2015 at Shared Assessments was a year for building best practices and compliance awareness, continuing longitudinal third party risk management and assurance research and reporting, and providing risk professionals with development opportunities unique in the marketplace. Program efforts this year also reflect an increased international focus, working with organizations with a global presence as well as those headquartered overseas.
In addition to increasing Shared Assessments membership from 121 in 2014 to 180 in 2015, additional highlights for the year include:
- Providing vertical and sector specific roundtables and workshops to better understand the needs of our membership.
- The launch of the Certified Third Party Risk Professional (CTPRP) designation, and additional training and educational resources for risk professionals.
- Conducting our eighth annual Shared Assessments Summit with a record turnout of 250 attendees.
- Continued momentum on developing our Collaborative Onsite Assessments program and facilitation of additional financial services program pilots.
- International expansion for the Shared Assessments Program, focused on growth into the UK and Asia-Pacific regions.
- Shared Assessments Program Tools improvements and updates in response to changes in regulations, standards and guidelines at both the national and international level.
2015 Shared Assessments Summit
Our eighth annual Shared Assessments Summit was held April 29-30, 2015 in Baltimore, MD. A record 250 attendees participated in roundtables, discussions, workshops and presentations focused on needs in third party risk assurance. The Shared Assessments Summit has grown to be the leading third party risk assessment event for industries that include financial services, healthcare, retail, academia and energy. You can read more about the Shared Assessments Summit here.
Collaborative Onsite Assessments
The Shared Assessments Collaborative Onsite Assessment Project, which leverages the Shared Assessments Agreed Upon Procedures (AUP) as the common onsite risk assessment methodology and began in 2014, was continued with additional participants. The project has developed a standardized risk assessment tool to improve assessment-related economies and scalability for outsourcers and service providers. The study used the collective intelligence of several top-tier, leading multi-national financial services institutions to inform the Program Tools at the most robust level. The Collaborative Onsite Assessments pilots have been met with enthusiasm at the highest levels among participants. Currently eight of the top 10 financial institutions have mapped their corporate requirements to the new AUP and signed off that it fully meets their expectations.
In 2015, the Shared Assessments Program began working towards expanding its international footprint. The Program is working with leaders in some of the most heavily regulated foreign markets, including the UK and Asia-Pacific, to involve them in building best practices for third party risk in their countries.
Roundtables and Awareness Groups
This past year, Shared Assessments Program members and other thought leaders convened, providing a venue for:
- The Shared Assessments Regulatory Compliance Awareness Group that identifies emerging trends and needs for third party assessment tools for consumer protection, operational risk and regulatory compliance monitoring to identify recommendations for enhancements to program content and other needed deliverables. In 2016, this Awareness Group will seek to release a white paper titled, In-Tune Tone at the Top to Shape an Effective Risk Management Culture.
- The Best Practices for Third Party Risk Management Awareness Group that discusses the challenges organizations face in managing third party risk and identifies existing best practices in use today, or seeks to develop new best practices to address those challenges. This Awareness Group will release two white papers in 2016 titled, Evolving Procurement in Third Party Risk Management and Onsite Assessment Best Practices Guideline.
- In-person events to discuss collaboration and best practices for UK-based financial services organizations, law firms that service the financial services industry, and leading healthcare and pharmaceutical organizations.
2015 Studies and Papers
- The results of the second annual Shared Assessments 2015 Vendor Risk Management Benchmark Study, sponsored by Protiviti, included additional analyses and insight into areas where a substantial number of respondents reported they have no process in place to support significant vendor risk component activities.
- Law Firm Briefing Paper: The Significance of Information Security and Privacy Controls on Law Firms as Third Party Service Providers and Collaborative Opportunities for Resolution, with a focus on constructing a replicable process for evaluating client vendor relationships that employs governance modeling.
- Collaborative Onsite Assessments Case Study: A Collaborative Approach to Onsite Assessments Using the Shared Assessments AUP, the Standardized Testing Procedures for Onsite Assessments, reporting on the successful Collaborative Onsite Assessments performed with financial services industry participants and a key industry third party.
- Incident Response Briefing Paper: Due for release to Shared Assessments Program members on December 8 and to the public on December 9, the paper titled Building Best Practices for Effective Monitoring of a Third Party’s Incident Event Management Program examines and outlines a robust reference tool and practical third party risk assessment and monitoring recommendations for each phase of incident event management (pre, during and post incident). Members are encouraged to join a Shared Assessments webinar on December 9 to review the paper’s content with four of its creators: Jonathan Dambrot, CEO and Co-Founder, Prevalent Inc., Shared Assessments Program Chair; Brenda Ferraro, Director of Global Security, Aetna, Shared Assessments Steering Committee member; Rocco Grillo, Managing Director & Global Incident Response & Forensics Investigations, Protiviti, Inc., Shared Assessments Steering Committee member; and Ted Julian, Vice President, Product Management & Co-Founder, Resilient Systems. For more information and to register, please click here. The webinar is open to Shared Assessments members as well as the general public.
Shared Assessments Certified Third Party Risk Professional Certification
Our Certified Third Party Risk Professional (CTPRP) Program has been a terrific success. In 2015, over 250 individuals received their CTPRP certification, improving their organization’s risk awareness and management capacity and their own professional standing. Earning the CTPRP designation shows proficiency in third party risk management concepts and principles. This includes managing the vendor lifecycle, vendor risk identification and rating and the fundamentals of third party risk assessment, monitoring and management. There is planned expansion of the CTPRP program in 2016 for additional online opportunities, at national universities and for in-person workshops educating third parties overseas.
Updated 2016 Program Tools
The Shared Assessments Program Tools help organizations create sustainable, organization-wide efficiencies in today’s high risk environment. The Program Tools are: the Standardized Information Gathering (SIG) questionnaire; the Shared Assessments Agreed Upon Procedures (AUP), a tool for standardized onsite assessments; and the Vendor Risk Management Maturity Model (VRMMM). The updated Shared Assessments Program Tools will be released in early 2016. These assessment tools serve organizations as they meet the recent surge in regulatory, consumer and business scrutiny alongside rapidly increasing threats and vulnerabilities, including those posed by third party service providers.
The Program Tools have been updated with a focus on business continuity and resiliency, operational risk as it relates to information security, ensuring adequate controls to prevent Denial of Service (DoS) attacks, and the addition of maturity ranking. The industry standards, regulations and guidance the Program Tools currently align to include:
- US financial services and healthcare regulations and standards and guidance, including: FFIEC Appendix J and OCC-2013-29; Merchant Processing Handbook; Healthcare Regulatory Guidance and Standards: HIPAA Incident Response Reporting Procedures.
- Other pertinent US governmental guidance and standards in all industries for federal and/or state agencies, including: NIST Cybersecurity Framework (CSF); Computer Security Incident Handling Guide (NIST.SP.800-61r2); Title 21 of the Code of Federal Regulations (CFR) Part 11 Section 11.1 (a); DOJ Breach Procedures; US CERT – Federal Incident Notification Guidelines.
- US-based national and international standards: AICPA Incident Response Procedures; COBIT; Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM); ISO 27001, 27002; PCI-DSS.
- International standards, including UK Cyber Essentials Scheme and EU Data Protection Directive.
Mapping is underway to ensure we further align to:
- Asia-Pacific-Japan (APJ): Asia-Pacific Economic Cooperation (APEC); Association of Banks in Singapore Outsourced Service Provider (OSP) Standardized Guidelines; Australian Prudential Regulatory Authority (APRA); Hong Kong Monetary Authority (HKMA); Monetary Authority of Singapore (MAS).
- Europe: EU – European Central Bank (ECB); Germany – Bundesbank/Central Bank of Germany (BuBA), German Federal Financial Supervisory Authority (BaFIN); Luxembourg – Commission de Surveillance du Secteur Financier (CSSF); Switzerland – Financial Market Supervision Act (FINMA); UK – Financial Conduct Authority (FCA); Financial Services Authority (FSA); Prudential Regulation Authority (PRA) Rulebook.
What Else is on the Horizon for 2016?
Shared Assessments 2016 initiatives respond directly to the dynamic landscape of third party risk management by addressing the increased need for direct board involvement, compliance awareness and research and education opportunities for risk professionals to inform and support establishment and refinement of best practices within and across verticals.
The Shared Assessments Program will be convening and/or participating in the following industry roundtables, as well as developing those in other relevant sectors:
- Financial Institution Roundtable – January 2016
- International Singapore APAC – February 2016
- Asset Management Roundtable – March 2016
- 2016 Shared Assessments Summit – May 16-20, 2016.
- 2016 Shared Assessments Conferences, planned for London and Singapore.
The Program will be releasing several original and highly influential papers at the end of the year and into 2016, including:
- A research project, conducted with the Ponemon Institute, exploring risk management practices related to cybersecurity and third party risk.
- A Guided Assessment – Shared Assessments Working Group: Onsite Assessment Best Practices Guidelines, created by the Shared Assessments Best Practices for Third Party Risk Management & Assurance Awareness Group, with best practice assessment and scoping guidelines that are practical for all outsourcing organizations, onsite assessment teams, managers and service providers, regardless of industry or assessment scope.
- The 2016 annual Vendor Risk Management Benchmark Study, sponsored by Protiviti.
In addition, the full Shared Assessments Collaborative Onsite Assessments Program will roll out in 2016. Learn how you can review the testing procedures outlined in the Shared Assessments AUP and participate in the Program by contacting Charlie Miller, Senior Vice President, The Santa Fe Group and Shared Assessments Program, at email@example.com.
The Shared Assessments Program continues to provide a professional platform for examining and resolving critical issues as they emerge in the evolving third party risk landscape, including managing for risk rather than compliance, optimizing third party risk mitigation and leveraging resilience to ensure positive outcomes. Members can sign up to participate in 2016 initiatives by completing the “request to participate.” For more information about each activity and to sign up, click here.
Robin Slade is Executive Vice President and Chief Operating Officer with The Santa Fe Group and the Shared Assessments Program. Robin leads all activities of the Shared Assessments Program, including managing its Member Forum, Advisory Board, Steering Committee and working groups and the Certified Third Party Risk Professional program. Connect with Robin on LinkedIn.