Product Support Center

Customer Success

Your question may already be answered! Please review FAQs and Product Videos below.

Frequently Asked Questions

Standardized Information Gathering (SIG)

What is SIG Manager?

SIG Manager is the engine that creates and manages the Standardized Information Gathering (SIG) Questionnaires (templates). The Tool allows organizations to build, customize, analyze, store, and recall third-party assessments. See page 2 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide.

What is a SIG Questionnaire?

The SIG Questionnaire is the electronic questionnaire template produced by SIG Manager, either quickly and simply out of the box or with as much specificity and detail as you need. See page 2 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide.

The SIG Manager was downloaded, so how do I get started?

SIG Manager operates within Excel. Make sure you have Excel open, enable content, and enable editing if prompted. Start with page 3 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide for complete instructions.

Why do I need to enter my company name?

Access to the Tool is licensed to Tool purchasers and members. See the Copyright tab on the SIG Manager for more information, and page 3 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide.

After creating a SIG scoping template, can I rename it?

The Recall/Modify function allows you to save a template under the same or a different name. See page 23 in the 2022 SIG Manager/SIG Questionnaires User Procedure Guide.

Standardized Control Assessment (SCA)

Can I use the Documentation and Artifacts Request Checklist outside of an onsite assessment?

Yes. Members and Tool purchasers that receive the Standardized Control Assessment (SCA) Procedures will receive a stand-alone Documentation and Artifacts Checklist that can be used as a template or artifact in any due diligence process to make that process more efficient. The SCA Best Practices Checklist will refer to this tool in the planning phase of a risk assessment.

Are there multiple ways to use the SCA Control Assessment Procedures?

Yes. The SCA Procedures provide a library of test procedures that can be used for onsite or virtual assessments. The SCA Procedures can be used by internal audit or assurance teams to conduct readiness or control assessment reviews. The procedures can be used internally for gap analysis, self-assessment, or in any process such as M&A, where control assessments are indicated.

Are there any guidelines I should follow when utilizing the SCA?

Yes. The Shared Assessments Program has developed a set of SCA Guidelines that are included in the bundle. The SCA Procedures provide risk professionals with a set of resources (tools, templates, checklists, guidelines) that can be used to plan, scope, and perform third-party risk assessments. This is the “verify” portion of a third-party risk program and was created leveraging the collective intelligence and experience of our vast member base. It is updated every year in order to keep up with the ever-changing risk environment and priorities.

Do I have to use every procedure when conducting an SCA?

No. The SCA is a library of best practice assessment procedures and should be scoped based on risk factors determined by the organization.

Are there multiple ways the SCA can be used?

Yes. The SCA can be used to provide independent testing of controls. It can be used by outsourcers and service providers in the due diligence process, and it can be used as an internal self-assessment.

Data Governance (Target Data Tracker – TDT)

Can the Target Data Tracker Tool be used for CCPA/CPRA initiatives?

The Target Data Tracker Tool is designed to be used as a project management tool and supports the SIG and SCA in the “Trust But Verify” model. The Tool can help organizations track data collected by or disclosed to third parties, how that data is used, and where it is accessed. The enhanced Data Governance Tools assist with the identification, tracking, and maintenance of personal information that is utilized within specific third-party relationships. These functions can support CCPA/CPRA readiness and planning efforts, and can be utilized as a due diligence artifact to respond to client requests for service providers.

Can the Target Data Tracker tool be used for Standard Contractual Clauses (SCCs) readiness initiatives?

Yes. The Tool can help organizations track data collected by or disclosed to third parties, how that data is used, and where it is accessed. The enhanced Data Governance Tools assist with the identification, tracking, and maintenance of personal information that is utilized within specific third-party relationships. The sections of the Target Data Tracker provide a data collection mechanism for information required to address the contract Annex requirements in the GDPR/EU SCCs. Refer to the TDT User Procedure Guide for details.

Can the Data Governance Tools assist with Data Protection Impact Assessments (DPIAs)?

The updated Data Governance Tools are designed to assist with pre-scoping activities prior to conducting a complete third-party review. The standalone SIG and SCA Templates can be used as artifacts for conducting a DPIA. The Data Governance Tools focus on the core privacy obligations and should be used in conjunction with the completed Target Data Tracker or completed SIG for an enterprise view of the Information Technology and Security risks.

As a service provider, can the Target Data Tracker be used as a record of my processing activities under the EU General Data Protection Regulation (GDPR)?

The Target Data Tracker Tool was constructed as a due diligence artifact to be used across many privacy jurisdictions. It contains relevant topics and attributes for records of processing and authorized use, including GDPR obligations for records of processing or as evidence of the implementation of Standard Contractual Clauses (SCCs). Each set of services may require different levels of detail to meet records of processing artifacts, but the Tool can be used to supplement or enhance these documentation efforts. Refer to the TDT User Procedure Guide for detailed information on how to use the Tool.

Vendor Risk Management Maturity Model (VRMMM)

What is Target Maturity and how do I use it?

Target Maturity is an optional field that can be displayed in the Vendor Risk Management Maturity Model (VRMMM) Dashboard to establish the desired state of maturity for each element in a TPRM program. Target Maturity is typically not displayed to users during initial self-assessment to prevent skewing of results, but is used to quantify and prioritize areas of improvement. The VRMMM User Procedure Guide provides an overview of how to utilize the Target Maturity feature.

Is there an updated VRMMM Benchmarking Study?

The last published study was released in 2019, and planned updates were delayed due to the pandemic. The next iteration of the VRMMM benchmarking study is in development in 2021, with planned surveys and analysis for release in mid-year 2022. The research will be structured with a focus on the 48 VRMMM Program Attributes, including the new TPRM program elements such as Environmental, Social, and Governance (ESG), M&A, Fourth-Nth Party Management, etc.

How do I share the results of the VRMMM self-assessment?

The VRMMM tool enables an organization to assess the maturity of over 250 detailed program criteria. The VRMMM organizes TPRM Program structures into Categories and Attributes to streamline the identification of areas of process improvement. The VRMMM Executive Summary Data Tables and Reporting Templates provide formatting templates and charts to share TPRM results and action plans to include in enterprise risk management reporting.

How do I use the VRMMM Accountability Matrix?

The VRMMM tool is designed to capture the process maturity across cross-functional areas of a TPRM Program. The VRMMM Accountability Matrix enables the TPRM program owner to capture the names and resources for the individual(s) who provided inputs to the self-evaluation process. The Matrix also enables the identification of the TPRM Program Owners who approved setting Target Maturity levels for the TPRM program in the organization.

Video Resources