
In 2015, Don’t Just Make New Year Resolutions Regarding Third Party Risk, Keep Them!

Start 2015 on the right foot, and make sure your third party risk management program does too. Here are some suggested “New Year’s Resolutions” to incorporate into your strategic and tactical plans for the coming year:

Resolution #1: I will incorporate the new SIG 2015 into my third party program.

The new Standardized Information Gathering (SIG) questionnaire has been further aligned with current industry standards, frameworks, and regulations: the Program Tool has been updated to map to ISO 27001/2:2013, PCI DSS v3.0, OCC-2013-29, and the NIST Cybersecurity Framework, and a new software application security tab has been added. As regulatory and internal compliance scrutiny continues to increase, adopting a methodology such as the SIG, which is continuously updated to address new standards, guidance, and risk areas, can be an important component of your assessment program.

Resolution #2: I will perform at least one onsite assessment of a third party service provider.
It’s interesting to note that I still receive questions as to when an organization should execute the Shared Assessments Agreed Upon Procedures (AUP), the standardized testing procedures of the Shared Assessments Program. An onsite assessment should be performed when a third party service provider (TPSP) is deemed critical or valuable to an organization’s key processes and strategy. Further conversations with Shared Assessments Program members, Program Tool purchasers, and those simply inquiring revealed that many companies still do not perform such an analysis, or even prioritize the vendors in their portfolio to identify those that truly should be assessed onsite. This is troublesome, as those organizations may be relying on less reliable measures, such as published SOC 3 reports (which are general-use summaries that omit the detailed description of the controls tested), or assuming controls exist based on industry stature (“they are well respected in the industry”). Regardless, you need the full picture of how the TPSP is performing, which means an assessor really should appear onsite to see these operations in action. Although some steps in the AUP can certainly be performed remotely by web conferencing, the human interaction that comes from an onsite inspection makes it the best way to go.

Resolution #3: I will have my staff certified as Certified Third Party Risk Professionals (CTPRP).
This newly launched certification from the Shared Assessments Program is designed to ensure that third party assessors truly have the skills and knowledge to assess third party risk effectively. Why? Because our CTPRP workshops cover the entire third party lifecycle, from the RFP and contract phase through reassessment and termination. The regulations that affect third party risk are also discussed in depth. The CTPRP workshops also present actual third party scenarios, so attendees gain a real-life understanding of what can happen (and what has happened) during the vendor risk management lifecycle.

Resolution #4: I will make myself more aware of what’s going on with respect to third party risk.
Being a part of the Shared Assessments community is the best place to start! Shared Assessments members can participate in our monthly Member Forum call, hear presentations from industry experts on key trends and issues, and participate in our committees and awareness groups to help shape and refine the Shared Assessments Program Tools (and earn CPEs while doing so). Members can also post timely blogs on Authorities on Risk Assurance and contribute to newsletters, white papers, project documents, and case studies. We understand the potential value of these deliverables and their direct impact on you, your organization, and your third party service providers.

Resolution #5: I will develop/improve my relationship with our business management and procurement folks.
If you don’t do this on a regular basis, make this the year you reach out and partner with your business management and procurement groups. The landscape is ever-changing: new regulations, changes to industry standards, and data breaches can all affect your TPSPs and may even require you to consider changing providers. Be sure to share risks openly with these groups so they aren’t blindsided if and when something does not go according to plan.

By keeping these resolutions, you can be assured that your 2015 will start on the right foot and lead to something to celebrate at the end of the year.

Shared Assessments Senior Director Tom Garrubba is an experienced professional in IT risk and information controls, most recently developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk. Connect with Tom on LinkedIn