Shared Assessments Program addresses increased regulatory complexity including data protection requirements
Wednesday, November 27, 2019
By Jeffrey Kutler
For the financial services industry, long reliant on connections to external systems and service providers, “third-party risk management is not new,” consulting firm EY and the Institute of International Finance (IIF) noted in their latest global bank risk management survey. What they described as “operating in an ever-expanding ecosystem” is second on a list of 10 key risk factors identified in the report, which looks out 10 years and warns that “the current level of dependence on third parties is only a small fraction of what it will likely be in the future.”
In view of these evolving and heightened demands on operational and compliance resources, Shared Assessments has issued an updated Third Party Risk Management Toolkit for 2020. The group said in a November 20 announcement that it bases the toolkit on “the needs and experience of nearly 300 industry member organizations and the thousands of organizations they serve, as well as the collective needs of non-member toolkit users who trust and depend on the Shared Assessments Program to develop and maintain comprehensive tools for third party risk management.”
Shared Assessments has also produced a briefing paper on the role of boards in effective risk management, a product of collaboration among Santa Fe Group, the program's managing agent; Alvarez & Marsal Dispute Analysis & Forensics; Annie Searle & Associates; Early Warning Services; MUFG Union Bank; Synovus Financial Corp.; and several other subject matter experts.
The vendor risk management benchmark (see Vendor Risk Programs 'Running to Stay in Place'), along with a recent Deloitte study that found extended-enterprise risk management to be suffering from underinvestment, delineates challenges of considerable magnitude and complexity. Accordingly, privacy, cybersecurity, anti-money-laundering, other conduct risks, international compliance, and human trafficking are some of the exposures that the Shared Assessments toolkit is designed to help manage.
EY and IIF considered an extended, or “hyper-connected,” third-party ecosystem that is poised to grow “exponentially as the industry's value chain disaggregates. Thus, as banks look out over the next decade or more, the scale of third-, fourth- and fifth-party risk will feel materially different.”
Aside from their networks of extended interconnections, “in the context of strengthening resilience, banks now have to identify their most critical services, and then determine what processes, technologies, people and third parties support those services,” EY-IIF said. “It is sometimes difficult to reach internal agreement on which business services are critical, so doubly difficult to identify critical third parties.”
GDPR and CCPA
Shared Assessments said that its toolkit “enables organizations to manage their full vendor assessment relationship life cycles, and more effectively execute, benchmark and assess third-party risk management programs.” Among what is new for 2020 are tools for the European Union's General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).
They rise to the level of board concern, Shared Assessments and Santa Fe Group chair and CEO Catherine Allen has said, because “the stakes have never been so high; the sophistication and potential consequences of cyber threats and non-cyber risks increase daily, while non-compliance penalties of regulations such as [GDPR and CCPA] can impede an organization's ability to operate.”
With the toolkit release, she stated, “While it's increasingly understood that third-party IT security risks can cause millions of dollars in loss and damage, and often unmeasurable harm to an organization's reputation, the best practices for effective third-party risk management are certainly less well understood. The guidance and shared insight across industries that emerges from Shared Assessments' third-party risk management intelligence ecosystem of members, licensees, service providers and the thousands of organizations they serve is broadly recognized as the industry's finest.”
In addition to third-party privacy tools, updated for GDPR and CCPA, 2020 toolkit components include features for Vendor Risk Management Maturity Model benchmarking; the Standardized Information Gathering (SIG) Questionnaire; and the Standardized Control Assessment Procedure, which is used for vendor assessments.
Managing Regulatory Change
Shared Assessments also listed “new usability features and expanded operational content.” For example: “Content for the comprehensive but customizable question library addresses corporate governance functions of antitrust, anti-bribery, international compliance, call center security, payments compliance, ethical sourcing, and human trafficking risk in the supply chain. Enterprise risk governance, information security risk and privacy data protection questions have expanded based on new regulations, including CCPA and GDPR.”
It also said that in light of regulatory change-management challenges, “new content across tools helps risk professionals close regulatory compliance gaps in third-party relationships.”
In the area of private-data protection and data governance, enhanced tools “assist with the identification, tracking, and maintenance of personal information that is utilized within specific third-party relationships, including fourth party management.” And additions to the SIG Management Tool make it easier for service providers “to build, configure and maintain multiple completed questionnaires” while reducing the effort and complexity involved in responding to customer due-diligence requests.