Shared Assessments Releases 2022 Third Party Risk Management Toolkit

Standardised Excellence To Meet Today’s Risk Environment

Shared Assessments has released the 2022 Third Party Risk Management Toolkit. The tools included in this update are:

• Vendor Risk Management Maturity Model (VRMMM): Self-assessment of TPRM Programs
• Standardised Information Gathering Questionnaire (SIG): Efficient Vendor Risk Assessments
• Standardised Control Assessment (SCA): Validation of Third Party Controls
• Data Governance Tools: Due Diligence Tracking

The Toolkit functions as a framework for Third Party Risk Management (TPRM) allowing 15,000+ organisations worldwide to design and manage their programs with a high degree of assurance and efficiency through standardisation. The SIG is also incorporated into the products of 37 of the program’s third party risk software and GRC platform licensees.

How The Risk Management Toolkit Is Made

The 300+ member organisations bring diverse viewpoints into the creation of the tools including:

• Outsourcers, service providers, licensees, assessment firms and regulators
• Organisations from start-ups to large, global corporations
• Industries including Financial, Insurance, Consumer Packaged Goods, Services, IT and Healthcare
• Experts in cybersecurity, privacy, supply chain risk, compliance, regulation, enterprise risk management, ESG and third party risk

The toolkit was updated to keep up with regulatory changes, an evolving threat landscape and business requirements. Changes were also made to make it easier to create questionnaires and manage programs. While the tools can stand alone, we focused on aligning the entire suite of tools for 2022.

Third Party Risk Landscape 2022

Every year, the Shared Assessments TPRM Toolkit is updated to keep pace with the current risk environment.

2021 saw a major increase in ransomware, for example. Even if we do not record a single ransomware attack in this second half of 2021, this year will go down as the worst year yet for ransomware. Social engineering attacks, distributed denial-of-service (DDoS) and state sponsored cyberattacks are also on the rise. And we are seeing an increase in attacks on critical infrastructure, such as the Colonial Pipeline disruption.

New regulations call for organisations to evidence the completion of risk assessments and securely store these artifacts. With an industry-wide shift to virtual assessments during the pandemic, this documentation has become even more critical.

For organisations struggling to find a foothold amidst pandemic induced challenges, protracted disruptions to supply chains and difficulty to onboard and assess new vendors remains an issue. While at the same time, cost pressure has prevented insourcing.

A remote workforce poses its own challenges – in the Work-From-Anywhere (WFA), on-boarding and training of risk management personnel has become more challenging.

Economy-wide, pressure is growing to introduce ESG measures (environmental, social, and governance) across extended enterprise. Third party risk management programs are being called upon to assist their organisations’ ESG efforts with their most critical suppliers and vendors.

As the face of third party risk changes, the Shared Assessments 2022 Third Party Risk Management Toolkit prepares risk practitioners and programs for a shifting reality.

Regulatory Updates

Shared Assessments updates tools to follow regulations, guidelines and standards for a wide range of industries. The 2022 Toolkit has integrated 1,600 Control Points from new guidelines, regulations, and frameworks including:

• NIST 800-53 (Rev.5) Security and Privacy Controls for Information Systems and Organisations
• DOJ June 2020 Guidance on Evaluation of Corporate Compliance Programs for publicly held U.S. Companies
• Consensus Assessments Initiative Questionnaire (CAIQ) v3.1 (April 2020)
• CSA Cloud Controls Matrix (CCM) Version 4
• Industrial Automation and Control Systems Guidance EC-62443 (2018)
• GDPR Guidance on Standard Contractual Clauses (SCCs) June 2021
• State Privacy Laws (CA, CO, Virginia)

Updates for Environmental, Social, Governance (ESG)

Third party risk programs must increasingly gauge the ESG compliance of critical suppliers and vendors. In response, new features of the 2022 Toolkit include ESG updates among all SA Tools:

• SIG – ESG is visible as a category with 35 questions; ESG only questionnaire can be created
• VRMMM – Updated VRMMM program component in the Program Governance Section. Added more detailed criteria
• SCA – Created new procedure for ESG; updated content in procedure to match changes in SIG
• TDT –Identifies if international data transfers are in scope for a third party/fourth party and identifies country; helps gather information for the ESG program

Standardised Information Gathering (SIG) Questionnaire Tools

Smarter and streamlined, the 2022 SIG Questionnaire allows organisations to build, customise, analyse and store questionnaires. A simplified user experience delivers vetted questions mapped to the most recent controls and regulatory guidance.

The SIG continues to provide standardisation and efficiency in performing third party risk assessments along with:

• Expanded visibility from a comprehensive question library with controls-focused content
• Out-Of-The-Box Questionnaires through Enhanced Tiering for SIG Lite and Core
• Updated content aligned to most recent NIST, Cloud, CSA, SCCs guidance
• Streamlined User Experience introducing seamless navigation
• Efficient Integration with Vendor Risk Ratings and Vendor Classification structures in TPRM programs
• Richer Content enables using one platform vs. multiple questionnaires to address a broader range of risk types (e.g. Operational Risk, Compliance Risk, Supply Chain risk).

Standardised Control Assessment (SCA) Procedure Tools

The SCA Procedures are standardised resources (tools, templates, checklists, guidelines) that can be used to plan, scope, and perform third party risk assessments. The procedures provide a standardised and objective assessment workbook for assessors to verify vendor compliance with standardised control testing.

As the COVID pandemic shifted risk management programs towards performing virtual assessments, the SCA served as the standard for improving efficiency, accuracy and quality in remote assessments. Having helped many organisations migrate in-person assessments to virtual assessments, for 2022 the SCA has matured with:

• Enriched Program-Focused Content with new attributes, categories and risk domains
• Compliance and Operational Risk Improvements including pre-configured procedures for ESG and Corporate Governance
• Data Privacy Restructuring aligning with GDPR, various state and NIST privacy regulation changes
• Strengthened Compliance Documentation to address new regulations including GDPR SCCs (Cross Border Data Transfer) Requirements
• Enhanced Management Reporting with SCA Executive Reporting Data Tables and templates
• Addressing Operational Risk through new procedures

Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools

A TPRM Program Assessment Tool to assist organisations as they develop mature TPRM programs, the VRMMM allows Third Party Risk programs to benchmark themselves against a comprehensive set of best practices. The 2022 release of the VRMMM introduces a multidimensional program model, which explores 250 distinct program elements formed by 8 key structures and 6 key attributes a well-run third party risk management program will have.

The 2022 release of the VRMMM explores 250 distinct program elements formed by 8 key structures and 6 key attributes a well-run third party risk management program will have. It supports both assessments of a vendor’s TPRM program and self-assessment of a company’s own TPRM program. This invaluable guidance is particularly helpful for practitioners new to risk management teams, and to organisations building a TPRM Program.

The 2022 Toolkit features a sweeping refresh and reorganisation of VRMMM content reflecting global industry guidance around third party risk and modernisation of TPRM language. Other enhancements to the VRMMM in 2022 include:

• Enriched Dashboard introducing improved management reporting and templates
• Streamlined Content Navigation helping users clarify/find what they are looking for
• Ability to Measure Target Maturity for ESG, Fourth Party/Nth Party Management, etc.
• Addressing Broader Types of Risk from third party relationships including ESG, emerging technology, fourth party management, and data governance

Data Governance Tools

The Data Governance Tools are solutions for addressing specific data protection obligations (increasing worldwide) in third party risk. The tools enable collection and maintenance of data governance information required to address compliance for authorised data use by third and fourth parties by product, service, or system.

The 2022 Data Governance Tools include:

• Privacy SIG Questionnaire Template: Scoped privacy SIG Template to be used when conducting a stand-alone data protection impact assessment or as a pre-scoping tool for prioritising vendor assessments.
• Privacy SCA Procedure Template: Scoped privacy SCA Standardised Test Procedure that identifies a set of documentation, artifacts, and privacy criteria to be evaluated when an assessment requires a focused privacy risk assessment tailored by the services that are outsourced.
• Target Data Tracker: A data governance tool that enables the identification, tracking, and monitoring of the use and disclosure of personal data to third and fourth parties.

The Data Governance Tools have evolved for increasing regulatory pressure across the world and now:

• Support Business Resilience to enhance Disaster Recovery and Business Continuity Plans by identifying points of contact in company profile
• Efficiently Determine Vendor Classification and Level of Due Diligence as TDT allows for better pre-scoping for TPRM risk or for standalone risk assessments
• Provide Insight Into 4th/Nth Party and Cloud Provider Risk through content that addresses better identification and tracking
• Support International Business and Data Privacy Compliance through location management, identification and tracking of international data transfers

Get The 2022 Third Party Risk Management Toolkit

To learn more about the Shared Assessments Program and TPRM Toolkit please contact

Sean O’Brien
Co-Chair Shared Assessments UK/EMEA Best Practice Committee
on +44 (0) 161 476 8700, or

Members can download the 2022 Toolkit here

Become involved with making the tools here.

Schedule a demo here.