
A Bright Future for Third-Party Risk Standards and Best Practice


As some of you may know, I have been championing the cause of standards in third-party risk management in the UK for a number of years now.

When DVV Solutions originally looked at what standards we should build out our service offering and risk advisory from, there was only one organisation that stood out, and that was Shared Assessments.

The Shared Assessments Program is a member-driven community that advances industry-standard tools and best practices for consistent, efficient and cost-effective Third-Party Risk Management (TPRM). The Program has been setting the standard in Third Party risk management since 2005, when the “Big Four” and six global banks collaborated to form Shared Assessments to address the inefficiencies surrounding TPRM.

What did, and still does, stand out most about Shared Assessments is that members not only gain access to the Program Tools (such as the SIG Questionnaire, SCA Process and Data Privacy Toolkit) and thought leadership, but also work alongside industry peers to influence and develop them.

This gives the Program and its artifacts great agility to align with emerging trends and broader GRC and InfoSec auditing standards and regulations – such as NIST, ISO 27001/27002 and PCI DSS – pulling them into one central standard specifically geared to address the risks within third parties and supply chains. Moreover, in recent times Shared Assessments has taken up an advisory role in the support and development of such standards and regulations as it provides a consolidated voice for the views and opinions within the market.

At this point I should declare that as well as being a staunch advocate of the Program I do have a vested interest having been Co-Chair of the Shared Assessments UK/EMEA Best Practice Committee for almost 2 years. However, I am yet to meet a client who has not been able to identify value in membership of the Program and its tooling – but to find out more for yourself simply visit the Shared Assessments website and LinkedIn page.

Taking The Next Big Step for The Future

Shared Assessments have been driving forward standards in third-party risk for over 15 years and, following the recent announcement regarding its acquisition by OneTrust, it has taken another monumental step forward. On reflection I believe the acquisition presents a great opportunity for the Shared Assessments Program to further establish itself as the de facto global standard for Third Party Risk Management and, in turn, an even greater win for existing and future members.

So, what does the announcement actually mean for Shared Assessments, and why is it a monumental step forward?

Maintaining Vendor Neutrality

The Shared Assessment Program relies on the active engagement from its membership of client, service provider and vendor organisations that work collaboratively to develop a balanced and holistic series of tools, processes, research and thought leadership that all parties benefit from.

OneTrust clearly understands this is core to the integrity of the Program, and Kabir Barday, the Founder, President and CEO of OneTrust, has first and foremost committed to maintaining the independence of Shared Assessments. This is a critical move in ensuring that collaboration between peers and commercial competitors for mutual benefit remains within the Program. Furthermore, former CEO Catherine Allen has been retained to ensure a consistency of leadership and focus on the Program’s objectives.

Expanding Program Utility

This is probably the area OneTrust can best leverage its own successes in supporting the development of the Program. The Shared Assessments SIG Questionnaire is one of the most widely adopted third-party risk standards today, used by more than 15,000 companies globally.

With its experience in bringing together multiple international privacy, governance, risk and compliance domains across multiple technologies and sources, OneTrust plans to pull the ever-increasing scope of the SIG and other tooling into a central platform for organisations to adopt and/or integrate with.

In addition, planned real-time updates will enable the SIG to incorporate industry news and events (e.g. COVID, Schrems II) to give it even greater depth as an instrument for point-in-time and ongoing third-party risk assessments.

These will give the Program tools even greater utility for new and existing members and make the Shared Assessments standards and practices an even more compelling value proposition.

Enhancing Education and Engagement

Shared Assessments isn’t simply about the adoption of the SIG questionnaire. The CTPRP and CTPRA training and accreditation programs help fulfil an essential need in this rapidly evolving space. The courses play an instrumental role in supporting the adoption and integration of the Shared Assessments methodology into each member organisation and provide a gateway for new and experienced TPRM professionals to gain even greater credibility and recognition.

Shared Assessments has already made recent strides in expanding the reach of these programs through online and on-demand course delivery, so it is very encouraging to hear that OneTrust intends to make them even more accessible to a global audience.

Going Global

With the additional commercial impetus and resources now at Shared Assessments’ disposal, the team and its members will be able to extend existing work in expanding the Program’s reach beyond its historic geographical borders, with the SIG remaining a core part of the value proposition.

As an active member of the Program I have seen first-hand the level of interest a local community can have in working to support and grow the Program and provide a regional perspective to the development of new Program content (for example, providing practical experience of the impact of regulations such as GDPR, Operational Resilience and SM&CR).

With an even greater focus, and the multi-language support the OneTrust team brings to the table, I can only see the Program accelerating its growth within the European market and beyond.

Raising Standards Is A Team Sport

Irrespective of the management model and ownership, the true value of the Shared Assessments Program for members comes from sharing the challenges faced with peers and learning from each other how to strategically and practically mature their TPRM programs.

The research the membership undertakes is invaluable, and the blogs, articles and white papers it provides on the latest trends, standards and regulations globally ensure all member organisations remain fully informed.

I, for one, am certainly looking forward to being a part of this new relationship and cementing Shared Assessments’ position as the trusted source in third party risk assurance.

About the Author

Sean O’Brien, Managing Director at DVV Solutions, is a practicing Certified Third Party Risk Professional and Assessor with over 25 years’ hands-on experience of delivering IT security and GRC managed services within highly regulated industries.

In addition to the day job, Sean is a founding member of the EMEA Steering Committee for the Shared Assessments Program, and sits on its Best Practices Committee providing a Euro-centric perspective into the development of Shared Assessments’ global standards and practices for Third Party risk frameworks and programs.