Authorities on Risk Assurance
The Shared Assessments Blog
Published on April 11, 2017 By Catherine A. Allen | Posted in: Best Practices, Boards, Business Resiliency, Certified Third Party Risk Professional (CTPRP) program, Cybersecurity, Education, Framework, Outsourcing, Risk, Risk Management, Security, Third Party Risk, Third Party Risk Management, Vendor Risk Management
The Shared Assessments Program is the only organization that has uniquely positioned and developed standardized resources for managing the complete third party relationship lifecycle. Such standardization is critical to the advancement of effective, secure third party controls and risk management in an otherwise fractured market. As part of our 2017 initiative, we’re formalizing the Shared Assessments Third Party Risk Management Framework. This agnostic and holistic framework will be freely available and will further raise the bar for all organizations that want to achieve rigorous third party controls.
regulated industries to all outsourcers
- Third party risk is rapidly escalating as a major business concern in Executive Perspectives on Risks for 2017.
- Trustwave’s Global Security report of 450 global data breach investigations linked 63% of those breaches to a third party.
- Third party involvement is shown in the 2015 Cost of Data Breach Study: US to increase cost per record from $158 to $172.
- The 2016 Data Breach Investigations Report shows new sectors have joined the financial sector in high frequency of cyberattacks, notably Gaming, Information Technology and IT services, Public Entities, Professional Services and Healthcare.
The Challenge: Risk management has reached a critical inflection point. Third and fourth party risk management, as well as risks posed by new, transformative technologies (IoT, Fintech, etc.), are increasingly on the agenda at the Board and C-Suite levels. Outsourcing and emerging technology open up strategic, financial, quality and business resiliency risks, each with the potential to affect the outsourcer’s compliance posture, services integrity and, ultimately, the organization’s reputation and market position.
Increased training and improved third party risk control discipline respond directly to this growing need. However, the proliferation of unstandardized questionnaires and processes complicates advancement of vigorous third party controls and risk management. Success within this evolving third party landscape means establishing and consistently employing best practices in the field.
Solution Building: Shared Assessments is a mature organization that has worked with industry members for over a decade to bring the efficiencies in vendor management to the market that make robust third party risk management affordable. Shared Assessments is founded on an unequalled, cross industry knowledge base and has become a standard for more efficient and less costly means of conducting rigorous assessments of controls for cybersecurity, IT, privacy, data security and business resiliency.
Shared Assessments resources are developed by members and powered by the experienced thought leaders at The Santa Fe Group, who work collaboratively:
- Raising awareness about third party risk issues;
- Bringing best practices to light for our members and for the larger community;
- Providing resources with the efficiencies that only standardization of third party risk tools and processes can achieve; and
- Providing training and skills certification that holistically address the key elements of a solid third party risk management program.
The Shared Assessments Program’s 2017 Strategic Risk Management Initiative: This initiative addresses the needs of the business community through:
- Third Party Risk Management Framework: Shared Assessments was the first to articulate a framework that embodies a ‘trust, but verify’ approach. We are taking this to a new level in our end-to-end process framework unique to the third and fourth party risk management landscape. The Framework will be available to all and is relevant to both beginner and advanced practitioners.
- Research and Publications: Expansion of member committees to capture and disseminate best practices and expand the learnings of the marketplace in the form of publicly available white papers, case studies and independent research studies.
- Awareness Groups: Building off the tried and true Best Practices and Regulatory Compliance Awareness Groups, 2017 sees the creation of vertical strategy groups that hone in on the unique third party risk needs of currently underserved industries.
- Certification and Leadership Group Training: Expansion of the tool agnostic Certified Third Party Risk Professional (CTPRP) program, with online training and testing availability to extend our capability to educate assessors, information security and other third party risk professionals. A new Certified Third Party Risk Assessor (CTPRA) training is being developed that will explore the deeper level of understanding of risk controls required for an assessor. In 2017, we will be adding specialized add-on training that is specific to the use of the Shared Assessments Program Tools.
- Up-to-Date Third Party Risk Management Program Tools: Our member-led development committees ensure that our tools help create efficiencies and lower costs; are kept current and aligned with regulations, industry standards and guidelines for cybersecurity, IT, privacy, data security and business resiliency and the current threat environment; and have been adopted globally across a broad range of industries both by service providers and their customers. The Vendor Risk Management Maturity Model (VRMMM) is now provided FREE to the third party risk community. This tool allows organizations to evaluate their program against a comprehensive set of best practices. The Standardized Information Gathering (SIG) questionnaire provides the most comprehensive and only standardized third party risk questionnaire in the industry. As outsourcer needs and third party relationships differ, not every relationship requires every question to be answered. That is why Shared Assessments is creating enhanced, automated SIG scoping capabilities to fit specific risk needs. The Standardized Control Assessment (SCA) procedures (formerly the Agreed Upon Procedures – AUP) are being renamed to better reflect the Tool’s purpose and role as a validation methodology for verifying questionnaire answers. Standards are being developed to guide assessors in the use of the SCA, in order to ensure that assessors using the Tool meet appropriate qualifications and that quality assurance checks are applied.
- Increased International Third Party Risk Involvement: Shared Assessments is responding to the increased request for guidance from businesses globally, including the UK and APAC (Asia-Pacific) markets, which includes many US organizations that operate globally. These efforts take the form of convening roundtables, summit participation and publications, and inclusion of more international players to increase the knowledge base in this area, as more organizations understand the growing need to address global marketplace and regulatory concerns.
Catherine Allen is the Chairman and CEO of The Santa Fe Group, a strategic advisory company providing thought leadership expertise and management support for strategic industry and institutional projects across the supply chain, providing expertise to all industry verticals and critical infrastructure organizations in the areas of cybersecurity, emerging technologies, and other areas surrounding third party risk management. The Shared Assessments Program is managed by The Santa Fe Group. Catherine currently serves as a board member of Synovus Financial Corporation, El Paso Electric Company, and Analytics Pros, and is a member of the Risk, Energy and Natural Resources, External Affairs and Nominating and Governance Committees. She chairs the Security Committee for El Paso Electric.