Papers and Studies

Stay on top of the latest in Third-Party Risk Management (TPRM) with Shared Assessments’ papers and studies. Learn industry trends and take away best practices to improve your approach. Read on and rock on, risk management!

Partnering With Procurement – Part 2: Supplier/Vendor Contracts

This series affirms the value of having Third-Party Risk Management (TPRM) and Procurement/Sourcing actively engaged as partners in vendor management. Part 2: Supplier/Vendor Contracts describes contracts as being fundamental in identifying, selecting, mitigating, and minimizing exposures and risks when outsourcing. Knowing the associated risks a vendor poses to the organization – and putting controls in […]

Partnering With Procurement – Part 1: Supplier/Vendor Lifecycle

This series affirms the value of having Third-Party Risk Management (TPRM) and Procurement/Sourcing actively engaged as partners in vendor management. Part 1: Supplier/Vendor Lifecycle explores the benefits of business units sharing responsibility for vetting, onboarding, monitoring, renewing, and terminating vendors, detailing activities for Procurement and Risk Management within each lifecycle phase.

Third Party Focused Ransomware Strategy: An Enterprise-Wide Collaborative Strategy Guide for TPRM Professionals

This paper provides process and program guidance on meaningful, incremental improvements for organizations of all sizes, whether operating locally or globally. The content is designed for both beginning and seasoned security and TPRM practitioners, with an introduction to help inform C-Suite and Board discussions to determine what is at risk; how to manage those risks; […]

Guide: ESG In The 2023 SIG

In our 2023 Third-Party Risk Management Product Suite, we have 131 questions that cover Environmental, Social, Governance (ESG) within the Standardized Information Gathering (SIG) Questionnaire. ESG is now its own risk domain, which allows users to scope an ESG-specific SIG. You will be able to complete a SIG for your organization and you can use […]

Guide: Evolving Work Environments – Impact of Covid-19

In and outside of work, the Covid-19 pandemic was a mandatory exercise in flexibility. What are the workplace shifts we see impacting third-party risk management as we emerge from the pandemic? This guide emphasizes how the pandemic has affected the profile and management of third parties by: comparing “Pre-Covid” and “Post-Covid” insights; highlighting the evolution of work […]

Guide: Risk Domains

This guide introduces and defines 21 of the most critical and current risk domains within four key areas. The guide describes why organizations need to acknowledge each risk domain and offers concrete suggestions of how organizations can account for risks presented by each domain.

Business Case Third-Party Risk Management (TPRM)

Business Case for Third-Party Risk Management (TPRM): A Starting Point For Senior Leadership. As part of our ongoing support to the larger, global community of third-party risk practitioners and programs, Shared Assessments and Third Party Risk Association (TPRA) have together prepared The Business Case for Third Party Risk Management (TPRM): A Starting Point for Senior Leadership. At […]

Risk Quantification: Techniques For The Extended Enterprise

What is the Third-Party Risk Quantification paper about? In the current business landscape, organizations rely on numerous third and Nth parties to produce goods and services. The complexity of these outsourcing activities makes it difficult to understand risks across the supply chain. At the same time, new risks are mounting, and the frequency of severe […]

Spring4Shell Vulnerability: Securing Your Software Supply Chain

Securing Your Software Supply Chain. Shared Assessments recommends a specific due diligence process for understanding third-party patch management capabilities using our industry-leading Standardized Information Gathering (SIG) Vendor Risk Questionnaire. In the case of #Spring4Shell (or alternatively #SpringShell), we recommend you review your previous risk assessments first, instead of initiating new Questionnaire requests in your vendor […]

Guide To Risk Domains For Vendor Risk Management

Guide To Risk Domains. This guide introduces and defines nineteen of the most critical and current risk domains within four key areas. The guide describes why organizations need to acknowledge each risk domain and offers concrete suggestions of how organizations can account for risks presented by each domain. What Are Risk Domains? Risk domains are […]

Privacy Resources For Vendor Risk Management

Data Privacy Scoping Template. Given the pace and complexity of data protection regulations, Shared Assessments provides a free, scoped Privacy Standardized Information Gathering (SIG) Questionnaire mapped to privacy frameworks. This template helps organizations complete third party data privacy reviews, and is a step towards navigating and addressing data governance in third party relationships. What is a […]

Log4j Vulnerability Resources For Vendor Risk Management

Scoping Template. Shared Assessments has released a free Standardized Assessment Tool for the Log4j risk. With this scoping template, you will be able to conduct your own vulnerability assessment and share the form with your vendors for a holistic view of Log4j risk across your supply chain. Register to download in the form on the […]
