This guide introduces and defines eighteen of the most critical and current risk domains within four key areas. The guide describes why organizations need to acknowledge each risk domain and offers concrete suggestions of how organizations can account for risks presented by each domain.
Risk domains are categories, or focus areas, that define the control areas guiding a third party risk management (TPRM) program. They are used to scope or frame the types of controls that should be evaluated during a vendor risk assessment. Risk domains are shaped by the ever-changing risk and regulatory environment.
Risk can be categorized into four key areas.
Governance and Risk Management includes these risk domains: Enterprise Risk Management, Security Policy, Organizational Security, Human Resources Security, Compliance & Operational Risk, and Privacy.
Information Protection includes these risk domains: Physical & Environmental Security, Access Control, Application Security, Endpoint Device Security, Network Security, Server Security, and Cloud Hosting Services.
IT Operations and Business Resilience includes these risk domains: Asset & Information Management, IT Operations Management, and Operational Resilience.
Security Incident and Threat Management includes these risk domains: Cybersecurity Incident Management and Threat Management.
A particular risk domain may be more or less relevant to third party risk management depending on the nature of the services being outsourced.
The Standardized Information Gathering (SIG) Questionnaire helps risk management programs scope third party risk questionnaires appropriately for the organization. The SIG also enables risk management programs to develop custom-tiered questionnaires and to analyze and manage vendor responses.
The SIG is created by leveraging the collective intelligence and experience of our diverse member base. It is updated every year to keep pace with these dynamic risk domains.
The Shared Assessments Program’s Third Party Risk Management (TPRM) Framework is designed to provide guidance for organizations seeking to develop, optimize and/or manage third party risk by incorporating a wide range of best practices into their risk management program. The Framework also provides guidance on how to implement meaningful incremental improvements in TPRM practice maturity in organizations where resources may be constrained.