About Shared Assessments

The Shared Assessments Program has been setting the standard in vendor risk assessments since 2005.

Streamlining Control Assessments

The service provider control evaluation process has long been inefficient and costly. Each outsourcing organization produces and distributes its own proprietary questionnaire to each of its service providers. Service providers strain their resources to respond to diverse client information requests. Inconsistencies from questionnaire to questionnaire cause delays for all parties. Time- and resource-intensive onsite visits further burden both the outsourcer and the service provider.

Shared Assessments was created in 2005 by leading financial institutions, the Big 4 accounting firms, and key service providers to inject standardization, consistency, speed, efficiency and cost savings into the vendor risk assessment process. These founding organizations saw the need for a standardized and objective vendor management assessment methodology that would help outsourcers meet regulatory and vendor risk management requirements while significantly reducing costs for all stakeholders. The Shared Assessments Program pilot was completed in 2005, and Version 1 of the Shared Assessments Program Tools was launched in February 2006.

Members of the Shared Assessments Program continue to refine the Program’s Tools on at least an annual basis. New risk control areas are added, and existing risk areas are enhanced, by committees of risk professionals based on the issues they encounter every day. Recently added risk areas include cloud security, mobile devices, 4th party risk and software security. This member input is what keeps the Shared Assessments Program Tools on the leading edge of third party risk assurance issues.

Managing the Vendor Risk Life Cycle

As the trusted source in third party risk assurance, the Shared Assessments Program provides the resources necessary to effectively manage the critical components of the entire vendor risk management lifecycle. The program follows a two-step approach to managing third party risks. Using industry-established best practices, Shared Assessments follows a “trust, but verify” approach to conducting third party assessments, which allows you to fine-tune your third party risk management program to your company’s strategy for managing risk.

The trust component of the Program is the Standard Information Gathering (SIG) questionnaire. By using the SIG, an outsourcer can obtain all of the information necessary to conduct an initial assessment of a service provider’s IT, privacy and data security controls. Questions within the SIG are filtered by the user to apply to the specific type of service outsourced to the third party. A How To Guide provided with each SIG assists in developing a service-type-specific SIG.

The verify portion of the Program is facilitated by the Shared Assessments Agreed Upon Procedures (AUP). The AUP provides several vital functions. First, it allows an outsourcer to validate the answers provided by a third party in the SIG. Second, it sets forth the risk control areas to be assessed as part of an onsite assessment, as well as the procedures to be followed while conducting the assessment and the sampling procedures to be used. The companion document to the AUP, the AUP Report Template, provides a standardized approach to collecting and reporting onsite assessment results, further enhancing the efficiency of the onsite assessment process.

Service Provider Benefits

All of the participants in the vendor risk management lifecycle were considered during the development of the SIG and the AUP. Service providers share an equal role, along with outsourcers and assessment firms, in the ongoing development of the Program Tools, helping to ensure that all parties’ needs are considered. As a result, service providers regularly use the SIG proactively in response to RFPs (to help demonstrate their security controls) and as a component of a standard information packet provided to their customers as part of an annual assessment process. A How To Guide, which specifically addresses the needs of service providers, is also provided to assist in responding to client-issued SIG questionnaires.

Shared Assessments – A Global Community

Shared Assessments members are national and international organizations of all sizes that understand the importance of comprehensive standards for managing third party risk. They include financial institutions, healthcare organizations, energy/utility, retailers and telecommunications companies. They are service providers of all sizes, consulting companies, and assessment firms. They are the best in their class, members of a global community of vendor risk management professionals who understand the value of implementing efficient and effective industry-standard practices.

The Santa Fe Group’s Role

The Santa Fe Group manages the Shared Assessments Program and is dedicated to supporting the development of the Shared Assessments Program. They provide a trusted forum for dialogue and collaboration among all stakeholders on issues that matter to outsourcers, their service providers, assessment firms, regulators and others. Contact us for more information.
