The Shared Assessments Program, the member-driven leader in third party risk assurance, issued the 2020 Shared Assessments Third Party Risk Management Toolkit to help enable organizations around the world to meet new and evolving regulatory compliance demands, and address evolving physical and cyber risk.
New for 2020 are expanded third party privacy tools for GDPR and CCPA; new operational risk content on emerging and expanding third party risk scenarios such as money laundering, trafficking, anti-trust, anti-bribery, international compliance, call center security, payments compliance, ethical sourcing, and human trafficking risk in the supply chain.
The 2020 Toolkit also features enhanced configuration options that allow both outsourcers and service providers to streamline assessments.
The Toolkit was developed based on the needs and experience of nearly 300 industry member organizations and the thousands of organizations they serve, as well as the collective needs of non-member Toolkit users who trust and depend on the Shared Assessments Program to develop and maintain comprehensive tools for third party risk management.
The Toolkit enables organizations to manage their full vendor assessment relationship life cycles, and more effectively execute, benchmark and assess third party risk management programs. This new 2020 edition is considered by risk management professionals to be an invaluable risk management resource.
“The Shared Assessments Standard Information Gathering questionnaire is one of our key strategic tools for assessing Third Parties,” said Eric Cohen, Director, Third Party Information Security Assessment Program, Union Bank.
“In navigating the complexities of dynamic compliance demands and threat landscapes, the modular questionnaire template, the Vendor Risk Management Maturity Model (VRMMM) benchmark tool, and the Standardized Control Assessment (SCA) Procedure Tools are crucial compasses that our risk management, IT and security teams depend on.
“The 2020 Toolkit enables our team to gather, assess and verify data on the full breadth of business issues and aspects, with unmatched ease and efficiency.”
New usability features and expanded operational content
Expanded operational/enterprise risk: Content for the comprehensive but customizable question library addresses corporate governance functions of anti-trust, anti-bribery, international compliance, call center security, payments compliance, ethical sourcing, and human trafficking risk in the supply chain.
Enterprise risk governance, information security risk and privacy data protection questions have expanded based on new regulations, including CCPA and GDPR.
Risk and regulatory compliance content: Fully 58 percent of risk management respondents reported in a recent major study that their regulatory change/compliance of third parties was below target, and 31 percent reported it was well below target. New content across tools helps risk professionals close regulatory compliance gaps in third party relationships.
Data governance: Privacy regulations such as CCPA and GDPR mandate that organizations diligently track data collected by or disclosed to third parties, how that data is used, and where it is accessed.
The enhanced Third Party Privacy Tools assist with the identification, tracking, and maintenance of personal information that is utilized within specific third party relationships, including fourth party management.
Service provider configuration & response management: New agility in the Standardized Information Gathering (SIG) Management Tool makes it easier for service providers to build, configure and maintain multiple completed questionnaires, and sharply reduces the effort and complexity involved in responding to customer due diligence requests across multiple services.
External content automation: Shared Assessments members, outsourcers and licensees can extract and integrate the content of these tools into their platforms with ease, and peer groups can collaborate securely and simply with the new import/export functionality in the SIG.
Usability: Members are key to our programs and we incorporate their feedback to improve functionality, usability, user documentation and training to promote the most efficient adoption of our tools. New scoping capabilities in the SCA Procedure Tools deliver a menu of test procedures tailored for each onsite or virtual assessment.
“While it’s increasingly understood that third party IT security risks can cause millions of dollars in loss and damage, and often unmeasurable harm to an organization’s reputation, the best practices for effective third party risk management are certainly less well understood,” said Santa Fe Group CEO and Chairman Catherine A. Allen.
“The guidance and shared insight across industries that emerges from Shared Assessments’ third party risk management intelligence ecosystem of members, licensees, service providers and the thousands of organizations they serve is broadly recognized as the industry’s finest.”
The components of the 2020 Toolkit
Third party privacy tools: With new and updated tools this year, this popular set of tools builds on the demand for 2019’s GDPR Privacy Tools, with expanded privacy scope to meet the requirements of various privacy regulations and framework updates, including CCPA.
The enhanced tools include a standard Target Data Tracker (TDT) Tool that focuses on privacy data governance obligations: identifying, tracking, and documenting the use of personal information within specific third party relationships, including subcontractors.
The TDT serves as a project management tool that streamlines the collection of information for data classification, data flows, and third party disclosures. These tools provide templates for pre-assessment scoping or readiness assessments that enable privacy centric assessments, incorporating privacy controls and obligations based on specific privacy jurisdictions.
Vendor Risk Management Maturity Model (VRMMM) benchmark tools: The VRMMM has been updated and improved annually since 2013. The industry’s longest running third party risk maturity model, it has been continuously vetted and refined by hundreds of the most experienced third party risk management professionals.
The 2020 VRMMM Benchmark Tools’ improved maturity tracking and functionality let managers set more granular maturity level ratings and deliver greater reporting clarity to help them evaluate program performance.
Program managers can utilize the Target Maturity to create action plans or incorporate peer benchmark data in setting their maturity targets. The VRMMM evaluates third party risk assessment programs against a comprehensive set of more than 200 program elements and best practices.
Enhanced dashboard and reporting capabilities enable the VRMMM to color-code each sub-section, sub-category, and criterion according to whether the organization meets or exceeds the target, providing transparency in management reporting.
The VRMMM consists of eight categories, including program governance; policies, standards and procedures; and contract development, adherence and management.
Standardized Information Gathering (SIG) questionnaire tools: The SIG employs a holistic set of industry best practices for gathering and assessing 18 critical risk domains and corresponding controls, including information technology, cybersecurity, privacy, resiliency and data security risks.
It serves as the “trust” component for outsourcers who wish to use industry-vetted questions to obtain succinct, scoped initial assessment information on a service provider’s controls.
The SIG is also used proactively by service providers to reduce initial assessment duplication and assessment fatigue by supplying their own pre-completed Response SIGs to outsourcers.
New functionality supports both standardization and customization by enabling service providers to manage multiple response questionnaires more efficiently. Expanded content and ability to scope Response SIGs enables outsourcers to focus assessments on their particular industry and/or service, and streamline due diligence processes and risk assessment responses.
For 2020, SIG content data is newly exportable into a JSON file that is recognized by various types of software and interfaces, making importing and exporting of content easier and more secure, because the export file replaces question content with serial numbers rather than carrying the proprietary text itself.
Exportable content enables integration to other compliance platforms and the sharing of SIG templates with peers without exposing proprietary information.
Standardized Control Assessment (SCA) procedure tools: The SCA assists risk professionals in performing onsite or virtual assessments of vendors. This is the “verify” component of third party risk programs.
The SCA mirrors the 18 critical risk domains from the SIG and can be scoped to an individual organization’s needs. The SCA package includes the SCA Report Template, which provides a standardized approach to conducting and documenting control reviews, performing testing of controls and reporting assessment results.
Scoping, the customization feature that has made SIG assessments easier, is now available for the SCA as well. Assessors can tailor or right-size onsite or virtual assessments by selecting or deselecting which test procedures to include for each assessment, and can track progress toward assessment completion with dashboard reporting.
Other new SCA features include a Documentation and Artifact Request Checklist for each risk domain that can be provided to an assessee in advance, providing a standardized way to collect due diligence information, saving time for all parties.