Question 1

Keynote: Third Party Risk Management: Better, Faster, Smarter

Accepted Answer

Third Party Risk Management: Better, Faster, Smarter

Session Overview
Technology and creativity are reshaping the risk landscape, driving third party risk at a faster pace than organizations can respond to. Leaders and practitioners are under pressure to make their third party risk management practices smarter, faster, and more scalable. Renowned expert Linda Tuck Chapman will take you through on a journey of discovery into proven, real-world solutions to reduce effort while increasing control. Whether your program is nascent or mature, you’ll hear how to level up your program, increase its efficiency and effectiveness, and be better prepared for what’s next.

Question 2

Session 3: Contract Management

Accepted Answer

Session Objectives
By the end of this session, participants will be able to:
 • Understand the role of contracts in managing third-party risk.
 • Identify key contractual clauses that mitigate cyber, compliance, and operational risks.
 • Learn how to align contract terms with regulatory requirements.
 • Apply best practices for monitoring and enforcing vendor obligations.
Session Breakdown (45 minutes)
1. Introduction: Why Contract Management Matters (5 minutes)
 • Contracts as the foundation of vendor governance.
 • Linking contracts to TPRM lifecycle (onboarding → monitoring → offboarding).
 • Real-world examples of contract gaps causing risk exposure.
2. Key Clauses in TPRM Contracts (15 minutes)
 • Data protection & privacy (GDPR, HIPAA, DORA alignment).
 • Information security requirements (encryption, SOC 2, ISO 27001).
 • Audit rights (access to assessments, penetration tests).
 • Incident notification & breach response (timelines, responsibilities).
 • Business continuity & disaster recovery obligations.
 • Subcontracting / fourth-party management clauses.
3. Aligning Contracts with Regulations (10 minutes)
 • GDPR: Data processing agreements (DPAs).
 • DORA: Critical vendor oversight and resilience requirements.
 • OCC/FFIEC: Financial services vendor guidelines.
 • ISO & NIST frameworks for standardization of language.
4. Monitoring & Enforcement (7 minutes)
 • Establishing contract scorecards.
 • Leveraging technology (CLM – Contract Lifecycle Management systems).
 • Renewal/termination triggers.
 • Common pitfalls (unenforceable clauses, vague language).
5. Preparing for Challenges (5 minutes)
 • Negotiating with large vendors (cloud providers, SaaS giants).
 • Balancing risk transfer vs. shared responsibility.
 • Legal vs. business priorities in contract negotiations.
6. Wrap-Up & Q&A (3 minutes)
 • Recap: Top 5 must-have TPRM clauses.
 • Future trends: AI in contract analysis.
 • Questions & discussion.
Session Aids
 • Slide deck with sample contract language.
 • Case study (breach without proper contractual protections).
 • Handout: “TPRM Contract Clause Checklist.”

Question 3

Session 4: Sourcing and Risk Rankings

Accepted Answer

Session Objectives
By the end of this session, participants will be able to:
 • Understand the sourcing lifecycle in TPRM.
 • Apply structured approaches to evaluating and ranking vendors.
 • Recognize common risk categories (security, financial, regulatory, reputational).
 • Use scoring and tiering models to prioritize oversight and resources.
Session Breakdown (45 minutes)
1. Introduction: Why Sourcing & Rankings Matter (5 minutes)
 • Vendors as critical extensions of the business.
 • Poor sourcing decisions → higher compliance, operational, and reputational risk.
 • Example: vendor selection missteps leading to breaches.
2. The TPRM Sourcing Lifecycle (10 minutes)
 • Needs identification → market scan → RFP/RFI → vendor evaluation → contract.
 • Importance of aligning sourcing with business and regulatory strategy.
 • Role of procurement vs. risk/compliance vs. IT/security teams.
3. Risk Categories to Consider (10 minutes)
 • Information Security Risk (data handling, SOC 2, ISO 27001).
 • Operational Risk (process reliability, staffing).
 • Regulatory/Compliance Risk (GDPR, DORA, HIPAA, OCC).
 • Financial Risk (vendor solvency, cost volatility).
 • Reputational Risk (brand damage, public trust).
 • Concentration Risk (dependence on one/few vendors).
 • Geopolitical/ESG Risk (location, sustainability, ethics).
4. Vendor Risk Ranking Models (12 minutes)
 • Inherent vs. Residual Risk frameworks.
 • Scoring methodologies: weighted criteria, heat maps, radar charts.
 • Tiering vendors:
    • Tier 1: Critical (cloud providers, data processors).
    • Tier 2: Important (HR, payroll, facilities).
    • Tier 3: Low impact (non-core suppliers).

• Examples of scoring matrices (likelihood x impact).
5. Challenges & Best Practices (5 minutes)
 • Balancing cost vs. risk in sourcing.
 • Managing 4th-party risk visibility.
 • Avoiding checklist-only approaches — need for continuous monitoring.
 • Using automation and AI tools for vendor scoring.
6. Wrap-Up & Q&A (3 minutes)
 • Recap: sourcing lifecycle + key risk categories.
 • Top 3 takeaways: structured evaluation, transparent scoring, continuous monitoring.
 • Open floor for questions.
Session Aids
 • Slide deck with sample scoring matrix and heat map.
 • Case study: vendor ranking failure → breach exposure.
 • Handout: “TPRM Vendor Risk Scoring Framework.”

Question 4

SESSION 5: Inter-Affiliate Relationships Panel Discussion

Accepted Answer

In the context of Third-Party Risk Management (TPRM), inter-affiliate relationships present unique challenges and opportunities. Unlike traditional vendor engagements, affiliates often operate under shared ownership structures, yet maintain separate governance, processes, and risk profiles. This can blur accountability and create assumptions that affiliates pose less risk simply because they are “part of the same group.” In reality, affiliates may be subject to different regulatory environments, data handling practices, or operational controls, introducing vulnerabilities into the enterprise ecosystem. A strong TPRM program must therefore extend due diligence and ongoing monitoring to affiliates, with clear contractual agreements, standardized policies, and aligned risk frameworks. By treating affiliates as critical third parties—while leveraging the trust and transparency of intra-group relationships—organizations can balance efficiency with compliance and resilience

Question 5

SESSION 7: Workshop: Building Effective TPRM Programs

Accepted Answer

Duration: 3 hours (flexible)
Workshop Objectives
By the end of the workshop, participants will be able to:
 • Understand the core components of a TPRM framework.
 • Apply regulatory and industry requirements to vendor oversight.
 • Conduct a third-party risk assessment using real-world tools.
 • Create a vendor risk ranking model (heat map or tiering).
 • Develop actionable strategies for contract management and ongoing monitoring.
Workshop Agenda
1. Introduction to TPRM (10 minutes)
 • Why TPRM is critical in today’s interconnected ecosystem.
 • The TPRM lifecycle: sourcing → onboarding → monitoring → offboarding.
 • Key terminology and regulatory drivers (GDPR, DORA, OCC, ISO 27001, NIST CSF).
Interactive: Quick poll on participants’ top TPRM challenges.
2. Case Study: Vendor Data Breach (15 minutes)
 • Walkthrough of a real-world vendor breach scenario.
 • Discussion: What went wrong? How could it have been prevented?
 • Identify the risks: information security, compliance, financial, reputational.
Exercise: Small groups list risk categories and controls that should have been in place.
3. Risk Assessment Workshop (30 minutes)
 • Introduction to risk assessment methodologies.
 • Inherent vs. residual risk.
 • Tools: SIG Lite, CSA CAIQ, questionnaires, evidence validation.
Exercise: Participants complete a sample vendor risk assessment using a pre-filled questionnaire.
 • Score vendor risk (High, Medium, Low).
 • Rank vendors by criticality.
4. Risk Ranking & Heat Map (20 minutes)
 • Building a scoring model: likelihood × impact.
 • Visualizing risks with heat maps and vendor tier pyramids.
Exercise: Teams create a simple risk heat map for assigned vendors.
 • Present results back to the group.
5. Contract Management & Monitoring (10 minutes)
 • Key contract clauses: data security, audit rights, breach notification, subcontractors.
 • Continuous monitoring: automated vs. periodic assessments.
 • Aligning with AI-driven risk monitoring.
Exercise: Review a sample vendor contract — identify missing TPRM protections.
6. Wrap-Up & Action Planning (20 minutes)
 • Group discussion: What are the top 3 improvements you’ll take back?
 • Share practical resources (checklists, templates, toolkits).
 • Q&A.
Workshop Materials
 • Slide deck (TPRM framework, lifecycle, scoring models).
 • Case study handout.
 • Risk assessment questionnaire (sample SIG Lite/CAIQ).
 • Vendor contract excerpt.
 • Heat map template (Excel or printed grid).
 • “TPRM Quick Reference Guide” handout.

NAVIGATING SUPPLY CHAIN CYBER RISK
IN PERSON COURSE
JANUARY 13 -16, 2026

TPRM Certification
Based on our best selling book
Navigating Supply Chain Cyber Risk

4 Day Certification Course

COURSE DETAILS

NAVIGATING SUPPLY CHAIN CYBER RISK IN PERSON COURSE JANUARY 13 -16, 2026

TPRM Certification Based on our best selling book Navigating Supply Chain Cyber Risk

4 Day Certification Course

COURSE DETAILS

NAVIGATING SUPPLY CHAIN CYBER RISK
IN PERSON COURSE
JANUARY 13 -16, 2026

TPRM Certification
Based on our best selling book
Navigating Supply Chain Cyber Risk