Risk Management Practitioners Can Demonstrate Third Party Risk Management Program ROI with New Simplicity
Shared Assessments Best Practices Guide and New Visual Tools Help to Codify Program ROI with Unprecedented Clarity and Impact
The Shared Assessments Program, the member-driven leader in third party risk assurance, today issued a new best practices guide for risk professionals, “Meeting Increasing Regulatory Expectations Amid a More Challenging Risk Environment.” The Tools and Guidelines in this paper provide a clear picture of the emerging challenges and actionable tools to document the business case for optimizing TPRM resource allocation.
The guide addresses the relationship between expanding regulatory mandates, the changing risk landscape and program needs that help make executive-level support of comprehensive TPRM a clear priority. Until now, conveying these challenges to senior executives has often been a hit-or-miss and time-consuming process, one that has left too many organizations with underfunded programs and C-Suite executives underinformed of their organizations’ risk exposure.
Once narrowly focused in the financial services sector, regulatory change is now far more widespread as firms grapple with enhanced privacy legislation (GDPR, CCPA, etc.) and new requirements in other areas. The escalating regulatory expectations challenge TPRM functions in a number of ways:
- Regulators are demanding higher levels of compliance specificity.
- Regulators are aggressively enhancing existing rules and developing new regulations, not just in the United States, but internationally.
- More regulations apply across multiple industries.
- Emerging factors such as cloud computing are only just beginning to be addressed in regulation.
Third party risk managers often struggle to convey the need for the additional resources required to develop and sustain a robust TPRM program. The Guide and visual Tools enable practitioners to quickly create a coherent picture of the risk management challenges their organization faces and provide a means to document their business case for optimizing TPRM resource allocation within the organization.
An effective business case must be well aligned to organizational priorities and tailored to specific stakeholders. A robust case statement requires:
- understanding the changes in the regulatory landscape and the risk environment;
- doing the work of benchmarking the organization’s TPRM programs; and then
- applying that knowledge to show that a positive impact can be achieved by improved risk management with the highest risk vendors.
The Guideline Tools provide practitioners with a practical means of gauging the effectiveness of risk oversight around critical vendors. Understanding TPRM program effectiveness, especially in the case of critical services, is essential to continuing operations and achieving the organization’s most important goals. One of the Guideline Tools is designed to examine TPRM program effectiveness in 11 focus areas that have grown increasingly pivotal to assuring good vendor security hygiene in most industries.
- Guideline Tool # 1: VRMMM-based tools for assessing program maturity
- Guideline Tool # 2: TPRM Effectiveness Factors and Heat Maps for scoring assessments and vendors
Over the past several years, overall vendor risk management maturity levels have demonstrated only modest improvement, according to ongoing benchmarking research (The Santa Fe Group, Shared Assessments Program and Protiviti, Inc., 2016-2018).
“It’s clear that even major organizations are having difficulty keeping pace with escalating regulatory expectations and with rapidly intensifying cybersecurity threats,” said Catherine A. Allen, Chairman and CEO of Shared Assessments. “Even in industries where there has historically been less regulation, organizations need to take into account those regulations that may touch their operations, such as cyber controls in manufacturing and for the broad category of government contractors. The tools and best practices introduced today provide practitioners with a lifeline to successfully overcome these challenges and drive the executive-level buy-in and resource allocation essential for compliance.”
The Guideline Tools in the paper’s Appendix answer the important need for a practical means of gauging the effectiveness of risk oversight around critical vendors, and include templates that have proven useful for communicating those findings to executive management.