Vendor & Third Party Risk Dallas polling questions



Vendor & Third Party Risk Dallas 2025

November 4-5, 2025

TABLE OF CONTENTS

• What are you most worried about in regards to third-party resiliency?

• Where have you travelled from today?

• As you evaluate your own TPRM programs, is there anything that you are doing to mitigate risk in times of uncertainty? Are there any KRIs or metrics that you have developed to trigger alerts to adjust risk plans or change vendors?

• What is the first thing which comes to mind when you consider ‘Exit Strategies?’

• What do you feel is the current biggest challenge when selecting locations for off shoring vendors?

• Off shoring has traditionally been used to tackle many business challenges. Do you think AI could replace that role?

• Name one capability that would most improve your organization’s resilience.

• Are you under mandates/guidance to increase AI use this year?

• Biggest concern using AI in TPRM today?

• Does your company have a strong AI governance policy and/or governing body/review committee/team to approve solutions?

• Do you require vendors to provide AI evaluation evidence (accuracy/bias/tests)?

• What is the first thing that comes to mind when you consider Vendor Concentration?

• Does your organisation currently monitor vendor concentration across critical services (e.g. cloud, data, SaaS) as a standalone risk metric?

• About how many AI related cyber incidents have you had in the past 12 months?

• Which certifications will you receive from AI vendors?

What are you most worried about in regards to third-party resiliency?

Concerned that third parties are not upholding their SLAs and responsibilities

IT Architecture Decisions

The secret 4th parties

Cloud service provider assessing parties impact Regulations Strategies accurately Dependency SPoFs Cyber security Risk Risks Including Over reliance on cloud business Outages

Concentration risk

4th party risk party Nth party

More regulations recovery resiliency 4th

concentration Adequacy

Cyber hacks of nth party

Nation State cyber attacks determine disruptions Nth parties Regulations

Where have you travelled from today?

Multiple-choice poll

As you evaluate your own TPRM programs, is there anything that you are doing to mitigate risk in times of uncertainty? Are there any KRIs or metrics that you have developed to trigger alerts to adjust risk plans or change vendors?

Table tops Country Exposure Index

What is the first thing which comes to mind when you consider ‘Exit Strategies?’

Timelines

Speed to exit Does it exist

Change the supplier

Contingency plans

Not simply filling out a checklist

Transfer of services and impact throughout

Time Preparation Contingency planning

Need to be realistic timelines

Transition Support

Speed to exit

How fast Dependency Sh’t show

Insourcing

Return data

What do you feel is the current biggest challenge when selecting locations for off shoring vendors?

Multiple-choice poll

What areas attend your ALCO meetings: (select all that apply)

Yes, and it’s coming soon

Yes, but not anytime soon

Not in any meaningful way

Multiple-choice poll

What is the first thing which comes to mind when you consider ‘Exit Strategies?’

Collaboration

Better data Integrated Simulations

Data and tool integration

Reduce concentration risk Accepting Our systems that drive resiliency

Data lake Governance

Better reporting mitigate Culture Data integration

Communication

Centralization transparency ties strategies mitigation

3rd Desiloing

Long term decision making

Continued collaboration across LODs Tone at the top

Eliminate silos party Risk register Tool integration Data accuracy

Communication between departments

Are you under mandates/guidance to increase AI use this year?

Multiple-choice poll

Biggest concern using AI in TPRM today?

Data disclosure

False positive

Bad results

Accuracy

Data leaks

Black box

Security of data

Shadow AI

Data leak Over reliance on AI Hallucinations

AI slop

Limitations of data Permission

Hidden risk

Accuracy

Use of our data

Security Deepfake

Data use

Data

LAZY HUMANS

Reduce staff too soon Over promises Knowledge loss

Does your company have a strong AI governance policy and/or governing body/review committee/team to approve solutions?

Yes — Policy & review process

Multiple-choice poll

Do you require vendors to provide AI evaluation evidence (accuracy/bias/tests)?

Multiple-choice poll

What is the first thing that comes to mind when you consider Vendor Concentration?

Is there a viable alternative?

#TPRMDALLAS

Loss of revenue

Undefined risk threshold. When is it too much

Potential doomsday

Many to one Systemic risk

Resilience

Dependency risk

Widespread business disruption Interconnectedness

Increased risk reliance

Potential failure SPOF

Criticality

Too much dependency

Single point of failure

Overrelying

Poor strategy

Geographic location

Breaches

What’s the first thing I should be considering vendor concentration Nth party

Impact of incidents

Alternate sourcing

Too many services or products in one area, or in hands of one vendor

Single points of failure/risk throughout supply chain

Does your organisation currently monitor vendor concentration across critical services (e.g. cloud, data, SaaS) as a standalone risk metric?

Yes, regularly

Somewhat (as part of broader vendor risk assessments)

No, but we’re planning to

Multiple-choice poll

About how many AI related cyber incidents have you had in the past 12 months?

Multiple-choice poll

Which certifications will you receive from AI vendors?

Multiple-choice poll

Vendor & Third Party Risk Dallas polling questions by cefpro - Issuu