
The Standardized Information Gathering (SIG) questionnaire is a configurable solution for scoping diverse third-party risk assessments, using a comprehensive set of questions to assess third-party or vendor risk. The Shared Assessments SIG was created by leveraging the collective intelligence and experience of our vast and diverse member base. It is updated every year to keep pace with the ever-changing risk environment and priorities.
The Vendor Risk Management Maturity Model (VRMMM) is a comprehensive framework designed to help organizations assess and enhance their third-party risk management programs. By evaluating existing practices against industry benchmarks and best practices, the VRMMM enables organizations to identify areas for improvement, allocate resources effectively, and establish a baseline for program maturity. This model is particularly beneficial for organizations aiming to adapt their risk management strategies based on factors such as industry type, organizational size, and risk tolerance.

Key Features and Functionality:
- Program Governance: Establishes a risk management governance model with defined objectives, board reporting, and oversight, including considerations for ESG and codes of conduct.
- Policies, Standards, and Procedures: Develops comprehensive policies for vendor risk management, including risk categorization, due diligence standards, and lifecycle management.
- Contracts Management: Provides guidelines for contract provisions, relationship management, and procedures for vendor termination or exit.
- Vendor Risk Assessment Process: Implements processes for pre-outsourcing risk evaluation, vendor risk tiering, ongoing assessments, and process automation.
- Skills and Expertise: Defines roles and responsibilities, staffing levels, training programs, and qualifications necessary for effective risk management.
- Communication and Information Sharing: Facilitates integration of vendor risk programs, reporting mechanisms, and communication protocols.
- Tools, Measurement, and Analysis: Utilizes workflow management, risk scoring tools, financial analysis, and automation to monitor vendor risks.
- Monitoring and Review: Establishes procedures for tracking contract provisions, monitoring service level agreements, and conducting continuous monitoring programs.
Primary Value and Problem Solved: The VRMMM addresses the critical need for organizations to manage and mitigate risks associated with third-party vendors. By providing a structured approach to evaluate and improve vendor risk management programs, the VRMMM helps organizations make informed decisions regarding resource allocation and vendor-related risks. It enables the establishment of a maturity baseline, identification of high-value components, and tracking of program progress over time. Ultimately, the VRMMM empowers organizations to enhance their risk management capabilities, ensuring robust governance and compliance in their third-party relationships.
Shared Assessments' Data Governance Products offer a comprehensive suite of tools designed to help organizations manage and protect personal data within third-party relationships. Originally developed to meet GDPR requirements, these products have evolved to address various privacy regulations, including CPRA/CCPA. They assist organizations in navigating the complexities of data protection obligations, ensuring compliance, and mitigating risks associated with third-party data handling.

Key Features and Functionality:
- Target Data Tracker (TDT): Facilitates the identification, tracking, and monitoring of personal data usage and disclosure to third and fourth parties.
- Privacy SIG Questionnaire Template: Provides a scoped template for conducting stand-alone data protection impact assessments or for prioritizing vendor assessments.
- Privacy SCA Template: Offers a tailored template for evaluating documentation, artifacts, and privacy criteria during focused privacy risk assessments related to outsourced services.
- Data Governance Products User Guide: Includes instructions for utilizing the TDT, Privacy SIG, and Privacy SCA in conducting data protection or privacy third-party risk assessments.
- Data Governance Products Enhancement Document: Details changes and revisions in the latest versions of the Data Governance Products.

Primary Value and Problem Solved: The Data Governance Products empower organizations to effectively manage data protection obligations in third-party relationships. By providing tools for tracking data flows, assessing privacy risks, and ensuring compliance with evolving regulations, these products help organizations mitigate risks associated with third-party data handling. This comprehensive approach enhances data transparency, supports regulatory compliance, and fosters a culture of accountability in data management.
The Standardized Control Assessment (SCA) is a comprehensive suite of procedures and tools designed to assist risk professionals in planning, scoping, and conducting third-party risk assessments. Serving as the "verify" component in a third-party risk management program, the SCA is typically employed after initial questionnaires, such as the Standardized Information Gathering Questionnaire, to gather and confirm artifacts that attest to the veracity of the assessment.

Key Features and Functionality:
- Comprehensive Assessment Procedures: The SCA provides a standardized set of assessment procedures that can be efficiently utilized during onsite or virtual assessments, as well as for auditing internal systems.
- Resource-Rich Toolkit: It includes a variety of resources such as solutions, templates, checklists, and guidelines, all aimed at facilitating thorough third-party risk assessments.
- Alignment with Critical Risk Domains: The SCA mirrors 21 critical risk domains from the SIG, including Access Control, Application Security, Cloud Hosting Services, Compliance Management, and Supply Chain Risk Management, among others.
- Customizable Scope: Organizations can tailor the SCA to their specific needs, selecting relevant test procedures based on their unique risk factors.

Primary Value and Problem Solved: The SCA addresses the challenge of efficiently and effectively verifying third-party controls within a risk management framework. By providing a standardized, comprehensive, and customizable set of assessment procedures, it enables organizations to:
- Enhance Assessment Efficiency: Streamline the assessment process through standardized procedures and resources, reducing the time and effort required for thorough evaluations.
- Ensure Consistency and Accuracy: Promote uniformity in assessments, leading to more reliable and comparable results across different third-party engagements.
- Facilitate Regulatory Compliance: Assist organizations in meeting regulatory requirements by providing a structured approach to control verification.
- Adapt to Various Assessment Scenarios: Support both onsite and virtual assessments, offering flexibility in conducting evaluations regardless of logistical constraints.

By integrating the SCA into their third-party risk management programs, organizations can achieve a more robust and reliable assessment process, ultimately strengthening their overall risk posture.
Shared Assessments is a trusted source in third-party risk management. By providing tools, best practices, and resources, Shared Assessments helps organizations effectively manage the risks associated with their third-party vendors and business partners. Their pioneering model is widely used for conducting thorough assessments of vendors to ensure compliance, security, and risk management. Shared Assessments offers a collaborative, member-driven process involving thought leaders across various industries, enhancing the quality and effectiveness of third-party risk management methodologies and practices.