
Three SIG Misperceptions

The longevity of MythBusters, a television series that aired nearly 300 episodes over 15-plus years, speaks to the enduring appeal of testing the validity of rumors, myths, and other claims. In one of the series' most popular episodes, the hosts applied the scientific method to determine whether pouring gasoline down a toilet causes it to explode.

It doesn't, but the hosts still managed to blow up the toilet (while deploying the dramatic principle known as Chekhov's gun).

What are the three SIG misperceptions?

Given the collection of questions that the Shared Assessments program fields concerning the Standard Information Gathering (SIG) tools, I want to explode some SIG myths that materialize from time to time:

  1. The SIG is too large: A third party risk management practitioner who is new to the SIG may see 1,000 questions in the tool and quickly imagine a counterpart at a small to mid-sized third party recoiling at the notion of addressing all of those queries. The truth is that smaller, low-risk vendors, as well as many larger and medium- to high-risk third party partners, do not always need to complete such lengthy and detailed questionnaires. While the SIG Core provides up to a maximum of 825 questions, this tool is designed for vendors that require deeper scrutiny and more personalized risk assessments. The SIG Core also offers shorter, more targeted questionnaire templates that are well-suited to many vendors. Plus, if a vendor's risk level is low or even medium-low, the SIG Lite is well-suited as a standard program-level assessment; it provides up to a maximum of 150 questions.
  2. The SIG Lite is still too much: We sometimes hear that the SIG Lite's 150 questions are a bit too much to ask of vendors. While that can certainly be the case, the misperception is that there are no alternatives to the SIG Lite, such as the Scoped SIG. Shared Assessments members use the Scoped SIG in situations where the SIG Lite or SIG Core are not specific enough to the services provided. In these instances, a custom SIG may be created that scopes by Risk Domain, Mapping Reference (Industry Standard or Regulation), or Control Category. Questions that do not pertain to the scope of service can be hidden. Plus, both the SIG Lite and SIG Core can be used as a starting point for scoping. The SIG tools are infinitely configurable: you can include 100 questions, 50 questions, or even seven questions.
  3. Using the SIG tools is like riding a bike: This misperception is that third party risk managers do not need to refamiliarize themselves with the SIG tools after their initial exposure to them. In reality, the tools receive significant updates each year to reflect real-world practices, regulatory changes, and guideline updates. Although getting a feel for these changes does not require much time or effort, it is an important activity to perform. We don't think much about how a golfer putts or how a basketball player dribbles because those foundational activities seem so natural. Yet the best athletes succeed based on their attention to foundational details. For Shared Assessments members who use the SIG tools, this translates to reading through the SIG User's Guide (which is also updated annually).

Despite what you may have heard, toilets don't explode after gasoline has been flushed. Similar myths exist in the realm of third party risk management: exposing and eliminating these misperceptions will help TPRM teams get more effective and efficient assessments in the can.
