BlogMembership & Tools
The Trusted Source in
Third Party Risk Assurance
- Creating efficiencies and cost savings to effectively
manage the vendor risk management lifecycle - Tools follow "a trust, but verify" standardized approach,
adopted globally across a broad range of industries - Kept current with regulations, industry standards
and guidelines, and the current threat environment - Education, resources and tools for outsourcers,
service providers, assessment firms and solution providers
Become a member of the Shared Assessments Program
"Integrating the full range of Shared Assessments content into our GRC platform gives our customers streamlined vendor management tools, empowering them to better manage the governance, risk and compliance issues surrounding their third-party relationships."
— Chris Caldwell, CEO, LockPath
- Participate in a global community of information security, privacy, and third party risk management leaders
- Gain access to members-only resources and the Shared Assessments Program Tools, including the SIG and AUP
- Develop and demonstrate knowledge with industry peers on challenging issues in information and data security, privacy and business continuity
- Gain opportunities to build, shape and refine vendor risk management tools and best practices
- Network with information security officers, privacy officers, and other subject matter experts
Just the Tools
Purchase our ready-to-use Tools to develop and manage your third party vendor assurance program.
Learn more about purchasing the world’s most comprehensive third party risk management tools
Learn More »The world’s most comprehensive third party risk management tools
"Shared Assessments Program tools allow enterprise organizations to evaluate and measure the level of IT risk across their vendors in an quantifiable, objective and repeatable process."
— Niall Browne, Shared Assessments Steering Committee Member
- Obtain efficiencies and cost savings by using just one document to establish and define your risk control environment
- Reduce FTE costs by using one document to satisfy multiple client requests, rather than responding to multiple proprietary questionnaires
- Used globally by financial institutions, healthcare organizations, energy/utility, retailers, telecommunications and others
- Shared Assessments Program Tools kept current with regulatory and industry standards
"Early Warning adheres to a security program ensures we protect all of our customers’ data, including Personally Identifiable Information (PII). Through active participation and membership in the Shared Assessments program, we leverage the Program’s tools and resources to make our customer audits as efficient as possible."
— Glen Sgambati, CISM, CIPP, CRISC, CTP, CTPRP
Early Warning
Using Risk Rating to Optimize Your Third Party Risk Program
Risk rating of third party providers is an essential aspect of a comprehensive risk management program. When based on pre-determined criteria, outsourcers can use risk rating to identify actual versus perceived risk as it relates to specific risk areas, such as financial health, security controls and resiliency.
The Internet of Things (IoT): A New Era of Third-Party Risk
“Ready or not, IoT third party risk is here. Given the proliferation of connected devices, today’s cyber climate is evolving and organizations have to shift their focus to the security of external parties, now more than ever,” said Charlie Miller, Senior Vice President with the Shared Assessments Program. “In order to avoid becoming the next big headline, our security tactics have to evolve along with the threats.”
Fourth Party Risk Management White Paper
Examining Fourth Party Risk Management Issues
Emerging Best Practices within the Supply Chain
Risk from downstream parties is increasing as outsourcing organizations engage more and more third parties who themselves have their own outside provider relationships. The proliferation of fourth party relationships provides the undesired opportunity for the existence of significant risk management gaps.
Continuous Monitoring of Third Party Vendors: Building Best Practices
Moving the Needle on Longitudinal Tracking for More Effective Processes
Continuous monitoring, a subset of ongoing monitoring, moves the risk posture of systems to a level that allows tracking over time, often in real-time, to raise awareness of changing vulnerabilities and processes for more effective decision-making and achieve discernable gains in risk management.
2016 Shared Assessments Benchmark Study
The 2016 Vendor Risk Management Benchmark Study by Shared Assessments in collaboration with global consulting firm Protiviti examines the maturity of vendor risk management.
Building Best Practices in Third Party Risk Management: Involving Procurement White Paper
Establishing a strong standard for risk management means including all stakeholders before a third party is brought on board. With the right tools and framework, the Procurement function can work closely, efficiently and effectively with all areas of an organization to help provide partners and regulators with a level of assurance that third parties are appropriately vetted and monitored throughout the life of the relationship. Procurement can also help facilitate a centralized process that is designed to mitigate many of the risks associated with these relationships and should therefore be seen as a critical function that organizations can leverage for more than just achieving cost savings.
The paper focuses on ways to effectively integrate Procurement into the third party oversight function.
2016 Tone at the Top and Third Party Risk Survey
Tone at the Top and Third Party Risk examines the role of executives in third party risk management in a broad range of industries and the effect of tone at the top on minimizing business risks within organizations. This study is sponsored by Shared Assessments and conducted by the Ponemon Institute.
Key findings indicate that third party vendor risk is not being effectively implemented:
- Only 26% of respondents believe that their organization’s third party risk assessment of controls is effective.
- 50% of respondents do not believe the risk management process is aligned with their organization’s business goals.
- Just 11% say their organizations are very effective at communicating values throughout the enterprise or to business partners, vendors and other third parties.
Financial Services Industry Call to Action
The increased connectivity and complexity of critical infrastructure systems both nationally and globally puts economic and public security squarely at the forefront of risk management in every sector and industry vertical. A proactive stance is clearly required to establish best practices for more mature risk management programs industry-wide.
The financial services industry is in position to continue its leadership role in third party risk management, in order to improve the quality and efficiency of risk management programs at both the outsourcer and provider levels to collectively raise the bar and establish effective industry-wide risk management solutions.
Onsite Assessments Best Practices White Paper
In 2015, a Shared Assessments awareness committee was established to create a best practice assessment and scoping guideline practical for all outsourcing organizations, onsite assessment teams, managers and service providers, regardless of industry or assessment scope. The guideline will work in concert with existing onsite assessment tools and processes. It provides a clear, consistent methodology to keep the assessment process on target and therefore reduce duplication of effort and assessment fatigue.
Tone at the Top White Paper
DID YOU KNOW?
Consensus is quickly growing that an effective risk culture cannot be developed without a “Tone at the Top” that demonstrates, beyond doubt, that the Board and C-Suite are active in building and maintaining an effective enterprise risk management culture and program, inclusive of third party risk issues. The right Tone at the Top and risk culture can become important drivers of improved organizational performance – companies that incorporate risk management into their strategic planning process and operating model gain clear competitive advantage
Incident Response Briefing Paper
The Shared Assessments Program is pleased to announce our briefing paper, Building Best Practices for Effective Monitoring of a Third Party’s Incident Event Management Program.
To help organizations be better prepared against increasingly inevitable incidents, the Shared Assessments Program SIG Committee has released Building Best Practices for Effective Monitoring of a Third Party’s Incident Event Management Program. The paper outlines a newly developed best practices model of incident event management program creation.
Collaborative Onsite Assessments Case Study
The Shared Assessments Program is pleased to present a case study based on our first in a series of pilots for our Collaborative Onsite Assessment program.
The goal of this pilot program is to create the opportunity for multiple industry outsourcers to perform a collaborative onsite assessment of a single service provider, performed by an independent assessment firm, leveraging the Shared Assessments Agreed Upon Procedures (AUP), the standardized testing procedures of the Shared Assessments Program, as a common onsite assessment vehicle. The case study outlines the methodology used and the results of this first pilot.
