This guide introduces and defines nineteen of the most critical and current risk domains within four key areas. The guide describes why organizations need to acknowledge each risk domain and offers concrete suggestions of how organizations can account for risks presented by each domain.
Risk domains are categories or focus areas of defining control areas that help to guide third-party risk management (TPRM) programs. Risk domains are used to scope or frame types of controls that should be evaluated during a vendor risk assessment. The ever-changing risk and regulatory environment define risk domains.
Risk can be categorized into four key areas.
Governance and Risk Management include these domains: Compliance Management, Enterprise Risk Management, Environmental, Social, and Governance (ESG), Human Resources Security, Information Assurance, Nth Party Management, Privacy Management
Information Protection includes these risk domains: Access Control, Application Security, Cloud Hosting Services, Endpoint Security, Network Security, Physical & Environmental Security, Server Security
IT Operations and Business Resilience include these risk domains: Asset & Information Management, IT Operations Management, Operational Resilience
Security Incident and Threat Management include these risk domains: Cybersecurity Incident, Management Threat Management.
A particular risk may be more relevant to third party risk management based on the nature of the services being outsourced.
The Standardized Information Gathering (SIG) Questionnaire helps risk management programs to scope third party risk questionnaires appropriately for the organization. The SIG also enables risk management programs to develop custom-tiered questionnaires and to analyze and manage vendor responses.
The SIG is created leveraging the collective intelligence and experience of our diverse member base. It is updated every year to keep up with dynamic risk domains.
The Shared Assessments Program’s Third Party Risk Management (TPRM) Framework is designed to provide guidance for organizations seeking to develop, optimize and/or manage Third Party Risk by incorporating a wide range of best practices into their risk management program. The Framework also provides guidance about how to implement meaningful incremental improvements in TPRM practice maturity in organizations where resources may be constrained.
Learn about the Shared Assessments Third Party Risk Management Product Suite.