Veteran third-party risk manager Lindsay Baker on evolving TPRM from pain multiplier to business enabler.

By Sweta Bhattacharya
In Episode 7 of The SAFE Cyber Risk Podcast, SAFE’s Chief Product Officer, Saket Bajoria, is joined by Lindsay Baker, a veteran third-party risk management (TPRM) leader with experience spanning high-growth startups and Fortune 500s. Lindsay shares what many TPRM teams know but rarely say out loud: the current process is broken — reactive, manual, and ineffective at surfacing risk before it’s too late.
And yet, there is hope. With automation, smarter design, and early collaboration, TPRM can finally become what it was meant to be — a business enabler.
Seven key takeaways from the conversation:
1. Reconciliation is a major time and credibility drain.
Third-party assessments are often derailed by the effort it takes to manually stitch together information from intake forms, vendor questionnaires, and dozens of compliance documents. This reconciliation step not only consumes weeks of analyst time — it introduces inconsistency, errors, and fatigue.
“You’re jumping through different systems… you’re looking at different inputs… it’s a lot of back and forth, a lot of trying to figure out what’s correct.”
Lindsay argues for AI-powered reconciliation tools that can ingest inputs, highlight mismatches, and surface risk — without human effort.
2. Trying to assess 10,000 vendors equally is a recipe for failure.
Most large enterprises have thousands of third-party vendors. But not all of them touch sensitive data or impact mission-critical systems. Yet, many programs assess each vendor the same way, creating bottlenecks and wasting time on low-risk relationships.
“You need to narrow down your subset to the most critical vendors… Not all of your vendors need to be assessed the same across the board.”
Lindsay advocates for a tiering approach based on data sensitivity, business impact, and inherent risk.
“If you have a vendor that’s processing all your biometric data… that instantly becomes a higher inherent risk… That warrants more of your attention than something lower risk like a Slack or a Zoom.”
3. TPRM must shift from “risk avoidance” to “risk alignment.”
Historically, TPRM teams have been viewed as blockers — intervening late in the process with a checklist, often when business teams have already chosen their vendor. The goal isn’t to stop innovation. It’s to ensure it moves forward safely.
“A vendor that’s already a good fit from both of our perspectives… allows the business to innovate. And then the risk decision is aligned. So not risk avoidance — but risk aligned.”
“We already know the vendor has the basic controls in place… then the risk decision is aligned.”
This mindset shift reframes TPRM as a partner in strategic growth — not a speed bump.
4. Shift left: get involved before the RFP is closed.
When TPRM is introduced after a vendor is selected, options are limited.
“The blocker model is where third-party risk is a gatekeeper; it slows everything down. It’s reactive and it blocks the business. If your TPRM team is slowing down the business, you don’t have a risk management problem — you have a design problem.”
The solution? When security teams engage during vendor evaluation — even before the RFP is finalized — they can proactively guide the business toward safer, faster decisions. This kind of early involvement can significantly reduce friction, accelerate onboarding, and build trust with business stakeholders.
5. Chasing vendors and stakeholders takes weeks of effort.
Getting timely input from business owners and responses from vendors can drag an assessment into a multi-week delay — with no guarantee of accuracy or completion. This “chasing” consumes time and erodes confidence in the process.
“You’re just in a holding pattern… you’re waiting, waiting, waiting… for the right information, the right person, the right team.”
Lindsay’s vision is clear: automate the follow-ups.
“I’d love for an AI agent to track people down!”
6. By the time the risk is communicated, it’s already too late.
After reconciliation and chasing are finally complete, many TPRM teams find themselves ready to deliver a risk summary — but the business has already moved on. The vendor is live. The contract is signed. The risk has been silently accepted.
“You spent all this time trying to get to what actually is the risk… and they don’t want to hear you out. They just want to move forward and ignore you.”
“By the time the risk is found, the vendor’s already in production and six months into an auto-renewal.”
To be relevant, TPRM findings need to be timely, targeted, and delivered while decisions are still being made.
7. End-to-end autonomous TPRM is not science fiction — it’s overdue.
TPRM has changed little in the last decade, but the demands on risk teams have exploded. Lindsay is optimistic about the future — one where intelligent agents streamline the entire lifecycle, and risk professionals focus only on what matters.
“Automating vendor reconciliation doesn’t just save you time — it gives TPRM its job back.”
“You’re not just frantically trying to reconcile, chase, and communicate risks that are six months overdue.”
Her north star? A world where AI helps detect vendors, enrich profiles, triage findings, chase contacts, and elevate only the highest-risk issues for human review.
If third-party risk feels like punishment, the business will treat it like a checkbox. But it doesn’t have to be this way.
“We didn’t sign up to spread the pain. We signed up to help the business.”

SAFE’s Autonomous TPRM Brings This Vision to Life
SAFE’s 100% Autonomous TPRM is about freeing your teams from spreadsheets and follow-ups, so they can focus on strategic risk decisions. To learn how SAFE TPRM enables 100% automation in your third-party risk management program, test drive it yourself!
✅ Automate reconciliation, chasing, and communication with Agentic AI
✅ Prioritize third-party risk based on business impact
✅ Focus remediation efforts where they move the needle most
🚀 Test Drive SAFE TPRM today.