Papers and Studies

Third party risk managers are struggling to convey the need for the additional resources to develop and sustain a robust TPRM program. Shared Assessments members came together to create a coherent picture of the emerging challenges and provide actionable tools that practitioners can use to document their business case for optimizing TPRM resource allocation within […]

This “Gaining Ground” briefing paper is phase one of the two-phase cooperative project led by the Shared Assessments’ Continuous Monitoring working group. This group has galvanized practitioners from 57 member organizations, as well as non-member CM solution providers in the Taxonomy Subgroup, to establish a common set of terms and standards for identifying, alerting and […]

In practice, governing boards are the last line of defense in ensuring critical risk management processes are effective. However, recent high profile incidents highlight the need for a greater role for boards in mitigating risks. These events serve as a stark example of why boards must become proactive in their risk management oversight role.

The Shared Assessments Program is pleased to present a briefing paper based on the significance of information security and privacy controls on law firms as third party service providers and collaborative opportunities for resolution. This paper focuses on the issues law firms are facing as they adapt to providing a secure IT environment that meets […]

This third annual study on third party IoT risk, conducted by the Ponemon Institute, helps the industry better understand how organizations are managing the risks created by known and unknown IoT devices.  Cyberattacks, data breaches and overall business disruption that can be caused by unsecured IoT devices in the workplace and used by third parties […]

Increasing pressures in the risk and regulatory environments continue to pose severe challenges to vendor risk management (VRM) programs, often offsetting incremental program improvements over the past 12 months. The results of this fifth annual study from Shared Assessments indicate that: There is a strong correlation between high levels of board engagement with VRM issues […]

This paper documents how to apply an emerging best practice to improve third party risk management program governance. Embedding the continuous feedback “OODA Loop” – observe-orient-decide-act – into third party risk management programs can be expected to improve an organization’s risk posture by providing a proactive approach to risk management. This paper provides guidance that […]

The dynamic nature of the risk environment means that third party risk professionals are being asked to protectagainst growing threats with a finite number of resources. In response to the need to be smarter about how weapproach third party risk management (TPRM), this paper provides guidance, practical tools and insight intohow to leverage an action-oriented […]

Benchmarking shows that against industries as a whole CPG has been slower in making program maturity gains in TPRM processes. The Shared Assessments Consumer Packaged Goods Vertical Strategy Group (CPG-VSG) has examined the gap between third party risk management (TPRM) practices and the current threat environment. The group has championed this Call to Action in […]

This paper documents best practices for streamlining third party contract development, approval, exceptions and addendums processes. Organizations increasingly rely on contract clauses and policies to mitigate third party risk. However, fewer than half in a recent study reported they are able to monitor compliance with contract provisions. This paper examines the need for actionable contracts and […]

This Executive Summary provides and overview of third party contract best practices for setting realistic expectations for both parties regarding due diligence, contract negotiations, onboarding, oversight (including control assessments), reporting requirements and terminations. The Summary contains the key components for optimizing contract processes across the vendor lifecycle. This is the companion to the more in-depth […]

With the proliferation of IoT devices in the enterprise, managing third-party risks to sensitive and confidential data has become a herculean task. As revealed in The Second Annual Study on the Internet of Things (IoT): A New Era of Third-Party Risk, companies are deeply concerned that failure to prevent a data breach or cyber attack […]