Blogpost

2022 Third-Party Risk Management TPRM Toolkit FAQs

Standardized Information Gathering (SIG)

SIG Basic Functionality

What is SIG Manager?
  • SIG Manager is the engine that creates and manages the Standardized Information Gathering (SIG) Questionnaires (templates). The Tool allows organizations to build, customize, analyze, store, and recall third party assessments. See page 2 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide.

What is a SIG Questionnaire?
  • The SIG Questionnaire is the template produced by SIG Manager (electronic questionnaire)—quickly, simply and out-of-the-box, or with as much specificity and detail as you need. See page 2 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide.

The SIG Manager was downloaded, so how do I get started?
  • SIG Manager operates within Excel. Make sure you have Excel open, enable content, and enable editing if prompted. Start with page 3 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide for complete instructions.

Why do I need to enter my company name?
  • Access to the Tool is licensed to Tool purchasers and members. See the Copyright tab on the SIG Manager for more information, and page 3 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide.

After creating a SIG scoping template, can I rename it?
  • The Recall/Modify function allows you to save a template under the same or a different name. See page 23 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide.

Can macros be disabled on the SIG Manager?
  • No, the SIG Manager requires macros to function properly.

Can macros be disabled on a SIG Questionnaire?
  • Yes, macros are not required for completion of a Questionnaire. However, disabling macros will then display all questions that may not be applicable to the scoped services.

How do I download the most recent version of the SIG Manager?
  • You will receive instructions with your membership or Tool purchase, generally associated with your new login to the website. Any new versions to the SIG are posted to the website. https://sharedassessments.org

How do I upgrade from a 2021 SIG Manager to 2022 version?
  • On the SIG Manager tab, click Upgrade in the Manage SIG Data field and select the file to upgrade, then click Open. See page 21 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide.

What details are included in a transfer from an earlier version of the SIG Manager to the 2022 version?
  • Any content in the Content Library, and all templates are included in a transfer. See page 21 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide.

Is the SIG Manager available in other formats besides Microsoft Excel, such as XML?
  • The Shared Assessments Program only provides the SIG for user interfaces in Microsoft Excel at this time. The SIG can export configuration and/or responses in a standardized format called “JSON” (JavaScript Object Notation) that is recognized by various types of software and interfaces. See page 22 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide.

What is “Scoping” and how do I do it?
  • The term scoping is used to describe the act of configuring or creating a SIG questionnaire by choosing the type and level of questions that are appropriate to your assessment requirements. Important: You must scope or create a SIG Scoping Template before you can save it, use it, or use a default SIG Questionnaire.  See page 9 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide.

How do I know which level of a SIG to choose?
  • The level of SIG to choose is based on the depth and breadth of due diligence you need based on the vendor’s risk rating and vendor classification. Two default SIG Questionnaire templates are provided. The SIG Lite provides a foundation with 150 program level questions, while the SIG Core provides a comprehensive set of questions for higher risk vendors. Each company can tailor, scope or filter the number and type of questions using the SIG Manager based on what type of assessment is being performed. See page 6 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide.

Would a service provider ever need to respond to all the questions in the Content Library?
  • No. The SIG Content Library provides an inventory of accessible, vetted questions simply that are available to choose from for detailed configuration level risk assessments, or deep-dive assessments on very specific industry sector topics.  Detail level questions are not included in default SIG Questionnaires since they are designed for more customized assessments.

Can I change the wording of a question?
  • According to the Terms of Use, questions may not be edited without written permission from Shared Assessments. However, custom questions can be added to the Content Library. The SIG Manager allows you to add up to 100 custom questions within the Content Library for inclusion in your scoped questionnaires. See page 28 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide.

Can I remove or hide tabs in the SIG?
  • The SIG Manager enables you to create your SIG with single or multi-tab formats. The sections included in the SIG depend on whether default SIG Scoping Templates or custom scoped SIG Scoping Templates were used to create the SIG. Default SIG Scoping Templates create the Standard SIG Lite and Standard SIG Core using out-of-the-box functionality to create standardized, tiered questionnaires. See page 10 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide.

Why can’t I choose more than two mapping references for scoping?
  • The SIG Questionnaire cannot accommodate more than two mapping references at this time, due to space limitations in Excel. For more information on Mapping, see page 10 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide.

If I choose to exclude a question, would all the other questions related to it be excluded as well?
  • No. Choosing to exclude one question does not mean related questions won’t apply. See page 11 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide.

SIG Advanced Functionality

How do I include the Maturity field in my questionnaire?
  • The option to include the Full Tab and/or Maturity field in a questionnaire is included on the Common Options tab in the SIG Manager. See page 25 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide for instructions on how and why you can include these fields.

What is a Category and how is it used?
  • A (Control) Category is a scoping method used to classify risk types. Choose the SIG Scoping Template option in the Create Questionnaires and Templates section on the SIG Manager tab, and the Scoping Method options appear. See page 9 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide.

Where are the sub-categories?
  • Sub-categories have been renamed as Attributes in the Content Library. See page 11 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide.

Can I add additional questions outside of the Content Library inventory?
  • Up to 100 additional questions can be added during the scoping phase of the SIG creation after adding these custom questions to the Content Library tab to be included in a created SIG.  See page 28 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide.

What is a Master Answer Key and how do I create one?
  • A Master Answer Key contains the completed SIG questions and answers that an Assessor expects to receive from a Third Party. The Master Answer Key provides a way to automate the analysis of a vendor’s completed SIG questionnaire by using the answer key to compare the results. In the 2022 SIG Manager, the Master responses are located on the Content Library tab.  See page 14 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide to create a Master Answer Key and automate SIG Questionnaire reviews.

Is there a way to transfer my responses from an earlier version of a SIG Questionnaire to the latest version of the SIG Questionnaire?
  • Earlier versions of a completed SIG questionnaire may be transferred to newer versions, and newer versions may be transferred to older versions. You can transfer responses from any version of the SIG Manager back to version 3.1 using the Migrate function within SIG Manager. You need an answered SIG questionnaire as a source file, and another SIG questionnaire as a destination file to do the transfer. See page 21 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide for further instructions.

How do I analyze the data in a returned SIG Questionnaire?
  • Analyze becomes available (on the SIG Manager tab) after you have entered Master Responses into the Content Library and saved the SIG Manager. You can analyze data by comparing answers against the Content Library, or another SIG. See page 19 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide.

What is Tab Automation used for?
  • The Tab Automation feature is default-enabled to activate dynamic function of the parent and subsidiary questions at all levels. When enabled, the function allows for greater efficiency in response keeping other questions hidden when a “No” response is provided. When the tab is disabled, all questions are revealed providing full transparency.

Regulation References

Has the SIG been updated to address obligations under CCPA/CPRA?
  • Yes. The Privacy section of the SIG and the SCA have been updated to include questions related to CCPA/CPRA and other state regulatory privacy obligations. In addition, the updated Target Data Tracker Tool can be used to assist with CCPA readiness efforts for collecting information about the use of classifications of data in third party relationships. State privacy regulations are focused specifically on the privacy domain and are included in questions, while only global or federal privacy regulations/frameworks that impact multiple risk domains are mapped directly as mapping reference in the Content Library. See page 10 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide.

TPRM Toolkit Support

Are the Shared Assessments Tools available in multiple languages?
  • The Tools are available in English–other languages are not currently available. Please refer to the Shared Assessments website for future updates. https://sharedassessments.org

What types of Tool training and personalized assistance do you offer?

Do you offer free usage of your Tools for educational purposes?
  • No. Tools are provided to tool purchasers and members via license. Refer to the Copyright tab on the SIG Manager tool.

 

Standardized Control Assessment (SCA)

Can I use the Documentation and Artifacts Request Checklist outside of an onsite assessment?
  • Yes. Members and Tool purchasers that receive the Standardized Control Assessment (SCA) Procedures will receive a stand-alone Documentation and Artifacts Checklist that can be used as a template or artifact in any due diligence process to provide efficiency in the due diligence process. The SCA Best Practices Checklist will refer to this tool in the planning phase of a risk assessment.

Are there multiple ways to use the SCA Control Assessment Procedures?
  • Yes. The SCA Procedures provide a library of test procedures that can be used for onsite or virtual assessments. The SCA Procedures can be used by internal audit or assurance teams to conduct readiness or control assessment reviews. The procedures can be used internally for gap analysis, self-assessment, or in any process such as M&A, where control assessments are indicated.

Are there any guidelines I should follow when utilizing the SCA?
  • Yes. The Shared Assessments Program has developed a set of SCA Guidelines that are included in the bundle. The SCA Procedures provide risk professionals a set of resources (tools, templates, checklists, guidelines) that can be used to plan, scope, and perform third-party risk assessments. This is the “verify” portion of a third party risk program and was created leveraging the collective intelligence and experience of our vast member base. It is updated every year in order to keep up with the ever-changing risk environment and priorities.

Do I have to use every procedure when conducting a SCA?
  • No. The SCA is a library of best practice assessment procedures and should be scoped based on risk factors determined by the organization.

Are there multiple ways the SCA can be used?
  • Yes. The SCA can be used to provide independent testing of controls. It can be used by outsourcers and service providers in the due diligence process, and it can be used as an internal self-assessment.

Data Governance (Target Data Tracker – TDT)

Can the Target Data Tracker Tool be used for CCPA/CPRA initiatives?
  • The Target Data Tracker Tool is designed to be used as a project management tool and supports the SIG and SCA in the “Trust But Verify” model. The Tool can assist organizations to track data collected by or disclosed to third parties, how that data is used, and where it is accessed. The enhanced Data Governance Tools assist with the identification, tracking, and maintenance of personal information that is utilized within specific third-party relationships. These functions can support CCPA/CPRA readiness and planning efforts, and can be utilized as a due diligence artifact to respond to client requests for service providers.

Can the Target Data Tracker tool be used for Standard Contractual Clauses (SCCs) readiness initiatives?
  • Yes. The Tool can assist organizations to track data collected by or disclosed to third parties, how that data is used, and where it is accessed. The enhanced Data Governance Tools assist with the identification, tracking, and maintenance of personal information that is utilized within specific third-party relationships. The sections of the Target Data Tracker provide a data collection mechanism for information required to address the contract Annex requirements in the GDPR/EU SCCs. Refer to the TDT User Procedure Guide for details.

Can the Data Governance Tools assist with Data Protection Impact Assessments (DPIAs)?
  • The updated Data Governance Tools are designed to assist with pre-scoping activities prior to conducting a complete third-party review. The standalone SIG and SCA Templates can be used as artifacts for conducting a DPIA assessment. The Data Governance Tools focus on the core privacy obligations and should be used in conjunction with the completed Target Data Tracker or completed SIG for an enterprise view of the Information Technology and Security risks.

As a service provider, can the Target Data Tracker be used as a record of my processing activities under GDPR General Data Protection Regulation (EU) ?
  • The Target Data Tracker Tool was constructed as a due diligence artifact to be used across many privacy jurisdictions. It contains relevant topics and attributes for records of processing and authorized use, including GDPR obligations for records of processing or as evidence of the implementation of Standard Contractual Clauses (SCCs). Each set of services may require different levels of detail to meet records of processing artifacts, but it can be used to supplement or enhance these documentation efforts. Refer to the TDT User Procedure Guide for detailed information on how to use the Tool.

Vendor Risk Management Maturity Model (VRMMM)

What is Target Maturity and how do I use it? 
  • Target Maturity is an optional field to display in the Vendor Risk Management Maturity Model VRMMM Dashboard to establish the desired state of maturity for each element in a TPRM program. Target Maturity is typically not displayed to users during initial self-assessment to prevent skewing of results but is used to quantify and prioritize areas of improvement. The VRMMM User Procedure Guide provides an overview on how to utilize the Target Maturity Feature.

Is there an updated VRMMM Benchmarking Study? 
  • The last published study was released in 2019 and planned updates were delayed due to the pandemic. The next iteration of the VRMMM benchmarking study is in development in 2021 with planned surveys and analysis for release in mid-year 2022. The research will be structured with a focus on the 48 VRMMM Program Attributes, including the new TPRM program elements such as Environmental Social Governance (ESG), M&A, Fourth-Nth Party Management, etc.

How do I share the results of the VRMMM self-assessment?
  • The VRMMM tool enables an organization to assess the maturity of over 250 detailed program criteria. The VRMMM organizes TPRM Program structures into Categories and Attributes to streamline the identification of areas of process improvement.  The VRMMM Executive Summary Data Tables and Reporting Templates provide formatting templates and charts to share TPRM results and action plans to include in enterprise risk management reporting.

How do I use the VRMMM Accountability Matrix?
  • The VRMMM tool is designed to capture the process maturity across cross-functional areas of a TPRM Program. The VRMMM Accountability Matrix enables the TPRM program owner to capture the names and resources for the individual(s) who provided inputs to the self-evaluation process. The Matrix also enables the identification of the TPRM Program Owners who approved setting Target Maturity levels for the TPRM program in the organization.