About Shared Assessments
The Shared Assessments Program has been setting the standard in vendor risk assessments since 2005
Streamlining Control Assessments
The service provider control evaluation process has long been inefficient and costly. Each outsourcing organization produces and distributes its own proprietary questionnaire to each of its service providers. Service providers strain their resources to respond to these diverse client information requests. Inconsistencies from one questionnaire to the next cause delays for all parties. Time- and resource-intensive onsite visits further burden both the outsourcer and the service provider.
Shared Assessments was created in 2005 by leading financial institutions, the Big 4 accounting firms, and key service providers to inject standardization, consistency, speed, efficiency and cost savings into the vendor risk assessment process. These founding organizations saw the need for a standardized and objective vendor management assessment methodology that would help outsourcers meet regulatory and vendor risk management requirements while significantly reducing costs for all stakeholders. The Shared Assessments Program pilot was completed in 2005, and Version 1 of the Shared Assessments Program Tools was launched in February 2006.
Members of the Shared Assessments Program continue to refine the Program’s Tools on at least an annual basis. New risk control areas are added, and existing risk areas are enhanced, by committees of risk professionals based on the issues they encounter every day. Recently added risk areas include: cloud security, mobile devices, 4th party risk and software security. This member input is what keeps the Shared Assessments Program Tools on the leading edge of third party risk assurance issues.
Managing the Vendor Risk Life Cycle
As the trusted source in third party risk assurance, the Shared Assessments Program provides the resources necessary to manage the critical components of the entire vendor risk management lifecycle. The Program takes a two-step, “trust, but verify” approach to third party assessments, built on industry-established best practices, which allows you to fine-tune your third party risk management program to your company’s strategy for managing risk.
The trust component of the Program is the Standard Information Gathering (SIG) questionnaire. Using the SIG, an outsourcer can obtain all of the information necessary to conduct an initial assessment of a service provider’s IT, privacy and data security controls. The user filters the questions within the SIG so that they apply to the specific type of service outsourced to the third party. A How To Guide provided with each SIG assists in developing a SIG tailored to that service type.
The verify portion of the Program is facilitated by the Shared Assessments Agreed Upon Procedures (AUP). The AUP serves several vital functions. First, it allows an outsourcer to validate the answers provided by a third party in the SIG. Second, it sets forth the risk control areas to be assessed as part of an onsite assessment, the procedures to be followed while conducting the assessment, and the sampling procedures to be used. The companion document to the AUP, the AUP Report Template, provides a standardized approach to collecting and reporting onsite assessment results, further enhancing the efficiency of the onsite assessment process.
Service Provider Benefits
All of the participants in the vendor risk management lifecycle were considered during the development of the SIG and the AUP. Service providers share an equal role, along with outsourcers and assessment firms, in the ongoing development of the Program Tools, helping to ensure that all parties’ needs are considered. As a result, service providers regularly use the SIG proactively: in response to RFPs, to help demonstrate their security controls, and as a component of a standard information packet provided to their customers as part of an annual assessment process. A How To Guide that specifically addresses the needs of service providers is also provided to assist in responding to client-issued SIG questionnaires.
Shared Assessments – A Global Community
Shared Assessments members are national and international organizations of all sizes that understand the importance of comprehensive standards for managing third party risk. They include financial institutions, healthcare organizations, energy and utility companies, retailers and telecommunications companies, as well as service providers of all sizes, consulting companies, and assessment firms. They are the best in their class: members of a global community of vendor risk management professionals who understand the value of implementing efficient and effective industry-standard practices.
The Santa Fe Group’s Role
The Santa Fe Group manages the Shared Assessments Program and is dedicated to supporting its continued development. It provides a trusted forum for dialogue and collaboration among all stakeholders on issues that matter to outsourcers, their service providers, assessment firms, regulators and others. Contact us for more information.