision-making include:

      • Coverage of current validation for operationally critical third parties.
      • Known material fourth-party exposure for operationally critical third parties.
      • Time to initiate triage for third party incidents.
      • High-risk issues that exceed agreed remediation timelines.
      • Concentration risk across essential services.

    These measures help teams focus on what matters most and escalate issues as needed.

    Practitioner takeaway: Ensure reporting enables clear decision-making by emphasizing risk exposure and remediation status.

    Summary

    Effective incident response and recovery in the extended enterprise rely on preparation that supports coordination, clear ownership, and predictable escalation. TPRM teams add the most value when third party records are ready to use during incidents, response expectations are based on risk and criticality, and recovery planning is part of the response process. Fourth-party involvement should be seen as a normal part of third party delivery, with clear visibility into key dependencies for the most important third parties.

    Author Bio

    Hilary Jewhurst, Sr. Membership & Education Coordinator at TPRA

    Hilary Jewhurst is a seasoned expert in third party risk and risk operations, with nearly two decades of experience across financial services, fintech, and the nonprofit sector. She has built and scaled third party risk programs from the ground up, designed enterprise-wide training initiatives, and developed widely respected content that helps organizations navigate regulatory complexity with clarity and confidence. Known for turning insight into action, Hilary’s thought leadership and educational work have become go-to resources for professionals looking to mature their TPRM programs. She regularly publishes articles, frameworks, and practical guides that break down complicated risk topics into meaningful, accessible strategies. Hilary recently joined the Third Party Risk Association (TPRA) as a staff member, supporting industry-wide education, peer learning, and advancing best practices. She is also the founder of TPRM Success, a boutique consultancy that helps organizations strengthen their third party risk management capabilities through targeted training, tools, and strategic guidance.

  • From Risk Reality to Readiness: Practical Preparation for TPRM in 2026

    In TPRA’s December blog, “TPRM State of the Industry: The 2026 Risk Reality Check,” Heather Kadavy laid out what many practitioners are dealing with heading into 2026: deeper dependency chains, more AI use by third parties, higher expectations for ongoing oversight, and external pressures that land through suppliers.

    This blog will discuss what to do with that reality in practice. The sections below focus on preparation and actions that can be put in place early and reused throughout the year, so programs are not rebuilding workflows every time a third party issue surfaces.

    What follows is practical guidance, not a maturity model or a checklist. The goal is usable steps that support consistent execution as issues surface.

    1) Third Party visibility that supports decisions

    Third party issues often become harder to manage once the same questions circulate across functions: who is involved, what systems or data are affected, and which dependencies sit behind the third party. When that information is fragmented, early coordination slows.

      • Consolidate third party inventories across Procurement, IT, Cyber, Privacy, Finance, and Compliance.
      • Tag third parties with service, data they can access, criticality, connectivity, primary hosting region, and key sub-service providers.
      • Track unknowns, such as unclear data exposure or missing sub-service provider detail, and reduce them over time.

    Visibility supports alignment when decisions are needed.

    2) Tiering for effective and efficient risk management

    As third party populations grow, tiering becomes essential to keep program requirements proportional to inherent risk. The point is not only due diligence depth. Tiering and criticality help structure how the program addresses the most common risks and the biggest threats in a consistent way.

      • Define your risk tiers (high, moderate, and low) using inherent risk factors such as data sensitivity, access level, operational criticality, concentration risk, regulatory compliance and geography.
      • Identify third parties that are essential to operations, interact directly with customers, or could reasonably drive regulatory scrutiny if they fail or experience an incident, and flag them as critical.
      • Assign every third party both a risk tier and a critical or not critical designation, so the program can clearly identify which vendors require the most scrutiny, due diligence, monitoring, and oversight.
      • Use the risk tier to set baseline program requirements, such as due diligence scope, evidence expectations, monitoring cadence, issue management timelines, and escalation triggers.
      • For critical third parties, set heightened requirements across contracts, business continuity and disaster recovery expectations, scenario testing, performance monitoring, and incident coordination.

    The intent is to structure program effort around where risk and impact concentrate.

    3) Practical Nth-party accountability

    Sub-service provider exposure often becomes visible after an issue has already arisen. At that point, teams are working to understand who else is involved and what leverage exists.

      • Require disclosure of material sub-service providers, hosting locations, and changes that affect data or service delivery.
      • Request sub-service provider data maps for critical third parties only, focused on dependencies that carry real impact.
      • Start with a small group of critical third parties and expand once the process is repeatable.

    Sub-service provider work tends to be most useful when it starts with the dependencies that affect service delivery or data exposure, then broadens over time.

    4) Monitoring with clear ownership, including performance

    Many organizations receive more third party risk information than they can act on. Without thresholds and ownership, monitoring loses operational value. Monitoring also needs to cover performance, not just risk events, because service degradation and missed deliverables often surface before a formal incident.

      • Define a short list of conditions that require attention, such as breach disclosures, ransomware activity, sanctions exposure, financial distress, critical vulnerability exposure, major control changes, or sustained service issues.
      • TPRM sets the cadence and requirements for monitoring based on risk tier and criticality, including what must be reviewed, how it is documented, and when escalation is required.
      • The business owner manages third party performance and is accountable for driving timely, complete remediation with the third party, including Service Level Agreement (SLA) review, corrective actions, and escalation when customer or operational impact is at stake.

    Ownership and accountability drive follow-through and better outcomes.

    5) Third party incident readiness and continuity coordination

    Third party incidents rarely affect just one function. They can raise legal questions, trigger privacy assessments, affect operations, or require triage from Information Security teams. When a critical provider is degraded or offline, business continuity and recovery planning becomes part of the same conversation.

      • Develop a third party incident and continuity playbook with cyber, legal, privacy, procurement, business owners, and business continuity and recovery stakeholders. Include notification and evidence requests, impact assessment, escalation paths, communications, recovery time and recovery point expectations, workaround options, and decision points for failover or alternate sourcing.
      • Run tabletop exercises that include both incident handling and service disruption scenarios, using at least one critical third party as the case study.
      • Confirm 24/7 contacts, notification SLAs, and continuity-related commitments for critical third parties, including recovery objectives and support expectations during disruptions.

    Preparedness here reduces confusion during incidents and shortens the path from impact to recovery.

    6) AI governance in intake and contracts

    AI use by third parties can affect data handling, security controls, and compliance obligations. Addressing expectations early helps reduce rework later.

      • Ask where AI is used, what data it touches, if data is used to train models, retention practices, access controls, and incident handling.
      • Include contract language on data use, transparency, and notification when AI-related practices change.
      • Require third parties to identify material changes to AI-enabled features, underlying model providers, or data processing workflows that could affect confidentiality, integrity, availability, privacy, or regulatory obligations.

    The goal is oversight and defensible governance, not blocking adoption.

    7) Regional and geopolitical disruption

    External pressures often reach organizations through suppliers. Preparation means thinking through how disruption would affect service delivery and contractual obligations.

      • Identify single points of failure by region, facility, cloud zone, or logistics route.
      • Document substitution options and what can be paused if disruption occurs.
      • Run scenario exercises tied to regional or geopolitical disruption and update continuity assumptions.

    Scenario work surfaces dependencies that are otherwise easy to miss.

    8) Cross-functional integration

    Third party issues tend to escalate when relationship ownership, escalation paths, and decision authority are not clearly defined.

      • Name a business owner for each third party to own the relationship and drive risk remediation.
      • Document risk acceptance authority and escalation paths, typically an executive owner or committee.
      • Hold regular decision meetings for exceptions, remediation approvals, renewals, access changes, and exits.
      • Maintain an exceptions register with clear expiration dates.

    Regular coordination keeps decisions moving and reduces friction when issues span multiple functions.

    9) Develop a scorecard leadership will use

    A small, consistent scorecard helps leadership see where risk is concentrated and where follow-up is lagging.

    Track a limited set of measures:

      • Percent of critical third parties with current evidence-based validation
      • Percent with known material sub-service providers
      • Time to triage third party incidents
      • High-risk issues past agreed timelines
      • Concentration risk across core functions

    Metrics are most useful when they inform decisions and drive action.

    Closing thought

    None of these actions require rebuilding a TPRM program. They require clarity on roles, a disciplined way to separate critical third parties from the broader population, and monitoring and escalation approaches that connect risk signals to real follow-up. The programs that hold up best tend to be steady on the fundamentals, especially when third party issues arrive alongside procurement deadlines, operational pressure, and leadership questions.

    Author Bio

    Hilary Jewhurst, Sr. Membership & Education Coordinator at TPRA

    Hilary Jewhurst is a seasoned expert in third party risk and risk operations, with nearly two decades of experience across financial services, fintech, and the nonprofit sector. She has built and scaled third party risk programs from the ground up, designed enterprise-wide training initiatives, and developed widely respected content that helps organizations navigate regulatory complexity with clarity and confidence. Known for turning insight into action, Hilary’s thought leadership and educational work have become go-to resources for professionals looking to mature their TPRM programs. She regularly publishes articles, frameworks, and practical guides that break down complicated risk topics into meaningful, accessible strategies. Hilary recently joined the Third Party Risk Association (TPRA) as a staff member, supporting industry-wide education, peer learning, and advancing best practices. She is also the founder of TPRM Success, a boutique consultancy that helps organizations strengthen their third party risk management capabilities through targeted training, tools, and strategic guidance.

  • Where Does AI/TPRM Live Within an Organization?

    Navigating Ownership, Oversight, and Expertise in the Age of Artificial Intelligence

    As artificial intelligence (AI) adoption accelerates across industries, organizations are grappling with a new challenge: where should AI risk management, and specifically AI-related Third Party Risk Management (TPRM), live within the enterprise?

    While some organizations assign ownership to existing structures like IT, model risk management, or cybersecurity, others manage AI/TPRM through risk committees or distributed governance models.

    However, as AI becomes embedded in everything from third party software to operational decision making, defining accountability and expertise is more critical than ever.

    This blog explores the current state of organizational ownership of AI/TPRM, the challenges of fragmented accountability, and the evolving landscape of AI risk governance.

    The Current Reality: Distributed Ownership, Fragmented Accountability

    Most organizations are still in the early stages of formalizing how AI and third party risk intersect. The result is a patchwork of ownership that reflects historical structures rather than emerging needs.

    Common Models of AI/TPRM Ownership:

    Model | Typical Owner | Strengths | Challenges
    IT Ownership | CIO or Head of IT | Deep technical knowledge; integration visibility | Focused on enablement over risk; limited governance scope
    Cybersecurity Ownership | CISO or Security Team | Expertise in data protection, privacy and threat management | May overlook model bias, ethics and performance risk
    Model Risk Management (MRM) | CRO, Enterprise Risk or Finance | Familiar with validation frameworks and model governance | Not all AI tools qualify as “models”; hard to scale across third parties
    Enterprise Risk Management | Chief Risk Officer | Holistic view of risk across functions | May lack the technical fluency needed to assess AI-specific risks
    Governance Committee or AI Council | Cross Functional Groups | Encourages shared accountability | Decision-making can be slow; unclear escalation or ownership paths

    In practice, AI/TPRM often lives everywhere and nowhere at all.

    This distributed reality makes it difficult to establish clear accountability, consistent controls, or effective monitoring.

    The Expertise Dilemma: Interest, Enthusiasm, and Illusion

    AI governance has quickly attracted attention across business functions.

    Within most organizations, there are three groups emerging:

      • The Interested: Professionals who want to understand AI’s risks and opportunities but lack hands-on experience.
      • The Aspiring Expert: Individuals who follow AI trends and participate in governance conversations but may not yet grasp the nuances of model architecture or data provenance.
      • The Actual Experts: Technologists, data scientists, and risk professionals who understand both the technical and ethical implications of AI.

    The challenge is not a shortage of passion; it's a shortage of true multidisciplinary expertise.

    AI/TPRM sits at the intersection of technology, ethics, and compliance, and few individuals or departments are fluent in all three.

    To close this gap, organizations must create intentional learning pathways and collaborative governance structures that balance subject matter expertise with enterprise risk accountability.

    Governance in Practice: Moving Towards a Federated Model

    A leading practice emerging across industries is a federated governance model for AI and TPRM. This structure combines distributed ownership with centralized oversight.

    Key Features of a Federated Model

      • Central Oversight Body – An AI Risk or Governance Committee that sets policy standards and reporting expectations.
      • Functional Ownership – Each business or function (e.g., IT, Cyber, Risk, Legal, Procurement, etc.) owns execution of AI/TPRM controls relevant to their domain.
      • Integration with TPRM – Third party due diligence processes are expanded to include AI-specific assessment covering model transparency, ethical design, data sourcing, and bias testing.
      • Continuous Monitoring – Establish ongoing oversight for AI-enabled third party tools, especially for evolving and retraining models.

    This model encourages shared responsibility while ensuring decisions align with enterprise-level risk appetite and ethical standards.

    A Practical Path Forward

    Organizations can begin clarifying AI/TPRM ownership with the following steps:

      • Map Current Ownership – Identify where AI activities and risk currently reside (within IT, Cyber, Risk or elsewhere).
      • Establish an AI Governance Charter – Define roles, responsibilities, and decision rights for all AI-related risk activities, including third party AI vendors.
      • Integration of AI Risk into TPRM Frameworks – Update third party due diligence questionnaires/assessments and monitoring processes to include AI use, transparency, and data ethics.
      • Create a Skills Development Roadmap – Offer training that bridges the technical, operational and ethical dimensions of AI risk.
      • Promote Transparency and Communication – Encourage open dialogue between those who “build”, those who “buy”, and those who “govern” AI.

    Where AI/TPRM “lives” is not a static question; it's a reflection of how mature an organization is in managing emerging risk. Ownership will likely evolve over time, shifting from isolated functions to integrated governance models.

    Ultimately, the goal isn’t to decide whether IT, Cyber, or Risk “owns” AI. It's to ensure that someone is accountable, that the process is transparent, and that decisions are made responsibly.

    AI will continue to reshape third party risk management. Those who establish clarity of ownership today will be better equipped to manage the risks and seize the opportunities of tomorrow.

    Author Bio

    Heather Kadavy, Senior Membership Success Coordinator

    Heather Kadavy joined the Third Party Risk Association (TPRA) in 2023 as the Senior Membership Success Coordinator. In recent year(s), Heather has been providing freelance TPRM consulting work to various organizations after retiring from a Nebraska financial institution after nearly 35 years, where she oversaw and managed critical programs of the organization including Third Party Risk Management, Information Security, Physical Security, Safety, Business Recovery, Financial Crimes, Model Risk Management, and Enterprise Risk Management. In her TPRM role she had oversight of over a thousand third party relationships, systems, due diligence reviews and contract management activities. She developed, facilitated, and implemented training programs for thousands of employees over the years. Heather is a natural born connector of people and values relationship building as the cornerstone of her career. She encourages you to connect with TPRA and herself via LinkedIn to join in the "TPRM Global Conversation".

Other Pages (365)

  • VENDOR-HOSTED EVENTS | TPRA

    Learn about and register for events outside of the TPRA that are applicable to TPRM.

    The TPRA promotes the industry of third party risk, which includes events conducted by other third party risk-related groups and organizations. Check back here regularly to see our list of vendor-hosted events. If you would like to promote your next third party risk-specific event, please complete the form below.

    Disclaimer: TPRA does not endorse or sponsor the products/services of one particular organization; however, we do communicate training opportunities for the benefit of the community.

      • FAIR Institute (Live Webinar): Building Stronger Risk Cultures: Understanding and Applying the Organisational Risk Culture Standard (ORCS)
        Wednesday, February 18, 2026, 4 PM ET
        In this webinar, ORCS Co-Authors Jack Jones and Dr Gavriel Schneider will provide an inside look at the development of the standard and discuss its practical application for organisations seeking to enhance risk intelligence and decision-making maturity. They will explore how ORCS aligns with global risk frameworks, supports more objective cultural assessments, and can be used alongside quantitative risk models such as FAIR to create a more holistic view of organisational risk posture.

      • Tandem (Live Webinar): Top 10 AI Security Risks Facing Financial Institutions
        Thursday, February 19, 2026, 2 PM CST
        In this session, we’ll walk through the top 10 AI-related security threats that financial institutions need to watch out for. From deepfake scams to sneaky data leaks, we’ll explore how these risks show up in real life, what makes them tricky, and what you can do about them. Whether you’re in cybersecurity, compliance, or just curious about where AI is heading, this talk will give you a clear picture and some solid next steps.

      • Bitsight (Live Webinar): Five TPRM Priorities To Strengthen Cyber Resilience in 2026
        Wednesday, February 25, 2026, 11 AM ET

      • Cloud Security Alliance (CSA) (Live Webinar): Data Security Strategies for a Gen AI World
        Wednesday, March 4, 2026
        Generative AI is here to stay, and it’s transforming the way we use and protect data. But as AI adoption skyrockets, organizations are asking: How do we balance innovation with security?

      • Exiger (Live Webinar): Session 1: Understanding Your Risk Posture
        Wednesday, March 4, 2026, 11:00 AM EST
        Join Exiger practitioners for the first in our four-part webinar series From Risk Awareness to Supply Chain Advantage. Part one, Understanding Your Risk Posture, focuses on how organizations establish a clear, defensible understanding of their current risk posture and leverage the latest AI—without overloading teams or relying on outdated frameworks.

      • Safe Security (Live Webinar): AI's Next Inflection Point: Predictions Cyber Risk Leaders Can’t Ignore
        Wednesday, March 4, 2026, 1:00 PM ET
        Tune in to hear John Chambers and Saket Modi discuss their predictions on the AI upside, the blind spots, and where cyber risk leaders should pay attention.

      • OneTrust (Live Webinar): Celebrating women in privacy
        Friday, March 6, 2026, 12:00 PM AEDT
        In honour of International Women’s Day, join us for an inspiring webinar spotlighting remarkable women shaping the future of the privacy and data protection profession. This session brings together a panel of accomplished female privacy leaders who will share their career paths, personal experiences, and the lessons learned throughout their professional journeys. Whether you’re an aspiring privacy professional exploring career possibilities or a tenured expert seeking fresh perspective, this webinar offers a valuable forum to learn, connect, and celebrate the wealth of female talent driving impact across the privacy landscape. Come ready to be inspired, expand your network, and honour the women who continue to elevate and advance the privacy profession across the globe.

      • Center for Financial Professionals (CeFPro) (In-Person Conference): Vendor & Third Party Risk Europe
        Wednesday, June 3, 2026, London, UK
        CeFPro’s 14th Annual Vendor & Third Party Risk Europe, taking place 3–4 June 2026 in the City of London, brings together senior risk leaders and industry experts to examine the evolving third-party risk landscape. The event will explore regulatory expectations, operational resilience, critical third-party oversight, and effective exit strategies, providing practical insight into how organisations are strengthening vendor risk frameworks in an increasingly complex environment.

      • Center for Financial Professionals (CeFPro) (In-Person Conference): Vendor & Third Party Risk USA
        Tuesday, June 9, 2026, Ease, New York
        CeFPro’s Vendor & Third Party Risk USA, taking place 9–10 June 2026 at Ease, New York, convenes senior risk leaders and industry experts to explore the evolving third-party risk landscape in the U.S. market. The event will focus on regulatory expectations, operational resilience, oversight of critical third parties, and effective exit strategies, offering practical insight to strengthen vendor and third-party risk management frameworks.

    Submit an External Event

    TPRA Practitioner Members can submit upcoming events they'd like displayed on this page using the form below. Some events may also be shared via our monthly events emails and/or quarterly newsletter. TPRA does not post on-demand/recorded events to this page. TPRA Vendor Members can submit their upcoming events through the Vendor Member Submissions form.
Submit

  • Certa | TPRM Tool Virtual Demo

    Certa’s Third Party OS is the digital backbone for managing your third party relationships across all risk domains and lifecycle stages.

    Certa
    Wednesday, February 18, 2026, 9:00 - 9:25 AM CT
    TPRM Platform

    Certa is the leading Third Party Risk Management (TPRM) solution. With our comprehensive Third Party Operating System (Third Party OS), Certa lets you manage risk across all third party types, all risk domains, all in one OS. Certa leverages AI across the third party lifecycle—automating onboarding, risk analysis, compliance, and monitoring. Our no-code workflows, AI-driven decisioning, and real-time data integrations help you adapt to evolving regulations and business needs. With full-spectrum risk coverage, Certa delivers due diligence 80% faster, driving smarter and more efficient third party management for global enterprises. With Certa, enterprises can manage risk across all third party types, all risk domains, all in one OS.

    Presenter(s)
    Brian Shaw, VP, Head of North America
    Brian has worked in business process automation targeting risk and compliance for over 25 years, supporting hundreds of Fortune 500 and mid-market firms across all industries. At Certa, Brian serves as Vice President, Head of North America, empowering clients with best-in-class Artificial Intelligence solutions to reduce costs, enhance efficiency, and mitigate risk within their Third Party Risk Management programs.

  • Demo Days | TPRA

    Join us for "Demo Days," where leading TPRM Service Providers showcase their solutions through 25-minute product demos tailored for TPRM practitioners.

    TPRM Tool Demo Days

    The Third Party Risk Association (TPRA) invites you to attend our quarterly "Demo Days," an exclusive opportunity for TPRM practitioners to explore innovative solutions from leading TPRM Service Providers. During these interactive sessions, vendors will deliver 25-minute product demos, showcasing their tools, technologies, and services designed to address the complex challenges of third party risk management programs.

    These virtual events allow practitioners to:
    Gain insights into the latest TPRM innovations.
    Connect directly with service providers to ask questions.
    Compare tools and platforms to determine the best fit for their organization.

    Don't miss this opportunity to stay ahead in the evolving landscape of third party risk management. New service providers demo each quarter, so we encourage you to register for as many Demo Days as you're able!

    Tool Types

    Below you can find brief descriptions of the TPRM tools that will be showcased during these events.

    TPRM Platform
    A software system designed to manage Third-Party Risk Management (TPRM) programs, which involves identifying, assessing, mitigating, and monitoring risks associated with external companies that an organization works with.

    Risk Ratings/Intelligence Tool
    A system or software application used to evaluate and quantify the potential likelihood and severity of risks associated with a particular incident or investment, typically assigning a numerical rating to each risk to facilitate prioritization and decision-making within risk management processes.

    GRC Platform
    A software tool that tracks, monitors, and manages governance, risk, and compliance activities at the enterprise level. This tool usually encompasses more than one risk-related department and encourages risk management at the highest level for an organization.

    TPRM Services
    An organization that assists with the implementation of TPRM programs and/or the completion of due diligence activities. TPRM Service providers can determine the maturity of your program and enhance operational capabilities.

    Register for Upcoming Demo Days

    Q1 Demo Day: Wednesday, February 18, 2026 at 3:00:00 PM UTC, 6 hours
    Q2 Demo Day: Wednesday, May 13, 2026 at 2:00:00 PM UTC, 6 hours
    Q3 Demo Day: Wednesday, August 19, 2026 at 2:00:00 PM UTC, 6 hours
    Q4 Demo Day: Wednesday, October 21, 2026 at 2:00:00 PM UTC, 6 hours

    NOTE: TPRM Service Providers and their employees, affiliates, parent companies, etc. NOT participating in a demo are not allowed to register based on conflict of interest.

    Demo Day Agenda

    Please note that the below may feature presenters for multiple Demo Days. Demo Day times are subject to change depending on the number of demos per day. All scheduled times are in Central Time.

    Date: Wednesday, February 18, 2026 | Time: 9:00 - 9:25 AM CT | TPRM Platform
    Certa’s Third Party OS is the digital backbone for managing your third party relationships across all risk domains and lifecycle stages.

    Date: Wednesday, February 18, 2026 | Time: 9:30 - 9:55 AM CT | TPRM Platform
    Sayari is the transparency company built to provide immediate worldwide visibility into the relationships between businesses and individuals.

    Date: Wednesday, February 18, 2026 | Time: 10:00 - 10:25 AM CT | TPRM Platform
    Coverbase automates 90% of third-party risk management using AI.

    Date: Wednesday, February 18, 2026 | Time: 10:30 - 10:55 AM CT | TPRM Platform
    Bitsight Third Party Risk Management is an end-to-end solution that includes continuous, data-driven, validated cyber risk insights and automated vendor assessment capabilities.

    Date: Wednesday, February 18, 2026 | Time: 11:00 - 11:25 AM CT | TPRM Platform
    ProcessUnity Third-Party Risk Management protects companies and their brands by reducing risk from third parties, vendors and suppliers.

    Date: Wednesday, February 18, 2026 | Time: 11:30 - 11:55 AM CT | Risk Ratings/Intelligence
    Supply Wisdom provides real-time, continuous risk intelligence across third parties and locations to help enterprises proactively manage operational, compliance, financial, cyber, location, ESG and Nth party risks.

    Date: Wednesday, February 18, 2026 | Time: 12:00 - 12:55 PM CT
    Lunch

    Date: Wednesday, February 18, 2026 | Time: 1:00 - 1:25 PM CT | TPRM Platform
    Safe Security has redefined cyber risk measurement and management with its real-time, data-driven approach that empowers enterprise leaders, regulators, and cyber insurance carriers to understand cyber risk in an aggregated yet granular manner.

    Date: Wednesday, February 18, 2026 | Time: 1:30 - 1:55 PM CT | TPRM Platform
    DocuBark is an AI enabled TPRM due diligence platform that parses through vendor documents and scores a vendor's security posture.

    Date: Wednesday, February 18, 2026 | Time: 3:00 - 3:25 PM CT | TPRM Platform
    Clarative is an IT vendor monitoring system that streamlines compliance and operational oversight by tracking contractual SLAs, obligations, and potential violations.

    Date: Wednesday, February 18, 2026 | Time: 3:30 - 3:55 PM CT | TPRM Platform
    Continuity Strength helps TPRM practitioners and vendor managers strengthen third-party resilience with greater speed, consistency, and confidence.

    Interested in presenting a product demo? Please complete our Sponsor Information Form to start the process or contact Heather Kadavy, TPRA's Senior Membership Success Coordinator, at heather.kadavy@tprassociation.org to learn how to get involved!
