“Survey says!”
Depending on your age and viewing habits, that phrase likely calls to mind Family Feud hosts Richard Dawson, Louie Anderson or Steve Harvey. The legendary game show pits two families against each other in a trivia contest whose correct answers are generated by anonymous surveys of random people.
While Shared Assessments operates in the third party risk management (TPRM) business, as opposed to show business, the organization also regularly conducts formal and informal polls of its growing membership base.
The purpose of these surveys is to find out what challenges, information needs and questions are on members’ minds. Some recent polling activities have centered on Shared Assessments’ Standard Information Gathering Questionnaire (SIG).
The SIG is a comprehensive set of questions used to assess third party risk, and it was developed by leveraging the collective intelligence and experience of the organization’s vast and diverse member base. The SIG is updated every year to keep pace with the ever-changing external risk environment and internal risk-management priorities. Here are five SIG-related questions Shared Assessments members are asking right now – along with some helpful answers and insights from Shared Assessments Sales Manager Christopher Campbell.
1. Question: I have a SIG from a few years ago…Do I have to start from scratch in my new SIG?
Answer: In short: no. The licensed user of the SIG does not have to start from scratch. Functionality in the 2021 SIG will allow users to move information from any SIG document to another document regardless of chronology. “This functionality also allows members to port over their self-assessment results into a Service Outsourcers questionnaire,” Campbell adds.
2. Question: Do I have a ready-to-use question template?
Answer: In short: yes. In fact, you have both a short version of the ready-to-use template (the SIG Lite) and a long version (the SIG Core). Plus, the 2021 SIG offers customizable templates using one of three methods. One method involves mapping questions to one of the 14 built-in frameworks, which include NIST, ISO and GDPR among others. Choose your favorite method, or methods, and within a few seconds you’ll have a custom template. Campbell notes that the predetermined template (the method mentioned a few sentences back) is designed by the SIG Tool Development Committee, which consists of Shared Assessments members who volunteer their time. “The Lite and Core are industry-inclusive and can be customized by hiding any non-relevant information,” Campbell continues. “The Shared Assessments community feels strongly the Core template will satisfy the security requirements of 80-90% of TPRM programs in high-risk industries.”
3. Question: Is there a scoring function in the tools?
Answer: A simple scoring function allows the user to immediately rate the importance of each question used during the assessment. This functionality quickly isolates the High-, Med-, Low- or No-Risk questions by separating and “tagging” questions, which facilitates a swift start to remediating the High-Risk questions first.
4. Question: Can I compare the questions to a Framework like NIST, ISO or GDPR?
Answer: “Absolutely!” Campbell asserts. “I can choose to build a custom template and choose the framework of greatest interest to me using a simple checkbox. Doing so immediately builds a template with every question within the Content Library that can be found in that identified framework.”
5. Question: Will the tools produce any reports?
Answer: Survey says, “Yes.” The SIG, SCA and VRMMM all have relevant summary reports that allow the assessment to be sorted by risk rating, summary executive review or high-level category. “We’d be happy to show how all of the tools and reports can be utilized by any entity with a Low, Medium or High TPRM program maturity level,” Campbell adds.