What's the Purpose of Third-Party Risk Management? A Practitioner's Answer

Most vendor management programs at financial institutions are built to satisfy an examiner. Michael Carpenter, VP of Risk Management at Ncontracts and author of The Upside of Third-Party Risk Management, spent decades building third-party risk management programs at community banks, credit unions, and large financial institutions — and in this episode of Ncast, he explains what that experience revealed about why so many TPRM programs fail to deliver real business value. Ncast host Rafael DeLeon, SVP of Industry Relations at Ncontracts and former OCC examiner, sits down with Michael Carpenter to discuss the strategic gap in vendor management programs, what the military taught him about risk and redundancy, and how financial organizations can build a TPRM program that goes beyond compliance. In this episode: Why vendor management programs at community banks and credit unions often look strong on paper but fail in practice — the "theater" problem in third-party risk management What it means to treat vendors as your operating model rather than a risk list — and how that shift changes how financial organizations approach TPRM The closed fist framework: a practical tool for connecting organizational strategy to vendor risk management What military mission essential task lists (METL) reveal about redundancy, single points of failure, and vendor oversight Why vendor selection fails when financial organizations can't define what winning looks like before signing a contract The controls problem in TPRM: why financial institutions pay for vendor controls they aren't using — and how to fix it Frequently Asked Questions: What is The Upside of Third-Party Risk Management? The Upside of Third-Party Risk Management is a book by Michael Carpenter, VP of Risk Management at Ncontracts, that helps compliance officers and risk practitioners at financial institutions build vendor management programs that create strategic value — not just regulatory compliance. What is the biggest mistake financial organizations make in vendor management? According to Michael Carpenter, the most common mistake is building a TPRM program around passing an exam rather than around the organization's actual strategy and operating model. Vendors aren't a risk list — they're part of how the organization functions. Who is this episode for? This episode is for risk officers, compliance officers, vendor management practitioners, and C-suite leaders at banks, credit unions, and other financial organizations who want to build third-party risk management programs that go beyond the compliance checklist. #ncontracts #tprm #vendormanagement #thirdpartyrisk #RiskManagement #ComplianceOfficer #FinancialServices #VendorRisk #CommunityBanks #CreditUnions #RegTech