Risk Leader Roundtable: Navigating the Complexity of Third-party Risk

Insights from Liminal’s latest report on trending risk challenges, plus real-world lessons and emerging best practices.

With vendor and supplier risk rising—and traditional approaches breaking down—risk leaders are rethinking how they manage third-party exposure.

Watch the full replay below and scroll down for session highlights and actionable insights.

This roundtable highlights takeaways from Liminal’s latest analyst report, paired with real-world insights from leaders who are scaling smarter, automating faster, and reducing real-world risk.

Join industry experts and the Evident team to explore the strategies and tactics that leading organizations are using to stay ahead of the growing complexity and rising stakes of vendor risk.

Meet the Experts

• Joe Stuntz, Principle Advisor at Liminal
• Terri Weatherly, Senior Risk & Compliance Manager at Amazon
• Larry Murrell, CertSecure Executive at HUB International
• David Thomas, CEO at Evident

You’ll learn:

• What’s behind the increasingly difficult job of managing third-party risk today
• How top organizations are modernizing their risk programs
• Key takeaways from the latest analyst data
• Practical strategies to increase compliance, reduce liability, and protect your operations

Why This Matters

Third-party contracts are the backbone of how cities, counties, and agencies get work done—but vague indemnity clauses, outdated insurance language, and siloed processes can leave governments exposed. And when coverage isn’t verified or risk isn’t transferred correctly, public entities often end up footing the bill.

Key Takeaways

1. Third-party risk is expanding quickly and the stakes are getting higher

As organizations scale and outsource, risk is spreading across a larger and more complex vendor ecosystem.

“Litigation risk has existed forever… but these nuclear verdicts are something we’re having daily discussions about – where is our exposure, and where do we need to tighten up a little bit?”— Terri Weatherly, Amazon

2. Treat risk as a living system, not a checklist

Third-party risk isn’t static. Your approach shouldn’t be either. Shift from one-way processes and static questionnaires to continuous visibility.

“Are we mitigating our risk? Or are we just sort of checking the box? We don’t want to just check the box that shows someone did something once in the past, you know. We need to move to a continuous approach.”
— Joe Stuntz, Liminal

3. Automation isn’t optional

Automation isn’t just about speed — it’s about scaling precision, visibility and accountability.  Use automation to collect attestations, verify compliance, and trigger alerts — not to avoid human judgment, but to enhance it.

“The obvious selling point is efficiency gains. But the other point is that you can apply it to real life business impact and risk reduction, how to be more proactive and address sources of risk before they become a real issue.  Be more proactive, get a better understanding of the types of risks you do have, understand your trends, then set up the programs to mitigate those areas ahead of time.”
— Larry Murrell, HUB International

4. One size does not fit all

Effective risk management is about context — tailor your approach based on your org and your unique risk exposure, data sensitivity, and vendor criticality.

“We help them define these different risk profiles, these different tiers that match their risk exposure and their approach.  You can’t do it with a broad brush, you’ve got to come up with a tailored risk management approach for different profiles where you can define the right coverages, right limits, right requirements for both you and your third parties.” 
— Larry Murrell, HUB International

5. Segment vendors, then prioritize

All vendors aren’t equal. A nuanced, risk-tiered approach helps you act faster and focus where it matters most.

“What’s interesting is that the folks that were with us from the start, they came on when our program was really early.  And they’re tenured and helped us make our operation successful, but they don’t have the compliance mechanisms our new vendors do.  We’re having to go back and help them get more training, because maybe this was great 6 or 7 years ago, but at this point we have gaps we need to address together.” — Terri Weatherly, Amazon

6. Embed Risk Thinking Across Teams

Risk leaders can’t do it alone. The best programs are embedded across legal, procurement, security, and operations.

“Knowledge is power, but we’re so big there’s a siloed effect, and we don’t have the collaboration that we need for everybody to understand the risk exposure that exists.  We have leaned in on this in the last year, to make sure leaders again aren’t just operating in their own little silo, but can highlight some hits and some misses and help educate all of our leaders. So now everybody’s leveling up to understand what kind of exposure is out there, and that’s been a big benefit for us.”
— Terri Weatherly, Amazon

7. Executive support is critical, and can be a game-changer

Risk programs need strong executive backing to evolve from reactive to strategic.  This is becoming more and more important as the stakes of third-party risk keep rising.

“Risk leaders have a seat at the table now — and they need to use it to push for smarter, faster, more strategic programs.”
— David Thomas, Evident