Strengthening Third Party Risk Management with Agnostic Program Tools

Third party mishaps resulting in breaches and other newsworthy events continue to drive home the need for improved risk management program capabilities in all verticals. From planning for engagement, through due diligence and vendor selection, contract negotiations, ongoing and continuous monitoring, and through termination, the Program Tools help organizations effectively manage the critical components of third party relationships.

The Shared Assessments Program released its updated 2017 Program Tools on November 29th. These Tools provide users with the means for evaluating cybersecurity, IT, privacy, data security and business resiliency controls throughout the third party engagement lifecycle, using a proven “trust, but verify” approach to conducting third party risk management assessments and a substantiation-based, standardized, efficient methodology.

The Tools, as well as the expert knowledge base and mentoring provided to Shared Assessments Members, serve organizations regardless of size or industry. The Shared Assessments Program Tools are:

  • Standardized Information Gathering (SIG) questionnaire for remote assessments;
  • Agreed Upon Procedures (AUP) for performing onsite assessments; and
  • Vendor Risk Management Maturity Model (VRMMM) for evaluating programs against a comprehensive set of best practices.

Each Tool has been updated and mapped in detail against the current landscape of regulatory guidance, best practices and industry guidance. The Tools provide a holistic means for evaluating third party risk programs, including in the following areas: Program Governance; Policies, Standards and Procedures; Contracts; Vendor Risk Identification and Analysis; Skills and Expertise; Communication and Information Sharing; Tools, Measurement and Analysis; and Monitoring and Review. For example, the items on the VRMMM Contracts tab allow assessment of an organization’s ability to “protect” and “control,” two of NIST’s functional categories.

Using the Tools gives users confidence that all controls and activities (both internal to the outsourcer and external to third and fourth parties) are at least as strong and effective as the outsourcer’s risk appetite demands. Key factors that differentiate the Shared Assessments Program and its Program Tools are the solid focus on third party risk, the incorporation of operational risk perspectives that go well beyond IT security, and regular updating by the industry’s most accomplished practitioners, who represent stakeholders across the spectrum of outsourcing, vendor and assessor operations and risk management.

While each Tool may be used independently, the Tools used together provide maximum protection from third party risks, allowing risk management professionals to respond to the relentless pace and shifting nature of cybersecurity threats and vulnerabilities associated with rapidly changing outsourcing, cloud, mobile and fourth party security issues. You can check out the Program by visiting and the tools by visiting

Marya Roddis is Vice President of Communications for The Santa Fe Group. She develops blog content and assists staff and members in documenting committee projects in white papers and briefings, as well as working on blog editing, press releases and other marketing documentation projects. She has worked as a Resource Development Consultant since 2003, primarily for non-profit organizations in the fields of arts, education, social services and regional economic and business development.