Shared Assessments Adds Module to Third-Party Framework
"Periodic assessments and continuous monitoring" follows introductory release in June
Friday, August 30, 2019
By Jeffrey Kutler
Two months after unveiling its Third Party Risk Management (TPRM) framework, the Shared Assessments third-party risk assurance program announced the availability of a new module covering periodic assessments and continuous monitoring.
The introductory release in June included the first of a planned 10 modules in the framework. Gary Roboff, who led development of the framework and is senior adviser of Santa Fe Group, which is Shared Assessments' managing agent, said then that the objective is “to provide guidance for organizations seeking to develop, optimize and manage third-party-risk best practices,” while acknowledging that in many cases, “resources may be constrained.” (See Best-Practices Guidance for Third-Party Risk)
Periodic assessments and continuous monitoring are described as being at the heart of the “trust, but verify” approach to tracking vendor exposures. With organizations seeking to both improve efficiency and enhance effectiveness in third-party risk management, Shared Assessments said that its “module explores the changing relationship between periodic assessments and continuous monitoring, and examines solutions to the problems organizations are reporting when implementing continuous monitoring programs focused on threat intelligence. It's a 'nuts and bolts' guide, whether improving existing programs or planning TPRM processes from scratch.”
The framework grew out of Shared Assessments' being a focal point for risk practitioners in multiple sectors coping with the growth and ever-increasing complexity of risks arising from third-party interconnectedness.
In July, Shared Assessments announced that its steering committee chair and vice chair, respectively, for 2019 are Glen Sgambati, customer and industry relations executive at Early Warning Services, and Emily Irving, vice president of third-party risk at BlackRock.
Shared Assessments collaborates with Protiviti on an annual Vendor Risk Management Benchmark Study. It more informally polled attendees at the Shared Assessments Member Forum in July on the effectiveness of risk appetite statements and other aspects of vendor risk management. According to a blog post by Roboff, 42% answered “no” to the question, “Is your organization's risk appetite widely understood and applied throughout your organization?”
Another result: 43% said they did not have a “complete vendor inventory accessible enterprise-wide.”
However, Roboff deemed it “heartening” that 95% “said they regularly differentiated critical vendors, a task that allows outsourcers to better match the degree and type of due diligence activities to the amount of risk a critical vendor may present.”
When asked if they “tested their ability to quickly restore all critical services,” 75% said “yes,” which, Roboff noted, “tracked nicely” with the benchmark survey.
Shared Assessments included in its August announcement pre-release testimonials:
- Paul Poh, managing partner, Radical Security: “This is a great blueprint for anyone that is either building a TPRM program or . . . looking to assess if their existing TPRM program encompasses all the current thought leadership in third-party risk.”
- Rocco Grillo, managing director, Global Cyber Risk Services practice, Alvarez & Marsal: “The guidance in this release is spot-on, especially given the evolving threat landscape and the reliance on third-party service and hosting providers. With the module's focus on integrating continuous monitoring and incident management processes into legacy TPRM programs, it will propel organizations in their quest to achieve greater cybersecurity resiliency. The module provides solid guidance to mitigate the everyday issues and risks that imperil program efficacy.”
- Pete Tannish, director of information security, Small Business Financial Exchange, on the module's depth in exploring periodic assessments and continuous monitoring: “This document is by far the most thorough I've ever seen. [It] gives the reader any and every option of what to consider in order to build a program based on cost and/or risk.”