The 2023 TPRM Product Suite carries many enhancements that respond to the current regulatory and risk environment.
About Shared Assessments’ 2023 Third-Party Risk Management Product Suite
The 2023 Shared Assessments Third-Party Risk Management Product Suite lays the foundation for building and scaling a successful TPRM Program.
Bringing your risk management processes together, the 2023 TPRM Product Suite consists of four core solutions:
- Standardized Information Gathering (SIG) Questionnaire (includes SIG Fundamentals Training)
- Standardized Control Assessment (SCA) Procedure
- Vendor Risk Management Maturity Model (VRMMM)
- Data Governance Products
The 2023 TPRM Product Suite can be used to assess outsourcing risk across all major industry verticals, including banking, energy, utilities, government, healthcare, information technology, manufacturing, and retail. 15,000+ organizations run efficient and effective Third-Party Risk Management programs with the Shared Assessments TPRM Product Suite.
Notable New Content: 2023 Standardized Information Gathering (SIG) Questionnaire
The 2023 Standardized Information Gathering (SIG) Questionnaire’s new Nth Party Domain accounts for an increasingly complex supply chain, helping users scope a SIG supply chain risk assessment more easily and precisely.
Additionally, ESG (Environmental, Social, Governance) takes a prominent role in the 2023 SIG with 131 questions in a new ESG Risk Domain allowing users to easily scope an ESG-specific SIG. Risk practitioners can use an ESG-scoped SIG to self-assess their own organization’s ESG compliance, or to assess third-party ESG risk (and use responses to assist with ESG reporting and metrics).
The 2023 SIG has received important privacy updates to address the CPRA amendments to the CCPA taking effect in California, as well as EU GDPR updates, the revised GLBA Safeguards Rule, and the upcoming U.S. state privacy laws in Colorado, Utah, Virginia, and Connecticut.
Content Refresh Based On New Regulations and Standards
Mapping additions to the 2023 Standardized Information Gathering Questionnaire (SIG) help organizations stay current with the latest regulations and widely adopted standards:
- Federal Financial Institutions Examination Council (FFIEC) Architecture, Infrastructure, and Operations (AIO) focuses on enterprise-wide, process-oriented approaches that relate to the design of technology within the overall enterprise and business structure, implementation of information technology (IT) infrastructure components, and delivery of services and value for customers.
- Federal Financial Institutions Examination Council (FFIEC) Outsourcing Technology Services stresses that institutions must address additional risks beyond their normal vendor management responsibilities.
- Federal Risk and Authorization Management Program (FedRAMP) establishes a single risk-based standard that cloud-based service providers (and their cloud-based vendor ecosystems) must achieve before engagement with Federal government agencies.
- North American Electric Reliability Corporation (NERC) Reliability Standards define the reliability requirements for planning and operating the North American bulk power system and are developed using a results-based approach that focuses on performance, risk management, and entity capabilities.
2023 Standardized Control Assessment (SCA) Procedure Products
The Standardized Control Assessment (SCA) Procedure Products are used to verify a vendor’s risk controls and document artifacts using a consistent, objective methodology. Domains and procedures in the 2023 SCA are updated and aligned to match controls in the 2023 SIG.
Simplifying virtual assessments is a key area of focus in the 2023 SCA. Improved recordkeeping and audit templates, plus streamlined methods for collecting business information, deliver efficient and accurate virtual assessments.
2023 Vendor Risk Management Maturity Model (VRMMM)
The Vendor Risk Management Maturity Model (VRMMM) benchmarks TPRM programs against a comprehensive set of best practices. Benchmark surveys are conducted by Shared Assessments across all major industry verticals.
The 2023 VRMMM makes evaluation more efficient: enhanced visualizations quickly identify the gaps between a TPRM program’s current state and the next maturity milestone. The VRMMM supports both assessment of a vendor’s TPRM program and self-assessment of a company’s own TPRM program, which is particularly helpful for practitioners new to risk management teams and for organizations building a TPRM program.
2023 Data Governance Products
The 2023 Data Governance products include a Target Data Tracker (TDT), which helps entities assess the scope of Personally Identifiable Information (PII) handled by outsourced services, including the jurisdictions in which that data resides. New 2023 TDT updates cover the GLBA Safeguards Rule and the UK Standard Contractual Clauses (SCCs) for international data transfer requirements, plus additional scoping questions in response to emerging technology such as Artificial Intelligence (AI), Machine Learning (ML), and digital marketing. The TDT also includes revised definitions of personal data to better align with the “sensitive” data classifications introduced by the new privacy laws.