
Search Results


Blog Posts (107)

  • Emerging Risks and Geopolitical Uncertainty | TPRM Exchange Podcast Episode 3

    In this episode of the TPRM Exchange Podcast, host Hilary Jewhurst sits down with Tracy Keeping, Founder of Steel Harbor Consulting and former risk executive at State Street, JPMorgan Chase, and Deutsche Bank, to explore one of the most pressing challenges facing third party risk programs today: geopolitical uncertainty.

    “Geopolitical uncertainty becomes a third party problem the moment it impacts operational decisions.”

    The conversation explores why traditional geopolitical risk assessments often fail to capture the speed and interconnectedness of these changes, and how organizations can move from passive visibility to active decision-making. Rather than treating geopolitical risk as a standalone category, Tracy explains how emerging conditions are exposing vulnerabilities hidden deep within vendor ecosystems, supply chains, cloud infrastructure, and subcontractor dependencies.

    “Geopolitical risk isn’t creating entirely new problems — it’s accelerating the risks organizations already have.”

    This episode is especially valuable for practitioners navigating:
    - Rapidly changing supplier and jurisdictional exposure
    - Escalating concentration and fourth-party risk
    - Executive pressure to make faster decisions with incomplete information
    - The growing gap between assessment cycles and real-world events
    - Governance and accountability challenges during periods of uncertainty

    Key Takeaway
    Geopolitical risk is no longer a static checkbox within a risk framework. It is a dynamic force accelerating existing vulnerabilities across third-party ecosystems. Organizations that succeed will be the ones that connect external events to operational decision-making in real time.

    About the Guest
    Tracy Keeping, Founder and CEO, Steel Harbor Consulting
    Tracy Keeping is the Founder of Steel Harbor Consulting and a former risk executive at State Street, JPMorgan Chase, and Deutsche Bank.

    📩 Have a topic idea? Email: pod@tprassociation.org

  • Emerging Risks and Geopolitical Uncertainty: What Leaders Should Be Paying Attention to Now

    I was pleased to be invited by Third Party Risk Association to attend April’s session on Emerging Risks and Geopolitical Uncertainty. The discussion reinforced how quickly the third party risk landscape is shifting and how interconnected these risks have become. AI, data sovereignty, supply chain realignment, cyber activity, financial stability, and operational resilience are no longer separate topics. They are converging. Across all of it, one message came through clearly: organizations need a more integrated and leadership-led response.

    AI is changing the landscape of third party risk

    AI is no longer a niche technology issue. It is reshaping how organizations approach vendor oversight, data governance, and cross-border exposure. A vendor that appears straightforward on paper often relies on multiple layers beneath the surface. A SaaS provider may depend on an AI engine, which in turn relies on foundation models and sub-processors across multiple jurisdictions. That means data is moving across countries and entities, often without full visibility. The implication is clear: organizations need to move beyond generic policy references. AI-specific due diligence, stronger contractual controls, and a clear understanding of data flows must now be foundational.

    Data sovereignty is now a live, operating issue

    Data sovereignty is becoming more complex, not less. It is no longer sufficient to know where a provider is headquartered. Organizations need to understand where data is stored, processed, accessed, and transferred across the full ecosystem of providers and infrastructure. The leadership question has shifted. It is no longer “Is the data protected?” It is “Can we clearly explain where our data is going and why?”

    Geopolitical fragmentation is reshaping supply chain risk

    Geopolitical tension is actively reshaping supply chains. Regional conflict, sanctions, trade tension, energy disruption, and concentration risk in sectors such as semiconductors and infrastructure are directly affecting resilience, pricing, and service continuity. Many organizations believe they have diversified. In reality, they have often redistributed risk. Third- and fourth-party dependencies remain a significant blind spot.

    Cyber activity is part of the operating environment

    Cyber risk continues to evolve in both scale and intent. The TPRA discussion highlighted activity targeting critical infrastructure, telecom providers, and software supply chains. This shift is important to note. This is no longer just about data loss. In some cases, threat actors are positioning themselves inside infrastructure to enable future disruption. This raises a critical question: how much visibility do you really have, not just into your vendors, but into the infrastructure they depend on?

    Financial stability still matters

    Financial stability remains a core risk factor, particularly in uncertain markets. Tariffs, energy pricing, and geopolitical instability are directly impacting vendor viability. This is especially relevant for smaller or newer providers where financial transparency may be limited. The practical question is straightforward: if a critical vendor failed tomorrow, could you transition? For many organizations, the answer is still no.

    Operational resilience is where this all comes together

    Operational resilience is no longer a standalone activity. It cannot be reduced to documentation or periodic assessments. It is shaped by:
    - Geographic concentration of vendors
    - Supply chain dependencies
    - Location of talent and engineering teams
    - Strength of contracts and communication protocols
    - The ability to respond effectively under pressure
    The session emphasized the importance of testing real-world scenarios, including third party failure and geopolitical disruption. This is where the leadership challenge becomes visible, because these issues do not sit in one function. They cut across legal, procurement, risk, cyber, compliance, operations, and executive decision making.

    What this means in practice

    If you are leading third party risk management today, focus on this:
    - Move beyond visibility to decision readiness. It is not enough to map vendors and dependencies. You need to understand how decisions will be made when something fails or is disrupted.
    - Define ownership across functions before pressure hits. Legal, procurement, risk, and the business often operate independently until there is an issue. Clarity on ownership and escalation paths needs to be established in advance.
    - Strengthen how you evidence decisions. Regulators and boards are increasingly focused on how decisions are made, not just the outcome. Document rationale, trade-offs, and accepted risk clearly.
    - Test your operating model under stress. Tabletop exercises should reflect real scenarios such as geopolitical disruption, vendor failure, or cyber events. Many frameworks work in a steady state but fail under pressure.
    - Reframe third party risk as an organization-wide issue. This is no longer a compliance exercise. It requires executive engagement, cross-functional coordination, and board-level visibility.

    Final reflection

    The environment is no longer stable enough for siloed responses. AI, geopolitical tension, supply chain concentration, cyber disruption, and vendor viability are intersecting in ways that increase pressure on decision making. Organizations do not need more frameworks. They need to be able to make and defend decisions under pressure. This is where leadership becomes the differentiator. My thanks again to Third Party Risk Association for the invitation and for convening such a timely discussion.

    Author Bio
    Tracy Keeping, Founder, Steel Harbor Consulting
    Tracy Keeping is the Founder of Steel Harbor Consulting, providing fractional executive leadership to organizations navigating governance, risk, and operational complexity. She works directly with CEOs and boards to drive decisions, execution, and defensible outcomes.

  • The TPRM Data Quality Problem No One Talks About.

    When the CFO asks "How many active suppliers do we have?" and you get three different answers from Procurement, Accounts Payable, and Legal, you don't have a TPRM problem. You have a data architecture problem.

    This scenario plays out more often than most organizations care to admit. Third-party risk management programs invest heavily in assessment tools, monitoring platforms, and automation workflows. But underneath all that technology sits a foundation that's often fractured: the supplier data itself. Multiple systems. Duplicate records. Conflicting information. Outdated details. No single source of truth.

    The result? TPRM teams spend enormous effort not managing risk, but managing data chaos. And that chaos creates real exposure that no amount of sophisticated tooling can fix.

    The Symptom Everyone Recognizes

    Ask any TPRM practitioner what consumes their time, and you'll hear familiar complaints:
    - "We discovered during an audit that the same supplier had three different risk tiers across our systems."
    - "IT says a vendor has admin access to our environment, but Procurement has no contract on file for them."
    - "Legal approved a supplier based on one set of financials, but Finance is seeing completely different numbers in their system."
    - "We can't tell auditors when we last assessed a critical supplier because the records are scattered across email, SharePoint, and two legacy platforms."
    These aren't edge cases. They're symptoms of a structural issue that undermines every TPRM initiative: fragmented supplier information.

    Why Data Quality Breaks Down

    TPRM data quality problems don't happen because teams are careless. They happen because of how organizations evolve:
    - Mergers and acquisitions bring together disparate systems, each with its own supplier database. Integration gets deprioritized, and suddenly the organization is operating with three "master" supplier lists.
    - Departmental silos mean Procurement tracks suppliers in an ERP, Compliance uses a GRC platform, IT maintains a separate vendor access registry, and Finance works from Accounts Payable records. Each system becomes authoritative for its domain, but none owns the complete picture.
    - Tool proliferation compounds the problem. Organizations add point solutions for vendor risk scoring, contract management, security assessments, and ESG tracking. Each creates its own data repository. Each requires manual updates. None integrate cleanly.
    - Spreadsheet workarounds emerge when systems don't talk to each other. Teams build Excel-based "integration layers" to bridge gaps. These spreadsheets become critical infrastructure, despite being fragile, error-prone, and impossible to audit.
    The result is predictable: data decays. Supplier information becomes stale the moment it's entered, because there's no mechanism to keep it current across all the places it lives.

    The Hidden Costs of Bad Data

    Poor data quality isn't just an operational annoyance. It creates genuine risk and measurable cost:
    - Failed audits and regulatory findings. When auditors ask for evidence of due diligence on critical suppliers, teams scramble to piece together documentation from multiple sources. Gaps appear. Inconsistencies raise questions. What should be a routine control verification becomes a finding.
    - Duplicate assessments and supplier fatigue. Without a unified view, different teams send overlapping questionnaires to the same supplier. The supplier receives three security assessments, two financial reviews, and four ESG questionnaires in the same quarter, all asking similar questions. Response rates drop and relationships deteriorate.
    - Slow incident response. When a supplier experiences a security incident or operational disruption, response speed matters. But if the first 30 minutes are spent identifying who owns the relationship, what data they access, and which business functions they support, the window for effective action closes.
    - Inaccurate risk aggregation. Executive dashboards show supplier risk metrics, but those metrics are only as good as the underlying data. If 40% of supplier records are incomplete or conflicting, leadership is making decisions based on fiction.
    - Blocked business velocity. Sales teams wait for supplier approvals. Procurement can't onboard vendors quickly because compliance workflows are stuck gathering basic information that should already exist. The TPRM program becomes a bottleneck, not because processes are broken, but because data is.

    How to Diagnose Your Data Quality Problem

    Master Data Management (MDM) is the discipline that addresses this, but before fixing data quality you need to measure it. Here's a practical framework for auditing your current state:

    Step 1: Map Where Supplier Data Lives
    List every system that stores supplier information. Don't limit this to "official" systems: include spreadsheets, accounting systems, SharePoint sites, and departmental databases. For each system, document:
    - Who maintains it
    - What data fields it contains
    - How often it's updated
    - Who relies on it for decisions
    Most organizations discover they have 6-10 systems touching supplier data, with no clear owner for ensuring consistency.

    Step 2: Test for Basic Accuracy
    Pick 20 critical suppliers at random. For each one, answer these questions:
    - How many records exist for this supplier across all systems?
    - Do the records show the same legal entity name?
    - Do they reflect the same address and contact information?
    - Is the risk tier or classification consistent?
    - Can you identify a single business owner?
    If you find significant discrepancies in more than 30% of your sample, you have a material data quality problem.

    Step 3: Measure "Time to Basic Information"
    Run this exercise: ask someone outside the TPRM team to answer basic questions about a supplier:
    - Is this supplier currently active?
    - What services do they provide?
    - When was their last risk assessment?
    - Who is the business owner?
    - Are they compliant with our requirements?
    Time how long it takes to get definitive answers. If it requires more than 5 minutes and multiple system lookups, your data architecture is creating friction.

    Step 4: Identify the "Data Conflict Rate"
    Pull supplier records from your three most-used systems. Compare key fields like risk tier, contract status, and last assessment date. Calculate the percentage of records where these fields conflict. A well-governed TPRM program should see conflict rates below 10%. Rates above 25% indicate systemic issues that automation alone won't fix.

    Building a Data Quality Remediation Roadmap

    Once you've diagnosed the problem, remediation follows a structured path:

    Phase 1: Establish a Single Source of Truth
    The first step is philosophical, not technical: decide where authoritative supplier data will live. This doesn't mean consolidating all systems into one platform immediately. It means designating one system as the "system of record" where the definitive version of core supplier information exists. Core fields typically include: legal entity name, primary contact, business owner, risk tier, criticality designation, contract status, and last assessment date. Other systems can maintain specialized data, but they should reference, not duplicate, the core record.

    Phase 2: Deduplicate and Consolidate
    Assign a team, or a subcontractor, to systematically merge duplicate supplier records. This is unglamorous work, but it's foundational. Start with critical and high-risk suppliers, then work down the tier list. Use a consistent methodology:
    - Identify the authoritative record (usually the most recent or most complete)
    - Merge data from other records, preserving any unique information
    - Document the consolidation in an audit log
    - Deprecate old records with clear redirects to the current one
    - Use a common identifier, such as the DUNS Number, as the matching key across systems

    Phase 3: Implement Data Governance
    Data quality doesn't maintain itself. Establish clear ownership and processes:
    - Assign a Data Steward role responsible for supplier data integrity
    - Define update workflows: who can modify core fields, and with what approval
    - Build quality checks into onboarding: new suppliers can't be activated with incomplete records
    - Schedule periodic reviews: quarterly audits of high-risk suppliers, annual reviews of the full population

    Phase 4: Automate Validation and Monitoring
    Once foundational data is clean, use technology to keep it that way:
    - Implement validation rules that prevent invalid or incomplete data entry
    - Set up alerts for data conflicts (e.g., if a supplier's risk tier changes in one system, flag it for review)
    - Use APIs to synchronize core data fields across systems rather than manual updates
    - Build dashboards that surface data quality metrics: completeness rates, staleness, conflict rates

    Why Technology Alone Won't Fix This

    It's tempting to believe that buying a new TPRM platform will solve data quality problems. It won't, at least not by itself. A new platform can provide better structure, more robust validation, and cleaner workflows. But if you migrate messy data into that new platform, you just have expensive, messy data. The organizations that succeed treat data quality as an organizational discipline, not a technology project. They invest in governance, assign clear ownership, and build data hygiene into their operational culture. Technology enables good data management. It doesn't create it.
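    The conflict-rate measurement in Step 4 and the Phase 2 consolidation rules (authoritative record, gap filling, audit log, redirects from deprecated records, a common key such as the DUNS Number) are mechanical enough to script. The following Python is an added example, not Aprovall's code or anything from the post: the three system exports are constructed in-memory samples, the field names (`duns`, `risk_tier`, `contract_status`, `last_assessment`, `updated`) are assumptions, "most recent" is taken from an assumed `updated` timestamp with completeness as the tiebreak, a missing value is treated as incompleteness rather than a conflict, and the rate is counted per supplier rather than per record.

```python
"""Supplier data-quality check: Step 4 conflict rate and Phase 2 golden-record merge.

Added example; not Aprovall's code. The three "system exports" below are
constructed samples, and every field name is an assumption for illustration.
"""
from collections import defaultdict
from datetime import date

# Constructed exports from three systems of the kind the post describes:
# ERP (Procurement), GRC (Compliance) and AP (Finance). Records for the same
# supplier are linked only by the DUNS number, never by the spelling of the name.
SYSTEMS = {
    "erp": [
        {"id": "ERP-1001", "duns": "123456789", "legal_name": "Acme Cloud Services Ltd",
         "risk_tier": "High", "contract_status": "Active",
         "last_assessment": date(2025, 11, 3), "updated": date(2026, 1, 15)},
        {"id": "ERP-1002", "duns": "987654321", "legal_name": "Northwind Logistics Inc",
         "risk_tier": "Medium", "contract_status": "Active",
         "last_assessment": None, "updated": date(2025, 9, 1)},
    ],
    "grc": [
        {"id": "GRC-77", "duns": "123456789", "legal_name": "ACME Cloud Services",
         "risk_tier": "Critical", "contract_status": "Active",
         "last_assessment": date(2026, 2, 10), "updated": date(2026, 2, 12)},
        {"id": "GRC-78", "duns": "987654321", "legal_name": "Northwind Logistics Inc",
         "risk_tier": "Medium", "contract_status": "Active",
         "last_assessment": date(2025, 6, 20), "updated": date(2025, 7, 2)},
    ],
    "ap": [
        {"id": "AP-5", "duns": "123456789", "legal_name": "Acme Cloud Services Ltd",
         "risk_tier": None, "contract_status": "Expired",
         "last_assessment": None, "updated": date(2024, 12, 1)},
        {"id": "AP-6", "duns": "987654321", "legal_name": "Northwind Logistics",
         "risk_tier": "Medium", "contract_status": "Active",
         "last_assessment": None, "updated": date(2025, 8, 30)},
    ],
}
CORE_FIELDS = ("risk_tier", "contract_status", "last_assessment")


def group_by_duns(systems):
    """Collect every (system, record) pair per supplier using the common key."""
    groups = defaultdict(list)
    for system, records in systems.items():
        for rec in records:
            groups[rec["duns"]].append((system, rec))
    return groups


def conflict_rate(systems, fields=CORE_FIELDS):
    """Step 4: fraction of suppliers whose core fields disagree between systems.
    A missing value is incompleteness, not a conflict, so None is ignored."""
    groups = group_by_duns(systems)
    conflicted = 0
    for recs in groups.values():
        if any(len({rec[f] for _, rec in recs if rec[f] is not None}) > 1 for f in fields):
            conflicted += 1
    return conflicted / len(groups) if groups else 0.0


def completeness(rec):
    """Number of populated core fields; used as the tiebreak when picking the survivor."""
    return sum(1 for f in CORE_FIELDS if rec[f] is not None)


def build_golden_records(systems):
    """Phase 2: pick the authoritative record (most recently updated, then most
    complete), fill its gaps from the others, log every decision, and map each
    deprecated record id to the surviving one."""
    golden, audit_log, redirects = {}, [], {}
    for duns, recs in group_by_duns(systems).items():
        ranked = sorted(recs, key=lambda sr: (sr[1]["updated"], completeness(sr[1])), reverse=True)
        (auth_sys, auth), others = ranked[0], ranked[1:]
        merged = dict(auth)
        merged["source"] = f"{auth_sys}:{auth['id']}"
        for sys_name, rec in others:
            ref = f"{sys_name}:{rec['id']}"
            for f in CORE_FIELDS:
                if rec[f] is None:
                    continue  # nothing to merge or to dispute
                if merged[f] is None:
                    merged[f] = rec[f]  # preserve unique information from the duplicate
                    audit_log.append(f"{duns}: filled {f}={rec[f]} from {ref}")
                elif rec[f] != merged[f]:
                    audit_log.append(f"{duns}: kept {f}={merged[f]} from {merged['source']}, dropped {rec[f]} from {ref}")
            redirects[ref] = merged["source"]  # deprecated record points at the survivor
        golden[duns] = merged
    return golden, audit_log, redirects


if __name__ == "__main__":
    print(f"conflict rate: {conflict_rate(SYSTEMS):.0%}")
    records, log, redirects = build_golden_records(SYSTEMS)
    for duns, rec in records.items():
        print(duns, rec["source"], {f: rec[f] for f in CORE_FIELDS})
    print("\n".join(log))
    print(redirects)
```

    On the constructed sample the conflict rate is 50%: Acme's risk tier, last assessment date and contract status disagree across systems, while Northwind is merely incomplete (two systems have no assessment date), which the merge resolves by filling the gap from the GRC record and logging that it did so. In a real run the exports would come from your three most-used systems and the thresholds in Step 4 (below 10%, above 25%) apply to the number this function returns.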
    The Strategic Advantage of Clean Data

    When TPRM teams solve their data quality problem, something remarkable happens: the program shifts from reactive to strategic. Instead of spending hours reconstructing basic supplier information during incidents, teams respond in minutes using reliable, current data. Instead of duplicating assessments across departments, cross-functional teams collaborate from a shared view of supplier risk. Instead of building executive reports manually, leadership gets real-time visibility into third-party exposure. Clean data doesn't just reduce friction; it becomes a competitive advantage. Organizations can onboard suppliers faster, make risk decisions with confidence, and demonstrate control to auditors and regulators without scrambling.

    Moving from Chaos to Clarity

    The TPRM data quality problem is solvable, but it requires acknowledging that it exists. Too many organizations layer sophisticated risk analytics and automation workflows on top of fragmented, unreliable supplier information, and then wonder why their programs underperform. The path forward starts with measurement: understand where your data lives, how accurate it is, and where conflicts arise. Then commit to remediation: consolidate, deduplicate, govern, and maintain. The work isn't glamorous, but it's foundational. Because every TPRM capability (risk assessment, continuous monitoring, incident response, regulatory reporting) depends on one fundamental requirement: knowing the truth about your third parties.

    Author Bio
    Emmanuel Poidevin, CEO and co-founder of Aprovall
    Emmanuel Poidevin is the CEO and co-founder of Aprovall, a TPRM platform serving 1,800+ organizations. Emmanuel leads Aprovall's vision to centralize supplier information, automate compliance workflows, and enable cross-functional risk management from a single system of record. Connect with Emmanuel on LinkedIn or learn more at www.aprovall.com.

    Aprovall provides a centralized TPRM platform designed to serve as a single system of record for third-party information, eliminating data fragmentation across procurement, compliance, legal, and risk teams. Organizations use Aprovall to establish data governance, automate validation, and maintain accuracy across the supplier lifecycle. To learn more about building a unified approach to third-party data management, visit www.aprovall.com.


Other Pages (369)

  • Demo Days | TPRA

    Join us for "Demo Days," where leading TPRM Service Providers showcase their solutions through 25-minute product demos tailored for TPRM practitioners.

    TPRM Tool Demo Days

    The Third Party Risk Association (TPRA) invites you to attend our quarterly "Demo Days," an exclusive opportunity for TPRM practitioners to explore innovative solutions from leading TPRM Service Providers. During these interactive sessions, vendors deliver 25-minute product demos showcasing their tools, technologies, and services designed to address the complex challenges of third party risk management programs. These virtual events allow practitioners to:
    - Gain insights into the latest TPRM innovations.
    - Connect directly with service providers to ask questions.
    - Compare tools and platforms to determine the best fit for their organization.
    Don't miss this opportunity to stay ahead in the evolving landscape of third party risk management. New service providers demo each quarter, so we encourage you to register for as many Demo Days as you're able!

    Tool Types

    Below you can find brief descriptions of the TPRM tools that will be showcased during these events.
    - TPRM Platform: A software system designed to manage Third-Party Risk Management (TPRM) programs, which involves identifying, assessing, mitigating, and monitoring risks associated with external companies that an organization works with.
    - Risk Ratings/Intelligence Tool: A system or software application used to evaluate and quantify the potential likelihood and severity of risks associated with a particular incident or investment, typically assigning a numerical rating to each risk to facilitate prioritization and decision-making within risk management processes.
    - GRC Platform: A software tool that tracks, monitors, and manages governance, risk, and compliance activities at the enterprise level. This tool usually encompasses more than one risk-related department and encourages risk management at the highest level for an organization.
    - TPRM Services: An organization that assists with the implementation of TPRM programs and/or the completion of due diligence activities. TPRM Service providers can determine the maturity of your program and enhance operational capabilities.

    Register for Upcoming Demo Days
    - Q3 Demo Day: Wednesday, August 19, 2026 at 2:00 PM UTC (6 hours)
    - Q4 Demo Day: Wednesday, October 21, 2026 at 2:00 PM UTC (6 hours)
    NOTE: TPRM Service Providers and their employees, affiliates, parent companies, etc. NOT participating in a demo are not allowed to register based on conflict of interest.
    Q1 2026 Lookbook

    Demo Day Agenda

    Please note that the below may feature presenters for multiple Demo Days. Demo Day times are subject to change depending on the number of demos per day. All scheduled times are in Central Time.

    Wednesday, May 13, 2026
    - 9:00 - 9:25 AM CT (Risk Ratings/Intelligence): With RiskRecon, you can build a scalable, third-party risk management program and realize dramatically better outcomes.
    - 9:30 - 9:55 AM CT (TPRM Platform): Lema.AI is the first Zero-Trust Third-Party Risk Management platform, enabling organizations to create a resilient third-party ecosystem that ensures business continuity and drives growth.
    - 10:00 - 10:25 AM CT (TPRM Platform): Certa’s Third Party OS is the digital backbone for managing your third party relationships across all risk domains and lifecycle stages.
    - 10:30 - 10:55 AM CT (TPRM Platform): Aravo drives operational excellence and measurable business outcomes with centralized third-party risk management.
    - 11:00 - 11:25 AM CT (TPRM Platform): OneTrust empowers you to collect, govern, and use data with complete visibility and control.
    - 11:30 - 11:55 AM CT (TPRM Platform): Coverbase automates 90% of third-party risk management using AI.
    - 12:00 - 12:55 PM CT: Lunch
    - 1:00 - 1:25 PM CT (TPRM Platform): Bitsight Third Party Risk Management is an end-to-end solution that includes continuous, data-driven, validated cyber risk insights and automated vendor assessment capabilities.
    - 1:30 - 1:55 PM CT (Risk Ratings/Intelligence): Supply Wisdom provides real-time, continuous risk intelligence across third parties and locations to help enterprises proactively manage operational, compliance, financial, cyber, location, ESG and Nth party risks.
    - 2:00 - 2:25 PM CT (TPRM Platform): Safe Security has redefined cyber risk measurement and management with its real-time, data-driven approach that empowers enterprise leaders, regulators, and cyber insurance carriers to understand cyber risk in an aggregated yet granular manner.
    - 2:30 - 2:55 PM CT: tekrisq, inc. was founded in 2021 to address technology risks at underserved SMBs (small and medium sized businesses).

    Interested in presenting a product demo? Please complete our Sponsor Information Form to start the process or contact Heather Kadavy, TPRA's Senior Membership Success Coordinator, at heather.kadavy@tprassociation.org to learn how to get involved!

  • TPRM JOBS | TPRA

    Explore jobs in third party risk management from organizations hiring TPRM professionals. New listings added regularly. Start your search today.

    TPRM Job Listings

    Searching for a TPRM-specific job? Check out the listings below from organizations looking for talented TPRM professionals!
    Note: TPRA reserves the right to remove any job listing for any reason and without communication to the contact.
    - Vertex Pharmaceuticals: Senior Director, Enterprise Third Party Risk; Boston, MA (Hybrid)
    - iCapital: Third Party Risk Specialist - Associate; Salt Lake City, UT
    - Raymond James: Manager, RJF Third Party Risk Management; St. Petersburg, FL
    - Vanguard: TPRM Strategy & Governance TPR Consultant; Malvern, PA (Hybrid)
    - OpenAI: Manager, TPRM (GTM); San Francisco, CA (Remote)
    - Simpson Thacher & Bartlett LLP: Senior Analyst, Third Party Security; New York, NY (Hybrid)
    - Robert Walters: Risk Manager (Data Protection); London, England
    - Stanley Black & Decker, Inc: Senior Director, IT Vendor Management; New Britain, CT (Hybrid or Remote)
    - Credit One Bank: Sr. Vendor Management Analyst; Las Vegas, NV (onsite)
    - Brown Brothers Harriman: Vendor Risk Management Compliance Analyst; Pittsburgh, PA (fully remote role, but to be eligible candidates must reside in the Central NY/Utica, Pittsburgh or Tampa area)
    - KeyBank: Operational Risk Analyst V - Third Party Management; Brooklyn, OH (Hybrid)
    - McKinsey & Company: Senior Manager, Third Party Risk Strategy; Miramar, FL

  • Opening Remarks | TPRA

    Opening Remarks

    The Third Party Risk Association (TPRA) was created out of a necessity to build a community of like-minded third party risk professionals to allow for the sharing of best practices, exchanging of ideas, and influencing of an industry. Our founders are practitioners who built their own third party risk programs within their respective organizations and were looking for a vendor-agnostic community that could help them elevate their programs. When they couldn't find one, they created one. What started as a roundtable between colleagues has turned into a community of thousands of practitioners and TPRM service providers worldwide, all working towards the same goal: sharing knowledge and furthering the industry of TPRM.
