With the recent increased focus of the regulatory agencies and standards bodies on third party risk management, the market is being flooded with companies offering to provide solutions in this area. The Shared Assessments Program has been focused on third party risk issues since the launch of our Tools – the SIG and AUP – in 2005. These Tools execute the Shared Assessments approach of “Trust but Verify” to determine whether a vendor is providing an appropriate risk control environment for your systems and confidential/customer data. This approach allows an organization to obtain IT/data security and privacy information in a cost-effective manner through the use of vendor questionnaires, yet validate the accuracy of that information through on-site assessments when additional due diligence is required.
As the risk of outsourcing products and services has grown over the years, so has the scope of risks addressed by the Shared Assessments Tools. With continued refinement by our members since 2005, the Shared Assessments Tools now cover third party issues related to cloud computing, mobile devices, software application security, and other key third party risks.
The most recent addition to the Shared Assessments’ tool set is the Vendor Risk Management Maturity Model (VRMMM). The VRMMM sets forth the best practices that should be followed to develop a comprehensive third party risk program. In addition, it allows a company to evaluate the maturity of each of their program’s components against stated development goals.
An exciting supplement to the VRMMM is the upcoming release of the third party risk management benchmarking study. Shared Assessments has teamed up with Protiviti to develop the first comprehensive benchmarking study on third party risk programs. The goal is to provide companies with the ability to evaluate the maturity of their own third party risk program against that of their industry peers. The release of this study is scheduled to coincide with the Shared Assessments Summit May 19 – 21 in Boston.
As the trusted authority on third party risk assessment and management, the Shared Assessments Program goes well beyond providing Tools for third party risk. Shared Assessments also provides workshops and training on how to implement our Tools and address all of the key issues in the third party risk lifecycle. We have training and educational materials that begin with vendor selection, continue to assessment and remediation, and conclude with vendor termination and replacement.
So, make sure you’re comfortable with the depth and breadth of the experience a company has in this area before you trust them to help solve your third party risk issues. When conducting your due diligence, remember that the software solution providers who license Shared Assessments content, and all of our assessment firm members, are beneficiaries of the Program’s decade of knowledge in addressing third party risks.
Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships. Follow Brad on Twitter at @sfgbrad.