
Right-Sizing the SIG: A Q&A with Shared Assessments CEO Andrew Moyad

Shared Assessments CEO Andrew Moyad had quite a head start getting up to speed after stepping into his current role in February. Moyad’s 25-plus years in risk management and information security include leadership roles in vendor risk management at Blackstone, one of the world’s top global asset management firms, and BlackRock, the world’s largest asset manager. “As a longtime practitioner,” he emphasizes, “I am keenly aware of just how crucially Shared Assessments’ resources support so many organizations’ strategic business outcomes.” While leading global risk programs, Moyad learned how to optimize Shared Assessments’ resources and understands the importance of right-sizing the SIG. As such, he’s eager to discuss how to configure and deploy the Standardized Information Gathering (SIG) Questionnaire Tools.

Why do some third-party risk management professionals ask “Is the SIG too big?”

Andrew Moyad: The question is fair but reflects a simple misunderstanding. Some practitioners react as if we’ve handed them the equivalent of a restaurant menu and they need to order every item in one sitting. In fact, that’s not how the SIG is designed. Instead, just as diners order food based on their individual tastes, appetites, and dietary needs, each organization’s unique risk appetites and control standards should determine which portions of the SIG they use. Individual or service-specific vendor risk profiles can help drive the selection of SIG questions. Shared Assessments has made it easier for members to configure the SIG to address their unique third-party risks, and we’re always working on new ways to improve the user experience.

Before we get to those improvements, help me understand why the SIG content library is so broad.

Andrew Moyad: Throughout our existence, Shared Assessments has focused on operating as the authoritative source for third-party risk assessments. That explains why the SIG maps to more than 50 regulatory and industry frameworks. We manage the authoritative library of third-party risks. But keep in mind: the Library of Congress wasn’t created so that everyone would read every book in the collection. Similarly, the SIG’s components and questions should be used selectively given the type of service a vendor provides and the magnitude of risk that a service poses to a member or client organization. We want risk managers to read and use our library in a discerning manner by asking first, “What do I actually need to learn about my third party and their controls?”

As a longtime practitioner and senior risk management leader, you leveraged Shared Assessments resources for years before stepping into your current role. How did you tailor the SIG to address third-party risks in an effective, efficient manner?

Andrew Moyad: I started with the SIG Lite as a default. Based on the details of each vendor’s risk profile, I would then add other risk domains and/or additional questions from the SIG Core. That approach enabled us to operate an incredibly efficient process. We routinely completed vendor assessments before the contracts were finalized, which was our goal. That’s the gold standard: completing third-party risk assessments before the contract is executed. In most organizations, that still occurs too rarely.

What are the implications of assessment delays?

Andrew Moyad: Delays can fuel a perception that the SIG is too big, or that there’s too little time to configure the tool to align with a vendor’s risk profile. As a result, some risk managers throw the whole library at a vendor by default. Even the SIG Lite can put too many questions to vendors whose risk profiles do not warrant that level of scrutiny. This misalignment can reduce the credibility of the third-party risk management program. When the program is not viewed as business-friendly, risk managers may be prevented from performing their assessments until after a contract is signed. Worse, many business teams may stop disclosing new vendor engagements until after a contract is signed. Without sufficient confidence that a risk program is limiting their checks to necessary controls and working efficiently, business teams lose their incentive to collaborate with risk professionals, which then harms an organization’s ability to protect its assets and its clients.

How is Shared Assessments making it easier to configure the SIG?

Andrew Moyad: As part of an ongoing process managed each year, our team continually refines all of our tools and resources. Three SIG improvement efforts are underway right now. First, our product team is developing an inherent risk calculator in the SIG Manager that will help members quickly customize the SIG to align with each vendor’s risk profile. Second, we’re also working with our product team to produce a form of the SIG that is even more streamlined than the SIG Lite. The purpose of this new limited-scope SIG is to help risk managers zero in on the key controls that equip them with the greatest indication their vendors will experience a breach. Third, we’re developing an online version of the SIG that members can use to generate different versions of vendor assessments quickly. This online option is currently being iterated and improved based on user feedback.

Andrew, thanks for sharing your time and insights on the SIG. In parting, do you have any other lessons as a practitioner that might help members strengthen their assessment processes?

Andrew Moyad: Thanks, Eric. Our perspectives as risk managers matter more than we realize. It’s important to recognize there are many different risk management frameworks in the marketplace and that different organizational teams lead third-party diligence reviews. In my view, a disproportionate number of diligence reviews today are conducted solely or predominantly by cybersecurity teams. There’s nothing inherently wrong with that; after all, cybersecurity is a major component of third-party risk. However, organizations can miss other essential enterprise-level risks when cybersecurity-led assessments focus too much on security risks without addressing regulatory compliance, business continuity, operational, and privacy risks, where applicable. A well-rounded approach is crucial to effective third-party risk management, and this requires active participation from multiple teams and is made easier by right-sizing the SIG.