The world of third-party risk (TPR) is a big place. It encompasses numerous industries, is governed by a variety of laws and regulations, and reaches around the globe. Given this substantial diversity in the TPR ecosystem, establishing standards that appeal to the many needs and interests may be a daunting task.
Nevertheless, the Shared Assessments Program was designed to do just that: bring together a wide range of TPR viewpoints to collaborate on common standards in the industry.
Shared Assessments employs multiple vehicles to reach this destination, with “mapping” being among them. For those unfamiliar with the term, mapping is the process of charting one law, regulation, rule, or standard against another to illustrate how closely the two align.
Shared Assessments devotes considerable resources to mapping many important third-party risk standards to its Standardized Information Gathering (SIG) Questionnaire and Standardized Control Assessment (SCA).
Why? Shared Assessments has labored for years to ensure that the SIG and SCA can be standards in the TPR industry, and mapping has played a vital role not only in helping the SIG and SCA reach the level of “industry standard,” but also in maintaining that title into the future.
The benefits of mapping are diverse. The process provides valuable information about the similarities and differences between two authorities. Thus, through mapping, Shared Assessments can identify common requirements and themes that are present throughout a variety of authority documents, and craft appropriate content for the SIG and SCA that may be used by as many of the diverse interests in the TPR world as possible.
Through identifying and analyzing gaps between a standard and the SIG or SCA, mapping may help detect potential shortcomings in the SIG and SCA that may lead to the creation of additional content in future tool releases.
Finally, due to the enormous diversity in the TPR industry, and because the SIG and SCA are meant to be used by as many interests in that industry as possible, the tools may not get as detailed on certain requirements or issues as other TPR authority documents.
Mapping artifacts address this concern by specifically identifying the level of alignment between each requirement within a law, regulation, or standard and each SIG question or SCA control. These mapping artifacts allow users of the tools to distinguish those areas that may require greater scrutiny to remain compliant with applicable laws and regulations.
In other words, mapping illustrates those regions of the TPR landscape for which the tools lack the intensive detail sometimes required by legal mandates. Indeed, mapping itself offers a greater insight into how the tools fit into the world of third-party risk, and how they can evolve with and adapt to future shifts in the geography.