The Shared Assessments Program Tools
For the Effective Management of the Vendor Risk Management Lifecycle
The Shared Assessments Program Tools provide rigorous standards for building and enhancing risk management capabilities.
Managing Third Party Risk
The service provider control evaluation process has long been inefficient and costly. Each outsourcing organization produces and distributes its own proprietary questionnaire to each of its service providers. Service providers strain their resources to respond to diverse client information requests. Inconsistencies from questionnaire to questionnaire cause delays for all parties. Time- and resource-intensive onsite visits further burden both the outsourcer and the service provider.
Using industry-established best practices, Shared Assessments follows a “trust, but verify” approach to conducting third party assessments, which allows you to fine-tune your third party risk management program to your company’s strategy for managing risk.
Which Tool Is Right For You?
Standardized Information Gathering Questionnaire (SIG)
If the primary focus of your program (or your role in the organization) is obtaining information from your service providers through the use of questionnaires, then the SIG (the trust component of Shared Assessments) is right for you. You may want to start with the SIG Lite to conduct an initial evaluation of your vendors and use the full SIG for more complex services. Or, you can use the full SIG and simply filter the questions presented to the vendor based on the services they provide. While each component may be used independently, the use of both tools in tandem provides maximum protection from third party risks.
Agreed Upon Procedures (AUP)
If the driving force of your third party risk program is the evaluation of service providers through onsite assessments, then the AUP is the tool for you. The AUP was created for use by a company’s IT/audit departments, and by accounting and assessment firms that conduct independent onsite audits of service provider controls. The AUP includes a comprehensive list of the controls a service provider should have in place to properly protect your data and systems. In addition, the AUP specifies the procedures to be used to conduct controls testing and recommends sampling parameters to obtain consistent and cost-effective results. If this sounds like your approach to managing third party risk, then check out all of the details on the AUP on the AUP Learn More page. If you are uncertain which approach is right for you, or you believe that executing both components of the “trust, but verify” model is the way to go, we offer special pricing for a Complete Bundle for companies that want to use all of the Shared Assessments Program Tools.
Vendor Risk Management Maturity Model (VRMMM)
|INCLUDED FEATURES||SIG 2016 BUNDLE||SIG LITE 2016 BUNDLE||AUP 2016 BUNDLE||VENDOR RISK MANAGEMENT MATURITY MODEL 2016||COMPLETE 2016 BUNDLE|
|SIG 2016 LITE||X||X||X|
|SIG 2016 MANAGEMENT TOOL||X||X|
|SIG LITE 2016 MANAGEMENT TOOL||X||X||X|
|SIG ISSUER’S GUIDE||X||X|
|SIG RESPONDENT’S GUIDE||X||X|
|SIG ISSUER’S QUICK START GUIDE||X||X|
|SIG RESPONDENT’S QUICK START GUIDE||X||X|
|SIG SCOPING COMPANION SAMPLE (NEW)||X||X|
|AUP 2016 REPORT TEMPLATE||X||X|
|AUP 2016 OVERVIEW||X||X|
|VENDOR RISK MANAGEMENT MATURITY MODEL 2016||X||X|
|Vendor Risk Management Maturity Model Overview 2016||X||X|
Select Your Assessment Tools
Complete 2016 Bundle
Buy the Complete Bundle, which includes the Tools in both the SIG and AUP bundles, as well as the VRMMM, and save $7,500 off the cost of purchasing the Tools separately.
SIG 2016 Bundle
The Standardized Information Gathering (“SIG”) questionnaire contains a robust yet easy-to-use set of questions to gather and assess information technology, operating and security risks (and their corresponding controls) in an information technology environment.
SIG Lite 2016 Bundle
The SIG Lite consists of a subset of questions duplicated from all of the detail tabs found in the full SIG.
AUP 2016 Bundle
The Shared Assessments Agreed Upon Procedures (AUP), a tool for standardized onsite assessments, is used by outsourcers as well as independent assessment firms that conduct onsite audits of an organization’s controls.
Vendor Risk Management Maturity Model (“VRMMM”) 2016
Using governance as the foundational element, the Vendor Risk Management Maturity Model (VRMMM) identifies the framework elements critical to a successful program.
"Early Warning adheres to a security program ensures we protect all of our customers’ data, including Personally Identifiable Information (PII). Through active participation and membership in the Shared Assessments program, we leverage the Program’s tools and resources to make our customer audits as efficient as possible."
— Glen Sgambati, CISM, CIPP, CRISC, CTP
Chief Risk and Security Officer
Become a Shared Assessments Program Member
Shared Assessments members are national and international organizations of all sizes that understand the importance of comprehensive standards for managing third party risk. They include financial institutions, healthcare organizations, energy/utility, retailers and telecommunications companies.
They are service providers of all sizes, consulting companies, and assessment firms. They are the best in their class, members of a global community of vendor risk management professionals who understand the value of implementing efficient and effective industry-standard practices.
- Free access to the Shared Assessments Program Tools.
- Working on one of the Program’s Standing Committees (SIG, AUP or VRMMM) to continue to refine the Program’s Tools. Member input is what keeps the Shared Assessments Program Tools on the leading edge of third party risk assurance issues.
- Participate in Special Projects and Interest Groups. Join your peers to identify, discuss and address the issues you (and your management) feel are top priorities for resolution.
- Participants in Shared Assessments committees, projects and special interest groups earn CPE credits while demonstrating risk management and compliance leadership.
- Join the monthly Member Forum and other special interest calls. Listen to key industry and regulatory thought leaders presenting on the latest developments in vendor risk management and regulatory compliance.
- Access to third party risk management training and education, white papers, project documents, and case studies.
- Discounts on registration for Shared Assessments events and educational workshops.
Reminder: If you have already purchased the Shared Assessments Tools, you can become a Shared Assessments Program member and reduce your annual dues by the total amount of your purchase, provided you join within 6 months of your Program Tool purchase.