When it comes to behind-the-scenes work that requires a rare combination of hard-earned experience, deep expertise, and a killer toolset, Santa has his elves. For its part, Shared Assessments has a workshop full of seasoned third-party risk management (TPRM) experts who continually track and respond to global regulatory changes, updates from standards-setters, and new needs and priorities (e.g., ESG) among TPRM practitioners around the world.
As all of these developments are scrutinized, relevant changes drive additions, subtractions, clarifications, and other recalibrations to Shared Assessments tools, which include the Vendor Risk Management Maturity Model (VRMMM), Standardized Information Gathering (SIG) Questionnaire, Standardized Control Assessment (SCA) Procedure Tools, and Data Governance Tools.
For example, when the European Commission adopted new contractual clauses back in June – one for use between outsourcers and third parties, and one concerning the transfer of personal data to third countries – for its General Data Protection Regulation (GDPR), those changes were mapped to, and reflected throughout, Shared Assessments’ tools.
The TPRM workshop was bustling with tool updates and refinements this year, reports Shared Assessments’ Senior Vice President, TPR Software Products Colleen Milazzo. More than 1,600 control points were updated; dozens of legacy questions were retired; new “Control Category” and “Control Attribute” content was added to all questions; visibility into content was improved across all domains; content was expanded based on Mapping Reference Documents; and questions were reorganized in each domain by topic and sequence for easier evaluation.
All of the updates to the tools were designed to generate “smarter and more focused questions and stronger controls,” notes Milazzo, who reports that two of the tools also became significantly more streamlined: the SIG Core was reduced by 25% and the SIG Lite was reduced by 50%.
Despite all of these changes and updates, next year – when Milazzo and her colleagues will be working on changes for the 2023 tools – promises more of the same.
“For 2023, we’re going to continue to improve all of our content, particularly in the areas of ESG, threat vulnerability, and the FFIEC guidance on ‘Architecture, Infrastructure, and Operations,’” Milazzo adds. “We’re also committed to making the SIG the global standard.”