Search Results

In TPRA’s December blog, “TPRM State of the Industry: The 2026 Risk Reality Check,” Heather Kadavy laid out what many practitioners are dealing with heading into 2026, deeper dependency chains, more AI use by third parties, higher expectations for ongoing oversight, and external pressures that land through suppliers.    This blog will discuss what to do with that reality in practice. The sections below focus on preparation and actions that can be put in place early and reused throughout the year, so programs are not rebuilding workflows every time a third party issue surfaces.    What follows is practical guidance, not a maturity model or a checklist. The goal is usable steps that support consistent execution as issues surface.     1) Third Party visibility that supports decisions  Third Party issues often become harder to manage once the same questions circulate across functions. Questions such as who is involved, what systems or data are affected, and which dependencies sit behind the third party. When that information is fragmented, early coordination slows.  Consolidate third party inventories across Procurement, IT, Cyber, Privacy, Finance, and Compliance.  Tag third parties with service, data they can access, criticality, connectivity, primary hosting region, and key sub-service providers.  Track unknowns, such as unclear data exposure or missing sub-service provider detail, and reduce them over time.  Visibility supports alignment when decisions are needed.  2) Tiering for effective and efficient risk management  As third party populations grow, tiering becomes essential to keep program requirements proportional to inherent risk. The point is not only due diligence depth. Tiering and criticality help structure how the program addresses the most common risks and the biggest threats in a consistent way.  Define your risk tiers ( high, moderate, and low) using inherent risk factors such as data sensitivity, access level, operational criticality, concentration risk, regulatory compliance and geography.  Identify third parties that are essential to operations , interact directly with customers , or could reasonably drive regulatory scrutiny if they fail or experience an incident, and flag them as critical .  Assign every third party both a risk tier and a critical or not critical designation, so the program can clearly identify which vendors require the most scrutiny, due diligence, monitoring, and oversight.  Use the risk tier to set baseline program requirements, such as due diligence scope, evidence expectations, monitoring cadence, issue management timelines, and escalation triggers.  For critical third parties , set heightened requirements across contracts, business continuity and disaster recovery expectations, scenario testing, performance monitoring, and incident coordination.  The intent is to structure program effort around where risk and impact concentrate.  3) Practical Nth-party accountability  Sub-service provider exposure often becomes visible after an issue has already arisen. At that point, teams are working to understand who else is involved and what leverage exists.  Require disclosure of material sub-service providers, hosting locations, and changes that affect data or service delivery.  Request sub-service provider data maps for critical third parties only, focused on dependencies that carry real impact.  Start with a small group of critical third parties and expand once the process is repeatable.  Sub-service provider work tends to be most useful when it starts with the dependencies that affect service delivery or data exposure, then broadens over time.  4) Monitoring with clear ownership, including performance  Many organizations receive more third party risk information than they can act on. Without thresholds and ownership, monitoring loses operational value. Monitoring also needs to cover performance, not just risk events, because service degradation and missed deliverables often surface before a formal incident.  Define a short list of conditions that require attention, such as breach disclosures, ransomware activity, sanctions exposure, financial distress, critical vulnerability exposure, major control changes, or sustained service issues.  TPRM sets the cadence and requirements for monitoring based on risk tier and criticality, including what must be reviewed, how it is documented, and when escalation is required.  The business owner manages third party performance and is accountable for driving timely, complete remediation with the third party, including Service Level Agreement (SLA) review, corrective actions, and escalation when customer or operational impact is at stake.  Ownership and accountability drive follow-through and better outcomes.  5) Third party incident readiness and continuity coordination  Third Party incidents rarely affect just one function. They can raise legal questions, trigger privacy assessments, affect operations, or require triage from Information Security teams. When a critical provider is degraded or offline, business continuity and recovery planning becomes part of the same conversation.  Develop a third party incident and continuity playbook with cyber, legal, privacy, procurement, business owners, and business continuity and recovery stakeholders. Include notification and evidence requests, impact assessment, escalation paths, communications, recovery time and recovery point expectations, workaround options, and decision points for failover or alternate sourcing.  Run tabletop exercises that include both incident handling and service disruption scenarios, using at least one critical third party as the case study.  Confirm 24/7 contacts, notification SLAs, and continuity-related commitments for critical third parties, including recovery objectives and support expectations during disruptions.  Preparedness here reduces confusion during incidents and shortens the path from impact to recovery.  6) AI governance in intake and contracts  AI use by third parties can affect data handling, security controls, and compliance obligations. Addressing expectations early helps reduce rework later.  Ask where AI is used, what data it touches, if data is used to train models, retention practices, access controls, and incident handling.  Include contract language on data use, transparency, and notification when AI-related practices change.  Require third parties to identify material changes to AI-enabled features, underlying model providers, or data processing workflows that could affect confidentiality, integrity, availability, privacy, or regulatory obligations.  The goal is oversight and defensible governance, not blocking adoption.  7) Regional and geopolitical disruption  External pressures often reach organizations through suppliers. Preparation means thinking through how disruption would affect service delivery and contractual obligations.  Identify single points of failure by region, facility, cloud zone, or logistics route.  Document substitution options and what can be paused if disruption occurs.  Run scenario exercises tied to regional or geopolitical disruption and update continuity assumptions.  Scenario work surfaces dependencies that are otherwise easy to miss.  8) Cross-functional integration  Third party issues tend to escalate when relationship ownership, escalation paths, and decision authority are not clearly defined.  Name a business owner for each third party to own the relationship and drive risk remediation. Document risk acceptance authority and escalation paths, typically an executive owner or committee.   Hold regular decision meetings for exceptions, remediation approvals, renewals, access changes, and exits.  Maintain an exceptions register with clear expiration dates.  Regular coordination keeps decisions moving and reduces friction when issues span multiple functions.  9) Develop a scorecard leadership will use  A small, consistent scorecard helps leadership see where risk is concentrated and where follow-up is lagging.  Track a limited set of measures:  Percent of critical third parties with current evidence-based validation  Percent with known material sub-service providers  Time to triage third party incidents  High-risk issues past agreed timelines  Concentration risk across core functions  Metrics are most useful when they inform decisions and drive action.  Closing thought  None of these actions require rebuilding a TPRM program. They require clarity on roles, a disciplined way to separate critical third parties from the broader population, and monitoring and escalation approaches that connect risk signals to real follow-up. The programs that hold up best tend to be steady on the fundamentals, especially when third party issues arrive alongside procurement deadlines, operational pressure, and leadership questions.  Author Bio Hilary Jewhurst Sr. Membership & Education Coordinator at TPRA Hilary Jewhurst  is a seasoned expert in third party risk and risk operations, with nearly two decades of experience across financial services, fintech, and the nonprofit sector. She has built and scaled third party risk programs from the ground up, designed enterprise-wide training initiatives, and developed widely respected content that helps organizations navigate regulatory complexity with clarity and confidence. Known for turning insight into action, Hilary’s thought leadership and educational work have become go-to resources for professionals looking to mature their TPRM programs. She regularly publishes articles, frameworks, and practical guides that break down complicated risk topics into meaningful, accessible strategies. Hilary recently joined the  Third Party Risk Association (TPRA)  as a staff member, supporting industry-wide education, peer learning, and advancing best practices. She is also the founder of  TPRM Success , a boutique consultancy that helps organizations strengthen their third party risk management capabilities through targeted training, tools, and strategic guidance.

Navigating Ownership, Oversight, and Expertise in the Age of Artificial Intelligence  As artificial intelligence (AI) adoption accelerates across industries, organizations are grappling with a new challenge: where should AI risk management, and specifically AI-related Third Party Risk Management (TPRM), live within the enterprise?  While some organizations assign ownership to existing structures like IT, model risk management, or cybersecurity, others manage AI/TPRM through risk committees or distributed governance models.  However, as AI becomes embedded in everything from third party software to operational decision making, defining accountability and expertise is more critical than ever.  This blog explores the current state of organizational ownership of AI/TPRM, the challenges of fragmented accountability, and the evolving landscape of AI risk governance.  The Current Reality: Distributed Ownership, Fragmented Accountability  Most organizations are still in the early stages of formalizing how AI and third party risk intersect. The result is a patchwork of ownership that reflects historical structures rather than emerging needs.  Common Models of AI/TPRM Ownership:  Model Typical Owner Strengths Challenges IT Ownership CIO or Head of IT Deep technical knowledge; integration visibility Focused on enablement over risk; limited governance scope Cybersecurity Ownership CISO or Security Team Expertise in data protection, privacy and threat management May overlook model bias, ethics and performance risk Model Risk Management (MRM) CRO, Enterprise Risk or Finance Familiar with validation frameworks and model governance Not all AI tools qualify as “models”; hard to scale across third parties. Enterprise Risk Management Chief Risk Officer Holistic view of risk across functions May lack the technical fluency needed to assess AI-specific risks Governance Committee or AI Council Cross Functional Groups Encourages shared accountability Decision-making can be slow; unclear escalation or ownership paths In practice, AI/TPRM often lives everywhere and nowhere at all.   This distributed reality makes it difficult to establish clear accountability, consistent controls, or effective monitoring.   The Expertise Dilemma: Interest, Enthusiasm, and Illusion  AI governance has quickly attracted attention across business functions.  Within most organizations, there are three groups emerging:  The Interested:  Professional who wants to understand AI’s risk and opportunities but lack hands-on experience.  The Aspiring Expert:  Individual who follows AI trends and participates in governance conversations but may not yet grasp the nuances of model architecture or data provenance.  The Actual Experts:  Technologist, data scientist, and risk professionals who understand both the technical and ethical implications of AI.  The challenge is not a shortage of passion, it's a shortage of true multidisciplinary expertise.  AI/TPRM sits at the intersection of technology, ethics, and compliance, few individuals or departments are fluent in all three.  To close this gap, organizations must create intentional learning pathways and collaborative governance structures that balance subject matter expertise with enterprise risk accountability. Governance in Practice: Moving Towards a Federated Model  A leading practice emerging across industries is a federated governance model for AI and TPRM. This structure combines distributed ownership with centralized oversight.  Key Features of a Federated Model  Central Oversight Body  – An AI Risk or Governance Committee that sets policy standards, and reporting expectations.   Functional Ownership – Each business or function (e.g., IT, Cyber, Risk, Legal, Procurement, etc.) owns execution of AI/TPRM controls relevant to their domain.  Integration with TPRM – Third party due diligence processes are expanded to include AI-specific assessment covering model transparency, ethical design, data sourcing, and bias testing.  Continuous Monitoring – Establish ongoing oversight for AI-enabled third party tools, especially for evolving and retraining models.  This model encourages shared responsibility while ensuring decisions align with enterprise-level risk appetite and ethical standards.   A Practical Path Forward  Organizations can begin clarifying AI/TPRM ownership with the following steps:  Map Current Ownership – Identify where AI activities and risk currently reside(within IT, Cyber, Risk or elsewhere).  Establish an AI Governance Charter – Define roles, responsibilities, and decision rights for all AI-related risk activities, including third party AI vendors.  Integration of AI Risk into TPRM Frameworks – Update third party due diligence questionnaires/assessments and monitoring processes to include AI use, transparency, and data ethics.  Create a Skills Development Roadmap – Offer training that bridges the technical, operational and ethical dimension of AI risk.  Promote Transparency and Communication – Encourage open dialogue between those who “build”, those who “buy”, and those who “govern” AI.  Where AI/TPRM “lives” is not a static question, it's a reflection of how mature an organization is in managing emerging risk. Ownership will likely evolve over time, shifting from isolated functions to integrated governance models.   Ultimately, the goal isn’t to decide whether IT, Cyber, or Risk “owns” AI. It's to ensure that someone is accountable,  that the process is transparent, and decisions are made responsibly.  AI will continue to reshape third party risk management. Those who establish clarity of ownership today will be better equipped to manage the risks and seize the opportunities of tomorrow.  Author Bio Heather Kadavy Senior Membership Success Coordinator Heather Kadavy  joined the Third Party Risk Association (TPRA) in 2023 as the Senior Membership Success Coordinator. In recent year(s) Heather has been providing freelance TPRM consulting work to various organizations after retiring from a Nebraska financial institution after nearly 35 years where she oversaw and managed critical programs of the organization including Third Party Risk Management, Information Security, Physical Security, Safety, Business Recovery, Financial Crimes, Model Risk Management, and Enterprise Risk Management.  In her TPRM role she had oversight of over a thousand third party relationships, systems, due diligence reviews and contract management activities.  She developed, facilitated, and implemented training programs for thousands of employees over the years. Heather is a natural born connector of people and values relationship building at the cornerstone of her career.  She encourages you to connect with TPRA and herself via LinkedIn to join in the "TPRM Global Conversation".

In many Third Party Risk Management (TPRM) programs, contracts and service-level agreements (SLAs) are signed, filed, and then forgotten. That is, until a renewal deadline sneaks up, or a vendor fails to meet a critical performance standard, whereby no one can prove whether the vendor was or wasn’t held accountable.  If that sounds familiar, you’re not alone.  Contract and SLA management are two of the most underrated yet high-impact areas for TPRM automation. And the good news? You don’t need a massive system overhaul to start reaping the benefits.  Why Contract & SLA Monitoring Matters in TPRM  Contracts contain the DNA of your third party relationships. They note:  What services are being delivered  What controls are expected  When the agreement expires or renews  What happens if something goes wrong  If this information lives in static PDFs or folders, and relies on someone to remember key dates or terms, you’re exposing your organization to real risk. Such risks include, but are not limited to:  Missed renewals that may auto-renew unfavorable terms  SLA violations that go undetected and un-remediated  Unenforced obligations that weaken your risk posture  Automation can help solve this problem. And it doesn’t have to be complex.  What You Can Automate  Here are several key elements of contract and SLA management you can automate today:    1. Key Date Reminders  Renewal and termination notice deadlines  Compliance documentation expiry (e.g., updated SOC 2 required every 12 months)  Review cycles (e.g., quarterly performance check-ins)  Automation example:  Auto-alerts at 90/60/30 days before renewal, with owner assignment and status tracking.     2. Obligation Tracking  Ensure third parties deliver required evidence (e.g., updated pen test results)  Auto-track performance standards (e.g., response times, uptime, ticket resolution)  Flag when obligations aren’t met  Automation example:  Use automated tools to extract obligations from contracts and load them into a tracker that flags upcoming deliverables.     3. SLA Monitoring Integration  Link with operational data (e.g., help desk platforms, uptime monitors) to auto-validate whether SLA commitments are being met.  Set automated thresholds for escalation if a third party exceeds a defined limit (e.g., >3 late response tickets in a month).  Automation example:  When help desk tickets tied to a third party cross a certain age threshold, an alert is triggered to the TPRM team.  Real-World Example: Automating Renewal Notifications in a Mid-Sized Bank  A regional U.S. bank had thousands of third parties with contracts stored across multiple departments. Renewal dates were tracked in spreadsheets, and deadlines were frequently missed, resulting in automatic renewals that locked the organization into poor terms.  “We didn’t realize how often we were defaulting to auto-renewal until we missed our shot at renegotiating a major payment vendor,” the TPRM manager shared.   The team implemented a contract tracker tied to their TPRM tool that extracted and logged:  Contract expiration dates  Required notice periods  Assigned contract owners  Automated alerts were triggered on 90, 60, and 30 days before key dates, with color-coded status dashboards.  Impact:   100% of critical third party renewals reviewed on time  Saved ~$300K through renegotiated terms in Year 1  Improved coordination with Legal and Procurement  Getting Started: Tools You Can Use  You don’t need a custom platform to get going. Some automation options include:  GRC/TPRM platforms  with contract modules   Contract lifecycle tools  (e.g., Ironclad, LinkSquares, DocuSign CLM)  Workflows in MS365 or Google Workspace  using reminders and task lists  Low-code platforms like Airtable or Monday.com for custom trackers    Key Takeaways:  Contracts are a goldmine of risk and performance data. Don't let them sit untouched.  Automating reminders and tracking obligations keep your third parties accountable and your TPRM program compliant.  Start small: even a shared tracker with auto-reminders can reduce missed deadlines and drive savings.  Author Bio Heather Kadavy Senior Membership Success Coordinator Heather Kadavy  joined the Third Party Risk Association (TPRA) in 2023 as the Senior Membership Success Coordinator. In recent year(s) Heather has been providing freelance TPRM consulting work to various organizations after retiring from a Nebraska financial institution after nearly 35 years where she oversaw and managed critical programs of the organization including Third Party Risk Management, Information Security, Physical Security, Safety, Business Recovery, Financial Crimes, Model Risk Management, and Enterprise Risk Management.  In her TPRM role she had oversight of over a thousand third party relationships, systems, due diligence reviews and contract management activities.  She developed, facilitated, and implemented training programs for thousands of employees over the years. Heather is a natural born connector of people and values relationship building at the cornerstone of her career.  She encourages you to connect with TPRA and herself via LinkedIn to join in the "TPRM Global Conversation".

Join the TPRM community at TPRA for expert resources, training, templates, and tools to strengthen your third party risk program and grow your network. Join the only not-for-profit, vendor-agnostic professional association uniting thousands of TPRM professionals worldwide. Furthering the profession of third party risk management through knowledge-sharing & networking. Learn More Join Now The all-in-one source for Third Party Risk Management (TPRM) tools, templates, training, networking, certifications & industry best practices. MEMBERSHIP CONNECT & DISCOVER Individuals & organizations working together to advance the industry. More > EDUCATION MEETINGS & TRAINING Certifications & training for risk professionals to advance their careers & enhance their programs. More > RESOURCES INFORMATION SHARING SITE White papers, templates, guidance & more to enhance your program. More > TOOLS & AUTOMATION EXPLORE & CONTACT Detailed profiles of trusted TPRM service provider organizations & their offerings. More > Advance Your Career in Risk Management: Learn About the Benefits of TPRA Membership > Practitioner Plans Standard: FREE Premium: $199/yr BENEFITS Member Meetings Interactive monthly calls to discuss a variety of third party risk topics decided upon by members. Conferences In-person and virtual conferences dedicated solely to third party risk topics. Networking Online interaction with your peers through membership forums and document databases. Industry-Specific Meetings Quarterly special interest calls based on your industry. Demos, Surveys, Webinars Access to third party risk management service provider demos, surveys, & webinars. Certifications TPRM professional certifications that establish credibility and demonstrate your commitment to mastering your skills and knowledge within the industry. Join Now Vendor Plans 4 available plans starting at $8,000/yr BENEFITS Priority & Discount Sponsorship Opportunities Be the first to sponsor conferences and receive discounted member rates, as well as priority positioning. Networking & Collaboration Attend monthly and quarterly meetings with TPRM practitioners and other service providers to network, collaborate, create resources, share insights, and more! Promotional Opportunities Work with the TPRA staff to communicate to Practitioner Members the your organization's webinars, surveys, demos, blog posts, and white papers. Advisory Councils Join our TPRM Service Provider Advisory Council, as well as other groups, dedicated to collaborating, sharing insights, and providing strategic guidance. Quarterly Updates Receive quarterly updates with industry innovators to collaborate on practitioner needs. Join Now Meetings Open to All Meetings Open to All Member Meetings & Events On-Demand Meetings Thursday, February 12, 2026 10:00 – 11:00 AM CT Roundtable: Incident Response & Recovery in the Extended Enterprise Register > Tuesday, February 17, 2026 1:00 – 2:00 PM CT Women In TPRM Meeting Register > Wednesday, February 18, 2026 9:00 AM to 4:00 PM CT Q1 Demo Day Register > Thursday, March 12, 2026 10:00 – 11:00 AM CT Roundtable: Continuous Improvement and Program Maturity Register > CONTACT US OUR INFORMATION Address: P.O. Box 824 Ankeny, Iowa 50021 USA Email: info@tprassociation.org For any general inquiries, please fill out the contact form. First name* Last name* Email* Subject Message* Yes, subscribe me to TPRA communications. Submit

Learn about TPRA's available Vendor Member plans, the benefits included in each one, and how to join! TPRA Vendor Membership Becoming a TPRA Vendor Member isn't just about gaining leads and promoting your organization, it's about helping to further the industry of Third Party Risk Management (TPRM) by becoming an integral part of a community that establishes TPRM guidance, resources, and tools, and works to promote the value that TPRM professionals add to their organizations. INQUIRE ABOUT MEMBERSHIP This page is specific to Vendor Membership, but TPRA offers three types of membership to TPRM Service Providers depending on their needs, maturity, and/or revenue. A brief overview of each option can be found below, with links to explore further. Vendor Membership For established TPRM Service Provider organizations (TPRM Platform, GRC Platform, Risk Rating/Intelligence Tool, TPRM Services, etc.). Learn More Consultant Catalyst For single Independent Consultants or Boutique Advisory Firms specializing in third-party risk management services, typically with limited marketing budgets but high expertise. Learn More Incubator Program For Start-Up TPRM Service Provider Organizations looking to gain insight, support, and promotion. Learn More Vendor Member Benefits Connect with Targeted Audience Build relationships with third party risk professionals across industries through direct engagement opportunities, collaborative forums, and curated networking channels. Access Member-Only Insights Stay ahead of industry trends and challenges with exclusive access to community-driven insights, resources, and discussions. Highlight Your Solutions Showcase your tools, services, and innovations to the TPRM community through exclusive presentation and visibility opportunities designed to spark meaningful connections. Share Your Expertise Contribute your knowledge and thought leadership to the broader community through educational content and resource-sharing opportunities. Strengthen Your Brand Presence Enhance your brand recognition across TPRA platforms and communication channels through welcome features, spotlight opportunities, and tailored visibility touchpoints. Promote Events & Opportunities Expand your reach by promoting your relevant events, job openings, and initiatives directly to the TPRA practitioner network. Our Members Why Join? As a TPRA Vendor Member, you are recognized as an organization that believes in the mission of furthering the Third Party Risk Management profession through knowledge sharing and networking . Working together with Practitioners, you are an integral part of building a community that establishes TPRM guidance, resources, and tools, and works to promote the value that TPRM professionals add to their organizations. While the Third Party Risk Association is vendor-agnostic, we absolutely recognize the value our Vendor Members create not only in our profession, but also in the organizations our practitioners represent as well. Vendor Members are invited to leverage the Third Party Risk Association as a platform for increased brand recognition within our industry – we’ll support you with priority sponsorship opportunities , expedited customer support , and our partnership in providing you a voice within the larger TPRM community. Our membership and leadership can also serve as a resource offering unique insights into practitioner pain points and domain-specific challenges to inform your product offerings and prioritize your roadmaps. As we continue to grow, adding to our ever-evolving community of verified TPRM practitioners, the Third Party Risk Association will continue consulting our Vendor Membership for guidance on industry trends , emerging risks , and enhanced program automation effort s. The TPRA looks forward to working with you on furthering the profession of Third Party Risk Management together! INQUIRE ABOUT MEMBERSHIP Ready to Join? If you are looking to move forward with Vendor Membership, complete this form to begin the process! Our team will reach out soon with plan and pricing options. Contact Heather directly using the contact info below. Heather Kadavy Senior Membership Success Coordinator heather.kadavy@tprassociation.org TPRM Service Provider Membership Inquiry Complete this form if you are interested in one of TPRA's Service Provider Membership options (Vendor Membership, Incubator Program, Consultant Catalyst). Our team will reach out to you as soon as possible with further details on plan benefits and pricing. First name* Last name* Job Title* Organization* Email* Phone Which membership option are you interested in? Vendor Membership – For established TPRM Service Provider organizations (TPRM Platform, GRC Platform, Risk Rating/Intelligence Tool, TPRM Services, etc.). Incubator Program – For Start-Up TPRM Service Provider Organizations looking to gain insight, support, and promotion. Consultant Catalyst – For single, Independent Consultants or Boutique Advisory Firms specializing in third-party risk management services. Other Anything else we should know? Submit

TPRM Service Provider start-ups are invited to join the TPRA as Incubator Members! Apply now! TPRA Incubator Program Welcome to the TPRA Incubator Program, created to be a catalyst for transformative innovation in third party risk management (TPRM) Read More Inquire About Membership About Mission Empower and accelerate the success of innovative third party risk management startups through a comprehensive incubator program. We strive to foster a collaborative ecosystem that provides mentorship, resources, and networking opportunities, enabling startups to navigate challenges, develop cutting-edge solutions, and establish a robust presence in the evolving landscape of risk management. Vision To be a catalyst for transformative innovation in third party risk management, fostering a dynamic ecosystem where startups thrive in pioneering solutions that redefine industry standards. We aspire to build a global community of resilient and adaptive risk management leaders who contribute to a secure and trustworthy business environment. Through our incubator program, we envision a future where emerging startups play a pivotal role in shaping the evolution of risk management practices, driving sustainability, and ensuring resilience in an ever-changing landscape. Transforming the Industry Together Incubator Participants Who Can Participate Inquire About Membership Innovative Third Party Risk Management Startups Only start-up organizations within the Third Party Risk Management space Start-up must be five years old or less and/or within the pre-seed, seed, or early stage (Series A and Series B) Start-ups must not bring in more than $500,000 of revenue annually from product/service offerings Must complete an application and potentially an interview Must provide evidence of the revenue the organization generates from products/services within their last and/or current financial year TPRA retains the right to deny any organization and/or individual entry into the Incubator Program for any reason Goals & Activities The goals and activities of the Incubator Program are to assist with removing roadblocks within the community to allow for better communication, tighten feedback loops to ensure community needs are addressed, and to be a catalyst for innovation within the community. The program will also allow for a common lexicon when speaking about TPRM programs and the value they bring to organizations. Below are the goals and activities related to the TPRA’s Innovator Program: 1 TPRA Vendor Membership Receive “Incubator Status” Vendor Membership based on the Program Tier structure below. Would receive all of the benefits of an “Advocate” Member. Benefits include: Orientation & On-boarding Three website accounts Quarterly updates Invitations to practitioner meetings Website Access Service Provider Profile LinkedIn Welcome Message Share your resources, events, surveys, & job openings with TPRA members Newsletter Spotlight & Links to Blogs Write blogs for TPRA 3 Access to Resources Share TPRA resources, webinars, and training opportunities. TPRA will create a website to share external resources for Incubator Program members only (to include company names and URLs for investment firms, other incubator programs, and other start-up accelerators). 5 Training & Skill Development Incubator participants may attend TPRA webinars, events, and activities on the website to enhance TPRM skill development. 7 Lead Generation Opportunities TPRA to provide incubator participants with discounts on conference sponsorships and demo opportunities. Sponsorships come with opt-in lists. TPRA to create a site for Practitioners to submit RFPs for TPRM tools and for incubator participants (as well as TPRA Vendor Members) to respond to them. 9 Feedback & Improvement of Incubator Program From time to time, participants will receive surveys that request feedback on the Incubator Program. Responses will be used to continually enhance the program. 2 Start-Up Advisory Council Set up regular 1:1 meetings (most likely quarterly) with select practitioners (based on industry and company size) to provide program participants with feedback on their products/services. This can also assist with the incubator program participant figuring out their product market fit, target market, and product/service pitch. Can also assist with the participant better understanding if they are addressing their market’s TPRM pain points. TPRA to create a site for Practitioners to note TPRM pain points and/or note request for innovation. (Note: Can have the community vote on what they would like to see the most.) Incubator Participants would be able to access this list. 4 Network Opportunities TPRA will create network opportunities to introduce incubator program participants other program participants, practitioners, and other service providers. 6 Brand Awareness TPRA to note the incubator participant’s organization on the TPRA website (within Service Provider Profile), highlight the organization on LinkedIn, and note the organization as a spotlight within one of the TPRA’s quarterly newsletters. 8 Collaboration on Additional Resources In collaboration with TPRA, may participate in educational trainings, research, & content creation (such as blog posts, whitepapers, & videos). Inquire About Membership Heather Kadavy Senior Membership Success Coordinator heather.kadavy@tprassociation.org Follow on LinkedIn > TPRM Service Provider Membership Inquiry Complete this form if you are interested in one of TPRA's Service Provider Membership options (Vendor Membership, Incubator Program, Consultant Catalyst). Our team will reach out to you as soon as possible with further details on plan benefits and pricing. First name* Last name* Job Title* Organization* Email* Phone Which membership option are you interested in? Vendor Membership – For established TPRM Service Provider organizations (TPRM Platform, GRC Platform, Risk Rating/Intelligence Tool, TPRM Services, etc.). Incubator Program – For Start-Up TPRM Service Provider Organizations looking to gain insight, support, and promotion. Consultant Catalyst – For single, Independent Consultants or Boutique Advisory Firms specializing in third-party risk management services. Other Anything else we should know? Submit