The Trusted Source in
Third Party Risk Assurance

  • Creating efficiencies and cost savings to effectively
    manage the vendor risk management lifecycle
  • Tools follow a standardized "trust, but verify" approach,
    adopted globally across a broad range of industries
  • Kept current with regulations, industry standards
    and guidelines, and the current threat environment
  • Education, resources and tools for outsourcers,
    service providers, assessment firms and solution providers

Membership & Tools

Join our global community of risk management professionals and access our Tools and resources

Become a member of the Shared Assessments Program

"Shared Assessments Program tools allow enterprise organizations to evaluate and measure the level of IT risk across their vendors in a quantifiable, objective and repeatable process."
— Niall Browne, Shared Assessments Steering Committee Member
  • Participate in a global community of information security, privacy, and third party risk management leaders
  • Gain access to members-only resources and the Shared Assessments Program Tools, including the SIG and AUP
  • Develop and demonstrate knowledge with industry peers on challenging issues in information and data security, privacy and business continuity
  • Gain opportunities to build, shape and refine vendor risk management tools and best practices
  • Network with information security officers, privacy officers, and other subject matter experts

Just the Tools

Purchase our ready-to-use Tools to develop and manage your third party vendor assurance program.

The world’s most comprehensive third party risk management tools

"Adopting the Shared Assessments Program enabled Deluxe to reduce cycle time, improve quality, & streamline the due diligence process. At Deluxe, two-thirds of our due diligence requests use Shared Assessment tool."
— Linnea Solem, CIPP, CIPP/C, Chief Privacy Officer, Vice President Risk and Compliance, Deluxe Corp, Shared Assessments Program Chair
  • Obtain efficiencies and cost savings by using just one document to establish and define your risk control environment
  • Reduce FTE costs by using one document to satisfy multiple client requests, rather than responding to multiple proprietary questionnaires
  • Used globally by financial institutions, healthcare organizations, energy/utility, retailers, telecommunications and others
  • Shared Assessments Program Tools kept current with regulatory and industry standards
"Implemented correctly, the Shared Assessments Program serves two critical purposes: satisfying requisite regulatory requirements, and, honoring one's fiduciary responsibility to maximize the overall cost efficiency of their third-party vendor risk management program."
— Ken Peterson, President and CEO, Churchill & Harriman, Inc., Shared Assessments Program Advisory Board Member

Failed Risk Controls – The Wells Fargo Saga, Part Two

Published on April 17, 2017 | Posted in: Blog, Board of Directors, Tone at the Top, Wells Fargo

By: Bob Jones, Senior Advisor, The Santa Fe Group, Shared Assessments Program and Gary Roboff, Senior Advisor, The Santa Fe Group, Shared Assessments Program. The

Setting a New Benchmark – New York State Cybersecurity Requirements

Published on April 17, 2017 | Posted in: Best Practices, Business Resiliency, Compliance, Education, Framework, Newsletter, Outsourcing, Risk Management, Third Party Risk Management, Vendor Risk Management

For financial services companies that fall under the New York State Department of Financial Services (DFS) cybersecurity requirements rule, the timeline for implementing 23 NYCRR500

The Shared Assessments Program 2017 Strategic Risk Management Initiative

Published on April 11, 2017 | Posted in: Best Practices, Board's, Business Resiliency, Certified Third Party Risk Professional (CTPRP) program, Cybersecurity, Education, Framework, Outsourcing, Risk, Risk Management, Security, Third Party Risk, Third Party Risk Management, Vendor Risk Management

The Shared Assessments Program is the only organization that has uniquely positioned and developed standardized resources for managing the complete third party relationship lifecycle. Such

Fourth Party Risk Management White Paper

Examining Fourth Party Risk Management Issues

Emerging Best Practices within the Supply Chain

Risk from downstream parties is increasing as outsourcing organizations engage more and more third parties who themselves have their own outside provider relationships. The proliferation of fourth party relationships creates an unwelcome opportunity for significant risk management gaps.

Learn More and Access the Report »

Continuous Monitoring of Third Party Vendors: Building Best Practices


Moving the Needle on Longitudinal Tracking for More Effective Processes

Continuous monitoring, a subset of ongoing monitoring, moves the risk posture of systems to a level that allows tracking over time, often in real time, to raise awareness of changing vulnerabilities and processes, support more effective decision-making, and achieve discernible gains in risk management.

Learn More and Access the Report »

2016 Shared Assessments Benchmark Study

The 2016 Vendor Risk Management Benchmark Study by Shared Assessments in collaboration with global consulting firm Protiviti examines the maturity of vendor risk management.

Learn More and Access the Report »

Building Best Practices in Third Party Risk Management: Involving Procurement White Paper


Establishing a strong standard for risk management means including all stakeholders before a third party is brought on board. With the right tools and framework, the Procurement function can work closely, efficiently and effectively with all areas of an organization to help provide partners and regulators with a level of assurance that third parties are appropriately vetted and monitored throughout the life of the relationship. Procurement can also help facilitate a centralized process that is designed to mitigate many of the risks associated with these relationships and should therefore be seen as a critical function that organizations can leverage for more than just achieving cost savings.
The paper focuses on ways to effectively integrate Procurement into the third party oversight function.

Learn More and Access the Paper. »

2016 Tone at the Top and Third Party Risk Survey


Tone at the Top and Third Party Risk examines the role of executives in third party risk management in a broad range of industries and the effect of tone at the top on minimizing business risks within organizations. This study is sponsored by Shared Assessments and conducted by the Ponemon Institute.

Key findings indicate that third party vendor risk management is not being effectively implemented:

  • Only 26% of respondents believe that their organization’s third party risk assessment of controls is effective.
  • 50% of respondents do not believe the risk management process is aligned with their organization’s business goals.
  • Just 11% say their organizations are very effective at communicating values throughout the enterprise or to business partners, vendors and other third parties.

Learn More and Access the Paper. »

Financial Services Industry Call to Action


The increased connectivity and complexity of critical infrastructure systems both nationally and globally puts economic and public security squarely at the forefront of risk management in every sector and industry vertical. A proactive stance is clearly required to establish best practices for more mature risk management programs industry-wide.

The financial services industry is in position to continue its leadership role in third party risk management, in order to improve the quality and efficiency of risk management programs at both the outsourcer and provider levels to collectively raise the bar and establish effective industry-wide risk management solutions.

Learn More and Access the Paper »

Onsite Assessments Best Practices White Paper


In 2015, a Shared Assessments awareness committee was established to create a best practice assessment and scoping guideline practical for all outsourcing organizations, onsite assessment teams, managers and service providers, regardless of industry or assessment scope. The guideline will work in concert with existing onsite assessment tools and processes. It provides a clear, consistent methodology to keep the assessment process on target and therefore reduce duplication of effort and assessment fatigue.

Learn More and Access the Paper »

Tone at the Top White Paper



Consensus is quickly growing that an effective risk culture cannot be developed without a “Tone at the Top” that demonstrates, beyond doubt, that the Board and C-Suite are active in building and maintaining an effective enterprise risk management culture and program, inclusive of third party risk issues. The right Tone at the Top and risk culture can become important drivers of improved organizational performance: companies that incorporate risk management into their strategic planning process and operating model gain a clear competitive advantage.

Learn More and Access the Paper »

Incident Response Briefing Paper

The Shared Assessments Program is pleased to announce our briefing paper, Building Best Practices for Effective Monitoring of a Third Party’s Incident Event Management Program.

To help organizations be better prepared against increasingly inevitable incidents, the Shared Assessments Program SIG Committee has released Building Best Practices for Effective Monitoring of a Third Party’s Incident Event Management Program. The paper outlines a newly developed best practices model of incident event management program creation.

Learn More and Access the Paper. »

Collaborative Onsite Assessments Case Study

The Shared Assessments Program is pleased to present a case study based on the first in a series of pilots for our Collaborative Onsite Assessment program.

The goal of this pilot program is to create the opportunity for multiple industry outsourcers to perform a collaborative onsite assessment of a single service provider, performed by an independent assessment firm, leveraging the Shared Assessments Agreed Upon Procedures (AUP), the standardized testing procedures of the Shared Assessments Program, as a common onsite assessment vehicle. The case study outlines the methodology used and the results of this first pilot.

Access the Report »

Registration Now Open: 2017 Shared Assessments Summit

2017 Shared Assessments Summit Dates
June 28-29, 2017
Ritz Carlton Pentagon City
Arlington, VA

Click here to learn more and register.

Click here for hotel information.

Click here to learn about our Pre-Conference Workshops.

Sponsorship opportunities available. Click here to view Sponsorship Brochure.

June 26:

  • How to Start a Third Party Risk Management Program Pre-Summit Workshop(s)

June 27:

  • Shared Assessments SIG 101 and AUP 101 Pre-Summit Workshop(s)
  • Cloud Use - How far should I go? Pre-Summit Workshop
  • Shared Assessments SIG 201 and AUP 201 Pre-Summit Workshop
  • Continuous Risk Monitoring Pre-Summit Workshop

June 28:

  • Shared Assessments Summit (full day session)

June 29:

  • Shared Assessments Summit (full day session)

June 30:

  • CTPRP Certification Workshop & Exam

2017 Program Tools

Our 2017 Shared Assessments Program Tools deliver comprehensive assessment of IT, privacy and data security controls to manage threats.

Learn which Program Tool is right for you »

Newsletter Archive

April 2017
New York State Cybersecurity Requirements and Third Party Risk Management
March 2017
Including Risk Rating in Due Diligence
February 2017
Lines of Defense
January 2017
2016 Year in Review
December 2016
2017 Program Tools Released
November 2016
2016 Vendor Risk Management Benchmark Study
October 2016
Achieving a Robust Third Party Risk Program
September 2016
Best Practices for Building Third Party Risk Programs
August 2016
New Opportunities, New Obligations
July 2016
UK Brexit Vote
June 2016
Shared Assessments Summit 2016
May 2016
EU's GDPR and the EU-US Privacy Shield
April 2016
2016 Tone at the Top and Third Party Risk Study
February 2016
2016 Program Tool Updates
January 2016
FFIEC Examination Handbook
December 2015
Incident Event Management
November 2015
2015 - A Year in Review
October 2015
Tone at the Top
September 2015
International Standards
August 2015
Privacy Defense
July 2015
2015 Vendor Risk Management Benchmark Study
June 2015
May 2015
2015 Shared Assessments Summit
April 2015
Payments Security: Will PCI Play a Role in Our Future?
March 2015
Voice Privacy: An Issue that Needs to be Heard
February 2015
The Board's Role in Third Party Risk
January 2015
2015 Third Party Risk Resolutions
December 2014
2014 A Year in Review
November 2014
Third Party Risk Certification
October 2014
The Emerging Mobile Payments Battle
September 2014
Obligations of HIPAA Business Associates
August 2014
Vendor Classification
July 2014
Third Party Software Security
June 2014
Experts Weigh In On Third Party Risk
May 2014
2014 Vendor Risk Management Benchmark Study
April 2014
The Board's Role in Risk Management
March 2014
Third Party Data Breach Incidences
February 2014
Shared Assessments Launches New 2014 Program Tools
