
Governance Best Practices for TPRM-Supply Chain Risk Management

Shared Assessments’ new resource presents Governance Best Practices for TPRM Programs: Strategy, Structure & Program Evaluation. This handy guide is designed for both new and seasoned security and TPRM professionals, with a short introductory Overview to help inform C-Suite and Board discussions around establishing and maturing a formalized program framework that supports an organization’s strategic business objectives. The paper offers guidance appropriate to the organization’s size, complexity, industry, jurisdictional and regulatory requirements, and corporate culture. This resource includes sample metrics that assist professionals in creating suitable program evaluation indicators for their own context.

Program metrics have to be tied to management objectives. In summary, Key Program Indicators (KPIs) convey the efficiency, effectiveness, and workload constraints of the program; Key Risk Indicators (KRIs) convey both known and emerging risks; and Key Control Indicators (KCIs) show whether controls are operating as intended, so a deteriorating KCI is an early signal of increasing risk exposure. The Shared Assessments Vendor Risk Management Maturity Model (VRMMM) lets an organization benchmark its program against a comprehensive set of industry best practices and gauge its own maturity level. Examples of other Risk Maturity Self-Assessment tools are noted in the paper’s Relevant Resources section.

Organizations that build strong governance structures establish clear accountability, which fosters efficient use of resources, greater transparency, and an environment of trust. The scope of assurance for program evaluations should be set by:

  • Meeting a broad range of objectives for efficiency and effectiveness supporting organizational reliability, compliance, and safeguarding of assets.
  • Examining all components of the risk management and control framework across risk areas, training, communications, and monitoring.
  • Covering third-party risk management across the entire enterprise, including business processes and supporting functions.

This paper represents the work of the Shared Assessments Global TPRM Best Practices Committee and project team of SMEs who stepped forward to update this guide. The best practice solutions that have evolved over the past two decades are brought together and refined by this group, which last year focused on ransomware preparedness, reputational risk, and onsite assessment best practices. The Global TPRM Best Practices Committee, open to members and non-members, currently has more than 260 registered individuals from 185 organizations spanning 15 time zones. If you would like to join, we’d love to have you. You can learn about our other committees at https://sharedassessments.org/committees/.

The full paper and Practitioner Guide are available for download here.