Sweeping Updates Support Standardized Excellence in Vendor Risk Management Content and Programs, and Make Assessments Easier to Create, Customize and Manage.
SANTA FE, NM, September 28, 2021 – The Shared Assessments Program, the member-driven leader in third party risk assurance, today issued the 2022 Shared Assessments Third Party Risk Management (TPRM) Toolkit. The Shared Assessments TPRM tools, research and best practices are considered a de facto standard and are used by third party risk management programs, practitioners and consultants serving more than 15,000 organizations.
The 2022 Toolkit helps risk management practitioners, outsourcers and providers keep pace with a rapidly shifting risk landscape, achieve the higher levels of operational resilience now required by the pandemic and its ongoing, cascading impacts, and meet increased regulatory pressure in data governance and ESG (environmental, social, governance). It also brings new ease and integration to TPRM program management and execution.
“Our overarching goal is providing the best and most effective pathway to achieving the resilience so urgently needed at this historic moment, and as a result, the 2022 Toolkit connects and aligns risk management with the greater needs of the business,” said Catherine A. Allen, Chairman, Shared Assessments.
The Toolkit simplifies the use of control information and program execution.
- Outsourcers will appreciate the 2022 Toolkit’s ease of use, which can be particularly helpful in expanding the use of the Standardized Information Gathering (SIG) tool for SMBs as well as enterprises. The SIG tool’s richer content lets one platform, rather than multiple questionnaires, address the broader range of risk types such as operational risk, compliance risk and supply chain risk.
- Licensees will benefit from important new content: over 80 percent of it has been improved or enhanced.
- Service providers can leverage the standardized assurance that the SIG questionnaire allows when responding to customers’ security needs and RFPs.
- All customer groups can draw on the Toolkit’s comprehensive set of due diligence resources beyond the SIG, rather than building customized solutions. The Target Data Tracker (TDT) helps address the new obligations under the EU Standard Contractual Clauses quickly. The updated Vendor Risk Management Maturity Model provides a lens into where a TPRM program should be, and lets service providers meet client contract obligations with less work.
Regulatory Updates: Shared Assessments aligns with regulations, guidelines and standards for a wide range of industries and has integrated 1,600 Control Points into the 2022 Toolkit, including:
- NIST 800-53 (Rev.5) Security and Privacy Controls for Information Systems and Organizations
- DOJ June 2020 Guidance on Evaluation of Corporate Compliance Programs for publicly held U.S. companies
- Consensus Assessments Initiative Questionnaire (CAIQ) v3.1 (April 2020)
- CSA Cloud Controls Matrix (CCM) Version 4
- Industrial Automation and Control Systems Guidance IEC 62443 (2018)
- GDPR Guidance on Standard Contractual Clauses (SCCs) June 2021
- State Privacy Laws (CA, CO, VA)
Third party risk programs must increasingly gauge the ESG compliance of critical suppliers and vendors. In response, the 2022 Toolkit includes ESG updates across all of the tools.
Core 2022 Toolkit Components – New Features:
Standardized Information Gathering (SIG) Questionnaire Tools: Smarter and streamlined, the 2022 SIG Questionnaire allows organizations to build, customize, analyze and store questionnaires. A simplified user experience delivers vetted questions mapped to the most recent controls and regulatory guidance.
The SIG continues to provide the industry standard for efficiency in performing third party risk assessments. New features include:
- Expanded visibility from a comprehensive question library with controls-focused content
- Out-of-the-box questionnaires through enhanced tiering for SIG Lite and SIG Core
- Updated content aligned to the most recent NIST, CSA cloud and SCC guidance
- Streamlined user experience with seamless navigation
- Efficient integration with vendor risk ratings and vendor classification structures in TPRM programs
- Easy updates to vendor questionnaires for outsourcers, with a broadened scope of domains
Standardized Control Assessment (SCA) Procedure Tools – Virtual Assessments: The SCA Procedures are standardized resources (tools, templates, checklists, guidelines) to plan, scope and perform third party risk assessments. If the SIG is the “trust,” SCA is the “verify.” The COVID pandemic shifted risk management programs towards performing virtual assessments, elevating the SCA’s importance as the standard for improving efficiency, accuracy and quality in remote and onsite assessments.
After helping many organizations migrate in-person assessments to virtual ones, the SCA has matured for 2022 with new attributes, features and risk domains, a restructured data privacy section for regulatory compliance, enhanced reporting and other important updates.
Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools: A TPRM program assessment tool to assist organizations as they develop mature TPRM programs, the VRMMM allows third party risk programs to benchmark themselves against a comprehensive set of best practices.
The 2022 release of the VRMMM covers 250 distinct program elements, organized into eight key structures and six key attributes that a well-run third party risk management program should have. It supports both assessment of a vendor’s TPRM program and self-assessment of a company’s own TPRM program, which is particularly helpful for practitioners new to risk management teams and for organizations building a TPRM program. The 2022 Toolkit also features a sweeping refresh and reorganization of VRMMM content reflecting global industry guidance on third party risk and modernized TPRM language.
Data Governance Tools: These have evolved to help meet increasing regulatory pressure across the world. They support business resilience by strengthening disaster recovery and business continuity plans, and provide insight into fourth/Nth party and cloud provider risk.
About the Shared Assessments Program
As the only organization that has developed standardized resources to bring efficiency to the third party risk market for more than a decade, the Shared Assessments Program has become the trusted source in third party risk assurance. Shared Assessments offers opportunities for members to address global risk management challenges through committees, awareness groups, interest groups and special projects. Join the dialog with peer companies and learn how you can optimize your compliance programs while building a better understanding of what it takes to create a more risk-sensitive environment in your organization. For more information, visit https://sharedassessments.org/