SIG Manager is the engine that creates and manages the Standardized Information Gathering (SIG) Questionnaires (templates). The SIG Manager allows organizations to build, customize, analyze, store, and recall third-party assessments. See page 2 in the 2023 SIG Manager/SIG Questionnaires User Procedure Guide.
The SIG Questionnaire is the template produced by SIG Manager (electronic questionnaire)—quickly, simply and out-of-the-box, or with as much specificity and detail as you need. See page 2 in the 2023 SIG Manager/SIG Questionnaires User Procedure Guide.
SIG Manager operates within Excel. Make sure you have Excel open, enable content, and enable editing if prompted. Start with page 3 in the 2023 SIG Manager/SIG Questionnaires User Procedure Guide for complete instructions.
Access to the SIG is licensed to Product Subscribers and Members. See the Copyright tab on the SIG Manager for more information, and page 3 in the 2023 SIG Manager/SIG Questionnaires User Procedure Guide.
The Recall/Modify function allows you to save a template under the same or a different name. See page 23 in the 2023 SIG Manager/SIG Questionnaires User Procedure Guide.
Yes. Members and Product purchasers that receive the Standardized Control Assessment (SCA) Procedures will receive a stand-alone Documentation and Artifacts Checklist that can be used as a template or artifact in any due diligence process to make that process more efficient. The SCA Best Practices Checklist will refer to this product in the planning phase of a risk assessment.
Yes. The SCA Procedures provide a library of test procedures that can be used for onsite or virtual assessments. The SCA Procedures can be used by internal audit or assurance teams to conduct readiness or control assessment reviews. The procedures can be used internally for gap analysis, self-assessment, or in any process, such as M&A, where control assessments are indicated.
Yes. The Shared Assessments Program has developed a set of SCA Guidelines that are included in the bundle. The SCA Procedures provide risk professionals a set of resources (products, templates, checklists, guidelines) that can be used to plan, scope, and perform third-party risk assessments. This is the “verify” portion of a third-party risk program and was created leveraging the collective intelligence and experience of our vast member base. It is updated every year in order to keep up with the ever-changing risk environment and priorities.
No. The SCA is a library of best practice assessment procedures and should be scoped based on risk factors determined by the organization.
Yes. The SCA can be used to provide independent testing of controls. It can be used by outsourcers and service providers in the due diligence process, and it can be used as an internal self-assessment.
The Target Data Tracker (TDT) product is designed to be used for project management and supports the SIG and SCA in the “Trust But Verify” model. The TDT can help organizations track data collected by or disclosed to third parties, how that data is used, and where it is accessed. The enhanced Data Governance product assists with the identification, tracking, and maintenance of personal information that is utilized within specific third-party relationships. These functions can support CCPA/CPRA readiness and planning efforts, and can be utilized as a due diligence artifact to respond to client requests for service providers.
Yes. This product can help organizations track data collected by or disclosed to third parties, how that data is used, and where it is accessed. The enhanced Data Governance product assists with the identification, tracking, and maintenance of personal information that is utilized within specific third-party relationships. The sections of the Target Data Tracker (TDT) provide a data collection mechanism for information required to address the contract Annex requirements in the GDPR/EU SCCs. Refer to the TDT User Procedure Guide for details.
The updated Data Governance products are designed to assist with pre-scoping activities prior to conducting a complete third-party review. The standalone SIG and SCA Templates can be used as artifacts for conducting a DPIA assessment. The Data Governance products focus on the core privacy obligations and should be used in conjunction with the completed Target Data Tracker or completed SIG for an enterprise view of the Information Technology and Security risks.
The Target Data Tracker product was constructed as a due diligence artifact to be used across many privacy jurisdictions. It contains relevant topics and attributes for records of processing and authorized use, including GDPR obligations for records of processing or as evidence of the implementation of Standard Contractual Clauses (SCCs). Each set of services may require different levels of detail to meet records of processing artifacts, but it can be used to supplement or enhance these documentation efforts. Refer to the TDT User Procedure Guide for detailed information on its use.
Target Maturity is an optional field to display in the Vendor Risk Management Maturity Model (VRMMM) Dashboard to establish the desired state of maturity for each element in a TPRM program. Target Maturity is typically not displayed to users during initial self-assessment to prevent skewing of results but is used to quantify and prioritize areas of improvement. The VRMMM User Procedure Guide provides an overview of how to utilize the Target Maturity feature.
The latest data from the 2022 VRMMM benchmarking study is included in the VRMMM 2023 product. The research focuses on the 48 VRMMM Program Attributes, including new TPRM program elements such as Environmental Social Governance (ESG), M&A, and Nth Party Management.
The VRMMM enables an organization to assess the maturity of over 250 detailed program criteria. The VRMMM organizes TPRM Program structures into Categories and Attributes to streamline the identification of areas of process improvement. The VRMMM Executive Summary Data Tables and Reporting Templates provide formatting templates and charts to share TPRM results and action plans to include in enterprise risk management reporting.
The VRMMM is designed to capture the process maturity across cross-functional areas of a TPRM Program. The VRMMM Accountability Matrix enables the TPRM program owner to capture the names and resources for the individual(s) who provided inputs to the self-evaluation process. The Matrix also enables the identification of the TPRM Program Owners who approved setting Target Maturity levels for the TPRM program in the organization.