Search Results

  • TPRA Leadership Ladders: The Benefits of Understanding & Utilizing Leadership Ladders in Career Progression

    “Emily was a mid-level manager in the risk management department of a major financial institution. One day, the company faced a significant challenge: a critical vendor experienced a data breach, exposing sensitive client information. The CEO tasked Emily with leading the Third Party Risk Management (TPRM) response team to address the crisis. Emily had handled vendor assessments before, but this situation required swift and decisive action. She quickly assembled a cross-functional team, including IT, legal, compliance, and communications experts. Emily knew that transparent communication and coordinated efforts were essential. She initiated daily briefings to keep everyone informed and aligned on the response strategy. Emily also reached out to the vendor, establishing an open line of communication to understand the breach's scope and implement immediate risk mitigation measures. Recognizing the need for long-term solutions, Emily led a thorough review of the company's TPRM framework. She identified gaps and proposed enhancements, such as more stringent vendor vetting processes and continuous monitoring systems. Her proactive approach not only mitigated the immediate risk but also strengthened the organization's overall TPRM program. The successful handling of the crisis and the subsequent improvements earned Emily high praise from senior leadership. Her ability to lead under pressure and implement effective risk management strategies led to her promotion to head of the TPRM division.”

    This anecdote highlights how taking charge in a TPRM crisis, fostering collaboration, and driving systemic improvements can propel career growth and demonstrate essential leadership qualities.

    TPRA’S LEADERSHIP LADDERS

    Originally developed by TPRA's Women in TPRM "Lead" work group, “Leadership Ladders” is a training activity designed for all current and aspiring leaders within the Third Party Risk Management (TPRM) industry. Each box on the slides and ladders-style game board is linked to a valuable resource, including customized guides, blogs, videos, quizzes, and more, with the goal of enhancing your leadership potential through buildable skills and expert insights. Any professional, regardless of what stage they're at in their career, can find value in this activity.

    “Leadership Ladders” involves focusing on the progression of leadership skills, traits, and responsibilities at different levels within an organization. It is a transformative experience that challenges you to evolve and grow.

    DIFFERENT LEADERSHIP LEVELS

    - Entry-Level Leadership: Focuses on the initial stage, key responsibilities, and essential skills (e.g., team leadership, basic project management).
    - Mid-Level Leadership: Covers the next stage, focusing on more complex responsibilities (e.g., departmental management, strategic planning).
    - Senior Leadership: Involves the traits and skills needed at the senior level (e.g., executive decision-making, vision setting).
    - Executive Leadership: Focuses on the top-tier leadership level, emphasizing overall organizational leadership and high-stakes decision-making.

    Each of these levels requires a new set of skills and understanding to meet its challenges, focusing on specific responsibilities and collaborative efforts. TPRA’s “Leadership Ladders” can assist with developing those skills no matter what level of leadership you are working towards.

    KEY CATEGORIES UNDER THE TPRA LEADERSHIP LADDERS

    - Core Competencies (Communication, Collaboration, Confidence, Cultivating Relationships, Coaching)
    - TPRM Lifecycle
    - Budgeting
    - HR Process Boundaries
    - Driving Strategy & Influencing Change
    - Navigating Executive Leadership Discussions
    - Crucial Conversations
    - Mentorship
    - Public Speaking & Getting Published

    LEADERSHIP LADDERS PLAY A CRUCIAL ROLE IN CAREER DEVELOPMENT FOR SEVERAL REASONS

    Structured Progression
    - Clear Pathways: Leadership Ladders provide a clear roadmap for career advancement, helping individuals understand the steps required to move up within an organization.
    - Goal Setting: They enable employees to set specific, achievable goals for their career progression, making it easier to track and measure success.

    Skill Development
    - Targeted Learning: Different levels on the Leadership Ladders require different skills. By understanding these levels, individuals can focus on developing the necessary skills for their current and next roles.
    - Continuous Improvement: Leadership Ladders encourage a mindset of continuous learning and improvement, essential for personal and professional growth.

    Increased Engagement and Retention
    - Motivation: Clear pathways for advancement can increase motivation and job satisfaction, as employees see tangible opportunities for growth.
    - Retention: Organizations with well-defined pathways to leadership often experience lower turnover rates, as employees are more likely to stay when they see potential for career advancement.

    Effective Succession Planning
    - Preparation for Leadership: Leadership Ladders help organizations identify and prepare future leaders, ensuring a smooth transition when current leaders retire or move on.
    - Consistency: They help maintain organizational continuity by ensuring that new leaders are well-prepared and aligned with the company's culture and values.

    Enhanced Organizational Performance
    - Better Leadership: As employees move up the ladder, they bring enhanced skills and experience to their roles, leading to more effective leadership and improved team performance.
    - Strategic Alignment: Leadership Ladders ensure that individuals at all levels understand and align with the organization's strategic goals, leading to more cohesive and focused efforts.

    Personal Growth and Fulfillment
    - Self-Awareness: Working through the Leadership Ladders activity requires self-assessment and reflection, helping individuals understand their strengths and areas for improvement.
    - Achievement: Successfully progressing through the Leadership Ladders activity provides a sense of accomplishment and personal fulfillment, contributing to overall well-being.

    Competitive Advantage
    - Attracting Talent: Organizations known for their strong leadership development programs are more attractive to top talent.
    - Market Positioning: Effective leadership at all levels enhances an organization's reputation and competitive positioning in the market.

    In summary, Leadership Ladders is great for both individuals and organizations. It provides a structured approach to career development, promoting skill growth, increased engagement, and retention. It can also assist with facilitating effective succession planning, enhance overall performance, and contribute to personal fulfillment. For organizations, Leadership Ladders are a key tool in building a robust leadership pipeline and maintaining a competitive edge.

    CHECK IT OUT

    We encourage you to assess your current leadership level and work towards the next. Have fun and expand your knowledge: https://www.tprassociation.org/leadership-ladders – play TPRA’s thought-provoking Leadership Ladders game, enriched with additional resources such as videos, interviews & quizzes, and whitepapers.

  • How Third-Party Risk Management Helps Combat Vendor AI Risk: Mitigating New Risks With Established Processes

    Artificial intelligence (AI) is everywhere, and it’s transforming the way we live and work. It’s rapidly revolutionizing industries with its potential to solve complex problems, enhance decision-making, and improve efficiency. As such, the integration of AI into many products and services offered by third-party vendors to organizations is also becoming more widespread, many times without the organization’s awareness.

    Understanding the Risks of Third-Party AI

    AI is an impressive technology, but it also comes with significant risks, especially when it’s integrated into vendor products or services. Let’s examine two of the most common risks of third-party AI usage:

    Data security and privacy – AI systems need a significant amount of data to function efficiently. Therefore, it’s essential to protect the data from theft and misuse. AI systems may access different types of data such as:
    - Customer/consumer information and personally identifiable information (PII): This includes addresses, driver's licenses, passports, family members, financial or health information, social media or web use data, shopping behaviors, and more.
    - Sensitive company data: This includes employee records, financial information, customer data, legal and compliance information, supply chain inventory, logistics, forecasting, and all types of intellectual property.

    Compliance and legal – It’s vital to understand there are significant legal and compliance concerns related to the use of data and other assets when they’re accessed and processed with AI. The use of AI in data processing may be subject to numerous laws and regulations, including:
    - Health Insurance Portability and Accountability Act (HIPAA)
    - Children's Online Privacy Protection Act (COPPA)
    - Gramm-Leach-Bliley Act (GLBA)
    - Electronic Communications Privacy Act (ECPA)
    - California Consumer Privacy Act (CCPA)
    - Numerous state privacy laws

    Additionally, there’s a risk of violating permissible use requirements that prevent out-of-context, unrelated, or unfair use of data.

    While these are two significant risks associated with AI, they’re not the only ones. Ethical risks, including bias and fairness, require attention, as do algorithm transparency, financial risk, and intellectual property risks. As AI technology becomes more widespread, the risks associated with it are also expanding.

    Identifying AI Risk in Your Third-Party Vendor Portfolio

    You likely have third parties who are currently using AI in their products and services. If you haven't done so already, it’s important to identify these third-party vendors and assess the specific AI risks they pose to your organization and customers.

    It's crucial to update your third-party risk management (TPRM) framework and tools to include AI risks. However, many TPRM programs haven’t incorporated AI risks, and it’s important to address this issue now.

    A practical, two-prong approach can ensure you’re identifying existing third-party AI risks and building the infrastructure to properly assess and mitigate them:

    Getting started – Develop a short questionnaire to help identify the products and services utilizing AI. Here are three suggested questions that can provide a wealth of information:
    - Has AI technology been used in the research, development, or production of any of your products or services? It's worth noting that different types of AI carry different levels of risk. For instance, a vendor might use image recognition for research purposes, generative AI to create a system that interacts with customers directly, such as a chatbot, or machine learning to identify fraud across a series of transactions.
    - Are there any plans to incorporate AI in your products, services, or operations? It's crucial to consider that your third-party vendor's adoption of AI can significantly impact your organization, even if they aren't using it today.
    - Do you have any policies on employee use of AI? Inquire whether your third-party vendor has any limitations or prohibitions regarding workers' usage of AI for work-related assignments. With the increasing popularity of generative AI systems such as ChatGPT, it’s essential to understand how your vendor is supervising the use of such technologies among their employees, especially if the AI-based service uses the data input to train its model.

    Begin with your critical and high-risk vendors and work your way down the list. This simple approach can help you determine where additional due diligence and risk reviews are needed.

    Updating your TPRM framework – It's not enough to identify third-party vendors with AI; you’ll also need proper tools and processes to ensure they have adequate AI risk management practices and controls, and that risks are well-managed and monitored throughout the contract. This means incorporating AI risk across your entire TPRM framework. Here are key areas to review and update:
    - Incorporate AI-related questions in the inherent risk assessment
    - Update vendor questionnaires to include AI-related questions
    - Identify the types of due diligence documentation you’ll request as evidence of AI controls
    - Review and update standard contract language to address AI risks
    - Consider how AI will be factored into third-party performance monitoring and management
    - Consider how AI will be factored into third-party risk monitoring
    - Update governance documentation
    - Evaluate stakeholder education and collaboration

    Note: Don’t overlook this important consideration! It’s crucial to update your TPRM processes and tools with a sense of urgency. However, it should be noted that AI isn’t yet as well understood as other established risk domains. Even experienced TPRM professionals may face unique challenges when dealing with AI, which could lead to delays, rework or, in the worst case, ineffective risk identification, assessment, and management.

    To help prevent these AI challenges and issues, your organization should find and work with a qualified AI subject matter expert who can guide you through the process of updating the TPRM framework. This expert can help determine the right questions to ask on a vendor risk questionnaire, identify the appropriate due diligence documents, and provide ongoing support for vendor risk reviews. If you don't have access to this expertise within your organization, you may need to engage external resources or consultants.

    By taking this simple approach, your organization can begin to identify vendor AI usage and start taking steps to mitigate the risks. This will leave your organization in a safer, more prepared position.

  • Unveiling the Power of Conferences: The Impact of Conferences on Industry Insights and Innovation

    With our 2024 in-person conference just around the corner, Third Party Risk Association (TPRA) would like to share the wide array of benefits which come from attending an industry-specific conference. In the ever-evolving landscape of professional development and networking, conferences stand out as vibrant hubs for knowledge exchange, innovation, and collaboration. Throughout this five-part blog series, we will delve into the multifaceted advantages that conferences offer. Each installment will explore a different facet of how conferences empower individuals and organizations alike.

    Today’s blog focuses on the Impact of Conferences on Industry Insight & Innovation. It highlights how these events provide a platform for professionals to engage with peers and leaders in exchanging research, trends, and innovative ideas. Attendees benefit from interactive sessions, panel discussions, and networking events, gaining insights that fuel forward-thinking strategies. This blog will explore how attendees can maximize these opportunities for staying updated, engaging with industry leaders, and contributing to their respective fields' growth.

    Embracing Technology, Trends, & Research

    Conferences are a conduit for collaboration on emerging risks, solving TPRM challenges, and working together on new and innovative approaches to mitigate third party risk. These interactions not only deepen individual knowledge, but also contribute to industry growth and development by promoting innovation and shaping future techniques. Attending the Third Party Risk Madness conference will help you stay updated on the latest advancements in technology and industry trends. With 56 total sessions spread over 4 days, including three keynote speakers, 12 roundtables, and four demo sessions, you can gain insights from knowledgeable industry professionals. Participate in sessions on technology and emerging risks, engage with industry leaders during networking events and roundtable sessions, and follow up with speakers and attendees post-conference for further discussions and insights.

    Following a conference, thank speakers and attendees for their insights, follow up through email or social media, share thoughts on their presentations, ask about available resources, and offer to connect via coffee meetups, virtual discussions, or collaborative projects to strengthen relationships and foster knowledge sharing. This ensures that conversations don’t stop with the conference, and that you, as a practitioner, can further develop ideas discussed at the event and work to implement new TPRM strategies.

    Conference materials can be a great resource for deepening your understanding of the topics covered. They allow you to avoid re-creating the wheel and to implement strategies and processes that have worked for others. They can also validate mature processes your organization has in place, thereby adding credibility to your program.

    Before attending a conference, conduct thorough research to understand the latest research findings and emerging trends the conference may be addressing. Explore publications, industry reports, and articles to understand the current landscape and find key topics, challenges, and innovations to discuss. Bring those thoughts, ideas, and questions to the conference and actively participate in conversations during presentations and roundtables. Also come with pain points and questions from your own program to benchmark against fellow peers in similar situations.

    Professional Development

    Conferences offer professional development opportunities to enhance attendees' skills, knowledge, and capabilities. Workshops and training sessions cover emerging technologies, best practices, and industry-specific regulations. Networking opportunities promote mentorship, knowledge sharing, and learning, allowing attendees to broaden their perspectives and gain insight from experienced professionals.

    Take notes during sessions to capture key insights, ideas, and strategies shared by speakers and panelists that you do not want to forget. Use these notes to transform concepts into plans, drive change within your organization, and start discussions about innovative TPRM approaches. Oftentimes, an idea from a conference can influence your perspective on processes and activities within your organization.

    Use networking breaks and social events to set up connections with industry peers, potential mentors, and collaborators. As we discussed in our last blog, networking is the best way to connect with fellow attendees and collaborate with industry peers. Make sure to take advantage of opportunities such as networking events and lunchtime meetups to foster conversations that could lead to future partnerships.

    Conclusion

    Attending conferences like our very own Third Party Risk Madness provides opportunities for professional growth and networking. Attendees can stay updated on technological advancements and engage in discussions with industry leaders. Post-conference follow-ups allow for collaborations. Conference materials promote understanding, particularly in Third Party Risk Management, pushing for deeper exploration. Networking breaks allow connections with professionals, mentors, and potential collaborators, paving the way for future partnerships. Prior to attending the conference, research emerging trends to ensure active participation and meaningful contributions.

    Join us at Third Party Risk Madness – where basketball, business, and TPRM unite for an epic showdown of innovation and success. Dribble your way to victory in Phoenix, Arizona, on April 9-12, 2024! Secure your court-side seat and take advantage of exclusive offers here. Hurry, space is limited, and you won't want to be left on the bench for this thrilling event.

  • Unveiling the Power of Conferences: How Networking at Conferences Propel Professional Relationships

    With our 2024 in-person conference just around the corner, TPRA would like to share the wide array of benefits which come from attending an industry-specific conference. In the ever-evolving landscape of professional development and networking, conferences stand out as vibrant hubs for knowledge exchange, innovation, and collaboration. Throughout this five-part blog series, we will delve into the multifaceted advantages that conferences offer. Each installment will explore a different facet of how conferences empower individuals and organizations alike.

    Today’s blog will highlight the notable benefit of NETWORKING in conference settings, including sharing industry insights & trends, building connections, and participating in collaborative forums, as well as some tips for enhancing your networking skills at conferences.

    Learn from industry experts: Within a networking environment like a conference, you can discuss a wide variety of topics with industry experts and peers. This allows you to gain a deeper understanding of your particular area of interest. It can also expand your horizons with new conversation topics by interacting with established and seasoned industry professionals within, or even outside of, your field.

    Attending conferences provides a special chance to network with peers and fellow industry professionals in an in-person setting. Engaging and participating in activities offered such as panels, roundtables, and in-house networking events provides you with valuable knowledge and understanding not regularly gained from an online setting. By simply talking to other seasoned professionals and tapping into their knowledge and expertise, you are able to gain a more in-depth understanding of new technological innovations, industry trends, and best practices. Through these interactions, you can evaluate ideas, deepen your knowledge base, and get access to expertise and information that is not typically available through conventional channels.

    Building meaningful connections: Professionals from various organizations, backgrounds, and positions come together at conferences, which results in the perfect setting for building deep connections. Whether it is during a special networking event, a roundtable, or even just a coffee break, conferences offer a plethora of networking opportunities. During these opportunities, you are able to build potential connections, partnerships, and collaborations by striking up conversations and exchanging contact details. These relationships grow your professional network and offer a helping hand in overcoming current challenges, as chances are that someone else has already gone through what you are going through.

    “Networking is so important for any professional and is how TPRA was founded,” Julie Gaiaschi, CEO & Co-Founder of the Third Party Risk Association, said. “I met my former partner at a TPRM-related conference. He was a speaker and after his presentation, I went up to him to ask him questions as it relates to developing a new TPRM program. The discussion turned into benchmarking sessions over Zoom. I then said if we have these questions, others do as well. Thus started a roundtable that turned into TPRA. At the time, I had no idea what that conversation would lead to. So often I hear from others how networking has led to a career opportunity, a program enhancement, or a personal opportunity.”

    Conference networking makes it possible to create lasting relationships that go beyond the mere exchange of business cards and LinkedIn connections. These relationships act as a basis of support, providing motivation, guidance, and useful knowledge that promotes both professional and personal development. By dedicating time and energy to developing these connections, conference goers create the basis for collaborative projects, shared knowledge, and ongoing relationships that strengthen their careers and personal lives.

    Exploring Collaborative Opportunities

    Among the main advantages of networking at conferences is the chance to explore collaborative efforts with peers and business associates. Conferences serve as a nurturing environment for creativity and cooperation, creating settings in which concepts can be exchanged, improved upon, and cooperatively carried out. You might find opportunities for collaboration on joint research projects or business ventures with other practitioners through discussions, brainstorming sessions, and informal interactions. Conference discussions have the power to push innovation, advance your industry, and leave a lasting impression.

    Keeping Up With Industry Trends

    Keeping up with industry trends and developments is crucial for professional development and organizational success in today's rapidly shifting business landscape. Attending conferences offers networking opportunities that give you a firsthand look at the newest developments in technology, industry trends, and changes in laws and regulations. Through talks with key individuals, attending keynote discussions, and taking part in sessions specific to your industry, you can learn a great deal about the opportunities and problems that are new to your field. You can use this knowledge to position your organization and yourself for future success by preparing for changes in the market and adjusting your strategies accordingly.

    Here are some additional tips for enhancing your networking skills:
    - Set Objectives: Establish your networking objectives before you go to the conference. Think through your goals, whether they involve expanding your professional network, looking for collaborative opportunities, or learning about the latest market developments.
    - Do Your Research: Prior to the conference, spend some time learning about the panelists, speakers, and other attendees. Learn about their professional backgrounds, accomplishments, and areas of specialization to find common ground and possible conversation starters.
    - Don't Be Afraid To Initiate The Conversation: Instead of waiting for a professional to approach you, strike up a conversation with other attendees. During meals, breaks, or networking events, approach people and introduce yourself with confidence. Utilize networking games and activities provided by the hosting organization as a jumping-off point for striking up conversations. These games are designed to encourage discussion and create a platform for attendees to interact with each other in meaningful ways, so take advantage of them.
    - Attend The In-House Networking Events: Take advantage of the social events, receptions, and networking opportunities that are planned as part of the conference schedule. Our upcoming conference features two all-attendee networking events, plus additional invite-only events for select attendees! These casual settings offer incredible opportunities to establish stronger connections, share contact details, and engage with peers.
    - Use Social Media: Make use of social media sites like Instagram, X (formerly known as Twitter), and LinkedIn to expand your professional network outside of the conference room. Engage online with other attendees and share thoughts, pictures, and highlights from the conference.
    - Follow Up: Follow up with people you met at the conference to stay in touch and keep the conversation going even after the event ends. Send personalized emails thanking the recipient for their time while offering ideas for future collaboration or interactions.

    Attending conferences provides plenty of networking opportunities, such as access to industry knowledge, opportunities to form close relationships, a look into collaboration possibilities, and staying up to date on industry developments. Participating in networking activities during conferences can help you build a larger professional network, acquire valuable insight, and establish yourself as an expert in your field. As you prepare for your next conference, take advantage of the opportunities for networking and collaboration, and don't pass up the chance to grow both yourself professionally and your company's success.

    And where better to use your new networking skills than at TPRA’s very own Third Party Risk Madness conference! Join us at Third Party Risk Madness – where basketball, business, and TPRM unite for an epic showdown of innovation and success. Dribble your way to victory in Phoenix, Arizona, on April 9-12, 2024! Secure your court-side seat and take advantage of exclusive offers. Hurry, space is limited, and you won't want to be left on the bench for this thrilling event. Our discounted hotel room block ends on March 11th.

  • Significant Third-Party Risk Events and Lessons for 2024

    By Hilary Jewhurst, Head of Third-Party Risk Education & Advocacy at Venminder

    This past year was an eventful one for the third-party risk management (TPRM) industry. New headlines seemed to appear each month that brought attention to third-party risk, whether it was a significant cybersecurity event, like the MOVEit data breach, or the ongoing discussion of the potential risks and rewards of artificial intelligence (AI). The mid-year release of the Interagency Guidance on Third-Party Relationships: Risk Management was perhaps the most obvious reminder of the increased regulatory focus on TPRM. We’re going to review some of the lessons learned from the past year’s events and look forward to some best practices for 2024.

    Significant TPRM Events of 2023 and Lessons for 2024

    The following list of events highlights a few TPRM trends that are worth exploring in greater detail. Although we can’t predict what 2024 will bring, TPRM leaders can stay informed of these trends and determine how to implement these best practices into their programs.

    - Release of Interagency Guidance on Third-Party Relationships: Risk Management – The OCC, FDIC, and Federal Reserve released the final guidance in June, which brought a unified approach to TPRM best practices. The guidance offers a clear framework for how an organization should manage its third-party relationships, such as identifying critical and high-risk vendors and having awareness of subcontractors that can elevate risk.
    - MOVEit Data Breach – Thousands of organizations in the U.S. and abroad were impacted by the MOVEit data breach, either from using the software directly or being indirectly exposed to it through a third- or fourth-party vendor. The situation unfolded in June, but victims are still coming forward months later, indicating that this incident may not be resolved anytime soon.
    - Emerging Risks of AI – As AI continues to evolve with new possibilities, many experts are reminding business leaders to acknowledge the potential risks such as data manipulation and hard-to-detect automated cyberattacks. Because AI is changing so quickly, the Biden administration even released an executive order to promote new standards for the safe and secure use of this technology.

    TPRM continues to be a growing topic and 2024 will no doubt bring new regulatory expectations that will influence best practices across all industries. Third-party cyberattacks and data breaches will likely continue to grow in complexity and occurrence, so it’s important to have a strategy in place to respond and limit their impact to your organization. Staying aware of new risks and industry trends will help protect your organization as we head into a new year.

  • SPARK Matrix Notes Several TPRA Vendor Members on their 2023 VRM List

    By: Heather Kadavy, Sr. Membership Success Coordinator for TPRA In the ever-evolving landscape of Third Party Risk Management (TPRM), sometimes called Vendor Risk Management (VRM), staying ahead of the game is crucial. One tool that has gained recognition and attention in recent times is the SPARK Matrix™, an assessment and ranking framework. About the SPARK Matrix™ The SPARK Matrix™ includes, but is not limited to: 1.      Informed Decision-Making : One of the primary benefits of the SPARK Matrix™ is its ability to provide organizations with a benchmark for selecting VRM solutions. With the complexities of vendor-related risks growing, it is crucial to have a standardized framework for evaluating the available options. The SPARK Matrix™ facilitates informed decision-making by comparing capabilities, features, and performance across different solutions. 2.      Risk Mitigation : Effective VRM is all about identifying and mitigating risks associated with third party vendors. The SPARK Matrix™ helps organizations to understand the landscape of VRM solutions and their capabilities, allowing them to tailor their risk mitigation strategies effectively. It can be a valuable tool for staying proactive in the face of evolving risks. 3.      Regulatory Alignment : As regulations around data protection and privacy evolve, it is essential for VRM solutions to stay aligned with these changing requirements. The SPARK Matrix™ assesses the level of alignment with regulations, reducing the risk of non-compliance and associated penalties. This is particularly crucial for organizations handling sensitive data.   Congratulations to Our TPRM Vendor Members Noted on the Matrix We would like to extend our warmest congratulations to TPRA's current Vendor Members who were recognized in the SPARK Matrix™: Vendor Risk Management (VRM), 2023 . 
These companies (listed below in alphabetical order) have demonstrated their commitment to excellence and innovation in the TPRM space:

- Aravo Solutions: has consistently been at the forefront of TPRM innovation, offering robust solutions to manage third-party risks effectively.
- Ncontracts: has been a valuable partner in helping organizations streamline their vendor management processes and mitigate risks.
- OneTrust: is known for its comprehensive privacy, security, and third-party risk management solutions, which align with the evolving regulatory landscape.
- ProcessUnity: its integrated risk and compliance management solutions continue to empower organizations to proactively manage vendor risks.
- Venminder: its dedication to third party risk management has been unwavering, providing organizations with tools and expertise to enhance their TPRM programs.

What Sets VRM Groups Apart?

The SPARK Matrix™ is an assessment and ranking framework designed to evaluate and rank Vendor Risk Management (VRM) solutions based on numerous factors, including capabilities, features, and performance. It aims to provide organizations with a benchmark for selecting the most suitable VRM solution for their unique requirements. While the SPARK Matrix™ is a valuable resource, we want to emphasize that it does not represent a comprehensive list of all TPRM vendors in the market. Instead, it reflects those vendors who participated in the evaluation process. The TPRM landscape is diverse and continually evolving, with numerous vendors offering specialized solutions to meet the unique needs of different organizations. Therefore, it is crucial that TPRM teams look for competitive factors and differentiators when evaluating potential technology partnerships:

1. Tailored Solutions: Exceptional VRM groups recognize that one size does not fit all. They offer tailored solutions that align with the specific needs and risk profiles of their clients. Customization and flexibility are key.
  - End to End Vendor Lifecycle Management: to enable cost optimization, operational excellence, and growth through vendor selection, contract negotiation, vendor onboarding, and continuous monitoring of vendor performance and risk management.
  - Issue & Incident Management: to enable the identification, assessment, and resolution of issues or incidents with third party vendors, maintaining the security, compliance, and reliability of the vendor relationships.
  - Compliance with Laws & Regulations: to keep organizations aligned with changing regulations and ensure that vendors comply with applicable laws and industry standards [e.g., cloud computing, APIs (Application Programming Interface), RPA (robotic process automation), cognitive automation, big data analytics, blockchains, etc.].
  - Reporting, Dashboarding & Analytics: to provide comprehensive reporting, visualization, and analytics capabilities to business owners, risk committees, executive management, and/or an organization’s board of directors. These powerful visualizations are derived from deep insights and assist leadership in making informed business decisions.

2. Continuous Innovation: Stagnation is the enemy of progress. The best VRM groups are constantly innovating, integrating automation, AI (artificial intelligence), and emerging technologies to improve the efficiency and effectiveness of their solutions.

3. Proactive Risk Monitoring: The ability to proactively identify and mitigate risks is a significant differentiator. VRM groups that offer real-time monitoring and alerts are better equipped to tackle the dynamic nature of vendor-related risks.

4. Scalability and Adaptability: The ability to scale and adapt to an organization's evolving needs is another distinguishing factor. VRM groups that offer scalability and flexibility ensure that their solutions grow with the businesses they serve.
TPRM teams should take note of the Technology Excellence and Customer Impact factors that each market participant was analyzed against when designing their own TPRM service provider analysis components:

Technology Excellence:
- Vendor Lifecycle Management: Ability to handle the end-to-end vendor lifecycle management process.
- Risk Scoring and Assessment: Evaluate and quantify potential risks associated with vendors.
- Usability: Quality of a product or system in terms of how easy it is to use, learn, and navigate.
- Continuous Monitoring and Remediation: Actively monitor and respond to events and issues as they occur.
- SLA (Service Level Agreement) & Performance Monitoring: Outlines the level of service expected, the metrics used to measure performance, and the consequences for not meeting the agreed-upon standards.
- Configurability and Scalability: Ability of a system or software to be easily customized or configured, and to scale to meet specific requirements without requiring extensive changes.
- Dashboarding, Reporting and Analytics: Insights into various aspects of the business, customer behavior, and performance.
- Workflow and Process Automation: Automate and streamline manual tasks and processes.
- Integration & Interoperability: Ease of integration with other internal modules and API-based integration with third-party data providers and partners; extent of interoperability with third party partners.
- Competition Differentiation: What sets the product apart from its competitors and gives it a competitive advantage in the marketplace.
- Vision & Roadmap: To what extent does the product vision align with its buyers’ needs in terms of acquiring, satisfying, and retaining customers? Does the vision promote a strong focus on the customer and a positive customer experience? How well does the vision align with current and future customer preferences? Does the company have a clear plan in place for implementing its vision through product improvements, innovation, and partnerships within the next year? Does the company possess the necessary resources and abilities to accomplish its planned roadmap?

Customer Impact:
- Product Strategy & Performance: Evaluation of multiple aspects of product strategy and performance in terms of product availability, price-to-performance ratio, excellence in GTM (go-to-market) strategy, and other product-specific parameters.
- Market Presence: The ability to demonstrate revenue, client base, and market growth, along with a presence in various geographical regions and industry verticals.
- Proven Record: Evaluation of the existing client base across the SMB, mid-market, and large enterprise segments, growth rate, and analysis of customer case studies.
- Ease of Deployment & Use: The ability to provide a superior deployment experience to clients, supporting flexible deployment, or to demonstrate a superior purchase, implementation, and usage experience. Additionally, vendors’ products are analyzed for a user-friendly UI and ownership experience.
- Customer Service Excellence: The ability to demonstrate the vendor's capability to provide a range of professional services, from consulting to training and support. Additionally, the company’s service partner strategy or system integration capability across geographical regions is also considered.
- Unique Value Proposition: The ability to demonstrate unique differentiators driven by ongoing industry trends, industry convergence, technology innovation, and the like.

Trust the Data, Verify the Path Forward

In an era where data reigns supreme, the SPARK Matrix™ provides TPRM practitioners with a compass for navigating the intricate vendor landscape. The insights derived from this research empower practitioners to make informed decisions, ensuring that the partnerships they forge are not just built on trust but are also fortified by a robust verification process. Empowered by this, the practitioner is now responsible for practicing their risk management skills when leading their organizations forward.
Resources:
- TPRA’s TPRM Tools List: https://www.tprassociation.org/tprm-vendor-list
- TPRA’s Service Provider Profiles: https://www.tprassociation.org/service-provider-profile
- SPARK Matrix™ Domain Link: https://quadrant-solutions.com/
- SPARK Matrix™ Link to the Report (Payment Required): https://quadrant-solutions.com/market-research/spark-matrix-vendor-risk-management-vrm-q4-2023-2990

Note: SPARK Matrix™ is NOT sponsored by TPRA.

  • How Continuous Vendor Monitoring Benefits Organizations

    By Hilary Jewhurst, Head of Third-Party Risk Education & Advocacy at Venminder

Most third-party risk professionals understand the importance of conducting thorough due diligence. After all, it’s essential to ensure that your potential vendors have the appropriate practices and controls to address the risks of the products and services they’ll provide to your organization. However, it’s important to remember that performing initial due diligence and signing a contract doesn't eliminate vendor risks. Due diligence only captures a snapshot in time. Vendor risks, controls, quality, and service fluctuate. To lessen the impact and severity of vendor risks on your organization, it's crucial to practice continuous monitoring – also known as ongoing monitoring. This ensures that your vendors remain in compliance with applicable laws and regulations, provide quality products and services, and address any issues effectively and promptly.

What Does Continuous Monitoring on Vendors Mean?

Continuous monitoring is the practice of constantly and consistently keeping your eye on your vendors and their risk and performance. You’ll need to periodically reassess their risks and validate controls throughout the contract term to verify that vendor performance aligns with contractual requirements and industry standards. It's important to keep continuous monitoring risk based. This means that the frequency and rigor of monitoring are proportionate to the vendor's (and their products’ and services’) risk. A rule of thumb for reviews is annually for all critical and high-risk vendors, every 18-24 months for moderate-risk vendors, and every two to three years for low-risk vendors.

Four Benefits of Vendor Continuous Monitoring

Not only is continuous monitoring a best practice, but for many industries, it's a regulatory requirement.
This may be your organization’s only incentive for performing continuous monitoring, but it has other important benefits, including:

- Decisions based on real-time data – As vendor risk is subject to change, it’s essential to gather multiple forms of data to compare and analyze. Initial due diligence can help you quickly compare two vendors, but continuous monitoring tracks changes over time in a specific vendor's risk. It offers the most comprehensive understanding of your vendors' risks and enables better organizational decision-making.
- Maximized productivity – To use your limited resources effectively, it’s important to clearly understand which vendors need the most attention. By identifying which vendors are a priority, you can allocate your time and resources so that pressing issues are addressed on time.
- Confirmed vendor value – Continuous monitoring keeps your vendor relationships productive and beneficial for your organization. It enables you to evaluate whether your vendors fulfill contractual expectations. You can then make the necessary adjustments to improve the partnership.
- Avoided expensive surprises – With continuous monitoring, you can identify and address potentially costly situations, including regulatory violations, data breaches, and vendor instability. A proactive approach ensures your operations are efficient and mitigates the risk and expense of potential issues.

How Vendor Continuous Monitoring Safeguards Your Organization

It's crucial to have a clear understanding of how your organization should handle any issues that arise during vendor monitoring. It's not enough to simply recognize that a problem exists; you have to take action. Here are three significant outcomes of continuous monitoring:

- Identifying problems and issue management: Identified problems should be added to a formal issues log. The log should include a full description of the issue, root causes, ownership, remediation steps, and timing. Issues must be tracked and monitored until closed. Issues at risk or past due should be escalated to management to ensure proper closure.
- Identifying emerging risks: It's important to keep an eye on emerging risks that could affect your vendor relationship. Changes in vendor management or ownership, regulatory requirements, or even declining financial health are all examples of emerging risks. You should discuss any emerging risks with your vendor and gather additional documentation or remediation plans as needed. You may also need to perform vendor control assessments or other risk reviews. Don’t hesitate to sign up for vendor risk monitoring and alerts, such as Google Alerts, or seek help from outside risk intelligence firms that specialize in this. By taking these steps, you can ensure that emerging risks are kept in check.
- More frequent monitoring: If vendors have any issues or emerging risks, it's important to monitor them more frequently and rigorously. This is because problems rarely occur in isolation and can signal the presence of other potential issues or emerging risks. By keeping a close eye on problem areas, you can identify and address any problems before they become more significant or difficult to manage.

Vendor risk is always changing, and continuous monitoring is an essential activity to minimize vendor risks and their potential impact on your organization and customers. By implementing a risk-based approach to continuous monitoring, your organization can identify and address issues early on, before they become unmanageable. Although it may seem like a daunting task, don't view monitoring as a chore. Instead, embrace it as a valuable tool for successful third-party risk management.

  • TPRM Risk Appetite & Risk Tolerance

    Author: Heather Kadavy, TPRA's Sr. Membership Success Coordinator

Whether you are a board member, shareholder, or member of executive management assigned to review and provide credible challenge to a report on Third Party Risk Management (TPRM) effectiveness; a TPRM leader or member of the TPRM team conducting oversight and reporting; or a business unit that owns the risk of its outsourced relationship(s), it is important that everyone understands your organization’s risk appetite and risk tolerance. This will help ensure the effectiveness of a TPRM program and align the program to the overall Enterprise Risk Management (ERM) program.

Risk Appetite is the threshold of risk that an organization is willing to assume in order to achieve a desired result or its objectives. Risk Tolerance is the acceptable deviation from the organization’s risk appetite.

1. Understand Your Organization’s Enterprise Risks. Starting at the top, executive management under the direction of the Board of Directors typically identifies key risks and emerging factors facing their organizations. While the list may vary organization by organization, such risks will typically include, but not be limited to, compliance risk, credit risk, environmental risk, fiduciary risk, financial risk (e.g. interest rate risk, liquidity risk), legal risk, operational risk (e.g. transactional risk, fraud risk, information security risk), third party and supply-chain risk, Environmental, Social, and Governance (ESG) risk, reputational risk, and strategic risk.

2. Understand Your Organization’s Risk Appetite & Risk Tolerance. Typically, for each risk category, key performance indicators (KPIs) and key risk indicators (KRIs) are outlined along with a risk target.
On a periodic basis (typically quarterly), each business unit provides metrics for each risk category. Through analysis, the organization is able to assess whether its operations are aligned to its risk appetite and tolerance thresholds, as well as analyze the inherent and residual risks that impact the organization. Any outliers are typically discussed and managed (via remediation plans, risk acceptances, and/or other avenues).

3. Understand How TPRM Risk Appetite & Risk Tolerance Align to ERM. Similarly, a TPRM program will typically base its risk appetite and tolerance metrics on those of the ERM program. This ensures all departments are speaking the same language with regard to risk and that very high-risk issues are escalated to the appropriate stakeholders. This also ensures TPRM activities are and remain risk based. To ensure your TPRM program is aligned with your ERM program, TPRM leaders should ensure:
a. The overall TPRM program considers the full threat landscape that each outsourced relationship faces. Different third parties pose different threats that typically roll up under one of the ERM umbrella risk categories.
b. Risk appetite and tolerance are known, understood, and reviewed on a regular basis. Risk appetite and tolerance may be influenced by legal and regulatory requirements, industry, corporate expectations, geography, and technology.
c. The total risk associated with an outsourced party is considered, as a third party may provide your organization with several products and/or services.

4. Establish TPRM Risk Metrics for managing and monitoring outsourced relationships to ensure risks are mitigated in a timely manner. Some of the more common metrics linked to a TPRM program can include, but not be limited to:
- Third parties in total, by risk tier, by classification, by geographic region/location, and by risk category
- Third parties by division, department/business unit, and TPRM member
- Assessments past their due date
- Risk acceptances and/or escalations
- Active continuous monitoring alerts
- Service level agreements not being met
- Service level agreements which do not meet corporate thresholds (e.g. RTO/RPO timelines, incident or event notification timeline requirements that do not meet corporate, legal or regulatory expectations)
- Contracts signed prior to TPRM completion (e.g. due diligence)
- Risk assessments incomplete or missing information
- Third parties that represent concentration risk to the organization
- Emerging risks and/or threats
- Regulatory matters

Whether an individual is reviewing risk appetite and tolerance from the bottom up (TPRM metrics to ERM risk appetite) or from the top down, the key take-away is that the two are aligned to ensure risk is treated similarly throughout the organization and high-risk items gain the visibility they deserve. If your organization does not have documented risk appetite or tolerance levels, then review what types of risks your organization accepts (either through a risk acceptance process or by not addressing specific risks). This is the risk appetite your organization has indirectly implemented. Therefore, it is crucial for all TPRM members to understand how their role impacts this overall alignment with the organization's risk appetite.

  • Why Validate Certificates of Insurance (COIs)?

    By Heather Kadavy, CERP, CBVM, CFSSP (Ret.)

Today, organizations rely on the expertise of TPRM leaders, risk subject matter experts, and business lines (otherwise known as the TPRM team) to understand the insurance coverage carried by the third parties they engage, to prepare for transferring loss as warranted. Certificates of Insurance (COI) provide first-level evidence of coverage and provide a sense of security to protect against accidents and lawsuits that are a result of the contractor’s negligence, a data breach, or a faulty product, when entering or continuing a working relationship.

The 4 P’s of Why to Review Certificates of Insurance

- Proves Third Party’s Insurance Status. The COI is a summary of an insurance policy and serves as evidence of insurance.
- Provides Quick Access to Data. The COI constitutes a one-page express version of a larger insurance policy, which can save you hours of review work.
- Prepares Organization to Reduce Liability. By requesting and reviewing a COI, you are in fact preparing for a loss transfer (aka risk transfer) to the third party’s insurer in the event something goes wrong.
- Protects Organization When Outsourcing. Ensuring that the third party's insurance aligns to your organization’s requirements, risk tolerance, and risk appetite when it comes to protecting against incidents could help alleviate costly litigation that would ultimately affect your bottom line.

The ACORD form template is the most common certificate of insurance used for businesses in the U.S. and was designed to standardize historical forms. However, note that there could be other forms provided that may be specific to insurance purchased through a state rather than through a private insurance broker or carrier. Typically an organization will work with its insurance agent or broker when setting the organization’s “bottom line” when it comes to the insurance types, limits, and endorsements that it will require from the different types of third parties it works with.
TPRM teams should focus on building and nurturing relationships with their insurance agents or brokers so that when they run into questions, they have a known expert partner to reach out to. If a third party is slow or hesitant in providing a COI, it could be an indicator that they are underinsured or not insured at all. A COI is a non-binding document and does not alter coverage. Agents and brokers do their best to ensure that the coverage shown on the COI is accurate, because they face legal ramifications for providing false information; however, just because the COI states there is a certain type of coverage, limit, or endorsement (e.g. additional insured, waiver of subrogation, etc.) does not mean the policy itself has that exact same coverage and/or that the endorsement actually changes hands. If the TPRM team or the organization's insurance agent or broker is concerned, they can always request the more detailed evidence: a copy of the third party’s insurance policy.

  • Third Party Risk Management 101: Program Planning and Oversight

    Authors: TPRA Team & Practitioner Focus Group

The way in which organizations leverage third parties has evolved over the years, thereby increasing the quantity and severity of risks posed by third parties to an organization. Parallel to this evolution is an increase in the regulations surrounding organizations and their relationships with third parties. To ensure third parties are operating securely and effectively, by adequately monitoring and mitigating risks related to the data and/or processes that have been outsourced, an organization must have in place an effective Third Party Risk Management (TPRM) program. At the end of the day, an organization’s ability to effectively detect, manage, and mitigate third party risk relies upon the foundation on which the organization has built its TPRM program.

Building the Foundation

A TPRM program consists of six phases, which make up the TPRM Lifecycle. This article will focus on the first phase, Planning and Oversight. Program Planning and Oversight supplies an organization with a strong foundation and the requirements needed to develop and steadily support its overall TPRM program. This phase ensures the program can address third party risk at the highest level, while also ensuring governance structures are in place to run the program effectively. If implemented correctly, the Program Planning and Oversight phase will ensure key stakeholders are aware of, support, and help implement program requirements. This phase also ensures your entire organization is on board, as the TPRM program will touch every department within your organization (from Business Owners to Legal and Information Security). Let's review the activities associated with the Planning & Oversight phase.

Executive Support

The success of your TPRM program depends on the support you receive from your C-Suite, as well as your Board. To gain leadership support, you must first market and sell the need for your program.
To assist with this, a strong business case should be leveraged. A good business case should include, but not be limited to, the following components:

- A description of what third-party risk management is, including definitions, to ensure the program's scope is understood.
- Essential program features, including leadership support, enterprise-wide implementation, the TPRM framework, budget considerations, the need for a risk committee, transparency and communication, and reporting mechanisms.
- Avenues for benchmarking to ensure the program leverages processes that already exist, can maintain flexibility when new risks are discovered, grows with the business, and continuously improves.
- Expected program outcomes, or the return on investment for implementing a TPRM program. Such expected outcomes may include, but not be limited to, visibility into third party risk, defining the impact third parties pose to your organization, continuous monitoring of third parties to proactively mitigate risk, a reduction in residual risk through mitigation efforts, compliance with specific regulations and policies, and operational resiliency in the event of a disruption due to a third party.

The Third Party Risk Association (TPRA), in conjunction with Shared Assessments, created “The Business Case for Third Party Risk Management: A Starting Point for Senior Leadership” in an ongoing effort to support the global community of TPRM practitioners. The document walks through the components above in greater detail and exists for you to leverage within your own program.

Policies and Procedures

Once leadership is on board with the program's implementation, it is time to develop comprehensive TPRM program policies and procedures to establish consistent and effective TPRM practices across the organization. Your policies and procedures should align with current internal policies, pertinent regulations, and industry best practices.
Gain and use input from key stakeholders throughout the organization to ensure the establishment of your policies and procedures is successful. Your organization should then review the policies and procedures annually and perform updates, if necessary, to align with best practices and respond to emerging risks.

Note: Policies should state the terms and expectations of your TPRM program, whereas procedures should detail the actions required to implement your program.

At a high level, policies and procedures should:
- Provide a purpose statement that notes the role TPRM will play within your organization.
- Include definitions for third party risk management terms to ensure a consistent understanding throughout your organization.
- List all job functions that play a key role in the implementation and management of your TPRM program, as well as the responsibilities for each.
- Document each stage of the TPRM lifecycle to ensure the structure and processes of your TPRM program are clear and adoptable.
- Make clear that third party due diligence requirements must be completed before a contract is executed.

Inventory of Third Parties

It is imperative that you develop and maintain an up-to-date inventory of your third parties to ensure your TPRM program has sufficient coverage of third party risks. Please keep in mind that, based on your organization’s definition of a third party, your inventory may not simply be based on the contracts you have in place with other organizations. There are several sources you can leverage (such as Accounts Payable, software discovery tools, and Business Owner surveys) to better understand the third party relationships your organization has in place. All third parties, whether or not contracts are in place or monies are exchanged, should be noted within your inventory.
You may then choose to note certain third parties as in or out of scope once you move through the TPRM process; however, you will at least be able to evidence that you reviewed all third parties in some capacity. Within this activity, you may find it beneficial to establish sub-service categories for the products/services third parties provide to your organization. Categories may include, but not be limited to, Marketing Services, Professional Associations, Software Providers, Hosted Solutions, etc. This ensures you better understand how the business leverages third party products/services, and allows you to determine if a third party should be in or out of scope for specific due diligence activities. Once you have established your third party inventory, you will want to collect and maintain certain data elements related to your third parties within a central repository. Establish a process to add, maintain, and remove third-party information from your inventory regularly to ensure it is always up to date. This will allow you to look across third parties for risk trends, as well as ensure due diligence efforts are conducted for each product/service provided.

Organizational Risk Appetite

Next, establish risk ratings for your TPRM program and ensure they are in line with your organization’s risk appetite (the risk your organization is or is not willing to accept). Developing an organizational risk appetite is important in that it allows leadership to make enterprise-wide, strategic decisions on how to effectively manage and mitigate risk. It also allows your TPRM program to define risk thresholds for activities and controls that must be in place to ensure your organization meets its business objectives and protects its confidential data. Risk ratings are used to identify the potential impact and likelihood of a third party risk occurring.
Once an inventory of third parties is established, the next step is to run them through an inherent risk questionnaire (IRQ) to identify the risk before controls are assessed. This then drives the level of due diligence required for a third party. It also assists with tiering your third parties to ensure your program is risk-based. The risk identified after due diligence is performed (after controls are assessed) is the residual risk rating. This rating then further drives your continuous monitoring efforts and reassessment cycle times.

Program Oversight and Governance

Senior leadership, as well as Board support, are essential to ensuring your TPRM program is successful by setting the right “tone from the top.” Absent that support, an organization is unlikely to achieve consistent and timely adoption across all business and risk functions. Since third parties support all aspects of a company’s operations and revenue-generating activities, the scope of their risks mirrors every aspect of your organization. As a result, only enterprise-wide implementation will ensure a TPRM program covers all relevant business risks for a firm. In addition, it is important to implement program oversight activities, which may include the establishment of a Risk Committee. The committee should determine the thresholds for risk escalation and risk acceptance, as well as the frequency of reporting on third party risks to leadership (including the Board). Essentially, the oversight (or risk) committee takes the information gained from your TPRM program and uses it to drive risk-informed decisions.

Metrics and Reporting

Ensure you establish measurable, specific, and relevant metrics for your program. Metrics should guide the development and execution of your program, as well as inform stakeholders of the risk landscape related to your organization’s third parties.
Reporting should be tailored to specific target audiences to ensure they make better, data-driven decisions after reviewing the information. Target groups that should receive regular TPRM program updates can include, but not be limited to:

- Board – Receives updates on the TPRM program's overall health and the mitigation strategies for higher-risk third parties.
- Executives – Receive the risk ratings for third parties assessed and updates on risk-mitigation activities for higher-risk third parties.
- Risk Committee(s) – Receive risk ratings for third parties assessed and updates on risk-mitigation strategies, escalations, and risks requiring acceptance.
- Business/Relationship Owners – Receive updates on third party due diligence efforts and assessment outcomes.
- Other Key Stakeholders (such as Compliance Teams) – Receive data on specific risks posed to the organization (such as regulatory/compliance risk).
- TPRM Managers – Receive updates on program maturity, resource allocation, risk mitigation efforts, process exceptions, escalations, and any risks requiring business acceptance.

Education and Training

Transparency and communication are key when developing, implementing, and maintaining any TPRM program. All stakeholders must be familiar with TPRM program policies and procedures, as well as their role within the program. Business owners need to understand that they are the owners of their third party’s risk and that the TPRM program’s role is to support their risk-based decisions related to said third party. Best practice is to develop a TPRM training and education program and tailor it to your specific business partners. At a minimum, organizational training should be held annually, as well as when a new relationship owner is established. Your education program should also include third parties, to ensure they are aware of your program’s due diligence activities, expectations, risk remediation and follow-up processes, and escalation procedures.
Regulatory Compliance

Regulatory compliance has been a standing item on many board agendas, due to the increase in regulations related to third party oversight. There are a variety of reasons behind this focus, but the main drivers are a threat landscape growing in complexity, the momentum of digital transformation, political and social unrest, and responses to the global pandemic. Regulatory risks that your third parties do not address can present both reputational and financial risk for your own firm: if an issue arises, your organization’s name comes up as purchasing services from that third party. As a result, regulatory agencies are mandating that you understand the risks associated with doing business with your third parties. Ensuring that your third parties comply with pertinent regulations may reduce regulatory fines on your organization, provides assurance that they are operating with integrity, and helps prevent bribery, corruption, and other threats.

Budgeting

Establishing basic or even aspirational objectives under a TPRM framework requires a realistic alignment with the budgets available to support risk operations. For example, if a TPRM framework requires due diligence for all higher inherent risk third parties both before and after a contract is signed, then the budget should be commensurate with the activities needed to achieve this objective. Budget considerations can include, but are not limited to:

Resources – Current and future employees and/or contractors.
Operations – Any cost associated with daily tasks and running the business.
Maturity Model – Process enhancements required and the resources needed to reach the next level of maturity.
Travel – Costs associated with onsite visits and training.
Training – Fees for conferences, training, and certifications to maintain knowledgeable and skilled professionals who are apprised of risk trends.
Tools – Budget for TPRM program tools.
Consider estimating the cost savings a tool (or tools) will bring by automating certain processes. TPRM is a non-revenue-generating discipline; therefore, it is also a good idea to quantify your program’s value by emphasizing what could occur if the program is not established. A financial impact questionnaire can likewise document the program’s financial impact and/or the savings achieved through risk mitigation.

Conclusion

Your TPRM program will touch every department within your organization. As such, it is necessary to ensure alignment and support across the enterprise. As you establish your TPRM program, it is important to thoughtfully and strategically implement the above activities to ensure your program can successfully meet its business objectives and effectively mitigate third party risk.

  • TPRM Program Effectiveness Requires You To Be Intentional

    By: Heather Kadavy, CERP, CBVM CFSSP (Ret.)

    “Individuals who execute the Third Party Risk Management process for [Enter Your Company Name] are qualified and competent, have clearly defined responsibilities, and are accountable for their actions. They understand our risk culture and appetite. They have a robust understanding and oversight of our core and ancillary activities, third party relationships and the various ecosystems leveraged by our organization to address operational and technical capacities to ensure our TPRM Program is aligned with our strategies, to appropriately balance risk-taking and rewards.”

    Every business’s board of directors, shareholders, or executive team probably wants to hear some variation of this solid assurance statement regarding their TPRM Program’s effectiveness. In reality, it is increasingly difficult to truly accomplish. Why?

    The Transitioning of the Workforce is Fast and Furious. Onboarding a new employee typically means they hit the ground running, with limited time on the job to acquire the depth and breadth of knowledge needed to fully understand the complexities of the organization’s critical processes, services, and activities, let alone its third party relationships, contractual obligations, and the internal and external alignment of risk, control, and gap decisions that each organization faces.

    TPRM Teams are often physically, or through priorities, siloed in their view and actions. It takes a team of subject matter experts from each line of business, as well as the TPRM team, to fully understand the risks associated with third parties, and doing so effectively means articulating strategies and priorities; ultimately, everyone rowing in the same direction and everyone pulling their own weight.

    Employees are Re-prioritizing, Exhausted or Disengaged. Today’s workforce is either (a) focused on the immediate priorities of making or saving money (e.g. sales, processing, and client satisfaction), (b) exhausted and taking shortcuts, or (c) disengaged (aka “quiet quitting”). This can lead to suboptimal oversight of third party relationships, increasing the potential for damage to your business through reputational or operational loss.

    Resources are earmarked for Client Facing solutions. TPRM teams are often asked to “get by one more year” with the resources at hand in a growing and complex ecosystem.

    Third Party, 4th and Nth Parties All Face the Same Problems. Each has an ecosystem with its own shifting workforce and its own cultural, operational, and technical uniqueness to manage, so providing answers to our TPRM teams sometimes takes a back seat.

    All of these complexities make it harder to achieve the utopian idea that each TPRM team will have in-depth knowledge of each relationship while also managing risks effectively. As a result, key TPRM processes become abstract concepts that our fast-paced society, with its shortened attention spans, has to balance. Knowing this, how can TPRM programs operate effectively?

    It Starts with the Right Team. Engagement and alignment across the three lines of defense is critical to your success.

    Get Real! By acknowledging the reality of your starting point, or of the areas of improvement that your TPRM Program still needs to address, you and your team will be more aligned on the direction and priorities for strategically roadmapping your needs. Take a long-term view of the opportunities to incrementally enhance your TPRM Program’s effectiveness. It’s a marathon, not a sprint. However, that does not mean your TPRM team shouldn’t prioritize the areas of improvement needed to mature your program. Begin by breaking your strategic priorities down into incremental sprints, making the overall process less overwhelming.

    Know Your Third Parties (KYTP). Create opportunities to develop the relationship between your employees and third parties, building upon collaboration and mutual trust. Many times a third party will provide:

    A due diligence packet or answers to inherent risk questionnaires. Implement an “if they provide it, you need to review it” motto. Receiving and archiving information is NOT risk management. It is only through review that you can understand, identify, assess, and prepare to mitigate risks.
    A number of interactive touchpoint meetings. Leverage these meetings to incrementally address due diligence concerns and continue learning about the complex ecosystems of your third party. Be purposeful when engaging with them and remember that one size does not fit all. Schedule these discussions on a risk-based frequency and recognize that your third party is an extension of your own security program.
    A set number of free or discounted online working groups, customer forums, webinars, conferences, etc. These are a great way to network and build relationships with the third party’s personnel who hold the greatest organizational, operational, and technical knowledge regarding their products, services, and ecosystem.

    When your organization is intentional about improving the effectiveness of its relationships with third parties, it will indirectly drive better collaboration, allow for the sharing of more information, protect your assets and reputation, maintain compliance with regulations, improve your third party’s overall experience, and ultimately better mitigate the impact third parties pose to your organization.

  • Work Smarter Not Harder

    Third Party Risk Management (TPRM) is a critical process for organizations that rely on third parties to provide goods or services. It involves identifying, assessing, and mitigating the risks associated with these third parties so that they do not negatively impact the organization’s operations or reputation. As the number of third parties and the complexity of their relationships with organizations increase, managing third party risk has become a more difficult and time-consuming task. This is where automation comes in.

    Areas to Automate in the TPRM Lifecycle

    Automation can streamline and improve the process by removing the need for people to perform repetitive tasks, reducing error, and increasing efficiency. There are several key areas where automation can be applied in the TPRM process, including:

    1. Third Party Onboarding
    Third party onboarding is the process of evaluating and accepting new third parties into the organization’s TPRM program. It can be a time-consuming and resource-intensive process, involving a significant amount of paperwork and documentation. Automation can help streamline this process by handling the collection and verification of third party information, such as tax IDs, business licenses, and insurance certificates. This can significantly reduce the time and resources required to onboard new third parties.

    2. Risk Assessment
    Risk assessment is the process of identifying and evaluating the risks associated with a third party. This can be a complex and time-consuming process, involving a significant amount of data collection and analysis. Automation can help simplify this process by performing data collection and analysis and providing an objective and consistent approach to risk assessments. Automation can also help identify and evaluate risks that may not be immediately obvious to human reviewers.

    3. Continuous Monitoring
    Continuous monitoring is the ongoing process of monitoring a third party’s performance, as well as its compliance with the organization’s TPRM program. This can involve monitoring the financial stability, regulatory compliance, and incident reporting of third parties. Automation can simplify this stage by creating a real-time data collection and analysis process and providing alerts of any potential issues. This helps organizations identify and respond to potential risks in a shorter period of time.

    4. Reports and Communication
    Reports and communication are important aspects of the TPRM lifecycle, as they provide decision-makers with the information they need to make informed decisions about their third parties. Automation can simplify this process by removing the need for a person to generate reports and by ensuring real-time updates on third party performance and compliance. As with continuous monitoring, this can help organizations quickly identify and respond to any potential risks.

    Benefits of Automation in TPRM

    The use of automation can provide several benefits to organizations, including:

    1. Increased Efficiency
    Automation can streamline and simplify the TPRM process, reducing the time and resources required to manage third party risk. This allows organizations to focus on more important tasks, such as identifying and mitigating high-priority risks.

    2. Improved Accuracy
    Automation can reduce human error and provide a more objective and consistent approach to risk assessment. This helps organizations make more informed decisions about their third parties.

    3. Increased Visibility
    Automation can provide organizations with real-time visibility into third party performance and compliance. This helps organizations quickly identify and respond to any potential risks.

    4. Compliance
    Automation can also help organizations comply with regulatory requirements by providing real-time alerts of any potential issues, as well as an audit trail for those alerts.

    Challenges of Automation in TPRM

    Despite the many benefits of automation, there are also some challenges that organizations may face when implementing it. These challenges include:

    Challenge #1: Lack of Flexibility
    One of the biggest challenges of using automation in the TPRM process is the lack of flexibility. Automated systems are often inflexible and may not be able to adapt to the unique needs of different organizations and third party relationships. This can make it difficult for organizations to customize their TPRM processes to meet their specific requirements. Additionally, automated systems may not be able to handle unexpected situations or changes in third party risk levels.

    Challenge #2: Data Quality and Integrity
    Another challenge is data quality and integrity. Automated systems rely on accurate and up-to-date data to function properly. However, TPRM data can be complex and difficult to collect and maintain. Organizations may struggle to ensure the accuracy and completeness of their TPRM data, which can lead to inaccuracies and inconsistencies in their automated systems. This can make it difficult to accurately assess third party risks and develop effective mitigation strategies.

    Challenge #3: Security Concerns
    Security is a major concern when it comes to using automation in the TPRM process. An automation platform aggregates sensitive data about every third party in the program, so it is itself a high-value target and may be vulnerable to cyber threats such as hacking and malware. A compromise could expose sensitive TPRM data and make it difficult for organizations to protect themselves against potential data breaches. Additionally, automated systems may not be able to detect and respond to advanced threats, such as social engineering and phishing attacks. If the platform is delivered as a service, it is a third party in its own right and should be assessed under the same program.

    Challenge #4: Limited Human Involvement
    Another challenge is limited human involvement. Automated systems may not be able to fully replicate the expertise and judgement of human analysts. This can make it difficult for organizations to identify and assess third party risks and to develop effective mitigation strategies. Additionally, automated systems may not provide the same level of transparency and accountability as human-led processes.

    Challenge #5: Cost and Complexity
    Finally, using automation in the TPRM process can be expensive and complex. Organizations may need to invest in expensive software and hardware to implement and maintain automated systems, and may need to hire specialized personnel to manage and maintain them. This can make it difficult for organizations to justify the cost and complexity of automation in TPRM processes.

    Conclusion

    Automation can be a powerful tool for improving the TPRM process, but it also presents several challenges: a lack of flexibility, data quality and integrity issues, security concerns, limited human involvement, and cost and complexity. Organizations need to carefully consider these challenges when deciding whether to use automation in their TPRM processes. By understanding these challenges and taking steps to address them, organizations can improve their TPRM processes and better protect themselves against potential risks.
