Search Results

Navigating Ownership, Oversight, and Expertise in the Age of Artificial Intelligence  As artificial intelligence (AI) adoption accelerates across industries, organizations are grappling with a new challenge: where should AI risk management, and specifically AI-related Third Party Risk Management (TPRM), live within the enterprise?  While some organizations assign ownership to existing structures like IT, model risk management, or cybersecurity, others manage AI/TPRM through risk committees or distributed governance models.  However, as AI becomes embedded in everything from third party software to operational decision making, defining accountability and expertise is more critical than ever.  This blog explores the current state of organizational ownership of AI/TPRM, the challenges of fragmented accountability, and the evolving landscape of AI risk governance.  The Current Reality: Distributed Ownership, Fragmented Accountability  Most organizations are still in the early stages of formalizing how AI and third party risk intersect. The result is a patchwork of ownership that reflects historical structures rather than emerging needs.  Common Models of AI/TPRM Ownership:  Model Typical Owner Strengths Challenges IT Ownership CIO or Head of IT Deep technical knowledge; integration visibility Focused on enablement over risk; limited governance scope Cybersecurity Ownership CISO or Security Team Expertise in data protection, privacy and threat management May overlook model bias, ethics and performance risk Model Risk Management (MRM) CRO, Enterprise Risk or Finance Familiar with validation frameworks and model governance Not all AI tools qualify as “models”; hard to scale across third parties. Enterprise Risk Management Chief Risk Officer Holistic view of risk across functions May lack the technical fluency needed to assess AI-specific risks Governance Committee or AI Council Cross Functional Groups Encourages shared accountability Decision-making can be slow; unclear escalation or ownership paths In practice, AI/TPRM often lives everywhere and nowhere at all.   This distributed reality makes it difficult to establish clear accountability, consistent controls, or effective monitoring.   The Expertise Dilemma: Interest, Enthusiasm, and Illusion  AI governance has quickly attracted attention across business functions.  Within most organizations, there are three groups emerging:  The Interested:  Professional who wants to understand AI’s risk and opportunities but lack hands-on experience.  The Aspiring Expert:  Individual who follows AI trends and participates in governance conversations but may not yet grasp the nuances of model architecture or data provenance.  The Actual Experts:  Technologist, data scientist, and risk professionals who understand both the technical and ethical implications of AI.  The challenge is not a shortage of passion, it's a shortage of true multidisciplinary expertise.  AI/TPRM sits at the intersection of technology, ethics, and compliance, few individuals or departments are fluent in all three.  To close this gap, organizations must create intentional learning pathways and collaborative governance structures that balance subject matter expertise with enterprise risk accountability. Governance in Practice: Moving Towards a Federated Model  A leading practice emerging across industries is a federated governance model for AI and TPRM. This structure combines distributed ownership with centralized oversight.  Key Features of a Federated Model  Central Oversight Body  – An AI Risk or Governance Committee that sets policy standards, and reporting expectations.   Functional Ownership – Each business or function (e.g., IT, Cyber, Risk, Legal, Procurement, etc.) owns execution of AI/TPRM controls relevant to their domain.  Integration with TPRM – Third party due diligence processes are expanded to include AI-specific assessment covering model transparency, ethical design, data sourcing, and bias testing.  Continuous Monitoring – Establish ongoing oversight for AI-enabled third party tools, especially for evolving and retraining models.  This model encourages shared responsibility while ensuring decisions align with enterprise-level risk appetite and ethical standards.   A Practical Path Forward  Organizations can begin clarifying AI/TPRM ownership with the following steps:  Map Current Ownership – Identify where AI activities and risk currently reside(within IT, Cyber, Risk or elsewhere).  Establish an AI Governance Charter – Define roles, responsibilities, and decision rights for all AI-related risk activities, including third party AI vendors.  Integration of AI Risk into TPRM Frameworks – Update third party due diligence questionnaires/assessments and monitoring processes to include AI use, transparency, and data ethics.  Create a Skills Development Roadmap – Offer training that bridges the technical, operational and ethical dimension of AI risk.  Promote Transparency and Communication – Encourage open dialogue between those who “build”, those who “buy”, and those who “govern” AI.  Where AI/TPRM “lives” is not a static question, it's a reflection of how mature an organization is in managing emerging risk. Ownership will likely evolve over time, shifting from isolated functions to integrated governance models.   Ultimately, the goal isn’t to decide whether IT, Cyber, or Risk “owns” AI. It's to ensure that someone is accountable,  that the process is transparent, and decisions are made responsibly.  AI will continue to reshape third party risk management. Those who establish clarity of ownership today will be better equipped to manage the risks and seize the opportunities of tomorrow.  Author Bio Heather Kadavy Senior Membership Success Coordinator Heather Kadavy  joined the Third Party Risk Association (TPRA) in 2023 as the Senior Membership Success Coordinator. In recent year(s) Heather has been providing freelance TPRM consulting work to various organizations after retiring from a Nebraska financial institution after nearly 35 years where she oversaw and managed critical programs of the organization including Third Party Risk Management, Information Security, Physical Security, Safety, Business Recovery, Financial Crimes, Model Risk Management, and Enterprise Risk Management.  In her TPRM role she had oversight of over a thousand third party relationships, systems, due diligence reviews and contract management activities.  She developed, facilitated, and implemented training programs for thousands of employees over the years. Heather is a natural born connector of people and values relationship building at the cornerstone of her career.  She encourages you to connect with TPRA and herself via LinkedIn to join in the "TPRM Global Conversation".

In many Third Party Risk Management (TPRM) programs, contracts and service-level agreements (SLAs) are signed, filed, and then forgotten. That is, until a renewal deadline sneaks up, or a vendor fails to meet a critical performance standard, whereby no one can prove whether the vendor was or wasn’t held accountable.  If that sounds familiar, you’re not alone.  Contract and SLA management are two of the most underrated yet high-impact areas for TPRM automation. And the good news? You don’t need a massive system overhaul to start reaping the benefits.  Why Contract & SLA Monitoring Matters in TPRM  Contracts contain the DNA of your third party relationships. They note:  What services are being delivered  What controls are expected  When the agreement expires or renews  What happens if something goes wrong  If this information lives in static PDFs or folders, and relies on someone to remember key dates or terms, you’re exposing your organization to real risk. Such risks include, but are not limited to:  Missed renewals that may auto-renew unfavorable terms  SLA violations that go undetected and un-remediated  Unenforced obligations that weaken your risk posture  Automation can help solve this problem. And it doesn’t have to be complex.  What You Can Automate  Here are several key elements of contract and SLA management you can automate today:    1. Key Date Reminders  Renewal and termination notice deadlines  Compliance documentation expiry (e.g., updated SOC 2 required every 12 months)  Review cycles (e.g., quarterly performance check-ins)  Automation example:  Auto-alerts at 90/60/30 days before renewal, with owner assignment and status tracking.     2. Obligation Tracking  Ensure third parties deliver required evidence (e.g., updated pen test results)  Auto-track performance standards (e.g., response times, uptime, ticket resolution)  Flag when obligations aren’t met  Automation example:  Use automated tools to extract obligations from contracts and load them into a tracker that flags upcoming deliverables.     3. SLA Monitoring Integration  Link with operational data (e.g., help desk platforms, uptime monitors) to auto-validate whether SLA commitments are being met.  Set automated thresholds for escalation if a third party exceeds a defined limit (e.g., >3 late response tickets in a month).  Automation example:  When help desk tickets tied to a third party cross a certain age threshold, an alert is triggered to the TPRM team.  Real-World Example: Automating Renewal Notifications in a Mid-Sized Bank  A regional U.S. bank had thousands of third parties with contracts stored across multiple departments. Renewal dates were tracked in spreadsheets, and deadlines were frequently missed, resulting in automatic renewals that locked the organization into poor terms.  “We didn’t realize how often we were defaulting to auto-renewal until we missed our shot at renegotiating a major payment vendor,” the TPRM manager shared.   The team implemented a contract tracker tied to their TPRM tool that extracted and logged:  Contract expiration dates  Required notice periods  Assigned contract owners  Automated alerts were triggered on 90, 60, and 30 days before key dates, with color-coded status dashboards.  Impact:   100% of critical third party renewals reviewed on time  Saved ~$300K through renegotiated terms in Year 1  Improved coordination with Legal and Procurement  Getting Started: Tools You Can Use  You don’t need a custom platform to get going. Some automation options include:  GRC/TPRM platforms  with contract modules   Contract lifecycle tools  (e.g., Ironclad, LinkSquares, DocuSign CLM)  Workflows in MS365 or Google Workspace  using reminders and task lists  Low-code platforms like Airtable or Monday.com for custom trackers    Key Takeaways:  Contracts are a goldmine of risk and performance data. Don't let them sit untouched.  Automating reminders and tracking obligations keep your third parties accountable and your TPRM program compliant.  Start small: even a shared tracker with auto-reminders can reduce missed deadlines and drive savings.  Author Bio Heather Kadavy Senior Membership Success Coordinator Heather Kadavy  joined the Third Party Risk Association (TPRA) in 2023 as the Senior Membership Success Coordinator. In recent year(s) Heather has been providing freelance TPRM consulting work to various organizations after retiring from a Nebraska financial institution after nearly 35 years where she oversaw and managed critical programs of the organization including Third Party Risk Management, Information Security, Physical Security, Safety, Business Recovery, Financial Crimes, Model Risk Management, and Enterprise Risk Management.  In her TPRM role she had oversight of over a thousand third party relationships, systems, due diligence reviews and contract management activities.  She developed, facilitated, and implemented training programs for thousands of employees over the years. Heather is a natural born connector of people and values relationship building at the cornerstone of her career.  She encourages you to connect with TPRA and herself via LinkedIn to join in the "TPRM Global Conversation".

In the early morning of October 20, 2025, Amazon Web Services, the backbone of much of the modern internet, experienced a widespread outage in its Northern Virginia region. Within hours, popular apps, business platforms, and government services began to slow or fail. By evening, AWS reported that services were operating normally, with some backlogs clearing after that. This was not some minor hiccup. It took much of the day to resolve, and by the time systems steadied, the outage had already reminded everyone how deeply daily life depends on the same shared foundations.  The Impact  The outage originated in AWS’s US-EAST-1 region, which supports a significant portion of global cloud activity. That single region underpins countless tools and services used every day by businesses, governments, and consumers alike. Well-known platforms such as Zoom, Venmo, and Alexa saw interruptions, but the effects reached much farther than that.  For many organizations, the disruption was one step removed. Their own systems appeared stable, yet vendors or downstream providers that relied on AWS began to falter. Even companies with no direct contract felt the slowdown through partners and service integrations that quietly depend on the same infrastructure.  The Cause  AWS said the incident stemmed from DNS resolution issues that affected DynamoDB service endpoints in US-EAST-1, and they began mitigation after identifying the problem ( AWS update ). In parallel, traffic health checks did not behave as expected, which complicated rerouting and recovery. The combination created a chain of disruptions that took most of the day to unwind.  In short, one lookup broke, one database stalled, and everything built on top of them learned what “shared dependency” really means.   The Response  AWS posted regular updates, isolated the DNS issue, and restored service, with some queues taking longer to clear. By evening, operations were mostly normal.  AWS confirmed that the outage was not the result of a cyberattack  and said a detailed incident analysis would be released. The company’s updates through its status page and social channels provided transparency but were highly technical, which made it difficult for non-technical teams to interpret and share meaningful updates inside their organizations .   What This Illustrates About Concentration Risk  This was concentration risk in practice, too much dependency in one place. The AWS US-EAST-1 region is popular because it is large, efficient, and cost-effective. That popularity concentrates demand, which can magnify impact during an incident.  When multiple organizations and their vendors depend on the same region, a single problem can become a multi-industry event. Many companies that felt diversified discovered their vendors were sitting on the same underlying infrastructure.  What It Reveals About Fourth- and Nth-Party Risk  Even companies far removed from AWS saw disruptions. That is extended vendor risk, where your vendor’s vendor, or their vendor’s vendor, fails and causes impact for you.  A payment platform might use AWS directly, while your billing software depends on that platform. Your HR system’s analytics add-on might sit on AWS even if the core platform does not. The farther down the chain the issue occurs, the harder it is to see, yet the business effect is the same.  The Broader Lesson: Shared Infrastructure Means Shared Consequences  Cloud services and computing have made business faster and more connected. It has also made it interdependent. When one provider falters, entire industries can feel the shock.  Technical events become business events quickly. Disruptions affect customer access, transactions, revenue, and regulatory expectations. For TPRM programs, resilience is not about predicting every outage. It is about understanding dependency risk and being ready to respond calmly when it appears.  What TPRM Practitioners Should Be Doing Now  The AWS outage was a free stress test. Even if your organization stayed upright, it showed how much depends on a handful of cloud providers. Now it’s time to turn awareness into action.  1. Revisit your dependency map   Trace your direct, fourth-party, and nth-party exposure. You do not need to document every sub-vendor, but you should know where critical systems live and who connects them.  Review your direct vendors and note hosting provider and region.  Identify shared dependencies across your portfolio.  Flag any service that leans on a single region.  Share this with cybersecurity and IT partners to align contingency plans.    2. Strengthen collaboration between TPRM and Cybersecurity/Information Technology  When an outage hits, both perspectives are essential.  Cyber professionals (which may include the incident response team) focus on the how, root cause, technical exposure, and data integrity.  TPRM focuses on the so what, business impact, vendor accountability, and continuity of services.  Confirm with IT which systems can run from more than one location. Confirm with TPRM which vendors must maintain uptime and notify you. If this partnership is informal, formalize a simple workflow that defines who watches vendor status, how alerts move to business leaders, and who decides when to communicate with executives or customers.  3. Update due diligence and contracting  Bake resilience into every step of the vendor lifecycle.  During due diligence   Ask where systems are hosted, including backup regions.  Require disclosure of key sub-vendors such as cloud hosts and data processors.  Confirm that failover is tested and recent.  Check that downtime tolerance matches your business needs.  In contracts   Add notification timelines for incidents that affect your data or operations.  Require vendors to maintain and test continuity and disaster recovery plans on a regular basis (at least annually).  Define how credits or remedies apply during regional incidents.  Include data portability and exit terms so you can migrate if reliability declines.  For existing contracts, capture this through an addendum or vendor questionnaire. The goal is alignment between your expectations and actual capabilities.  4. Treat vendor resilience as an ongoing metric  Do not let resilience live in a one-time questionnaire.  Track uptime and incident response quarterly.  Watch how vendors communicate during industry-wide disruptions.  Follow up with any vendor that takes more than a business day to confirm whether they were affected.  Transparency and communication matter as much as uptime.  5. Bring the lesson to leadership  Executives and boards care about continuity, not DNS details. Use this event as a case study.  Keep it in business terms.  How long could you operate if your main region failed?  Which vendors share that region?  How long does recovery actually take in hours, not in theory?  Boards and regulators should already be asking about cloud concentration and systemic risk. Showing mapped dependencies and credible plans signals maturity and foresight.  Not Ready for All That Yet? Try This Instead  If your program is not ready for the full list above, start smaller. A one-hour tabletop can surface the most important gaps before you redesign your program.  A One-Hour Tabletop: “When the Cloud Falters”  Scenario:  Your most important customer-facing service is degraded for six hours because your cloud provider’s main region is down.  Prompts:   What fails first, and who notices?  Who owns communication with leadership and customers?  What do you tell executives in the first 30 minutes?  What data confirms whether the issue is internal or supplier-related?  If the outage lasts more than four hours, how do you continue operations?  When and how do you tell customers you are stable again?  What good looks like:   Clear ownership of communication and impact analysis.  Named roles for executive updates and recovery coordination.  A realistic recovery time, not a guess.  Two improvement items assigned for follow-up within 30 days.  Start here. Capture where confusion happens and what slows decisions. The results will show you where to strengthen communication, contracts, and coordination next.  Conclusion   The AWS outage was not just about downtime. It was about concentration risk and dependency, and how quietly it grows until something forces everyone to see it. What looked like one point of failure was really a network of shared reliance across vendors, industries, and geographies.  For TPRM professionals, the lesson is to stop treating concentration as abstract and start treating it as operational reality. Every vendor, every contract, and every dependency tells part of that story. The work ahead is not to eliminate risk, it is to ensure that when one link breaks, which it inevitably will, the rest of the chain holds.  Additional Resource Explore our certificate, Securing SaaS Applications: A Comprehensive Approach to Cloud Risk Management , which provides an in-depth look at evaluating and managing risks associated with cloud-based SaaS solutions. Author Bio Hilary Jewhurst Sr. Membership & Education Coordinator at TPRA Hilary Jewhurst  is a seasoned expert in third-party risk and risk operations, with nearly two decades of experience across financial services, fintech, and the nonprofit sector. She has built and scaled third-party risk programs from the ground up, designed enterprise-wide training initiatives, and developed widely respected content that helps organizations navigate regulatory complexity with clarity and confidence. Known for turning insight into action, Hilary’s thought leadership and educational work have become go-to resources for professionals looking to mature their TPRM programs. She regularly publishes articles, frameworks, and practical guides that break down complicated risk topics into meaningful, accessible strategies. Hilary recently joined the  Third Party Risk Association (TPRA)  as a staff member, supporting industry-wide education, peer learning, and advancing best practices. She is also the founder of  TPRM Success , a boutique consultancy that helps organizations strengthen their third-party risk management capabilities through targeted training, tools, and strategic guidance.

This page is dedicated to showcasing the inspiring Women Leaders and their stories. Our goal for this program is to highlight and learn from women leaders in the field of Third Party Risk Management (TPRM) throughout various industries. Back Women Lead Program Welcome to the Women In TPRM (WNTPRM) "Women Lead" Program! This page is dedicated to showcasing inspiring Women Leaders by highlighting their stories. Our goal for this program is to learn from and be inspired by women leaders in the field of Third Party Risk Management (TPRM) throughout various industries. If you know of an inspiring Leader you think should be featured by WNTPRM, complete the form linked below! Apply Now Leader Spotlights Corina Reymer AVP, Information Security The Walt Disney Company / Partners Federal Credit Union WNTPRM December 2025 Leader Spotlight December 1, 2025 Read More Erica Lane Sr. Security Analyst SPS Commerce WNTPRM September 2025 Leader Spotlight September 1, 2025 Read More Jill Zakarian Partnerships Manager Ncontracts WNTPRM July 2025 Leader Spotlight July 1, 2025 Read More Melissa Denman TPRM Lead Zoom WNTPRM November 2025 Leader Spotlight November 1, 2025 Read More Heather Vahovich Director Third Party Risk Management (TPRM) Novanta WNTPRM August 2025 Leader Spotlight August 20, 2025 Read More Kelsey Theroux Third Party Risk Analyst WNTPRM June 2025 Leader Spotlight June 1, 2025 Read More Oksana Zbyranyk Chief Compliance and Delivery Officer Truvo Cyber WNTPRM October 2025 Leader Spotlight October 1, 2025 Read More Hilda AndelizGomez VP. Enterprise Third Party Risk Performance Analyst Valley Bank WNTPRM August 2025 Leader Spotlight August 1, 2025 Read More Laura Valente Director, Compliance, Ethics & Regulatory Affairs (& Chief Privacy Officer) General Bank of Canada WNTPRM May 2025 Leader Spotlight May 1, 2025 Read More LOAD MORE

Learn about April Harrison, Sr. Director of Marketing & Communications for Trust Your Supplier, and TPRA's WNTPRM January 2026 Leader Spotlight. < See All < Previous Next > April Harrison Sr. Director of Marketing & Communications Trust Your Supplier Biography April Harrison is a B2B SaaS marketing leader with six years of experience helping organizations in procurement and third-party risk management (TPRM) connect big ideas to real customer value. At Trust Your Supplier, she built the marketing function from the ground up, launching campaigns, creating thought leadership, and designing onboarding experiences that made blockchain technology accessible and useful. Along the way, she’s introduced award-winning initiatives, produced an industry podcast, and brought together Fortune 500 leaders to collaborate on the future of supplier risk management. Colleagues describe April as adaptable, collaborative, and creative under pressure. She thrives on turning complex concepts into clear, compelling stories and building systems that make teams stronger and more efficient. Beyond her day-to-day work, she is passionate about advancing women's leadership in TPRM by sharing knowledge and lifting others up. Leadership Characteristics April has played a key role in shaping how third-party risk management is communicated and understood. At Trust Your Supplier, she doesn’t just run campaigns, she built the entire marketing function from scratch. Her work has amplified the company’s voice in the market, from increasing LinkedIn engagement by 400% to guiding product launches with clear, accessible messaging. She has also brought industry leaders together through governance boards and customer advisory groups, ensuring that innovation is informed by the voices of those on the front lines. Her leadership has been about creating connections, building trust, and showing what’s possible when collaboration is at the center. Leadership Challenges Like many in growing organizations, April has faced shifting priorities, leadership changes, and the challenge of building impact with limited resources. Rather than seeing these as setbacks, she treated them as opportunities to adapt and grow. By staying focused on the end goal, reaching new customers and helping customers succeed, she was able to pivot quickly, create new processes that brought clarity, and keep projects moving even when the path forward wasn’t always clear. These challenges strengthened her resilience and reinforced her belief that steady progress and collaboration matter more than perfection. Key Take-a-ways If there’s one message April would share with others in TPRM, it’s that clarity and connection make all the difference. Whether you’re explaining complex risk concepts to a customer, collaborating across functions, or mentoring a teammate, the ability to communicate clearly builds trust and accelerates progress. Her favorite part of working in TPRM is that it’s never just about technology, it’s about people coming together to solve problems, protect organizations, and build stronger partnerships. Fun Fact At her core, April is a teacher. She started her career as a preschool teacher and has spent the last eight years teaching group fitness classes. Whether it’s helping a child master a new skill, guiding a class through a workout, or mentoring a colleague at work, she loves creating spaces where people feel encouraged, capable, and supported.

Join the TPRM community at TPRA for expert resources, training, templates, and tools to strengthen your third party risk program and grow your network. Join the only not-for-profit, vendor-agnostic professional association uniting thousands of TPRM professionals worldwide. Furthering the profession of third party risk management through knowledge-sharing & networking. Learn More Join Now The all-in-one source for Third Party Risk Management (TPRM) tools, templates, training, networking, certifications & industry best practices. MEMBERSHIP CONNECT & DISCOVER Individuals & organizations working together to advance the industry. More > EDUCATION MEETINGS & TRAINING Certifications & training for risk professionals to advance their careers & enhance their programs. More > RESOURCES INFORMATION SHARING SITE White papers, templates, guidance & more to enhance your program. More > TOOLS & AUTOMATION EXPLORE & CONTACT Detailed profiles of trusted TPRM service provider organizations & their offerings. More > Advance Your Career in Risk Management: Learn About the Benefits of TPRA Membership > Practitioner Plans Standard: FREE Premium: $199/yr BENEFITS Member Meetings Interactive monthly calls to discuss a variety of third party risk topics decided upon by members. Conferences In-person and virtual conferences dedicated solely to third party risk topics. Networking Online interaction with your peers through membership forums and document databases. Industry-Specific Meetings Quarterly special interest calls based on your industry. Demos, Surveys, Webinars Access to third party risk management service provider demos, surveys, & webinars. Certifications TPRM professional certifications that establish credibility and demonstrate your commitment to mastering your skills and knowledge within the industry. Join Now Vendor Plans 4 available plans starting at $8,000/yr BENEFITS Priority & Discount Sponsorship Opportunities Be the first to sponsor conferences and receive discounted member rates, as well as priority positioning. Networking & Collaboration Attend monthly and quarterly meetings with TPRM practitioners and other service providers to network, collaborate, create resources, share insights, and more! Promotional Opportunities Work with the TPRA staff to communicate to Practitioner Members the your organization's webinars, surveys, demos, blog posts, and white papers. Advisory Councils Join our TPRM Service Provider Advisory Council, as well as other groups, dedicated to collaborating, sharing insights, and providing strategic guidance. Quarterly Updates Receive quarterly updates with industry innovators to collaborate on practitioner needs. Join Now Meetings Open to All Meetings Open to All Member Meetings & Events On-Demand Meetings Thursday, January 8, 2026 10:00 – 11:00 AM CT Panel: TPRA 2026 Kick-Off & TPRM State of the Industry Register > Tuesday, January 20, 2026 1:00 – 2:00 PM CT Women In TPRM Meeting Register > Tuesday, January 20, 2026 10:00 – 10:30 AM CT New & Potential Member Call Register > Thursday, February 12, 2026 10:00 – 11:00 AM CT Roundtable: Incident Response & Recovery in the Extended Enterprise Register > CONTACT US OUR INFORMATION Address: P.O. Box 824 Ankeny, Iowa 50021 USA Email: info@tprassociation.org For any general inquiries, please fill out the contact form. First name* Last name* Email* Subject Message* Yes, subscribe me to TPRA communications. Submit