2020 has brought unique risk challenges that have significantly shifted the focus of risk managers. New operational risks emerged with the pandemic, with major shifts to work from home security and service availability issues, vendor stability, and socioeconomic uncertainty. The 2021 Third Party Risk Management Toolkit responds to these challenges with expanded content and controls around resilience, privacy, data governance, data loss, and remote risk. The Tools have also been updated to allow more automation in the creation and analysis of questionnaires and collaboration among teams working with assessments.
This new 2021 edition is considered by risk management professionals to be an invaluable resource. “The Shared Assessments Toolkit is foundational in the area of third party risk,” said Ron Bradley, Director, Cybersecurity Risk Management, Trane Technologies. “2020 has been particularly challenging for those navigating vendor risk, and third party risk managers rely on tools, such as the SIG and the SCA to gather, assess, and verify controls with ease and efficiency.”
The Toolkit was developed based on the needs and experience of over 300 member organizations and the thousands of organizations they serve, as well as the collective needs of non-member Toolkit users who trust and depend on the Shared Assessments Program to develop and maintain comprehensive tools for third party risk management. The Toolkit enables organizations to manage their full vendor assessment relationship life cycles, and to more effectively execute, benchmark, and assess third party risk management programs.
In preparation for regulatory changes in addition to emerging threats, we refreshed the tools with the following risks in mind:
- Increased fraud risk
- Long-term virtual workforce
- Data loss prevention and remote access
- Inability to conduct onsite assessments
- Economic disruption
- Supply chain disruption
- Inability to manage cross-border data transfers
- Travel restrictions
- Vendor failures
“2020 has a been a monumental year for risk managers – a global pandemic, shutdowns, a rapid, widescale shift to a virtual workforce, and increased instability of the critical vendors has only emphasized the strategic importance of a mature third party risk program,” said The Santa Fe Group CEO, David Perez. “The Shared Assessments’ Third Party Risk Management Toolkit incorporates these risks and others identified by the ecosystem of our membership. These tools along with our suite of best practices are essential to helping organizations build program assurance.”
New this year, the 2021 Toolkit is accompanied by a series of online workshops to help Tool purchasers and members optimize the value they gain from the Tools. The workshops for the SIG Tools provide a session for new users and a more detailed course for advanced practitioners.
The components of the 2021 Toolkit include:
1. Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools: The VRMMM has been updated and improved annually since 2013. The industry’s longest running third party risk maturity model, it has been continuously vetted and refined by hundreds of the most experienced third party risk management professionals.
The VRMMM evaluates third party risk assessment programs against a comprehensive set of more than 200 program elements and best practices. Program managers can utilize the Target Maturity to create action plans or incorporate peer benchmark data in setting their maturity targets.
VRMMM Benchmark Tools are free and available at: sharedassessments.org/vrmmm.
2. Standardized Information Gathering (SIG) Questionnaire Tools: The SIG employs a holistic set of industry best practices for gathering and assessing 18 critical risk domains and corresponding controls, including information technology, cybersecurity, privacy, resiliency, and data security risks. These Tools serve as the “trust” component for outsourcers who wish to use industry–vetted questions to obtain succinct, scoped initial assessment information on a service provider’s controls.
The SIG is also used proactively by service providers to reduce initial assessment duplication and assessment fatigue through proactively supplying their own pre-completed Response SIGs to outsourcers.
3. Standardized Control Assessment (SCA) Procedure Tools: The SCA assists risk professionals in performing onsite or virtual assessments of vendors. This is the “verify” component of third party risk programs. The SCA mirrors the 18 critical risk domains from the SIG and can be scoped to an individual organization’s needs. The SCA package includes templates and checklists, which provides a standardized approach to conducting and documenting control reviews, performing testing of controls, and reporting assessment results.
4. Third Party Privacy Tools: The Privacy Tools were built to track requirements from various privacy regulations and framework updates, including CCPA. The Tool includes a Target Data Tracker (TDT) that focuses on privacy data governance obligations that identify, track, and document the use of personal information within specific third party relationships, including subcontractors. The TDT serves as a project management tool that streamlines the collection of information for data classification, data flows, and third party disclosures.
The Target Data Tracker is now free and available at: sharedassessments.org/privacy-tools.
A webinar will be held on October 6, 2:00 pm ET to review the new control areas and functionality of the 2021 Third Party Risk Management Toolkit.