Third Party Risk Management - Consultancy, Assessment & Advisory

Shared Assessments Releases 2021 TPRM Toolkit

The Shared Assessments Third Party Risk Management Toolkit was built by member practitioners, for practitioners. Leveraging diverse industry experience and relationship perspective, the toolkit embodies a “Trust, but Verify” approach based on vetted, standardised methodology.


Shared Assessments’ updated 2021 Third Party Risk Management (TPRM) Toolkit is responsive to recent events. A global pandemic, shutdowns, a shift to a virtual workforce, and an increasingly regulated data governance environment have meant that this year is redefining how organisations approach risk management.

Vendors are more “remote” than ever, but assessments and assurance of security controls remain just as critical. Resilience, financial viability and operational risk are more important than before. Data governance regulation, privacy and international frameworks are developing at a fast pace, requiring even higher levels of TPRM program maturity.

This new 2021 edition is considered by risk management professionals to be an invaluable resource. “The Shared Assessments Toolkit is foundational in the area of third party risk,” said Ron Bradley, Director, Cybersecurity Risk Management, Trane Technologies. “2020 has been particularly challenging for those navigating vendor risk, and third party risk managers rely on tools, such as the SIG and the SCA to gather, assess, and verify controls with ease and efficiency.” 

The 2021 TPRM Toolkit is an essential part of the Shared Assessments Third Party Risk Management framework, which helps organisations manage the full lifecycle of a third party relationship. The 2021 Toolkit was built to allow standardised excellence in content and to make assessments easier to create, customise, and manage.


Introducing The 2021 TPRM Toolkit

The components of the 2021 TPRM Toolkit include: 

1. Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools: The VRMMM has been updated and improved annually since 2013. The industry’s longest running third party risk maturity model, it has been continuously vetted and refined by hundreds of the most experienced third party risk management professionals. 

The VRMMM evaluates third party risk assessment programs against a comprehensive set of more than 200 program elements and best practices. Program managers can utilise the Target Maturity to create action plans or incorporate peer benchmark data in setting their maturity targets.

VRMMM Benchmark Tools are free and available at: 

2. Standardised Information Gathering (SIG) Questionnaire Tools: The SIG employs a holistic set of industry best practices for gathering and assessing 18 critical risk domains and corresponding controls, including information technology, cybersecurity, privacy, resiliency, and data security risks. These Tools serve as the “trust” component for outsourcers who wish to use industry-vetted questions to obtain succinct, scoped initial assessment information on a service provider’s controls.

The SIG is also used proactively by service providers, who reduce initial assessment duplication and assessment fatigue by supplying their own pre-completed Response SIGs to outsourcers.

3. Standardised Control Assessment (SCA) Procedure Tools: The SCA assists risk professionals in performing onsite or virtual assessments of vendors. This is the “verify” component of third party risk programs. The SCA mirrors the 18 critical risk domains from the SIG and can be scoped to an individual organisation’s needs. The SCA package includes templates and checklists, which provide a standardised approach to conducting and documenting control reviews, performing testing of controls, and reporting assessment results.

4. Third Party Privacy Tools: The Privacy Tools were built to track requirements from various privacy regulations and framework updates, including CCPA. The Tools include a Target Data Tracker (TDT) that focuses on privacy data governance obligations to identify, track, and document the use of personal information within specific third party relationships, including subcontractors. The TDT serves as a project management tool that streamlines the collection of information for data classification, data flows, and third party disclosures.

The Target Data Tracker is now free and available at:  


Key Updates to the 2021 TPRM Toolkit

In preparation for regulatory changes in addition to emerging threats, we refreshed the tools with the following risks in mind: 

For details about enhancements, content organisation, updates, industry and regulatory standards included in the update to the 2021 TPRM Toolkit, please Contact Us or call +44 (0) 161 476 8700.


You’re Only As Strong As Your Weakest Link


There has never been a more vital time to start thinking seriously about the security posture of your organisation and extended enterprise.

DVV Solutions are here to help with a range of services and solutions proven to improve your ability to assess, analyse and manage more Third-Party and Location Risk domains.

Contact us to see how Supply Wisdom’s early warning and real-time alerts for countries and cities that are critical to your supply and sourcing chains add certainty to your Third-Party Risk Management program:

Call Us: +44 (0) 161 476 8700

Contact Us: Complete our Contact Form, or

Learn more about What We Do


About The Shared Assessments Program

As the trusted source in third party risk, the member-driven Shared Assessments Program has been setting the standard in third party risk assessments since 2005. Shared Assessments Program members work together to build and disseminate best practices, building resources that give all third party risk management stakeholders a faster, more rigorous, more efficient means of conducting security, privacy and business resiliency control assessments. Learn more at