Shared Assessments Community For All – First Member Forum Call

In our first Member Forum Call of 2021, our Senior Advisors and Subject Matter Experts offered predictions for the months ahead along with compelling reasons to join the Shared Assessments community. (Member Forum Calls offer the opportunity to earn CPE credits while hearing from industry thought leaders and subject matter experts on the latest developments in vendor risk management practices, emerging technologies, privacy and regulatory compliance.  Contact Laura Waller with questions or to join.)

Charlie Miller addressed the continuation of change we are likely to see in the year ahead. Adaptation and acceleration in safety, privacy, and resilience is sure to roll forward. As Security Centers transform into Risk Operation Centers, the TPRM Process will become more efficient with more attention devoted to understanding Nth Party risk. Miller predicts innovation will further develop the use of technologies such as IoT, Artificial Intelligence and Machine Learning in risk management. While virtual assessments may revert back to onsite assessments, financial viability, ESG (Environmental, Social, and Corporate Governance) and climate change should remain on our risk radars.

Here is Miller’s recommendation for leveraging committee participation:


Gary Roboff discussed the Regulatory Horizon for TPRM in 2021. Roboff touched on ESG – Environmental, Social, and Corporate Governance – and the metrics identified by World Economic Forum in their ESG paper. The four pillars organizing these metrics are Principles of Governance, Planet, People and Prosperity. In the long term, Roboff expects ESG compliance metrics to be divided into two levels: a common set, international in scope, and then, a sector specific set. (Roboff noted that European Banking is also focusing on ESG Risks with a paper that begins to delve into set of detailed metrics that fit the financial services industry.)

Meanwhile, the FSBFinancial Stability Boardasks questions to gather an international perspective on regulatory practices across the world for a high-level overview. (For example, the FSB wrote about outsourcing recommendations for cloud.)

Roboff offers these compelling reasons to join the Regulatory Compliance and Audit Awareness Committee:


Bob Jones who leads the Best Practices Awareness Group spoke about the group’s work on the Complex Supply Chain Paper. (This paper outlines how to approach a more robust practice of risk management, offering a practitioner checklist.) Jones described how small groups of Shared Assessments members mobilize to make materials – checklists, blogs, papers – to help the community.  The Best Practices Awareness Group tries to respond to the changing risk landscape with beneficial and feasible approaches.

Jones welcomes all members to the Best Practices Awareness Group – “our merry little band” and “a permanent ad hoc committee for third party risk.”

Tom Garrubba gave an overview of the Cyber Threat Horizon: 2020 was an ugly year….and 2021 will continue what we experienced before. Recent attacks have been sieges to integrity as they are well-laid plans to take down significant vendors. Beware: mobile apps are one of the hottest vectors for deploying malicious code. Garrubba emphasized the CIA triad (confidentiality, integrity and availability) as the best model for developing security policies and reminded members of the need to examine cyber insurance policies. (You need to understand the details of your coverage!)

Finally, Brad Keller illuminated the importance of contracting in third party relationships. Developments in the past year point to the need for robust termination clauses in the coming year. Well considered termination strategies should find their way into your contracts, answering questions such as “What happens to our data in a transition to a new vendor?”

Contracting with vendors in 2021 will require you to sharpen your negotiation skills as you integrate Force Majeure clauses – the terms that get you out of contract or help you renegotiate the contract when unforeseeable circumstances prevent a vendor from fulfilling a contract.

In his blogpost on community, Brad identifies committee participation as one of the primary ways you can stay connected – “to find that essential trust, connection and mutual purpose in our work.”