Shared Assessments finished the 2016 year with 85 new members, a 25% increase over 2015. We closed out the year with a total of 226 members, showing continuing year-over-year growth in the commitment of organizations to improving third party risk management and advancing best practices worldwide.
We’ve come a long way together since Shared Assessments was founded in 2006, when we set out to ease the burden on both outsourcers and third parties by streamlining the cumbersome evaluation process and creating a proven industry standard. Today the Shared Assessments Program’s membership is industry agnostic as companies from across the globe in a variety of industries have adopted the Shared Assessments standards.
The year’s highlights include:
- The Ninth Annual Shared Assessments Summit boasted record attendance by 262 registrants and 39 world class panelists and presenters who gathered to address this year’s theme, The Changing Dynamic of Third Party Risk Assessment.
- We provided roundtables, workshops, training and other educational resources for risk professionals throughout the year.
- We continued our increased international focus, working with organizations with an international presence, as well as those headquartered overseas.
- Release in November of the 2017 Shared Assessments Program Tools, updated to reflect emergent risks, as well as emerging regulations, guidelines and standards for the wide range of industries that our members represent.
2016 Shared Assessments Summit
The Ninth Annual Shared Assessments Summit was held May 18-19, 2016 in Baltimore, MD. The pre-Summit workshops drew more than 100 attendees. And, in keeping with our efforts to recognize the industry champions who are joining together to minimize risk and make our world a safer place to do business, we celebrated several of our members who have accomplished so much in our shared quest to continue reducing risk and growing the Shared Assessments Program. You can read more about the Summit here.
In 2016, Shared Assessments expanded its international footprint by working with leaders in the heavily regulated Singapore market to involve them in building best practices for third party risk. Additional roundtables, conference participation and sponsorships were developed in 2016 and will be expanded throughout the UK and Singapore in 2017.
This past year, Shared Assessments convened our members and other thought leaders, providing a venue for:
- Privacy and Shared Assessments Program Tools Development Committees.
- Committees for regulatory compliance awareness and best practices third party risk management and assurance awareness.
- Industry and regional groups in the UK and in the areas of legal and healthcare/pharma.
Shared Assessments convened and/or participated in the following industry roundtables:
- Financial Institution Roundtable – January 2016.
- International Singapore APAC – March 2016.
- Asset Management Roundtable – March 2016.
- 2016 Shared Assessments Summit – May 2016.
2016 Studies and Papers
Member participation in various Committees and Awareness Groups increased drastically in 2016. For instance, the Best Practices Awareness Group increased to over 70 committee members, an increase of 84%. Each of the papers listed below were released in 2016 by Shared Assessments member volunteers and partner member organizations, who also participated in the monthly Member Forum webinars on each of these topics:
- The results of the third annual 2016 Shared Assessments-Protiviti Vendor Risk Management Benchmark Study included new insight into an improving landscape that supports significantly more mature Vendor Risk Component activities among outsourcers.
- The 2016 Tone at the Top and Third Party Risk Survey examines the role of executives in third party risk management in a broad range of industries and the effect of “Tone at the Top” on minimizing business risks within organizations. This study was sponsored by Shared Assessments and conducted by the Ponemon Institute.
- Financial Services Industry Call to Action puts out the call for creating true efficiencies through standardization, cooperation and public-private partnerships focused on critical third party risk management issues in the face of increased connectivity and complexity of critical infrastructure systems both nationally and globally. This is a response to economic and public security being squarely placed at the forefront of risk management in every sector and industry vertical.
- Building Best Practices for Effective Monitoring of a Third Party’s Incident Event Management Program white paper examines and outlines best practice processes for outsourcing companies. This effort was sponsored by the Shared Assessments Program Standardized Information Gathering (SIG) Committee.
- Best Practices Awareness Group White Papers:
- A Guided Assessment – Shared Assessments Working Group: Onsite Assessment Best Practices Guidelines Shared Assessments white paper discusses best practice assessment and scoping guidelines that are practical for all outsourcing organizations, onsite assessment teams, managers and service providers, regardless of industry or assessment scope.
- Building Best Practices in Third Party Risk Management: Involving Procurement white paper examines the tools and framework within which the Procurement function can work closely, efficiently and effectively with all areas of an organization, to help provide partners and regulators with a level of assurance that third parties are appropriately vetted and monitored throughout the life of the relationship.
- Regulatory Compliance Awareness Group White Paper and Initiatives:
- It Takes It Takes In-Tune Tone at the Top to Shape an Effective Risk Management Culture white paper addresses the growing consensus that an effective risk culture cannot be developed without a “Tone at the Top” that demonstrates, beyond doubt, that the Board and C-Suite are active in building and maintaining an effective enterprise risk management culture and program, inclusive of third party risk issues.
- EU General Data Protection Regulation (GDPR) and Brexit have been examined in articles and Member Forum calls.
- A subject matter expert article was prepared upon invitation by the ISACA Journal, The Tone at the Top – Assessing the Board’s Effectiveness, and accepted for publication and released in November 2016.
- The Committee prepared a response in May 2016 to a Request for Comments from the Office of Comptroller of the Currency (OCC) on its Supporting Responsible Innovation in the Federal Banking System white paper and conducted ongoing Committee discussions on the issues involved and the June OCC Forum in response to comments..
Shared Assessments Certified Third Party Risk Professional Certification
In 2016, 10 CTPRP in-person workshops were offered. Our Certified Third Party Risk Professional (CTPRP) certification has now trained more than 500 CTPRP certification holders. A new Associate CTPRP designation is now available, announced in September 2016, which is awarded to individuals who have successfully completed the full CTPRP training, yet lack the requisite five-year work experience for the full CTPRP certification. In 2017, we will announce the ability to participate in online CTPRP training opportunities and are expanding CTPRP in-person workshops internationally.
Updated 2017 Program Tools
Shared Assessments Program Tools help organizations create sustainable, organization-wide efficiencies in today’s high risk environment. The tools, which are foundational elements for risk management program assessment and evaluation of third party service provider cybersecurity, IT, privacy, data security and business resiliency controls, are: Standardized Information Gathering (SIG) questionnaire; Agreed Upon Procedures (AUP), a tool for standardized onsite assessments; and the Vendor Risk Management Maturity Model (VRMMM).
The Shared Assessments Program maintains its status as the trusted source for industry standard third party risk assurance leadership, in part through regular identification of modifications in domestic and international regulations, industry standards and guidelines and the emergence of new risks. Evaluation of pertinent changes to the Program Tools is made on an ongoing basis against tool content and related updates. It is the partnership between Shared Assessments and member organizations, which creates the essential industry leadership that helps our members to meet the surge in regulatory, consumer and business scrutiny within the constant landscape of cyber and other security threats and vulnerabilities.
These updated tools respond to the many cybersecurity and other third party risk management issues that are at the forefront of everyone’s concerns. Changes to the 2017 Program Tools reflect US and International regulatory changes and guidelines, as well as industry specific standards and best practices for gathering and assessing cybersecurity, IT, privacy, data security and business resiliency in an information technology environment to provide a complete picture of service provider controls, with scoring capability for response analysis and reporting.
On the Horizon for 2017
Shared Assessments will continue to provide a professional platform for examining and resolving the critical issues as they emerge in the evolving third party risk landscape, including managing for risk rather than compliance, optimizing third party risk mitigation and leveraging resilience to ensure positive outcomes. Members can sign up to participate in our 2017 initiatives by completing our “request to participate.” More information about each activity and to sign up you can go here.
Deliverables from the working groups and supporting staff from The Santa Fe Group include publications, research studies, speaking opportunities, webinars and podcasts, events and meetings, social media input, and consulting and advisory services. The CTPRP Program will seek to expand its offerings by providing online training opportunities, SIG and AUP master-level course additions and a Certified Third Party Risk Assessor (CTPRA) certification.
2017 committee initiatives include:
- The Best Practices Awareness Group has already released its first white paper of 2017, Continuous Monitoring of Third Party Vendors: Building Best Practices, which discusses moving the needle on longitudinal tracking for more effective processes and more effective decision-making and achieve discernable gains in risk management.
- Other 2017 Best Practices Awareness Group initiatives and white papers include: Vendor Risk Rating for Third Party Management; Assessment of Public Cloud Computing Vendors; and Fourth Party Risk Management.
- The 2017 Regulatory Compliance Awareness Group is working on: Phase II of the Tone at the Top and Third Party Risk project; building a Compliance Maturity Model for Third Party Risk; and examination, and where appropriate response to, both domestic and international regulatory changes in this dynamic area, including GDPR.
- The 2017 Vendor Risk Management Benchmark study, sponsored by our member partner, Protiviti, Inc.
- The 2017 Ponemon-Shared Assessments Study is being developed, with a focus on third party risk management.
- Additional Member Awareness Group committees are being developed for individual sectors, benchmarking, continuous monitoring, cybersecurity, and environmental trend groups. Invitations to participate are being fielded to all members.
- Additional Member Resources are under development, such as a Third Party Risk Management library, which would include the Collaborative Onsite Assessments (COA) Addendum.
Jenny Burke, is a Senior Vice President for Marketing and Communications with The Santa Fe Group, with key responsibilities that include advancing strategy to increase awareness of the Shared Assessments program, grow memberships, improve tool adoption and communicate all the combined efforts of our staff and members. Prior to joining The Santa Fe Group, she has worked both as an independent marketing consultant and in private industry in branding, digital strategy, website redesign, content management and social media for a variety of software, consumer and website clients. Connect with Jenny on LinkedIn.