Member Projects and Activities
Shared Assessments offers opportunities for members to address global risk management challenges through its committees, Awareness Groups and special projects/interest groups.
Shared Assessments members are national and international organizations of all sizes that understand the value of leveraging the knowledge of their risk management peers in the development and management of best-in-class third party risk management programs. They are leaders in their industries, and members of a global community of risk management professionals working together to keep the Shared Assessments Program Tools at the forefront of third party risk management practices.
One of the primary reasons the Shared Assessments Program Tools have been able to maintain their status as the industry standard for third party risk assurance is that they are maintained by the very risk professionals who specialize in third party risk management issues.
The primary mission of the Development Committees is to ensure that the Shared Assessments Program standardized tools (SIG, SCA, and VRMMM) are relevant and thorough, responding to a range of new and emerging US and international guidelines for privacy, information and data security, and business continuity. All of the Shared Assessments Development Committees are conducted under the direction and oversight of the Shared Assessments Steering Committee. The Steering Committee, with input from each Development Committee Chair, establishes the annual initiatives and helps prioritize their efforts.
Who Serves on the Development Committee?
Development committee members play an important leadership role in the Shared Assessments Program. All Shared Assessments members are eligible to serve on a development committee or awareness group. Development committee members are subject matter experts and other risk management leaders from a range of industries. Participants include experts from the Big 4 accounting firms, which serve as Technical Advisors to the Shared Assessments Program.
Development committee membership offers
- Participation in a global community of risk management and information technology professionals
- Professional development opportunities
- Collaboration with industry peers on challenging issues in information and data security, privacy and business continuity
Standardized Information Gathering (SIG) Committee
Meets monthly, every 4th Thursday at 12:00pm ET
The SIG Committee is responsible for developing the content and functionality of the SIG Questionnaire Tools. The SIG Questionnaire Tools are a set of comprehensive questionnaire management tools that let organizations build, customize, store, and automatically analyze questionnaires and related evidence. The committee’s goal is to ensure the SIG Questionnaire Tools are always relevant to diverse industries and current with the latest industry regulations, standards and leading practices as the Tools relate to information and cyber security, privacy, resiliency, risk management, and other technology and compliance matters. The SIG Committee maintains alignment with these external references and the rest of the Third Party Risk Management Toolkit.
Privacy Committee
Meets monthly or as necessary, every 4th Wednesday at 12:00pm ET
The Privacy Committee addresses challenges organizations face in managing Privacy risks and compliance by communicating changes in domestic and international Privacy regulations. The Privacy Committee is responsible for developing the content and functionality of the Third Party Risk Management Toolkit components that are related to Privacy management, including the GDPR Privacy Tools and Privacy sections of the SIG Questionnaire Tools and SCA Procedure Tools. The Privacy Committee also hosts presentations and produces briefing papers, blogs and other publications on topics of interest relevant to Privacy.
Standardized Control Assessment (SCA) Committee
Meets monthly, every 3rd Tuesday at 12:00pm ET
The SCA Committee is responsible for developing the content and functionality of the SCA Procedure Tools, which assist risk professionals in performing effective and efficient onsite or virtual assessments of vendors using standardized methods and procedures. The SCA Committee ensures the content of the SCA is relevant and accurate by examining and discussing changes to regulations, industry standards and guidelines, and updating SCA content as needed. Committee members also maintain alignment with those external documents and with the other components of the Third Party Risk Management Toolkit.
Vendor Risk Management Maturity Model (VRMMM) Committee
Meets monthly, every 3rd Thursday at 12:00pm ET
The VRMMM Committee is responsible for developing and updating the content and functionality of the VRMMM Benchmark Tools. The VRMMM Benchmark Tools incorporate the most essential vendor risk management practices into an actionable model that can be leveraged to assess the current and desired future state of an organization’s vendor risk management program. Practitioners can utilize the VRMMM to make well-informed decisions on how to spend limited resources in ways that allow them to most effectively manage vendor-related risks. The VRMMM Committee ensures benchmarking tools and surveys maintain relevance for diverse industries and reflect the most current Third Party Risk Management regulations, standards and leading practices.
Committees, Working and Awareness Groups
Best Practices for Third Party Risk Management & Assurance Awareness Group
Meets monthly, every 1st Wednesday at 11:00am ET
The focus of this awareness group is to examine the challenges that organizations face in managing third party risk, and to identify existing best practices in use today or to develop new best practices to address emerging challenges. Examples of previously examined topics include: fourth party management; third party contract development, adherence and management; risk rating third parties; and assessment scoping.
This group will coordinate with the Tool Development Committees when changes appropriate to the Program Tools are identified through group research and discussion. Examples of deliverables developed by this awareness group may include: blog posts; briefing papers; industry call to action pieces; and other suggestions that enhance the practice of third party risk management.
Certified Third Party Risk Professional (CTPRP) Working Group
Meets monthly, every last Wednesday at 2:00pm ET
OPEN TO CTPRP HOLDERS ONLY
Doing business in an outsourced economy requires special strategies, processes and practices for evaluating and managing vendor risk and overseeing the security of sensitive data once it’s in the hands of third parties. Risk management professionals with the specialized skills and training required to manage third party risk have a significant advantage in the workplace. The CTPRP designation from Shared Assessments validates that expertise, providing professional credibility, recognition and marketability. Join other CTPRP holders in the ongoing development and improvement of the CTPRP program, including improving existing workshops, testing and developing additional distribution methodologies and study materials.
Certified Third Party Risk Assessor (CTPRA) Working Group
Meets monthly, every last Wednesday at 2:00pm ET
OPEN TO CTPRA HOLDERS ONLY
Performing a thorough IT risk assessment requires a certain level of proficiency in various third party risk assessment concepts and principles. It is critical for an assessor to possess the technical knowledge and experience required to verify claims stated on an assessment questionnaire. The CTPRA validates that expertise by presenting an advanced discussion of specific IT concepts such as network and application security, operations management and server security. Following the recent launch of the CTPRA certification, join other certificate holders in improving existing workshops, and in testing and developing additional distribution methodologies and study materials.
Continuous Monitoring Working Group
Meets monthly, every 3rd Tuesday at 11:00am ET
As the field of third party risk management continues to evolve in response to business outsourcing demands, internal vulnerabilities and external threats, and the expanding use of downstream services, it has become clear that a once-a-year assessment cannot sufficiently evaluate certain control weaknesses posed by this increasingly complex ecosystem. Proliferation of new technology is having a profound effect on the Third Party Risk Management (TPRM) environment, led by growth in web hosting and SaaS applications and the exponential increase of connected IoT devices.
The Continuous Monitoring Working Group develops and documents best practices for continuous monitoring, focusing on people, process and technology considerations. Key areas of inquiry include preventative and detective controls and rapid response processes. We can expect to see rapid changes in Continuous Monitoring in keeping with its increasing importance within TPRM programs, as member companies focus on the need for agile response to the threat environment.
Operational Technology Risk Management Working Group
Meets monthly, every 4th Wednesday at 11:00am ET
The focus of this group is to discuss the challenges organizations face in managing Operational Technology (OT) risks, to identify today’s existing best practices and to develop new best practices to address those challenges. One area this working group may focus on is developing methods for standardizing the communications around OT due diligence activities. Examples of other topics include assessing compliance with standards, regulations, and frameworks (such as NERC CIP, NIST SP 800-82, and CPNI SICS); assessing co-manufacturers; managing the divergence and convergence of Information Technology (IT) and OT; securing Industrial Digital Twin and Internet of Things (IoT) technologies; and addressing supply chain cybersecurity risks.
This working group is open to all members. Industries that may have interest in this group include Manufacturing (including Consumer, Industrial, and Defense), Utilities, Energy, Industrial Control System (ICS) manufacturers and service providers (including ICS Security software and service providers).
Examples of deliverables developed by this group may include briefing papers, case studies, pilot projects, and practical tools like checklists, guidance, questionnaires, and test procedures.
Regulatory Compliance & Audits Awareness Group
Meets monthly, every 2nd Thursday at 11:00am EST
Today’s regulatory landscape is growing ever more complex. On one hand, major U.S. banking organizations are asking that regulators decrease reliance on third party risk management guidance in their supervisory approach, yet at the same time standards-based risk management regimes (e.g., NIST) and industry specific requirements (e.g., PCI) are continuing to advance in a risk environment where new threats are a regular occurrence. Add to that the international regulatory trend towards adoption of best practices as base requirements (e.g., GDPR) and the overall compliance/audit environment is more complex than ever.
This group regularly invites speakers on relevant topics and, as thought leaders, publishes member-driven white papers on regulatory-related topics. The group also reviews and discusses draft and final third party regulatory guidance and rules that are open for comment. On occasion – and when appropriate – the group has formally responded to regulatory requests for comments and feedback. The Regulatory Compliance & Audits Awareness Group identifies emerging trends and needs for third party assessment tools that address consumer protection, operational risk and regulatory compliance monitoring, recommends enhancements to Shared Assessments Program content, and suggests other needed deliverables.
In this period of regulatory complexity, please join the dialog with peer companies and help to build a better understanding of how you can optimize your organization’s compliance programs.
Risk Committee
Open to Shared Assessments Steering Committee and Advisory Board Members Only. Email Sylvie Obledo (firstname.lastname@example.org) for additional information.
The Risk Committee is an opportunity for Shared Assessments Leaders from a cross section of industries to share their experiences managing risks, leading to the identification of best practices for incorporating new risks and new risk detection/mitigation techniques into an existing Enterprise Risk Management (ERM) structure, and thus influencing strategies that will advance the practice of efficient and effective third party risk management. The output of this committee will influence the agenda for Shared Assessments moving forward. Topics for discussion include:
- Emergence of issues due to geopolitical risks and tariffs
- Looking beyond current risks associated with Enterprise Risk Management (ERM)
- Communicating on risk related issues between the Board and the C-Suite
- Navigating the shift from a compliance orientation to a risk orientation
Vertical Strategy Groups
Open to Shared Assessments Members and Non-Members – Any restrictions are noted
In our continuing effort to meet the needs of our diverse Shared Assessments membership, we have created specific vertical strategy groups (VSGs). Below are the VSGs that have launched to date. Additional VSGs will launch throughout 2019 and members will be notified to participate.
We do allow participation in our VSGs for companies that are not Shared Assessments members to ensure we are taking a comprehensive look at the needs of the specific verticals. Non-member participation is limited to one year from date of signature of the VSG Rules of Participation agreement. No other benefits of membership, including access to the Program Toolkit, are provided to non-members.
Asset Management Vertical Strategy Group
Meets every other month, 2nd Thursday at 2:00pm ET
Open to Asset Management Firms Only
The Asset Management – Vertical Strategy Group (AM-VSG) has been created to gather thought leadership, exchange ideas, share best practices and identify collaboration opportunities regarding asset management third party risk management. Shared Assessments recognizes the expanding risk landscape and regulatory requirements for asset management firms and seeks to:
- Address the expanding frequency/scope of control assessments, including risks associated with cybersecurity, information security, business resiliency, physical security and operational procedures.
- Create a trusted network of professionals who deal with key business processes within the Asset Management industry related to the management of third parties, including but not limited to procurement, operations risk, finance, and policy. These professionals address challenges, risk trends, regulatory changes and best practices that are related to the third party lifecycle.
- Develop and publish targeted white papers and best practices articles that are shared both with Shared Assessments Program members and more broadly across the asset management industry.
Financial Institutions Vertical Strategy Group
Meets monthly, every 2nd Thursday at 1:00pm ET
Open to Financial Institutions Only
The Financial Institutions Vertical Strategy Group (FI-VSG) provides an opportunity for third party risk professionals from the financial services community to share their experiences, leading to the identification of best practices. In turn, this peer-to-peer effort documents successful strategies that advance the practice of efficient and effective third party risk management in the financial services sector. Experienced financial services executives facilitate the FI-VSG community’s discussions of the most pressing third party risk management challenges in the context of today’s rapidly changing risk landscape and seek to:
- Explore the feasibility of developing an assessment sharing ecosystem of financial institutions and their service providers/suppliers
- Ensure the Shared Assessment program tools are fit for use within an FI context
- Become a forum for identifying, understanding, and supporting what’s needed by FIs in Third Party Risk Management
Insurance Vertical Strategy Group
Meets monthly, every 3rd Thursday at 11:00am ET
Open to Insurance (Property, Casualty and Life) Firms Only
Goals for the Insurance Vertical Strategy Group (INS-VSG) are to exchange ideas, share best practices and identify collaboration opportunities related to insurance-specific TPRM needs. Shared Assessments recognizes the expanding risk landscape and regulatory requirements for insurance firms, and potential group activities include:
- Gaining and documenting an understanding of the unique TPRM needs of property, casualty and life insurance firms.
- Addressing the expanding frequency/scope of control assessments, including risks associated with cybersecurity, information security, business resiliency, physical security and operational procedures.
- Improving the industry’s opportunities for TPRM efficiencies and cost savings.