Third-Party Risk Management Bootcamp 2026
TPRM Bootcamp is back for 2026 with practical, expert-led vendor risk management training — now built around The Upside of Third-Party Risk Management, the definitive guide to turning vendor oversight into strategic value by Michael Carpenter, COSO ERM, CAMS, NCRM, NCCO, NCVMP, and Ncontracts CEO Michael Berman. Publishing June 2026.
From risk appetite and tiering to contracts and strategic value, this is the training your vendor program has been waiting for.
Register now and receive a free digital copy of the book.
Bootcamp Sessions
Most organizations have a risk appetite statement. Few use it to make vendor decisions. This session is about closing that gap — translating risk appetite into practical vendor strategy across the full lifecycle, using a real-world example to show what alignment between strategic and risk conversations looks like.
What You'll Learn:
- How to connect risk appetite to real vendor selection and management decisions
- A framework for evaluating the risk implications of strategic vendor choices
- How to approach an emerging technology deployment from a TPRM lens — what questions to ask and when
- How to bring vendor risk conversations into strategic planning earlier, positioning TPRM as a business enabler rather than a compliance checkpoint
Vendor tiering isn't a regulatory checkbox — it's the foundation of a program that directs oversight resources where they matter most. This session covers what tiering is for, where programs commonly go wrong, and how to build a classification structure that holds up under examiner scrutiny and works in practice.
What You'll Learn
- Why identified risk — not contract value or spend — should drive vendor classification
- The key differences between operational risk management approaches and traditional TPRM tiering models
- Common tiering mistakes: over-classifying, under-classifying, and why "if everything is critical, nothing is critical"
- How to build vendor profiles that are meaningful, defensible, and scalable
- How tiering drives due diligence depth, monitoring frequency, and contract requirements
Continuous monitoring is one of the most misapplied concepts in TPRM. Most programs treat it as an extension of performance reviews — same cadence, same questions, same audience — when it's designed to do something fundamentally different. This session breaks down what continuous monitoring is actually built to catch, how it differs from performance management, and how to connect the two so your program generates real intelligence instead of activity logs.
What You'll Learn
- Why continuous monitoring and performance reviews answer different questions — and what breaks when programs treat them as the same
- How to structure each so findings in one sharpen what you look for in the other
- What monitoring that generates real intelligence looks like versus activity that fills a dashboard
- How to right-size intensity based on vendor tier and service criticality
A vendor outage doesn't stay a vendor problem for long. In most organizations, TPRM and business continuity management operate in separate silos — each unaware of the other's data, assumptions, and triggers. This session covers how to bridge that gap before an incident forces it: mapping vendors to the critical functions they support, identifying when a vendor issue becomes a BCM event, and ensuring data flows between TPRM and BCM in both directions.
What You'll Learn
- How to identify the threshold at which a vendor incident becomes a BCM event
- Why TPRM and BCM data must flow in both directions — and what breaks when they don't
- How to map vendors and specific services to the business functions that depend on them
- How your BIA connects to vendor contract requirements, RTOs, and incident escalation
- Practical steps for aligning TPRM and BCM so incident response is coordinated, not chaotic
Most vendor contracts are written to protect the vendor. Yours should be written to protect your organization. This session breaks down how to turn a standard vendor agreement into an enforceable control — translating risk appetite, due diligence findings, and BIA data into terms that hold up when something goes wrong.
What You'll Learn
- How to connect contract requirements directly to your BIA, risk appetite, and vendor tier
- What makes an SLA a control vs a statement of intent
- What regulators expect to see and where agreements don’t deliver
- Key provisions that matter most for risk mitigation and how to negotiate for them
- How ecosystem dependencies should shape liability limits, RTOs, and insurance requirements
Most TPRM programs have the right pieces. What they're missing is the connection between them. This session shows what it looks like when tiering, due diligence, contracts, monitoring, and performance reviews work as a system — and what that makes possible beyond compliance. We'll also cover where the field is heading: AI in vendor services, shifting expectations, and what mature programs are doing now to stay ahead.
What You'll Learn
- How to connect the components of your TPRM program so each one reinforces the others
- What a mature program produces beyond passing exams — faster decisions, better contracts, stronger vendor relationships
- What AI integration in vendor services requires from your oversight program
- How expectations are evolving and where scrutiny is increasing
- Why the practitioners who add the most value aren't the ones who say no — they're the ones who explain what yes requires
Register Now
Join our third-party risk experts around a virtual campfire for our popular bi-annual bootcamp. We'll discuss the latest trends and show you just how to accomplish some of the most challenging vendor risk management tasks.
Program Level:
Basic
Duration:
6 Hours (2 Hours Per Day)
Prerequisites:
None
Who Should Attend:
CEOs, CFOs, Compliance Directors, Risk Directors, BOD, Vendor Management, CPAs
Advanced Preparation:
None