The Shared Assessments program never stops putting the Standard Information Gathering (SIG) tools through their paces. This intense, ongoing scrutiny is part of an effort to continually refine the tools to meet the changing needs of Shared Assessments members. While this approach equips third-party risk management (TPRM) teams with their choice of tools to use, including the SIG Core and the SIG Lite, that’s only part of the story.
Shared Assessments members actually have three choices when it comes to the SIG, along with a frequently underutilized resource that can help TPRM practitioners optimize the value of their entire SIG toolkit.
What are the two preconfigured versions of the SIG available for use?
The SIG Lite provides up to 150 questions and is best used as the program-level assessment for lower-risk third parties. It also provides greater assurance in Requests for Offer (RFO) and Requests for Information (RFI) in mergers and acquisitions, pre-assessments and similar situations. The SIG Lite is often used as a preliminary assessment before a more detailed assessment, and it can also be used as an interim assessment tool in mid-year or mid-assessment time periods.
The SIG Core provides up to 825 questions. This version of the SIG allows for a deeper scope and a more personalized assessment, containing additional questions at the control definition level. The SIG Core is typically used to assess organizations that store or manage highly sensitive or regulated information or services that are critical to the company’s business function. Because it is derived from a best-practices perspective, using the SIG Core as an internal self-assessment tool is an excellent way to bring maturity to your program.
What is the third SIG option?
The Scoped SIG is used when the SIG Lite or SIG Core is not specific enough to the services provided. In these instances, a custom SIG may be created that scopes by Risk Domain, Mapping Reference (Industry Standard or Regulation), or Control Category. Questions that do not pertain to the scope of service can be hidden, and additional questions may be added to create a fully customized version of the SIG that suits an organization’s risk profile, industry vertical and program needs. The SIG Lite and SIG Core may both be used as a starting point for scoping as well.
The SIG option a TPRM team uses “should align to your organization’s inherent risk calculation,” notes Shared Assessments’ Sales Manager Christopher Campbell, who emphasizes the value of a crucial component of each SIG version: the User’s Guide. The 30-plus-page SIG User’s Guide receives a level and frequency of scrutiny similar to that applied to each version of the tool. “The User’s Guide is a highly practical resource,” Campbell notes, “given that it addresses the vast majority of questions that arise when a risk manager uses any of the SIG functions.”
The User’s Guide is updated annually based on three different sources of scrutiny:
- Member Input: Each incoming call, email and question the Shared Assessments customer team receives from members about the SIG tool is logged and evaluated.
- Tool Specialists: A dedicated group of tool specialists manages the updates to the various SIG versions each year and helps ensure that those changes are reflected in related updates to the User’s Guides.
- Beta Testers: Each year, a small, hand-picked group of licensed tool users puts the near-final draft of the User’s Guide through its paces, probing the content for any errors, omissions or ambiguities that need to be addressed.
Those three levels of scrutiny help ensure that the User’s Guides contain answers to virtually any question that arises about the SIG tool set. And the best way to make full use of those tools is to read through the User’s Guide, Campbell stresses.
“I always read through the table of contents,” he adds. “It sounds basic, but it’s actually foundational. Think of it the way a golfer thinks about putting or a basketball player approaches dribbling the ball, basic foundational actions.”