PODCAST · business
Third Party Therapy
by Mike Day
A bi-weekly podcast about the world of third party risk. Many of us are in the same position, facing ever evolving challenges, trying to keep up with new regulations and laws and it often feels like we are struggling to keep up. I want to really open up the conversation on this topic by speaking with practitioners to discuss key topics, understand what worked well and what went wrong, what people struggle with and to bring in ideas from other industries too. I’ll be asking the questions that folks may feel silly or uncomfortable asking too. So, why not join me for a series of informal interviews and discussions to really open up the conversation for the third party risk community?
-
20
Third Party Therapy - Prof. Richard Wilding OBE | The Academic Lens on Supply Chain Resilience
How do you build a supply chain that doesn't just survive disruption but thrives through it? Mike Day is joined by Professor Richard Wilding OBE, Emeritus Professor of Supply Chain Strategy, to bridge the gap between academic theory and frontline risk management.

Professor Wilding shares his expert perspective on why the "Cost to Serve" must be applied to risk, how to segment vendors effectively, and why "Robustness" is no longer enough in a volatile global economy.

🕒 Timestamps:
00:00 – Introduction: Bringing the Academic Lens to TPRM.
03:45 – Richard’s journey: From Engineering and the "Brit Industry" to OBE.
14:20 – Why "Efficiency" is a dangerous goal for modern supply chains.
25:10 – Resilience vs. Robustness: What’s the difference?
38:45 – The Cost to Serve: Why you shouldn't treat every vendor the same.
52:30 – Advice for the next generation of supply chain leaders.

SEO Keywords: #SupplyChain #Logistics #Procurement #RichardWilding #RiskManagement #Resilience #Strategy #OBE
-
19
Third Party Therapy - Clarence Chio | The Pace of TPRM: Faster Horses or a New Way to Travel?
Is the pace of change in Third-Party Risk Management (TPRM) keeping up with the complexities of the modern marketplace? In this episode of Third Party Therapy, Mike Day sits down with Clarence Chio, founder of Coverbase.

Clarence, a Stanford-trained engineer and cybersecurity veteran, shares his unique perspective on the "assessor fatigue" felt by both sides of the table. They dive deep into how AI can move beyond just making existing processes "faster horses" and instead fundamentally change how trust is established between organizations.

🕒 Timestamps
00:00 – Introduction: Is TPRM falling behind the market?
03:45 – Clarence’s Journey: From Stanford to Anti-Money Laundering (AML)
12:10 – The "Assessor’s Dilemma": Why busy work doesn't always equal risk reduction
21:30 – The Pace of Change: Why traditional assessments are static in a dynamic world
30:50 – AI & Coverbase: Moving from manual checklists to automated trust
38:15 – The "Faster Horse" Problem: Re-imagining the future of TPRM
47:40 – Elevating the Job: How automation allows risk managers to focus on strategy
55:30 – Closing thoughts: Mapping out the next 5 years of TPRM

💡 Key Takeaways
The Problem with Static Assessments: Clarence explains why an annual review is often obsolete the moment it's finished and how the pace of software updates requires a new approach to monitoring.
Assessor Fatigue: Insight into why critical vendors feel "put through the wringer" and how this friction actually hinders true risk transparency.
AI as an Efficiency Engine: How Coverbase uses AI to bridge the gap, allowing for a more holistic and real-time understanding of vendor security postures.
Rethinking the Function: Why the industry needs to stop asking for "faster horses" (doing the same manual tasks quicker) and start looking for the "automobile" (fundamentally changing the workflow).

🔗 Connect & Resources
Official Website: thirdpartytherapy.com
Guest Info: Learn more about Clarence Chio and Coverbase at Clarence Chio | LinkedIn

Search & SEO Keywords: #TPRM #ThirdPartyRisk #ClarenceChio #Coverbase #Cybersecurity #AI #RiskAutomation #VendorManagement #SupplyChainSecurity #ThirdPartyTherapy #Innovation
-
18
Third Party Therapy - Mo Randeree - TPRM at Speed: Using AI to Bridge the Gap Between Risk and Procurement
TPRM at Speed: Using AI to Bridge the Gap Between Risk and Procurement

Episode Summary: How do you build a world-class Third-Party Risk Management (TPRM) function in a digital-first, fast-paced environment? In this episode of Third Party Therapy, Mike Day sits down with Mo Randeree from Atom Bank. Mo shares his journey from a PwC auditor to a TPRM leader, discussing how to break down the traditional silos between Procurement, Risk, and Resilience.

The highlight of this episode is Mo’s deep dive into the practical use of Google Gemini (AI) to automate risk assessments, moving the dial from "policing" the business to "partnering" with it.

🕒 Timestamps
00:00 – Introduction: Managing risk at the speed of a digital bank
03:45 – Mo’s Background: Stumbling into TPRM via PwC
12:10 – The Integrated Operating Model: Merging Procurement, TPRM, and Resilience
20:30 – Speed to Market: Why "Check-the-Box" compliance doesn't work in FinTech
28:50 – AI in Action: Using Google Gemini to solve the "data mountain" problem
37:15 – Shifting the Culture: Moving from a "No" function to a "Business Enabler"
45:40 – Proactive Supplier Management: Having hard conversations about control gaps
53:00 – Closing thoughts and advice for the next generation of risk leaders

💡 Key Takeaways
The "One-Stop-Shop" Model: Discover how Atom Bank integrates procurement and risk into a single lifecycle, ensuring risk is considered at the start of a project, not as a final hurdle.
Leveraging Generative AI: Mo explains the specific prompts and processes used with Google Gemini to digest complex supplier documents, allowing a lean team to achieve massive scale.
Bridging the Gap: Practical tips on how to align the conflicting goals of Procurement (speed/cost) and Risk (safety/compliance).
Relationship-Driven Risk: Why the most effective TPRM tool isn't a piece of software, but the ability to build trust across the organization.

🔗 Connect & Resources
Official Website: thirdpartytherapy.com
Join the Community: Sign up for our mailing list to receive our "AI in TPRM" guide.
Guest Info: Connect with Mo Randeree on LinkedIn to follow his work at Atom Bank.

Search & SEO Keywords: #TPRM #ThirdPartyRisk #AtomBank #GoogleGemini #GenerativeAI #RiskManagement #ProcurementStrategy #FinTech #BusinessResilience #ThirdPartyTherapy #SupplyChainRisk
-
17
Third Party Therapy - Layla White - Beyond Third Parties: Mapping Fourth-Party Risk and Early-Stage Suppliers
Beyond Third Parties: Mapping Fourth-Party Risk and Early-Stage Suppliers – with Layla White (TechPassport)

Episode overview
Season 2 opens with a practical deep dive into one of the hardest problems in modern third-party risk management: understanding what sits beyond your immediate suppliers. Mike is joined by Layla White, founder of TechPassport, to unpack why fourth- and fifth-party dependencies remain opaque, how early-stage suppliers change the risk profile, and why traditional questionnaires and web-scraping approaches struggle to keep up with today’s supply chains.

The conversation blends lived experience from financial services procurement and vendor management with a grounded look at how supply chain mapping actually works in the wild, where outages, cloud concentration, geopolitics, and cyber incidents collide.

What you’ll hear in this episode
Why fourth- and fifth-party risk is still a blind spot for many organisations
The limits of questionnaires and AI/web-scraped data for mapping supply chains
How to identify critical dependencies deeper in the supply chain
The problem of hidden concentration risk (especially with cloud and shared infrastructure)
Why small suppliers and early-stage tech firms introduce different resilience risks
The importance of validating supplier-provided data rather than guessing from public sources
How outages propagate through unseen dependencies
Why supply chain risk now stretches beyond cyber into resilience, data, ESG, and modern slavery
Where regulation is pushing firms to understand and evidence extended dependencies

Key takeaways
Supply chain risk is no longer a third-party problem. The real fragility often sits further down the chain.
Public signals and scraped data are useful clues, not ground truth. Critical dependencies usually only emerge when suppliers confirm them directly.
Concentration risk is rarely obvious until something breaks. Mapping dependencies before an incident is the difference between response and surprise.
Early-stage suppliers need structure and support to meet enterprise expectations, not just scrutiny.
Effective TPRM is a system of approaches, not a single tool. Questionnaires, live data, mapping, and supplier engagement all have different strengths.

Guest bio
Layla White is the founder of TechPassport, a platform focused on improving how organisations gather and manage supplier information, map extended supply chains, and engage early-stage technology providers. Layla previously worked in financial services procurement and vendor management, where she experienced first-hand the friction, delays, and blind spots that exist in traditional third-party onboarding and supply chain visibility.

Who this episode is for
Third-Party Risk and Operational Resilience leaders
Procurement and Vendor Management teams
Cyber and Cloud risk practitioners
Risk, Compliance, and Resilience professionals
Anyone grappling with fourth-party visibility, concentration risk, or supplier onboarding in complex ecosystems

Listen to the episode
🎧 Full episode: https://thirdpartytherapy.com

Tags / themes
TPRM, Fourth-Party Risk, Supply Chain Mapping, Concentration Risk, Operational Resilience, Early-Stage Suppliers, Cloud Dependencies, Cyber Resilience
-
16
Third Party Therapy - Robert Hannigan - Cybercrime-as-a-Service, Data Poisoning and the future of Cyber Crime.
Great conversation with Robert Hannigan from Blue Voyant, former Director of GCHQ and author of "Counter Intelligence - What The Secret World Can Teach Us About Problem Solving & Creativity". Talking about the business model of cyber crime, how companies can protect themselves and the role of the human in combatting the cyber criminal.
-
15
Third Party Therapy - Charlie Lewis - Beyond the Third: Navigating 4th Parties and Cyber Risk in TPRM
A great conversation with Charlie Lewis from McKinsey exploring the cyber risk that develops from a complex supply chain and how companies can take a business focussed approach to risk management.

Read Charlie's article on Taking a business-critical approach to supplier nth-party IT risk management

Distributed in conjunction with CEFPRO Connect
-
14
Third Party Therapy - Natalie Druckmann - AI Unleashed: Transforming Third-Party Risk
Third Party Therapy – Episode 13
AI Unleashed: Transforming Third-Party Risk
Guest: Natalie Druckmann, Head of EMEA at Certa
Host: Mike Day

Episode Summary
How is artificial intelligence reshaping third-party risk management? In this episode, Mike Day speaks with Natalie Druckmann from Certa, exploring how AI can transform due diligence, regulatory compliance, and supplier oversight. Natalie shares her journey from delivery and procurement into technology leadership, before unpacking the real-world use cases that are redefining TPRM—from automating document review to interpreting complex regulations like DORA. Together, they discuss how organisations can move from spreadsheet chaos to continuous monitoring, and from compliance overhead to strategic insight.

Key Topics
Natalie's path from practitioner to tech leader
The evolution of TPRM tech: from Excel → platforms → modular AI solutions
Industry maturity: financial services vs pharma, retail, and defence
Using AI to analyse supplier evidence, interpret new regulations, and enable 'risk management by exception'
Why 'process → people → platform' is the right order for success
Common pitfalls in adopting technology
The future of TPRM: faster onboarding, smarter risk insight, and human + AI collaboration

Memorable Quotes
“We fixed the problem of not knowing—and created the problem of knowing too much.”
“AI in TPRM isn’t about replacing people; it’s about freeing them to focus where it matters.”
“Process first, people second, platform third.”

Takeaways
✅ Start with why and who, before deciding what or how.
✅ Design your process first—technology won’t fix a broken one.
✅ Use AI for transparency, not black-box decisions.
✅ Adopt a base-plate approach: start simple, build as you mature.
✅ Aim for risk management by exception, not exhaustion.

Links & Resources
🌐 thirdpartytherapy.com – show archive
🤖 certa.ai – learn more about Certa’s AI-driven risk solutions
💬 Connect with Mike Day on LinkedIn for future episodes
-
13
Third Party Therapy - Dharminder Mehmi - Bridging the Gap: from regulation to implementation in TPRM.
Join me in a conversation with Dharminder Mehmi from Legal & General as we explore regulation in the UK Finance sector, the experience of moving from the regulator to the regulated and how regulation may develop in the future.

Distributed with support from CEFPRO Connect
-
12
Third Party Therapy - Harj Mattu - Established players and new entrants into the TPRM Technology market
I get to explore my TPRM nerdy side with Harj Mattu from Deloitte as we explore the world of TPRM technology. Who are the big players, who are the new entrants bringing something different and our favourite topic of AI in TPRM.

Published in partnership with CEFPRO Connect
-
11
Third Party Therapy - Oliver Jones - Should TPRM and Procurement work closer together - the evolution and technical solutions.
A conversation with Oliver Jones from H&Z Consulting on the evolution of TPRM from a sub-function of Procurement to a key function on its own with board level focus - how far from Procurement should it go and what are the technology solutions that can help bring them together?
-
10
Third Party Therapy - Nathan Hopkins - ESCROW - a valuable tool or a box ticking exercise.
Great conversation with Nathan Hopkins from The ESCROW Company discussing the evolution of ESCROW, how it brings resilience to SaaS solutions and what happens when you invoke it
-
9
Third Party Therapy - Will Cooke & Jack Birch - Why is there a shortage of TPRM people?
A great conversation with Will Cooke and Jack Birch from Procurement Heads on the shortage of good TPRM talent, barriers to entry, how companies are recruiting and why there are no 12 year olds wanting to get into TPRM.
-
8
Third Party Therapy - Charlie Jones - Dropping the S-BOM - a new approach to third party software assessment
Join me in a conversation with Charlie Jones from Reversing Labs to talk about the limitations of traditional cyber controls, a new approach to testing - Static Binary Analysis - and the impact of recent regulations.
-
7
Third Party Therapy - Stephen Boyer - The Changing World of Cyber Monitoring
Great conversation with Stephen Boyer - Chief Innovation Officer and co-founder of Bitsight about the growth of the cyber threat and how TPRM can use data to dynamically monitor this risk.
-
6
Third Party Therapy - Ian Ellis - The Emerging Tech companies view of TPRM
Ian Ellis | The Emerging Tech companies view of TPRM

Episode Summary: What does your Third-Party Risk Management (TPRM) process look like from the other side of the table? In this episode of Third Party Therapy, Mike Day is joined by Ian Ellis, an innovation expert who has spent years working with Microsoft for Startups and various tech accelerators.

Ian shares the "bruising" reality of how emerging tech companies experience corporate due diligence. They discuss why a "one-size-fits-all" questionnaire can paralyze a 5-person dev team and how organizations can adapt their risk appetite to foster innovation without compromising security.

🕒 Timestamps
00:00 – Introduction: The challenge of assessing small, high-impact suppliers
04:20 – Ian’s Journey: From corporate innovation to the startup trenches
11:50 – The "Startup View": How a 100-question spreadsheet feels to a founder
19:15 – The Resource Gap: Why startups don't have "Compliance Departments"
27:40 – Litmus Test: Does your process actually measure risk or just persistence?
35:10 – Right-Sizing Risk: How to scale assessments for emerging tech
44:30 – The Human Element: Building respect and transparency into the onboarding flow
52:15 – Closing thoughts: Moving toward a more inclusive TPRM ecosystem

💡 Key Takeaways
The "Bruising" Effect: Understand the operational impact that heavy-handed corporate processes have on small, agile companies.
Proportionality is Key: Why asking a 5-person startup for the same evidence as a global conglomerate is a barrier to entry for innovation.
Contextual Due Diligence: Learn how to look past the "missing" controls to understand the actual risk profile of a niche technology provider.
The Reputation Risk: How your onboarding process defines your company's reputation in the tech community—are you a partner or a hurdle?

🔗 Connect & Resources
Official Website: thirdpartytherapy.com
Join the Community: Sign up for our mailing list to receive our guide on "Right-Sizing TPRM for Startups."
Guest Info: Connect with Ian Ellis and learn more about his work with emerging tech EnterpriseTech.London: Posts | LinkedIn

Search & SEO Keywords: #TPRM #Startups #EmergingTech #Innovation #RiskManagement #ThirdPartyRisk #Procurement #FinTech #BusinessAgility #ThirdPartyTherapy #Podcast
-
5
Third Party Therapy - Gemma Stewart - Concentration Risk, it's all about the data!
A great conversation with an ex-colleague of mine from Zurich Insurance. Gemma Stewart has been designing and evolving their approach to concentration risk for a number of years and she joins me on the podcast to share that experience on what to do and what not to do...
-
4
Third Party Therapy - Aki Eldar - Artificial Intelligence in TPRM
Aki Eldar | Using AI to Solve the TPRM Data Overload

Episode Summary: The volume of data in Third-Party Risk Management has become unmanageable for manual teams. In this episode of Third Party Therapy, Mike Day sits down with Aki Eldar, founder of Mirato, to discuss how Artificial Intelligence is moving from a "future concept" to a practical tool. Aki explains how AI can automate the heavy lifting of evidence analysis—reading SOC2s and ISO certs for you—so that risk professionals can focus on making actual decisions rather than just processing paperwork.

🕒 Timestamps
00:00 – Introduction: AI as a risk vs. an opportunity
03:15 – Aki’s 30-year journey: From Cybersecurity & DLP to TPRM
11:40 – The "Mountain of Evidence" problem in modern risk management
19:25 – How AI actually "reads" and validates third-party documentation
27:50 – "Shadow AI": Managing the risks of unauthorized AI use in your business
36:10 – Why AI won't replace the human-in-the-loop
44:30 – The "MVP" Strategy: Why you should start standalone and scale later
52:15 – Closing thoughts and how to avoid the "Everest" trap

💡 Key Takeaways
Automated Analysis: Move beyond simple data collection. Learn how AI can cross-check supplier questionnaires against their actual evidence (like SOC2 reports) to find gaps instantly.
The Productivity Shift: By automating the "boring" work, AI allows risk managers to focus on the 20% of high-risk cases that actually require human expertise.
Managing Shadow AI: Aki shares critical insights on how to handle employees using tools like ChatGPT and the data privacy risks that come with "dirty" AI models.
Don't Climb Everest at Once: Why a "Minimum Viable Product" (MVP) approach is the most successful way to implement AI without disrupting your entire organization.

🔗 Connect & Resources
Official Website: thirdpartytherapy.com
Join the Community: Sign up for our mailing list for the latest in AI and TPRM.

Search & SEO Keywords: #AI #ArtificialIntelligence #TPRM #ThirdPartyRisk #RiskAutomation #Mirato #CyberSecurity #RiskManagement #DigitalTransformation #ThirdPartyTherapy #SupplyChainRisk
-
3
Third Party Therapy - Shayne Tyler - The Human Cost of Modern Slavery
Episode Summary: Modern slavery isn’t just about chains and locks—it’s a hidden, systemic crisis embedded in global supply chains. In this episode of Third Party Therapy, host Mike Day sits down with Shayne Tyler from TylerBladon Practical Ethics, a supply chain expert with 20+ years of experience in worker exploitation. Shayne reveals why traditional audits often fail, how to spot the subtle signs of exploitation, and why TPRM professionals are uniquely positioned to save lives by looking beyond the paperwork.

🕒 Timestamps
00:00 – Intro: Why Modern Slavery is a TPRM priority
04:15 – Shayne’s story: From the food industry to the front lines
11:30 – The "Invisible" Victim: Defining modern slavery today
19:45 – Why your current audit process might be missing the truth
28:10 – The tiers of risk: Going deeper than your primary suppliers
36:50 – Practical advice for risk managers: Trusting your gut
45:20 – The human cost of the "race to the bottom" on price
52:00 – Final thoughts and where to start

💡 Key Takeaways
Beyond Compliance: Moving from the "UK Modern Slavery Act" checklist to active, ethical risk management.
The Audit Trap: Why pre-announced audits allow exploiters to coach victims and hide evidence.
The Power of Curiosity: Why asking "How is this price possible?" is your best defence against slavery in your supply chain.
Operational Reality: Understanding that exploitation often hides in the recruitment and labor agencies used by your suppliers.

🔗 Connect & Resources
Official Website: thirdpartytherapy.com
Join the Community: Sign up for our mailing list to receive episode deep-dives and TPRM resources.
Guest Info: Connect with Shayne Tyler [Insert LinkedIn/Website Link].

Search & SEO Keywords: #ModernSlavery #TPRM #SupplyChainEthics #RiskManagement #HumanRights #ThirdPartyRisk #ESG #Sustainability #ThirdPartyTherapy
-
2
Third Party Therapy - Paul Huggett - What does Community Due Diligence deliver?
Third Party Therapy - Series 1, Episode 1
Paul Huggett: What Does Community Due Diligence Deliver?

In this debut episode of Third Party Therapy, host Mike Day sits down with Paul Huggett, Managing Director at Hellios and former TPRM lead at major financial institutions like Nationwide and Lloyds Banking Group.

Here is the optimized, "copy-paste" set of show notes for Episode 1: Paul Huggett, designed to perform across Spotify, Apple Podcasts, and YouTube.

Show Notes: Paul Huggett | What Does Community Due Diligence Deliver?

Episode Summary: TPRM has moved from a "check-the-box" exercise to a high-stakes regulatory requirement. In this debut episode of Third Party Therapy, Mike Day is joined by Paul Huggett, Managing Director at Hellios and former TPRM lead at Nationwide and Lloyds. Paul shares his journey from "poacher to gamekeeper" and explains how the Community Due Diligence model is solving the industry's biggest headache: the "many-to-many" web of repetitive supplier questionnaires.

🕒 Timestamps (Clickable on YouTube)
00:00 – Introduction: The evolution of TPRM since the 90s
05:20 – Paul’s Journey: From Practitioner to Managing Director
12:45 – The "Many-to-Many" Problem: Why the current model is broken
18:10 – What is Community Due Diligence? (The "Collect Once, Share Many" model)
26:30 – Big Banks vs. Small Firms: How different sized companies benefit
34:15 – Crisis Management: Using community data during the Russia-Ukraine conflict
42:50 – The Future of Tech: Why AI is the "new cloud"
51:10 – The Golden Rule: Why technology won't solve a data problem
55:30 – Closing thoughts and how to get started

💡 Key Takeaways
The Efficiency Win: In a community model, suppliers provide data once to a central "pool," which is then accessed by dozens of buying firms, saving thousands of hours in administrative work.
Speed of Response: Learn how community models allowed firms to map their entire supply chain exposure to global conflicts in minutes rather than weeks.
Avoid the "Shiny System" Trap: Paul warns against buying expensive workflow tools before you have a solid data strategy—don't just buy a "shinier problem" to grapple with.
ESG & Pooled Audits: The next frontier is moving beyond data collection into virtual site visits and shared environmental, social, and governance assessments.

🔗 Connect & Resources
Official Website: thirdpartytherapy.com
Join the Community: Sign up for our mailing list for TPRM deep-dives.
Guest Info: Learn more about Hellios and Paul Huggett at [Insert Link].

Search & SEO (Optimized for YouTube)
Keywords: #TPRM #ThirdPartyRiskManagement #CommunityDueDiligence #SupplyChainRisk #Helios #FSQS #RiskManagement #FinancialServices #ThirdPartyTherapy #RegulatoryCompliance
-
1
Third Party Therapy - Trailer
Introduction to the Third Party Therapy podcast - an independent bi-weekly podcast bringing insights and ideas from different industries to the TPRM community.

Why not visit www.thirdpartytherapy.com to sign up for more information
HOSTED BY
Mike Day