Introduction: “What if today, we were just grateful for everything?”
Happy week of Thanksgiving! Charlie Brown, beloved comic strip poet and philosopher, probably said it best: “What if today, we were just grateful for everything?” With a theme of gratitude, we are very pleased to announce the release of our 2024 Products for the Vendor Risk Management Lifecycle. Cue the Peanuts jazz music and read on for details around this release.
This 2024 Third Party Risk Management Product Family release makes us grateful for new risk domains, regulatory mappings, features and functionalities. But, most of all, Product Release makes us appreciate our community’s ability to rise and meet change through collaboration. Our community…is everything! By harnessing insight, innovation, and input from our diverse community of practitioners, consultants, and licensees, we have developed a strong set of solutions.
If you cannot wait to see the 2024 Product Family, we invite you to book a personalized demo. If you are in our international community, please join us for our Virtual Launch on December 5th @ 11:00am GMT. After the holiday rush, we will also host a Product Release 2024 Webinar on January 24, 2024 @ 11:00am ET.
2024 Products for the Vendor Risk Management Lifecycle include:
- VRMMM – Vendor Risk Management Maturity Model – Now includes 2024 Risk Management Benchmark Study
- TPSIRR – Third-Party Service Inherent Risk Rating – New solution for planning Due Diligence
- SIG – Standardized Information Gathering Questionnaire – Updated and Enhanced
- SCA – Standardized Control Assessment Procedure Products – Aligned with the 2024 SIG
- Data Governance Products
- ESG SIG – Environmental, Social, and Governance SIG
These products fit together and address each step of the Vendor Risk Management Lifecycle as shown below:
Emerging Risks and Regulations: “If there’s one person you want by your side at a moment like this, it’s your loyal dog.”
Risk Management (and the people and processes in it) are some of the world’s best stewards of change. While Charlie Brown is right in suggesting you keep a loyal dog by your side through all moments of change (Snoopy!), Shared Assessments suggests keeping your loyal risk managers, their risk programs, and at the very least, the 2024 Standardized Information Gathering Questionnaire (SIG) by your other side in the year ahead.
As we move from 2023 into 2024, we see an enduring hybrid workforce, a rapidly shifting geopolitical landscape, and evolving regulatory environments worldwide. AI looms large – both its possibilities and its perils. Climate change risk and supply chain issues are reflected in regulatory guidance. Our TPRM Product Family – and the Standardized Information Gathering Questionnaire (SIG) particularly – like loyal Snoopy, is ready for and responsive to these changes.
New Regulatory Mappings in the 2024 SIG include:
- New York DFS’s Climate Guidance is a risk management framework to account for climate-related financial risks.
- German Supply Chain Act addresses companies’ obligations to make sure their suppliers have high standards regarding health and environmental safety.
- Interagency Guidance on Third-Party Relationships provides principles that support a risk-based approach to third-party risk management that banking organizations should consider.
New Risk Domains in the 2024 SIG include:
- Supply Chain Risk Management (SCRM): SCRM involves managing risks in the supply chain through continuous risk assessment. Organizations should establish Cybersecurity Supply Chain Risk Management (C-SCRM) program standards that encompass the entire life cycle, from development to maintenance.
- AI Risk: The practice of understanding AI’s impacts, limitations, and enhancements to its performance, reliability, trustworthiness, and effectiveness. The organization should set goals and implement standards to assist AI developers, users, and evaluator systems in reducing AI-related risks to individuals, organizations, society, and the environment.
Significant Updates to the 2024 SIG include:
- Closer Alignment With Industry Terminology (ISO, NIST, and COBIT 5)
- User Interface & Navigation: Action-based buttons, consolidated worksheets, simplified steps
- Content Organization, Question Tiering & Control Categories: Controls, program-level questions, enhanced content visibility
- Integration of SIG Manager: Domains, categories, and attributes
Related Updates to the 2024 SCA include:
- Risk Statements, Control Objectives & Control Statements: Step-by-step process for assessment consistency
- Greater Alignment to SIG for Domain and Procedure Names: New content, updated procedures, and attributes
- Updated Business Information, Documentation & Artifacts Lists: Enable virtual assessments
- Enhanced Templates for Recordkeeping and Audit Evidence assessment results
Brand New Inherent Risk Solution: “Keep looking up…that’s the secret of life.”
Snoopy said this perched on the roof of his dog house with Woodstock as he gazed into the sky. We suggest you keep looking up, but focus your gaze – look up and ahead with the Third-Party Service Inherent Risk Rating (TPSIRR) product. The TPSIRR helps organizations determine their vendors’ levels of inherent risk with a consistent and documented approach. You can read more about our inherent risk solution here and find all the facts on the TPSIRR webpage.
The TPSIRR solution gives organizations an understanding of the inherent amount and types of risk posed by prospective third-party engagements. Additionally, the TPSIRR defines the scope and depth of Due Diligence that should be undertaken for a given vendor based on the vendor’s inherent risk.
Our TPSIRR solution allows practitioners to:
- Determine third-party Inherent Risk Ratings (IRR) across vendor portfolios
- Discern areas of focus (including controls) for Risk-Based Due Diligence
- Report on the types of third-party risks introduced to an organization by third-party vendors
Key Functionalities of the TPSIRR include:
- Vendor Risk Scoring in accordance with an organization’s customizable risk classifications
- Quick-Glance Assessments using RAG reporting for levels of risk (Red=High, Amber=Moderate, Green=Low)
- Due-diligence scoping and frequency planning including identification of SIG Questionnaire for diligence (Lite, Core, Full)
- Risk Tiering derived from inherent risk ratings
- Dashboard tracking on Inherent Risk Ratings (IRR) completed across vendor portfolios
“Learn from yesterday, live for today, look to tomorrow, rest this afternoon”….and please, please use the VRMMM
Hopefully the peace of mind offered by our product updates and positive Peanuts quotes will give you a moment to assess your own program and practices using the Vendor Risk Management Maturity Model (VRMMM), which provides objective measurements (AKA benchmarking) of TPRM program practice maturity.
With this product release, the VRMMM includes the latest Benchmark Survey Report: A New Baseline. The purpose of this study is to improve understanding of relative maturity levels of Third-Party Risk Management (TPRM) practices across a range of industries and to document steps organizations are taking to improve their TPRM processes.
The Benchmark Survey applies the VRMMM, from which metrics can be used for internal planning, budget prioritization, and identifying ways to provide meaningful executive management reporting. The VRMMM provides a time-tested methodology for creating quantifiable risk metrics that can be integrated with risk ratings across an organization’s overall enterprise risk management program.
Conclusion: “Don’t worry about the world coming to an end today. It’s already tomorrow in Australia.”
As you navigate the 2024 risk environment, just remember to never, ever kick Lucy’s football. She always wins. Do not let Lucy or risk win – consider using the 2024 Shared Assessments Product Family. We are here and prepared to deliver a personalized demo of any solution that seems a good fit for your risk management program. No question is too small – we look forward to hearing from you. Contact us via firstname.lastname@example.org.
Finally – before we part for our own Charlie Brown Thanksgivings – a resounding “cheers” is due to our Product Committee participants and our bright Product Team who worked diligently and tirelessly to produce this release: Ron Parham, Michael Walton, Mike Baker, Lea Brymer, Shawn Davis, and Colleen Milazzo.