Third Party Risk Management

Build a vendor risk program that satisfies regulators and holds up under pressure

Master the end-to-end discipline of identifying, assessing, and controlling the risks your vendors and partners bring into your organization. Build programs that satisfy regulators, protect operations, and earn boardroom confidence.

14 lessons · AI-adaptive · Cancel anytime · Learn anywhere

"A vendor risk program that can't perform under pressure isn't a program — it's paperwork, and I'll show you the difference." George Koduah

What you'll learn

What you'll be able to do

  • Design a tiered vendor classification framework that focuses due diligence effort where it matters most
  • Conduct structured risk assessments across cybersecurity, financial, operational, and compliance domains
  • Build and manage a vendor inventory with risk scoring that can be presented to senior leadership and regulators
  • Negotiate contract clauses — SLAs, audit rights, data protection addenda — that transfer and limit third-party risk
  • Establish a continuous monitoring program with meaningful triggers for reassessment and offboarding procedures
  • Respond to a third-party incident with a documented escalation and remediation playbook your team can execute under pressure

How it works

A school that adapts to you

This isn't a set of static videos. Every lesson is generated live and tuned to where you actually are.

We learn your level

A quick placement check tailors your starting point so you're never bored or lost.

Lessons adapt as you go

Each lesson is written for your pace and your goal, adjusting as your skills grow.

Your AI coach keeps you moving

Checkpoints, feedback, and gentle nudges turn progress into a real result.

The curriculum

What's inside your school

6 modules · 14 lessons

1. Foundations of Third-Party Risk Management

Establish the conceptual and regulatory foundation every practitioner needs before touching a vendor file. Learners map the modern third-party risk landscape, understand why vendor relationships create strategic exposure, and benchmark their organization against a mature TPRM program model. This module is deliberately placed first because all downstream classification, assessment, and monitoring work depends on a shared mental model of what TPRM is trying to achieve.

  • 1.1 The TPRM Landscape: Why Vendors Are a Strategic Risk (Included)
  • 1.2 Anatomy of a Mature TPRM Program (Included)

2. Vendor Classification and Inventory Management

Before any risk assessment begins, practitioners need a complete, governed vendor inventory and a principled way to direct due-diligence effort. This module teaches learners to build and maintain a defensible vendor inventory — the operational backbone of any TPRM program — and then layer a tiered classification framework on top of it so that critical vendors receive rigorous scrutiny and low-risk vendors do not consume disproportionate resources. Inventory precedes classification in sequencing because you cannot tier what you have not catalogued.

  • 2.1 Building and Governing the Vendor Inventory (Included)
  • 2.2 Designing a Tiered Vendor Classification Framework (Included)

3. Risk Assessment Across Domains

With a classified vendor inventory in hand, learners now execute the core analytical work of TPRM: structured due diligence across cybersecurity, data privacy, financial, operational, and compliance domains. The module builds from domain-specific assessment techniques to an integrated risk-scoring model that produces defensible residual risk ratings and board-ready reporting. A dedicated lesson on data protection due diligence is added here to close the gap between cybersecurity controls review and the legal/privacy requirements that typically live in a separate team but must be integrated at assessment time.

  • 3.1 Cybersecurity and Data Privacy Due Diligence (Included)
  • 3.2 Financial, Operational, and Compliance Risk Assessment (Included)
  • 3.3 Risk Scoring, Residual Risk, and Assessment Reporting (Included)

4. Contracting for Risk Transfer and Control

A strong assessment is worthless if the contract does not codify the controls and remedies the organization needs. This module equips learners to negotiate and draft the contract provisions that legally transfer, limit, and enforce third-party risk — from core risk-allocation clauses through SLA design to data protection addenda. A new lesson on data protection and audit-rights provisions is added here because these are consistently the most contested clauses in vendor negotiations and are not adequately covered by SLA mechanics alone.

  • 4.1 Contract Clauses That Move Risk: Core Provisions (Included)
  • 4.2 Data Protection Addenda, Audit Rights, and Subprocessor Controls (Included)
  • 4.3 SLA Design, Negotiation, and Enforcement (Included)

5. Continuous Monitoring and Ongoing Risk Management

Onboarding due diligence is a point-in-time snapshot; risk evolves continuously. This module builds the ongoing monitoring apparatus that keeps the organization's vendor risk picture current between formal reassessments. Learners design a monitoring framework, define meaningful triggers for reassessment, manage fourth-party (sub-vendor) risk, and execute a structured offboarding process that prevents data leakage and contractual exposure when a vendor relationship ends.

  • 5.1 Designing a Continuous Monitoring Framework (Included)
  • 5.2 Reassessment Cycles, Fourth-Party Risk, and Offboarding (Included)

6. Third-Party Incident Response and Program Governance

Even the best-designed TPRM program cannot eliminate all third-party incidents. This module prepares learners to respond effectively when a vendor is breached or fails, and to govern the TPRM program itself so it earns sustained organizational investment, adapts to change, and can be confidently presented to boards and regulators. Sequenced last because effective incident response and governance both draw on every prior module — the playbook references the inventory, classification, contracts, and monitoring frameworks built earlier.

  • 6.1 Building and Executing a Third-Party Incident Response Playbook (Included)
  • 6.2 Program Governance, Metrics, and Earning Boardroom Confidence (Included)

Who it's for

Is this you?

Risk Managers

You own the TPRM function and need a rigorous, end-to-end architecture — from vendor classification through incident response — that you can defend to leadership and regulators alike.

Procurement Leads

You're at the table before the contract is signed, and this school gives you the risk-transfer provisions, SLA negotiation tactics, and due diligence criteria to make vendor selection a controlled decision.

Compliance Officers

Regulatory expectations for third-party oversight keep rising, and this curriculum gives you the program structure and documented evidence trail to satisfy examiners with confidence.

Internal Auditors

Understanding what a mature TPRM program looks like from the inside makes your assessments sharper and your findings more actionable for the business.

GRC Professionals

You're responsible for weaving third-party risk into the broader governance fabric, and this school gives you the domain depth to do it with credibility across cybersecurity, financial, and operational risk dimensions.

Program Builders

If you've been handed the mandate to stand up a TPRM function — or to mature one that's outgrown its spreadsheets — this curriculum is the structured playbook you need to do it right the first time.

Your teacher

A note from your teacher

George Koduah

If you're reading this, you probably already know what a fragile TPRM program looks like from the inside. You've seen the vendor inventory that lives in a spreadsheet no one fully trusts. You've watched a questionnaire go out, come back 80% complete, and get filed away without anyone asking what the answers actually mean. You've been in the room when an auditor or regulator asks about your third-party oversight and the honest answer is more complicated than you'd like.

I built this school because that gap — between having a vendor risk process and having a program — is where organizations get hurt. Not just in audit findings, but in real operational disruptions, real data incidents, and real boardroom credibility problems. The discipline of TPRM is mature enough now that there's no reason to keep improvising it. There's a right way to classify vendors so your due diligence effort lands where it matters. There's a right way to structure a risk assessment across cybersecurity, financial, operational, and compliance domains so the output is defensible, not decorative. There's a right way to write contract provisions that actually move and limit risk — and a very common wrong way that looks thorough and does almost nothing.

This curriculum covers all of it, in sequence, the way a working program actually operates. We start with classification and inventory because you can't assess what you haven't catalogued. We move through domain-based due diligence and risk scoring because assessments that don't produce a clear, communicable risk position aren't worth the effort. We go deep on contracting because your leverage is highest before signature, and most risk professionals underuse it. We build the continuous monitoring framework because a point-in-time assessment is a snapshot of a risk that keeps moving. And we finish with incident response and governance because the program isn't real until it performs under pressure and earns the confidence of the people who fund it.

Every module is grounded in the scenarios and decisions you actually face — the ones with regulatory implications, budget constraints, and organizational politics attached. I'm not here to teach you theory. I'm here to give you the structure, the tools, and the judgment to run a program that holds up when it counts.

If you're ready to build something that survives scrutiny — from your auditors, your regulators, and your board — this is where to start.

George Koduah

Start your journey today

Join and get instant access — learn at your own pace with an AI coach in your corner.

$79/mo

Recurring billing · cancel anytime

Secure checkout · Instant access

  • 6 modules, 14 lessons
  • AI-adaptive lessons tuned to your level
  • Quizzes & checkpoints to lock in progress
  • Your own AI learning coach
  • Learn on any device, at your pace
  • Full access for as long as you're subscribed