In spring of 2017, Jon Ehret was approached by a fellow third-party risk management professional after sharing his project experience in a conference presentation. Julie Gaiaschi was just starting a similar third-party risk management project herself and wanted to be able to benchmark it against what Jon had done. Sharing their experiences was so helpful that the pair soon came to the conclusion that others might also find it helpful to join a call where they could discuss their third-party risk management challenges and pain points.
In the fall of 2017, they set up their first quarterly call with 15 “friends and family” from 13 companies. A year later, they decided they must be on to something when the group had grown to 135 people in 92 companies, so in October 2018 they founded the Third Party Risk Association (TPRA), a 501(c)(6) not-for-profit dedicated to forming a community of like-minded third-party risk professionals.
“Third party risk doesn’t get a lot of attention,” says Jon. He points to the fact that many security conferences, for instance, devote very little of their agendas to third party risk. And even though most CISOs would name vendors as one of their biggest risks, the programs themselves are often under-served. “We’re not talking about departments with 20 or 30 people on staff; we’re often talking about one or two, even in some of the largest companies.”
Yet despite these challenges, Jon says that there is a passionate global community of third-party risk professionals who want to engage with their peers to share best practices, exchange ideas, and raise the profile of their contribution to the business. And a growing number of these practitioners are outside of the traditional risk-averse vertical markets like healthcare and financial services.
TPRA is Born
TPRA was established as a formal entity in October of 2018 and continues to grow. Today Jon and Julie serve as TPRA’s president and CEO, respectively, working in conjunction with leadership and oversight from a five-person board of directors with experienced risk professionals from GE, Allianz Life, Cree, Asurion, and Intermountain Health.
To support its mission, TPRA plans to conduct the following activities:
TPRA is open to third-party risk practitioners, regardless of geography, industry, or experience. The annual membership fee includes access to peer meetings, conferences, knowledge sharing, networking opportunities, and soon training and awareness.
Engaging with Third-Party Risk Management Peers
TPRA members currently meet monthly via conference call to discuss a pre-determined topic. Depending on the content, the meeting could be a roundtable format, like a recent discussion of continuous monitoring, or a more formal presentation, like a recent presentation in which a lawyer provided advice on third-party risk management. Other topics have included contract language, tiering third parties, and questionnaires and other tools. Sessions are recorded, so members can always catch up on meetings they miss or review them again.
TPRA also hosts an online forum in which members can post questions and get responses from other third-party risk professionals. People who are just getting started with their third-party risk management program can get their questions answered by those who’ve had similar experiences. Those with more experience can also benefit when they are evaluating new products, expanding their geographical reach, or beginning to address new risk domains.
“We have lots of members from huge companies and we’ve identified about nine vertical markets so far,” Jon says. “It’s really interesting when we have people from lots of different verticals together. Someone can be really experienced in one industry, but hearing about the experience of someone in another vertical opens their eyes to something they hadn’t thought about previously.”
“Our philosophy is that a rising tide lifts all boats,” Jon observes. “Our members are doing what we can to make programs better and help the vendors get better too.” Though TPRA does accept vendor memberships from companies like Aravo to help offset costs and keep member dues reasonable, the organization is committed to being 100% vendor neutral. Vendors do not receive contact lists or any other information about members, but Jon hopes that TPRA can be a source of information for members who want to learn more about available vendor tools.
What’s Ahead for TPRA
Monthly calls and member forums are just the beginning for TPRA, which is still less than a year old. In November, the organization is hosting a virtual vendor fair for members who are considering projects and have a desire to learn more about the vendor landscape. In the first half of 2020, TPRA will move from being a strictly virtual organization to hosting its own in-person event, the details of which are still being finalized.
Having access to the combined wisdom of the third-party risk community benefits all members, but especially those in smaller and/or growing programs that are on a path to maturity. For example, TPRA helped one member make a business case for additional staff by sharing the results of a salary survey the organization conducted. As the community continues to grow, members will be able to bring more attention to third-party risk management, improving their ability to execute, elevating their roles in their organizations, and protecting their organizations from financial and reputational damage.
Learn more about Third Party Risk Association (TPRA).
Jon Ehret is the President and co-founder of the Third Party Risk Association, a non-profit professional association for third party risk practitioners and vendors. Mr. Ehret has over 20 years of experience with the last 15 years specializing in information risk. During that time, he helped to grow and mature various third party risk teams in the finance and healthcare industries. He holds a Bachelor of Science in Information Technology from the Rochester Institute of Technology. Mr. Ehret is also a holds the CISSP, CISA, and CRISC certifications.
Share with Your Friends:
