It has been an exciting time to participate in the Shared Assessments Program. Looking back at 2014, it has been a good, active year, with the rollout of our Certified Third Party Risk Professional (CTPRP) certification, our kick-off of the annual Vendor Risk Management Benchmark Study, the successful facilitation of financial services collaborative onsite assessments, and improvements to the Shared Assessments Program Tools. Let’s take a more detailed look at some of the highlights from 2014.
The results of the first annual Shared Assessments 2014 Vendor Risk Management Benchmark Study, sponsored by Protiviti, showed that outsourcers are still struggling with third (and fourth) party oversight. Program governance, along with policies, standards, and procedures, were notable areas in need of improvement. This, coupled with an avalanche of new regulations and standards, proved the need for more education and training. In response, Shared Assessments has launched the Certified Third Party Risk Professional (CTPRP) designation, a new certification program that validates proficiencies in third party risk management concepts and principles, including managing the vendor lifecycle, vendor risk identification and rating, and the fundamentals of third party risk assessment, monitoring and management.
On the regulatory and standards front, Shared Assessments quickly and thoroughly responded to the unprecedented list of regulators and standards bodies that expanded the third party risk footprint for our members:
- ISO-27001/2: 2013 (released in September 2013)
- OCC 2013-29 (released in October 2013)
- PCI DSS version 3.0 (released in November 2013)
- Federal Reserve Guidance (released in December 2013)
- NIST Cybersecurity Framework (released in February 2014)
Updated Tools to Meet the Needs of Our Members
While we were confident that the issues outlined in the regulatory guidance and industry standards were already addressed by the Shared Assessments Program Tools, the Shared Assessments Development Committees performed specific mapping and gap analysis exercises to ensure that no holes existed in the risk controls covered by our Program Tools, which were all updated in 2014. Our next release of the Tools will be in January 2015. Until then, here’s a rundown of some of the key features:
- In the Standardized Information Gathering (SIG) questionnaire, changes were made to ensure it’s relevant and consistent with the new ISO-27001/2 and PCI DSS v.3.0. For organizations looking to become PCI or ISO compliant, the 2015 SIG will have updated the ISO reference text column, providing members with the capability to perform a self-assessment to be sure the necessary requirements to become certified are met.
- The Agreed Upon Procedures (AUP), the Standardized Testing Procedures of the Shared Assessments Program, now includes modifications to further align it with the SIG. Together, these Tools form a robust and rigorous standard for third party risk management. New sections including Software Application Security (including the type of software found on POS devices) and Cloud Security were added.
- The Vendor Risk Management Maturity Model (VRMMM), which incorporates vendor risk management best practices into a usable model to assess the current and future state of a vendor risk management program, underwent modifications to address gaps identified between OCC guidance and the VRMMM.
Perhaps the most exciting advancement for Shared Assessments this year was our effort to perform Collaborative Onsite Assessments for the financial services industry. We identified and piloted a process that allows multiple financial institutions to work together and collaboratively assess one of their third party vendors that provides the same services to all of the participating financial services firms. Two successful collaborative assessments were performed, leveraging the Shared Assessments AUP as the common risk assessment vehicle. In 2015, we will refine the process and work to broaden the adoption of this model, which is designed to create further efficiencies and cost savings for all parties involved in the risk assessment process. Stay tuned!
What’s on the Horizon for 2015
2014 also brought some lowlights—several high-profile data breaches—which further spotlighted third party risk. We anticipate more of the same in 2015. In addition, the 2015 landscape is predicted to include organizations continuing to evolve to meet the existing, and likely, new regulations. To address this ever-changing landscape, the Shared Assessments Program 2015 agenda will include important topics such as:
- The Board’s role in third party risk oversight: fostering board level conversation and education;
- Best practices for third party risk management and assurance;
- Regulatory compliance awareness, including due diligence and procurement related issues;
- Continued refinement of the CTPRP certification to differentiate skills in the marketplace;
- The second annual Vendor Risk Management Benchmarking Study conducted with Shared Assessments Program member, Protiviti.
Our eighth annual Shared Assessments Summit 2015 will be held April 29-30, 2015 in Baltimore, MD. The theme is: Third Party Risk Assurance: Everything Old is New Again. We will focus on the need for organizations to evolve to meet new risk challenges, while still maintaining a holistic, risk-based approach to managing risk.
Members can sign up for all of these important initiatives by completing our “request to participate.” More information about each activity, and the sign-up form, can be found here.
We are also very excited about increasing our international focus as we further grow our Shared Assessments membership with organizations that have an international presence or are headquartered overseas. Our initiatives in this area include:
- Continued focus on ISO mapping
- International regulatory and privacy updates to the Program Tools
- Exploring international opportunities to further showcase the organization as a leader in third party risk management
- Expansion of the CTPRP program for educating third parties overseas
- Increased international member participation in Shared Assessments activities and leadership
We will keep a watchful eye on risks associated with new technologies, new or updated standards, and regulations, in order to ensure our Program Tools are updated accordingly. As this review shows, we are excited to welcome 2015 on such solid footing and are prepared to meet the challenges presented to us by our members and by those seeking guidance in third party risk. It’s what our members expect from us as we continue to be the trusted source for third party risk management.
Robin Slade is Executive Vice President and Chief Operating Officer with The Santa Fe Group. Robin leads all activities of the Shared Assessments Program, including managing its Member Forum, working groups and the Certified Third Party Risk Professional program. Connect with Robin on LinkedIn.