Select Page

Papers

Using the SCA in Complement with Other Assessments: Streamlining Due Diligence

This Building Best Practices resource:

  • Examines how to improve due diligence assessment productivity.
  • Identifies a strong strategy that leverages control verification reports.
  • Documents a means of examining existing artifacts to more efficiently scope any remaining due diligence.

A practitioner tool is provided to house a consolidated record of the reports, facilitate gap analysis, document closing of deltas, and summarize results.

Register to Download

Executive Summary: The Role of ERM in Managing Risks Related to New Technologies

This Executive Summary provides an overview of the challenges related to emerging technologies and key steps identified to help establish effective risk monitoring programs that are responsive to potential risks related to new technologies. This is the companion to the more in-depth briefing paper.

Register to Download

The Role of ERM in Managing Risks Related to New Technologies

The Role of ERM in Managing Risks Related to New Technologies and its companion Executive Summary document examine the challenges that come with significant technology shifts, such as IoT, AI, 5G and quantum encryption and computing; and the valuable role that the board and C-suite can play in helping organizations to recognize and respond to the risks that emerging technology can present.

Register to Download

GDPR Privacy Guidelines and Checklists

This set of General Data Protection Regulation (GDPR) resources have been updated to provide insights to the Third Party risk community and include background on the regulation and guidance on how to integrate GDPR requirements into TPRM programs. These resources work in conjunction with the Shared Assessments Third Party Privacy Tools, a component in the Third Party Risk Management Toolkit.

Register to Download

CCPA Privacy Guidelines and Checklists

This set of California Online Consumer Privacy Act (“CCPA”) resources are provided to share insights and best practices on how to understand aspects of CCPA and the implications that this regulation has on Third Party risk management. These resources work in conjunction with the Shared Assessments Third Party Privacy Tools, a component in the Third Party Risk Management Toolkit.

Register to Download

Using TPRM Best Practices to Improve M&A Outcomes

TPRM practices are ideally suited to enhancing M&A outcomes. By applying TPRM best practices, a wider range of risks deeper in the supply chain can be examined than is typically achieved in M&A due diligence. The guide outlines specific best practices to help lower risks; discusses acquirer and target viewpoints; provides how-to guidance; and includes practitioner Guideline Tools.

Register to Download

Best Practices in TPRM Resource Management: Meeting Increasing Regulatory Expectations Amid a More Challenging Risk Environment

Third party risk managers are struggling to convey the need for the additional resources to develop and sustain a robust TPRM program. Shared Assessments members came together to create a coherent picture of the emerging challenges and provide actionable tools that practitioners can use to document their business case for optimizing TPRM resource allocation within their own organizations.

Register to Download

Creating a Unified Continuous Monitoring Cybersecurity Taxonomy: Gaining Ground by Saying What's What

Continuous monitoring is a rapidly expanding field where a common taxonomy is key to setting expectations in the field and a consistent understanding around continuous monitoring practices. To resolve this problem, the Shared Assessments Program Continuous Monitoring Taxonomy subgroup is proposing a common taxonomy that categorizes the types of alert information that can be selected to be monitored.

Register to Download

The Board's Role in Realizing Effective Risk Management

In practice, governing boards are the last line of defense in ensuring critical risk management processes are effective. However, recent high profile incidents highlight the need for a greater role for boards in mitigating risks. These events serve as a stark example of why boards must become proactive in their risk management oversight role.

Register to Download

Innovations in Third Party Continuous Monitoring

This paper documents how to apply an emerging best practice to improve third party risk management program governance. Embedding the continuous feedback “OODA Loop” – observe-orient-decide-act – into third party risk management programs can be expected to improve an organization’s risk posture by providing a proactive approach to risk management. This paper provides guidance that equips stakeholders in third party risk management to frame internal discussions around implementing this approach within their individual organizations.

Register to Download

Consumer Packaged Goods Industry Call To Action

Benchmarking shows that against industries as a whole CPG has been slower in making program maturity gains in TPRM processes. The Shared Assessments Consumer Packaged Goods Vertical Strategy Group (CPG-VSG) has examined the gap between third party risk management (TPRM) practices and the current threat environment. The group has championed this Call to Action in response to several critical challenges that CPG, as an industry, is facing in attaining TPRM program maturity.

Register to Download

Executive Summary: Principles of Third Party Contract Development, Adherence & Management

This Executive Summary provides and overview of third party contract best practices for setting realistic expectations for both parties regarding due diligence, contract negotiations, onboarding, oversight (including control assessments), reporting requirements and terminations. The Summary contains the key components for optimizing contract processes across the vendor lifecycle. This is the companion to the more in-depth paper.

Register to Download

Principles of Third Party Contract Development, Adherence & Management

Principles of Third Party Contract Development, Adherence & Management and its companion Executive Summary document, discuss how robust contract development practices provide benefits to both the outsourcer and the third party provider. These resources provide guidelines for developing a defined organizational structure in which parameters are set at the beginning of a contracting process to establish a solid foundation for the success of the relationship and improve the maturity of the outsourcer’s third party risk management program.

Register to Download

Balancing Compliance & Convenience in Digital Device Use

Have we become convenience junkies? We have become a mobile society, a mobile economy, and we live a mobile life. Seventy-seven percent of Americans now own smartphones. How do we balance this convenience with privacy, security and risk? Linnea Solem, Chairperson of the Shared Assessments Program Privacy Working Group, explores that balance in this article. Contacts for downloads of this article will be shared with the co-author and Shared Assessments member, Copytalk.

Register to Download

Risk Rating Third Parties: Optimizing Risk Management Outcomes

The objectivity of a risk rating process that follows best practices informs a more effective evaluation and comparison of third party control postures. This paper discusses what third party risk rating is, what risk rating is needed and how an organization can apply risk rating best practices as part of their risk management program. It is essential that a pre-engagement risk rating is performed on every potential third party to determine appropriate levels of due diligence oversight and set relevant expectations for ongoing assessments.

Register to Download

Evaluating Cloud Risk for the Enterprise - An Updated Shared Assessments Guide

In the past seven years we have seen tremendous changes in technology, personnel and business practices. Cloud has now become the de-facto industry model for providing a computing service. Mobile has become the most common model for accessing data. Cloud platforms are managing billions of Internet of Things (IoT) devices daily; and new exciting developments are evolving, such as microservices, to allow previously unimaginable scalability and efficiencies.

Register to Download

Assessment of Public Cloud Computing Vendors

Unique concerns exist around assessing security and controls for public cloud vendor use. This paper addresses those concerns and emerging best practice solutions for outsourcers seeking a Cloud Service Provider (CSP), as well as outsourcers engaging in relationships with third parties that use a CSP.

Register to Download

Fourth Party Risk Management Paper

Risk from downstream parties is increasing as outsourcing organizations engage more and more third parties who themselves have their own outside provider relationships. The proliferation of fourth party relationships provides the undesired opportunity for the existence of significant risk management gaps.

Register to Download

Continuous Monitoring of Third Party Vendors: Building Best Practices

Moving the Needle on Longitudinal Tracking for More Effective Processes Continuous monitoring, a subset of ongoing monitoring, moves the risk posture of systems to a level that allows tracking over time, often in real-time, to raise awareness of changing vulnerabilities and processes for more effective decision-making and achieve discernable gains in risk management.

Register to Download

Building Best Practices in Third Party Risk Management: Involving Procurement Paper

Establishing a strong standard for risk management means including all stakeholders before a third party is brought on board.  The paper focuses on ways to effectively integrate Procurement into the third party oversight function.

Register to Download

Financial Services Industry Call to Action

The increased connectivity and complexity of critical infrastructure systems both nationally and globally puts economic and public security squarely at the forefront of risk management in every sector and industry vertical. A proactive stance is clearly required to establish best practices for more mature risk management programs industry-wide. The financial services industry is in position to continue its leadership role in third party risk management, in order to improve the quality and efficiency of risk management programs at both the outsourcer and provider levels to collectively raise the bar and establish effective industry-wide risk management solutions.

Register to Download

Onsite Assessments Best Practices Paper

A Shared Assessments awareness committee was established to create a best practice assessment and scoping guideline practical for all outsourcing organizations, onsite assessment teams, managers and service providers, regardless of industry or assessment scope. The guideline will work in concert with existing onsite assessment tools and processes. It provides a clear, consistent methodology to keep the assessment process on target and therefore reduce duplication of effort and assessment fatigue.

Register to Download

Incident Response Briefing Paper

To help organizations be better prepared against increasingly inevitable incidents, the Shared Assessments Program SIG Committee has released Building Best Practices for Effective Monitoring of a Third Party’s Incident Event Management Program. The paper outlines a newly developed best practices model of incident event management program creation.

Register to Download

Tone at the Top Paper

DID YOU KNOW? Consensus is quickly growing that an effective risk culture cannot be developed without a “Tone at the Top” that demonstrates, beyond doubt, that the Board and C-Suite are active in building and maintaining an effective enterprise risk management culture and program, inclusive of third party risk issues. The right Tone at the Top and risk culture can become important drivers of improved organizational performance – companies that incorporate risk management into their strategic planning process and operating model gain clear competitive advantage

Register to Download

Collaborative Onsite Assessments Case Study

The Shared Assessments Program is pleased to present a case study based on our first in a series of pilots for our Collaborative Onsite Assessment program. The goal of this pilot program is to create the opportunity for multiple industry outsourcers to perform a collaborative onsite assessment of a single service provider, performed by an independent assessment firm, leveraging the Shared Assessments Agreed Upon Procedures (AUP), the standardized testing procedures of the Shared Assessments Program, as a common onsite assessment vehicle. The case study outlines the methodology used and the results of this first pilot.

Register to Download

It Takes In-Tune Tone at the Top to Shape an Effective Risk Management Culture

In-Tune Tone at the Top is the first of a two-part approach to developing a measurable, repeatable approach to assessment of Tone at the Top elements, with particular sensitivity to third party risk management. Developing and maintaining a strong risk culture requires more than written policy. Good risk management is heavily process-dependent and without risk-focused leadership that enables effective structure and process, security and operational risk activities may remain suboptimal.

Register to Download

Sign up for our Newsletter

Learn more about upcoming events, special offers from our partners and more.
By submitting this form, you are consenting to receive marketing emails from: The Santa Fe Group, 3 Chamisa Drive N., Santa Fe, NM, 87508, https://www.sharedassessments.org. You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact
Shared Assessments is managed by THE SANTA FE GROUP
Privacy policy

This site uses cookies

Please note that on our website we use cookies necessary for the functioning of our website, cookies that optimize the performance. To learn more about our cookies, how we use them and their benefits, please read our Cookie Policy and Privacy Policy.

Accept