
566. Craig Callé, Third Party Risk Management and Cyber Security

From Unleashed - How to Thrive as an Independent Professional

Length:
34 minutes
Released:
Mar 25, 2024
Format:
Podcast episode

Description

Craig Callé talks about third party risk management (TPRM) and cyber security. TPRM is a subset of Governance, Risk and Compliance (GRC), which aims to help organizations achieve their objectives, address uncertainties, and act with integrity. TPRM is crucial because over half of all data breaches occur through insecure third parties. Companies need to understand their relationships and monitor them more carefully, which requires a variety of tools and processes. Chris explains that third party risk management includes cybersecurity, reputation management, supply chain issues, and other risk categories such as financial liability. Cybersecurity has become the primary focus due to the numerous issues it addresses. Privacy is another important risk, with regulations like GDPR in Europe, CCPA in California, and others worldwide ensuring companies have a firm grip on consumer data. Companies must follow through with privacy regulations unless they can follow data to third parties.

Areas of Scrutiny in Third Party Risk Management

Craig mentions that ESG and sustainability are also areas of scrutiny, as companies must ensure their third parties align with their company's goals and objectives. However, he stresses that one must also be aware of laws pertaining to sanctions around the world. Issues of reputation, child labor, anti-money laundering, and bribery are also important to be attentive to, not just for one's own company but also for the third parties it works with.

Defining Third Party Risk Management

Chris explains that third party risk management and enterprise risk management are both subcomponents of GRC. He mentions that the term includes outsource providers, software as a service (SaaS) apps, cloud hosts, contractors, ecosystem partners, technology partners, and counterparties. Emergency third party risk management is a broader category that includes enterprise risk management, business continuity or operational resilience, compliance, and internal compliance.

Global Risk Control (GRC) includes enterprise risk management, a risk register, business continuity or operational resilience, and compliance. A risk register compiles all the potential threats that can impact a company, and it is crucial to continually build a more predictable and measurable system to achieve its objectives at the lowest possible risk.

GRC Frameworks

Craig adds that business continuity or operational resilience is an important aspect of GRC, as it involves a set of controls and risks in place to understand where the company is in the journey and to be able to bounce back when bad things happen. Compliance is another area under GRC, as it involves creating a methodology for ongoing monitoring of operations and ensuring compliance with global rules and regulations. He mentions that a lot of GRC work involves picking a framework and building a program around it; for example, in cybersecurity circles, a popular standards body would be NIST, and he mentions a few others that give leaders a roadmap for achieving high standards of operation.

Governance in Risk Management Strategy

Craig states that, in the context of Global Risk Control, the governance aspect is a crucial part of the organization's overall risk management strategy and that it is set in the roadmaps that have been developed with a team for each area, such as compliance or continuity. The head of GRC is responsible for overseeing the system and ensuring that the organization operates within its control frameworks. For example, in a Fortune 500 company, a C-suite executive responsible for GRC would report to a Chief Risk Officer or CRO, with a solid line to the CEO and a dotted line to the board audit and risk committee. He goes on to explain various titles that may be given to the person in charge of GRC and why he believes there is a deficiency in putting all risks under one umbrella.

The Director of Third Party Risk Management Role Explained

The director of third party risk management might hav

Unleashed explores how to thrive as an independent professional.